
##########################################################################
# $Id$
##########################################################################
# $Log: pix,v $
# Revision 1.4  2008/06/30 23:07:51  kirk
# fixed copyright holders for files where I know who they should be
#
# Revision 1.3  2008/03/24 23:31:26  kirk
# added copyright/license notice to each script
#
# Revision 1.2  2007/02/16 03:30:55  bjorn
# Change to Unix text, without CR/LF, by Ivana Varekova.
#
# Revision 1.1  2006/12/20 04:24:07  bjorn
# New script for cisco pix files, written by Bob Hendry.
#
##########################################################################
#######################################################
## Copyright (c) 2008 Bob Hendry
## Covered under the included MIT/X-Consortium License:
##    http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms.  If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution and the
## Logwatch project reserves the right to not accept such
## contributions.  If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
use Logwatch ':all';
##########################################################################
# Apply date for Cisco PIX
##########################################################################

use POSIX qw(strftime);
use Logwatch ':dates';

# Pattern for the syslog timestamp that opens every line inside the
# requested reporting window; TimeFilter() comes from the Logwatch module.
$SearchDate = TimeFilter('%b %e %H:%M:%S');

# Verbosity settings handed down by the logwatch driver, both defaulting
# to 0 when the environment does not set them.
$Debug  = $ENV{LOGWATCH_DEBUG}        || 0;
$Detail = $ENV{LOGWATCH_DETAIL_LEVEL} || 0;

# At debug level 5 and up announce the filter and start the counter that
# numbers the input lines echoed to STDERR at level 30.
if ( $Debug >= 5 ) {
   print {*STDERR} "\n\nDEBUG: Inside PIX  Filter \n\n";
   $DebugCounter = 1;
}
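##########################################################################
# Line parsing
#
# Every recognised message is reduced to a list of whitespace-separated
# fields by _pix_fields(); the branches below pick the fields they need by
# position.  The positions are the ones the original author used; the
# message layouts quoted inline are what those positions imply and have
# not been re-verified against a PIX manual.
##########################################################################

# Transport names as they appear in PIX messages.  Substring matches, so
# both "tcp" and "TCP" qualify; anything else matches neither.
my $TCP_RE = qr/TCP|tcp/;
my $UDP_RE = qr/UDP|udp/;

# Split one log line into PIX message fields.
#   $line          raw log line; the caller's copy is left untouched
#   $tag           literal text that ends the syslog/message-id prefix;
#                  everything up to and including its last occurrence goes
#   $strip_parens  also treat '(' and ')' as separators, for messages that
#                  carry "(<ip>/<port>)" groups
# ':' ',' and '/' always become spaces, so "outside:1.2.3.4/80" yields the
# interface, address and port as three separate fields.
sub _pix_fields {
   my ($line, $tag, $strip_parens) = @_;
   chomp $line;
   $line =~ s/^.*\Q$tag\E//;
   $line =~ s/[:,]/ /g;
   $line =~ s{/}{ }g;
   $line =~ s/[()]/ /g if $strip_parens;
   return split ' ', $line;
}

# Fields of a 302014/302016 Teardown message, returned as
# (protocol, connection id, source ip, source port, dest ip, dest port).
# Positions 11/12 for the destination presume a "(<ip>/<port>)" group
# follows each endpoint — TODO confirm against the PIX version in use.
sub _teardown_fields {
   my ($line, $tag) = @_;
   my @field = _pix_fields($line, $tag, 1);
   return @field[0, 2, 5, 6, 11, 12];
}

# Add $count hits for $key to a per-key tally and bump its running total.
sub _tally {
   my ($hits_of, $total_ref, $key, $count) = @_;
   $hits_of->{$key} += $count;
   ${$total_ref}    += $count;
   return;
}

# True when $protocol matches $proto_re and $port equals $wanted.  A line
# the parser did not understand leaves the port unset, and that must never
# count as a hit on any service.
sub _is_flow {
   my ($protocol, $proto_re, $port, $wanted) = @_;
   return 0 unless defined $protocol and defined $port;
   my $matches = ( $protocol =~ $proto_re and $port == $wanted );
   return $matches ? 1 : 0;
}

while (defined($ThisLine = <STDIN>)) {
   # Only lines stamped inside the requested reporting range are examined.
   next unless $ThisLine =~ m/^$SearchDate/o;

   if ( $Debug >= 30 ) {
      print STDERR "DEBUG($DebugCounter): $ThisLine";
      $DebugCounter++;
   }

   # All per-line values start unset so that a message this parser does not
   # fully understand cannot inherit a port, protocol or count from the
   # previous line and be tallied against the wrong service.
   my ($accesslist, $action, $protocol, $connection_id);
   my ($source_ip, $source_port, $destination_ip, $destination_port);
   my $count = 0;
   my @testfields;

   if (   $ThisLine =~ /ISDN-6-.+/
       or $ThisLine =~ /Copyright/
       or $ThisLine =~ /Cisco Internetwork Operating System Software/
       or $ThisLine =~ /IOS \(tm\)/
       or $ThisLine =~ /TAC:Home:SW:IOS:Specials/ ) {
      # IOS banner and boot chatter: deliberately ignored.
   }
   elsif ( $ThisLine =~ /%PIX-4-106023:/ ) {
      # Packet denied by an ACL.  Layout implied by the positions below:
      #   Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
      #   by access-group "<acl>" [0x0, 0x0]
      (my $rest = $ThisLine) =~ s/\[0x0, 0x0\]//;
      $rest =~ s/"/ /g;
      $rest =~ s/by access-group//;
      @testfields = _pix_fields($rest, 'PIX-4-106023: Deny ');
      $accesslist = $testfields[-1];
      $action     = 'Deny';
      $protocol   = $testfields[0];
      if ( $protocol =~ /tcp|udp/ ) {
         $count            = 1;
         $source_ip        = $testfields[3];
         $source_port      = $testfields[4];
         $destination_ip   = $testfields[7];
         # Was "@dfields[8]", an array that exists nowhere in the script, so
         # the port was always undef and denied SSH/telnet packets from this
         # message were never counted.
         $destination_port = $testfields[8];
      }
      elsif ( $protocol =~ /icmp/ ) {
         $count          = 1;
         $source_ip      = $testfields[3];
         $destination_ip = $testfields[7];
      }
      elsif ( $protocol =~ /41/ ) {
         # IP protocol 41 (IPv6 encapsulation); same layout as tcp/udp.
         # NOTE(review): $IPV6_packets, which the report prints, is never
         # incremented anywhere in this script; this branch looks like the
         # place the author meant to do it.
         $count            = 1;
         $source_ip        = $testfields[3];
         $source_port      = $testfields[4];
         $destination_ip   = $testfields[7];
         $destination_port = $testfields[8];
      }
      # Unknown protocol: $count stays 0, the ACL is still listed.
      $ACL{$accesslist} += $count;
      $ACTION{$action}  += $count;
      $packets          += $count;
      _tally(\%SSH, \$SSH_packets, $source_ip, $count)
         if _is_flow($protocol, $TCP_RE, $destination_port, 22);
      _tally(\%TELNET, \$TELNET_packets, $source_ip, $count)
         if _is_flow($protocol, $TCP_RE, $destination_port, 23);
   }
   elsif ( $ThisLine =~ /%PIX-6-106100:/ ) {
      # ACL hit with counters.  Layout implied by the positions below:
      #   access-list <acl> <permitted|denied> <proto> <if>/<ip>(<port>)
      #   -> <if>/<ip>(<port>) hit-cnt <n> ...
      (my $rest = $ThisLine) =~ s/ ->//;
      @testfields = _pix_fields($rest, '%PIX-6-106100:', 1);
      $accesslist = $testfields[1];
      $action     = $testfields[2];
      $protocol   = $testfields[3];
      if ( $protocol =~ /TCP|UDP|tcp|udp/ ) {
         $count            = 1;
         $source_ip        = $testfields[5];
         $source_port      = $testfields[6];
         $destination_ip   = $testfields[8];
         $destination_port = $testfields[9];
      }
      # icmpv6 and anything else: not implemented, $count stays 0 (the
      # original let a stale $count from the previous line leak in here).
      $ACL{$accesslist} += $count;
      $ACTION{$action}  += $count;
      $packets          += $count;
      _tally(\%SSH, \$SSH_packets, $source_ip, $count)
         if _is_flow($protocol, $TCP_RE, $destination_port, 22);
      _tally(\%TELNET, \$TELNET_packets, $source_ip, $count)
         if _is_flow($protocol, $TCP_RE, $destination_port, 23);
      _tally(\%FTP, \$FTP_packets, $source_ip, $count)
         if _is_flow($protocol, $TCP_RE, $destination_port, 21);
   }
   elsif ( $ThisLine =~ /(%PIX-6-30201[35]: Built)/ ) {
      # "Built <in|out>bound <TCP|UDP> connection <id> for ...": remember the
      # id so the matching Teardown is credited to a known connection.
      # Entries are never removed, so the hash grows with the number of
      # distinct ids seen in one run.
      my $tag = $1;
      @testfields    = _pix_fields($ThisLine, $tag, 1);
      $connection_id = $testfields[3];
      $CONNECTION_ID{$connection_id} = 1;
   }
   elsif ( $ThisLine =~ /%PIX-6-302014: Teardown/ ) {
      # TCP connection closed; tallied by destination port, and only when the
      # connection's Built message was seen.  `exists` replaces the original
      # numeric `==` against the stored value, which was true for any unset
      # id (undef == undef) and for ids that numify to 0.
      ($protocol, $connection_id, $source_ip, $source_port,
       $destination_ip, $destination_port)
         = _teardown_fields($ThisLine, '%PIX-6-302014: Teardown');
      $count = 1;
      if ( defined $connection_id and exists $CONNECTION_ID{$connection_id} ) {
         _tally(\%FTP, \$FTP_packets, $source_ip, $count)
            if _is_flow($protocol, $TCP_RE, $destination_port, 21);
         _tally(\%SSH, \$SSH_packets, $source_ip, $count)
            if _is_flow($protocol, $TCP_RE, $destination_port, 22);
         _tally(\%TELNET, \$TELNET_packets, $source_ip, $count)
            if _is_flow($protocol, $TCP_RE, $destination_port, 23);
      }
   }
   elsif ( $ThisLine =~ /%PIX-6-302016: Teardown/ ) {
      # UDP connection closed; DNS/NTP/syslog are recognised by the *source*
      # port, as in the original.
      ($protocol, $connection_id, $source_ip, $source_port,
       $destination_ip, $destination_port)
         = _teardown_fields($ThisLine, '%PIX-6-302016: Teardown');
      $count = 1;
      if ( defined $connection_id and exists $CONNECTION_ID{$connection_id} ) {
         _tally(\%DNS, \$DNS_packets, $source_ip, $count)
            if _is_flow($protocol, $UDP_RE, $source_port, 53);
         _tally(\%NTP, \$NTP_packets, $source_ip, $count)
            if _is_flow($protocol, $UDP_RE, $source_port, 123);
         _tally(\%SYSLOG, \$SYSLOG_packets, $source_ip, $count)
            if _is_flow($protocol, $UDP_RE, $source_port, 514);
      }
   }
   elsif ( $ThisLine =~ /%PIX-3-710003:/ ) {
      # Access denied by ACL.  Layout implied by the positions below:
      #   <proto> access denied by <acl> from <ip>/<port> to <if>:<ip>/<port>
      @testfields = _pix_fields($ThisLine, '%PIX-3-710003:');
      $accesslist = $testfields[4];
      $action     = 'denied';
      $protocol   = $testfields[0];
      if ( $protocol =~ /TCP|UDP|tcp|udp/ ) {
         $count            = 1;
         $source_ip        = $testfields[6];
         $source_port      = $testfields[7];
         $destination_ip   = $testfields[10];
         $destination_port = $testfields[11];
      }
      elsif ( $protocol =~ /icmpv6/ ) {
         # The message carries its own hit count in field 6.
         $source_ip        = $testfields[3];
         $source_port      = 0;
         $destination_ip   = $testfields[4];
         $destination_port = 0;
         $count            = $testfields[6];
      }
      $ACL{$accesslist} += $count;
      $ACTION{$action}  += $count;
      $packets          += $count;
      _tally(\%SSH, \$SSH_packets, $source_ip, $count)
         if _is_flow($protocol, $TCP_RE, $destination_port, 22);
   }
   elsif ( $ThisLine =~ /%PIX-6-302020: Built ICMP connection for faddr/ ) {
      # ICMP "connections" carry no id; the foreign address stands in for it
      # and shares %CONNECTION_ID with the TCP/UDP ids.
      @testfields = _pix_fields($ThisLine,
                                '%PIX-6-302020: Built ICMP connection for faddr', 1);
      $connection_id = $testfields[0];
      $CONNECTION_ID{$connection_id} = 1;
   }
   elsif ( $ThisLine =~ /%PIX-6-302021: Teardown ICMP connection for faddr/ ) {
      @testfields = _pix_fields($ThisLine,
                                '%PIX-6-302021: Teardown ICMP connection for faddr', 1);
      $connection_id = $testfields[0];
      $source_ip     = $connection_id;
      $count         = 1;
      if ( defined $connection_id and exists $CONNECTION_ID{$connection_id} ) {
         _tally(\%ICMP, \$ICMP_packets, $source_ip, $count);
      }
   }
   else {
      # Anything else is kept, one entry per distinct line, for an
      # unmatched-entries report.
      chomp $ThisLine;
      $OtherList{$ThisLine}++;
   }
}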
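##########################################################################
# Report
#
# One section per tally, in the order the original printed them.  A section
# is omitted entirely when its tally is empty.
#
# NOTE(review): %OtherList (every line no branch above recognised) is
# collected by the parser, but the block that would print it is commented
# out below, so unrecognised PIX message ids never surface in the report.
##########################################################################

# Print one report section: heading, one line per key in sorted order and a
# total line.  Prints nothing when %{$hits_of} is empty.  When $ipv6_total
# is given and positive an extra "IPv6 Total" line follows the total.
sub _print_section {
   my ($title, $hits_of, $total, $ipv6_total) = @_;
   return unless keys %{$hits_of};
   print "\n$title:\n";
   foreach my $key (sort keys %{$hits_of}) {
      print "   $key : $hits_of->{$key} Hit(s)\n";
   }
   print "   Total : $total Hit(s)\n";
   if ( defined $ipv6_total and $ipv6_total > 0 ) {
      print "   IPv6 Total : $ipv6_total Hit(s)\n";
   }
   return;
}

# NOTE(review): $IPV6_packets is printed here but nothing in this script
# increments it, so the "IPv6 Total" line can never appear.
_print_section('Access Control Lists', \%ACL,    $packets, $IPV6_packets);
_print_section('Actions',              \%ACTION, $packets, $IPV6_packets);
_print_section('ICMP Requests',        \%ICMP,   $ICMP_packets);
_print_section('SSH access',           \%SSH,    $SSH_packets);
_print_section('TELNET access',        \%TELNET, $TELNET_packets);
_print_section('FTP access',           \%FTP,    $FTP_packets);
_print_section('DNS access',           \%DNS,    $DNS_packets);
_print_section('NTP access',           \%NTP,    $NTP_packets);
_print_section('SYSLOG access',        \%SYSLOG, $SYSLOG_packets);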
#if (keys %OtherList) {
#	print "\n**Unmatched Entries**\n";
#	foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
#	print "   $line: $OtherList{$line} Time(s)\n";
#    }
#}
# Always finish with exit status 0.
exit 0;
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: