##########################################################################
# $Id$
##########################################################################
# $Log: rt314,v $
# Revision 1.10 2008/06/30 23:07:51 kirk
# fixed copyright holders for files where I know who they should be
#
# Revision 1.9 2008/03/24 23:31:26 kirk
# added copyright/license notice to each script
#
# Revision 1.8 2007/02/16 15:05:06 bjorn
# Deleted "Public Domain" string; now using default Logwatch license, per
# Daniel Barrett.
#
#############################################################################
# rt314: logwatcher processing script for NetGear RT314 router syslog output.
# Author: Daniel J. Barrett, dbarrett@blazemonger.com.
#############################################################################
#######################################################
## Copyright (c) 2008 Daniel Barrett
## Covered under the included MIT/X-Consortium License:
## http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms. If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution and the
## Logwatch project reserves the right to not accept such
## contributions. If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
use Socket;
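use strict;
use warnings;

# Verbosity requested through LOGWATCH_DETAIL_LEVEL; 0 when the variable is
# unset.  Kept as a package global so the name stays visible as before.
our $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my $separator = "-------------------------------------------------------\n";

# Pull the source address and destination port out of one port-scan line.
# Returns ($ipaddr, $port) with $port normalised to a plain number, or an
# empty list when the line does not carry both fields (or carries a port
# outside 0..65535), so the caller can count it rather than mis-attribute it.
# The previous version reused whatever $1/$2 held from an earlier match on a
# non-matching line, and indexed an array by the raw port number, so a single
# forged "dpo=" value could allocate an arbitrarily large array.
sub _parse_scan_line {
   my ($line) = @_;
   if ($line =~ /Src=([0-9.]+) .* dpo=([0-9]+)/) {
      my ($ipaddr, $port) = ($1, $2);
      return ($ipaddr, 0 + $port) if $port <= 65535;
   }
   return;
}

# Sort key that orders dotted-quad strings octet by octet.  A plain numeric
# sort on the string only compared the leading octet.
sub _ip_sort_key {
   my ($ip) = @_;
   my @octets = split /\./, $ip;
   return join '.', map { sprintf '%03d', ($_ =~ /^[0-9]+$/ ? $_ : 0) } @octets;
}

# Reverse-DNS answers are chosen by whoever controls the PTR record, so reduce
# them to printable ASCII before they are written into the report.
sub _printable {
   my ($text) = @_;
   return '' unless defined $text;
   $text =~ s/[^\x20-\x7e]/?/g;
   return $text;
}

### Partition the data into types
my (@portscanlines, @genlines, @otherlines, $begin, $end);
while (my $line = <STDIN>) {
   $line =~ s/netgear RAS: //;
   # First 15 characters of the first/last line are used as the time range.
   $begin = substr($line, 0, 15) unless defined $begin;
   $end = $line;
   if ($line =~ /dpo=/) {
      push @portscanlines, $line;
   } elsif ($line =~ / GEN/) {
      push @genlines, $line;
   } elsif ($line =~ /last message repeated/) {
      # syslog's own repeat marker carries no router data; drop it
   } else {
      push @otherlines, $line;
   }
}
# Nothing read at all: produce no report.
exit(0) unless defined $end;
$end = substr($end, 0, 15);

### Print summary
print "=== Summary ===\n\n" if $Detail >= 10;
print "Begin:\t$begin\n";
print "End:\t$end\n";
print "\n";

# Extract the port number and source IP address.
my %scans_by_port;
my %ipaddrs;
my $unparsed = 0;
foreach my $line (@portscanlines) {
   my ($ipaddr, $portnum) = _parse_scan_line($line);
   if (!defined $ipaddr) {
      $unparsed++;
      next;
   }
   $scans_by_port{$portnum}++;
   $ipaddrs{$ipaddr}++;
}

# Summarize port scans by port number
my $total = 0;
print "Port #\t\tScans\tService Name\n";
print $separator;
foreach my $port (sort { $a <=> $b } keys %scans_by_port) {
   my $service = getservbyport($port, "tcp");
   $service = '' unless defined $service;
   print "$port\t\t$scans_by_port{$port}\t$service\n";
   $total += $scans_by_port{$port};
}
print $separator;
print "Total\t\t$total\n";
print "Unparsed:\t$unparsed\n" if $unparsed;
print "\n";

# Summarize port scans by initiating host
print "Scanned by\tScans\tHostname Lookup\n";
print $separator;
$total = 0;
foreach my $ip (sort { _ip_sort_key($a) cmp _ip_sort_key($b) } keys %ipaddrs) {
   my $packed = inet_aton($ip);
   # inet_aton returns undef for strings it cannot convert; skip the lookup
   # rather than hand gethostbyaddr an undefined address.
   my $host = defined $packed ? gethostbyaddr($packed, AF_INET) : undef;
   print "$ip\t$ipaddrs{$ip}\t" . _printable($host) . "\n";
   $total += $ipaddrs{$ip};
}
print $separator;
print "Total\t\t$total\n";
print "\n";

# Summarize other rule firings ($#array is the last index, not the count,
# which used to hide a single line and under-report by one).
if (@genlines) {
   print "Rules fired:\t" . scalar(@genlines) . "\n";
   print "\n";
}

# Summarize remaining output
if (@otherlines) {
   print "Uncategorized:\t" . scalar(@otherlines) . "!!!!!!!\n";
   print "\n";
}

if ($Detail >= 10) {
   ## Print all data
   print "=== Raw Data ===\n\n";
   if (@portscanlines) {
      print "Port scans:\n";
      print $_ for @portscanlines;
      print "\n";
   }
   if (@genlines) {
      print "Rule lines:\n";
      print $_ for @genlines;
      print "\n";
   }
   if (@otherlines) {
      print "Other lines:\n";
      print $_ for @otherlines;
      print "\n";
   }
}
exit(0);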
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: