########################################################################## # $Id$ ########################################################################## # $Log: pix,v $ # Revision 1.4 2008/06/30 23:07:51 kirk # fixed copyright holders for files where I know who they should be # # Revision 1.3 2008/03/24 23:31:26 kirk # added copyright/license notice to each script # # Revision 1.2 2007/02/16 03:30:55 bjorn # Change to Unix text, without CR/LF, by Ivana Varekova. # # Revision 1.1 2006/12/20 04:24:07 bjorn # New script for cisco pix files, written by Bob Hendry. # ########################################################################## ####################################################### ## Copyright (c) 2008 Bob Hendry ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. 
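#########################################################
#
# Logwatch filter for Cisco PIX syslog messages.
#
# Reads syslog lines on STDIN, keeps those whose timestamp matches the
# Logwatch date filter, and tallies the PIX message ids handled below
# (106023, 106100, 302013/14/15/16, 302020/21, 710003) into per-ACL,
# per-action and per-service counters that are printed at the end.
#
# Parsing is positional: each message is normalised by stripping the
# message id and punctuation, then split on whitespace, and fields are
# picked by index.  The indices assume the PIX message formats these
# branches were written against; a firewall that emits a different
# layout will yield wrong (not just missing) counts.  The values taken
# from the log (ACL names, addresses, ports) are untrusted text and are
# only ever used as hash keys and printed, never interpolated into a
# pattern or a command.
#
use strict;
use warnings;

use Logwatch ':all';

##########################################################################
# Apply date for Cisco PIX
##########################################################################
use POSIX qw(strftime);
use Logwatch ':dates';

my $SearchDate = TimeFilter('%b %e %H:%M:%S');
my $Debug      = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail     = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;   # read for parity with other filters; unused here
my $DebugCounter = 1;

if ( $Debug >= 5 ) {
   print STDERR "\n\nDEBUG: Inside PIX Filter \n\n";
   $DebugCounter = 1;
}

# Accumulators, keyed by ACL name, action word, connection id or source IP.
my (%ACL, %ACTION, %CONNECTION_ID, %OtherList);
my (%SSH, %TELNET, %FTP, %DNS, %NTP, %SYSLOG, %ICMP);
my $packets        = 0;
my $IPV6_packets   = 0;
my $SSH_packets    = 0;
my $TELNET_packets = 0;
my $FTP_packets    = 0;
my $DNS_packets    = 0;
my $NTP_packets    = 0;
my $SYSLOG_packets = 0;
my $ICMP_packets   = 0;

# _tally(\%bucket, \$total, $key, $count): add $count to the per-key
# bucket and to the running total for that service.
sub _tally {
   my ($bucket, $total_ref, $key, $count) = @_;
   $bucket->{$key} += $count;
   ${$total_ref}   += $count;
   return;
}

# _report($title, \%counts, $total, $ipv6_total): print one report
# section, or nothing when the section has no entries.  The optional
# IPv6 total line is only printed when it is defined and positive.
sub _report {
   my ($title, $counts, $total, $ipv6_total) = @_;
   return unless keys %{$counts};
   print "\n$title:\n";
   for my $key (sort keys %{$counts}) {
      print " $key : $counts->{$key} Hit(s)\n";
   }
   print " Total : $total Hit(s)\n";
   if (defined $ipv6_total and $ipv6_total > 0) {
      print " IPv6 Total : $ipv6_total Hit(s)\n";
   }
   return;
}

LINE: while (defined(my $ThisLine = <STDIN>)) {
   # Lines outside the reporting window are dropped silently.
   next LINE unless $ThisLine =~ m/^$SearchDate/o;

   if ( $Debug >= 30 ) {
      print STDERR "DEBUG($DebugCounter): $ThisLine";
      $DebugCounter++;
   }

   # Per-line state is reset here so a branch that does not set a field
   # (e.g. ICMP denies have no port) cannot inherit it from the previous line.
   my $count            = 0;
   my $accesslist       = '';
   my $action           = '';
   my $protocol         = '';
   my $connection_id    = '';
   my $icmp_type        = '';
   my $source_ip        = '';
   my $source_port      = 0;
   my $destination_ip   = '';
   my $destination_port = 0;
   my @testfields;

   if ( ($ThisLine =~ /(ISDN-6-.+)/ )
     or ($ThisLine =~ /Copyright/ )
     or ($ThisLine =~ /Cisco Internetwork Operating System Software/ )
     or ($ThisLine =~ /IOS \(tm\)/ )
     or ($ThisLine =~ /TAC:Home:SW:IOS:Specials/ ) ) {
      # don't care about this, will code this later
   }
   elsif ( $ThisLine =~ /%PIX-4-106023:/) {
      # Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" [0x0, 0x0]
      my $testline = $ThisLine;
      chomp $testline;
      $testline =~ s/^.*PIX-4-106023: Deny //;
      $testline =~ s/\[0x0, 0x0\]//;
      $testline =~ s/"/ /g;
      $testline =~ s/by access-group//;
      $testline =~ s/[:,]/ /g;
      $testline =~ s/\// /g;
      @testfields = split(' ',$testline);
      $accesslist = $testfields[-1] // '';
      $action     = "Deny";
      $protocol   = $testfields[0] // '';
      if ($protocol =~ /(tcp|udp)/) {
         $count            = 1;
         $source_ip        = $testfields[3] // '';
         $source_port      = $testfields[4] // 0;
         $destination_ip   = $testfields[7] // '';
         $destination_port = $testfields[8] // 0;   # was @dfields[8], an unset array: port never matched
      }
      elsif ($protocol =~ /icmp/) {
         $count          = 1;
         $source_ip      = $testfields[3] // '';
         $destination_ip = $testfields[7] // '';
         $icmp_type      = $testfields[8] // '';
      }
      elsif ($protocol =~ /41/) {
         # IPv6 (protocol 41, IPv6-in-IPv4); feeds the IPv6 total that the
         # ACL/Action sections print.
         $count            = 1;
         $source_ip        = $testfields[3] // '';
         $source_port      = $testfields[4] // 0;
         $destination_ip   = $testfields[7] // '';
         $destination_port = $testfields[8] // 0;
         $IPV6_packets    += $count;
      }
      else {
         $count = 0;
      }
      $ACL{$accesslist} += $count;
      $ACTION{$action}  += $count;
      $packets          += $count;
      if ( ($destination_port == 22) and ($protocol =~ /TCP|tcp/) ) {
         _tally(\%SSH, \$SSH_packets, $source_ip, $count);
      }
      if ( ($destination_port == 23) and ($protocol =~ /TCP|tcp/) ) {
         _tally(\%TELNET, \$TELNET_packets, $source_ip, $count);
      }
   }
   elsif ($ThisLine =~ /%PIX-6-106100:/) {
      # access-list <acl> <permitted|denied> <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) ...
      my $testline = $ThisLine;
      chomp $testline;
      $testline =~ s/^.*%PIX-6-106100://;
      $testline =~ s/ ->//;
      $testline =~ s/[:,]/ /g;
      $testline =~ s/\// /g;
      $testline =~ s/[()]/ /g;
      @testfields = split(' ',$testline);
      $accesslist = $testfields[1] // '';
      $action     = $testfields[2] // '';
      $protocol   = $testfields[3] // '';
      if ($protocol =~ /(TCP|UDP|tcp|udp)/) {
         $count            = 1;
         $source_ip        = $testfields[5] // '';
         $source_port      = $testfields[6] // 0;
         $destination_ip   = $testfields[8] // '';
         $destination_port = $testfields[9] // 0;
      }
      elsif ($protocol =~ /icmpv6/) {
         # not implemented; counted as 0 rather than reusing a stale count
      }
      else {
         $count = 0;
      }
      $ACL{$accesslist} += $count;
      $ACTION{$action}  += $count;
      $packets          += $count;
      if ( ($destination_port == 22) and ($protocol =~ /TCP|tcp/) ) {
         _tally(\%SSH, \$SSH_packets, $source_ip, $count);
      }
      if ( ($destination_port == 23) and ($protocol =~ /TCP|tcp/) ) {
         _tally(\%TELNET, \$TELNET_packets, $source_ip, $count);
      }
      if ( ($destination_port == 21) and ($protocol =~ /TCP|tcp/) ) {
         _tally(\%FTP, \$FTP_packets, $source_ip, $count);
      }
   }
   #Error Message %PIX|ASA-6-302013
   elsif ($ThisLine =~ /%PIX-6-302013: Built/) {
      # Remember the connection id so the matching Teardown can be attributed.
      my $testline = $ThisLine;
      chomp $testline;
      $testline =~ s/^.*%PIX-6-302013: Built//;
      $testline =~ s/[:,]/ /g;
      $testline =~ s/\// /g;
      $testline =~ s/[()]/ /g;
      @testfields = split(' ',$testline);
      $connection_id = $testfields[3] // '';
      $CONNECTION_ID{$connection_id} = $connection_id;
   }
   #Error Message %PIX|ASA-6-302015
   elsif ($ThisLine =~ /%PIX-6-302015: Built/) {
      my $testline = $ThisLine;
      chomp $testline;
      $testline =~ s/^.*%PIX-6-302015: Built//;
      $testline =~ s/[:,]/ /g;
      $testline =~ s/\// /g;
      $testline =~ s/[()]/ /g;
      @testfields = split(' ',$testline);
      $connection_id = $testfields[3] // '';
      $CONNECTION_ID{$connection_id} = $connection_id;
   }
   #Error Message %PIX|ASA-6-302014
   elsif ($ThisLine =~ /%PIX-6-302014: Teardown/) {
      # TCP teardown: only connections seen being Built are counted,
      # so a teardown for an unknown id (e.g. from before the window) is ignored.
      my $testline = $ThisLine;
      chomp $testline;
      $testline =~ s/^.*%PIX-6-302014: Teardown//;
      $testline =~ s/[:,]/ /g;
      $testline =~ s/\// /g;
      $testline =~ s/[()]/ /g;
      @testfields = split(' ',$testline);
      $protocol         = $testfields[0]  // '';
      $connection_id    = $testfields[2]  // '';
      $count            = 1;
      $source_ip        = $testfields[5]  // '';
      $source_port      = $testfields[6]  // 0;
      $destination_ip   = $testfields[11] // '';
      $destination_port = $testfields[12] // 0;
      if (exists $CONNECTION_ID{$connection_id}) {
         if ( ($destination_port == 21) and ($protocol =~ /TCP|tcp/) ) {
            _tally(\%FTP, \$FTP_packets, $source_ip, $count);
         }
         if ( ($destination_port == 22) and ($protocol =~ /TCP|tcp/) ) {
            _tally(\%SSH, \$SSH_packets, $source_ip, $count);
         }
         if ( ($destination_port == 23) and ($protocol =~ /TCP|tcp/) ) {
            _tally(\%TELNET, \$TELNET_packets, $source_ip, $count);
         }
      }
   }
   #Error Message %PIX|ASA-6-302016
   elsif ($ThisLine =~ /%PIX-6-302016: Teardown/) {
      # UDP teardown: services are recognised by the *source* port here
      # (replies from DNS/NTP/syslog servers).
      my $testline = $ThisLine;
      chomp $testline;
      $testline =~ s/^.*%PIX-6-302016: Teardown//;
      $testline =~ s/[:,]/ /g;
      $testline =~ s/\// /g;
      $testline =~ s/[()]/ /g;
      @testfields = split(' ',$testline);
      $protocol         = $testfields[0]  // '';
      $connection_id    = $testfields[2]  // '';
      $count            = 1;
      $source_ip        = $testfields[5]  // '';
      $source_port      = $testfields[6]  // 0;
      $destination_ip   = $testfields[11] // '';
      $destination_port = $testfields[12] // 0;
      if (exists $CONNECTION_ID{$connection_id}) {
         if ( ($source_port == 53) and ($protocol =~ /UDP|udp/) ) {
            _tally(\%DNS, \$DNS_packets, $source_ip, $count);
         }
         if ( ($source_port == 123) and ($protocol =~ /UDP|udp/) ) {
            _tally(\%NTP, \$NTP_packets, $source_ip, $count);
         }
         if ( ($source_port == 514) and ($protocol =~ /UDP|udp/) ) {
            _tally(\%SYSLOG, \$SYSLOG_packets, $source_ip, $count);
         }
      }
   }
   elsif ( $ThisLine =~ /%PIX-3-710003:/) {
      # <proto> access denied by ACL from <ip>/<port> to <if>:<ip>/<port>
      my $testline = $ThisLine;
      chomp $testline;
      $testline =~ s/^.*%PIX-3-710003://;
      $testline =~ s/[:,]/ /g;
      $testline =~ s/\// /g;
      @testfields = split(' ',$testline);
      $accesslist = $testfields[4] // '';
      $action     = "denied";
      $protocol   = $testfields[0] // '';
      if ($protocol =~ /(TCP|UDP|tcp|udp)/) {
         $count            = 1;
         $source_ip        = $testfields[6]  // '';
         $source_port      = $testfields[7]  // 0;
         $destination_ip   = $testfields[10] // '';
         $destination_port = $testfields[11] // 0;
      }
      elsif ($protocol =~ /icmpv6/) {
         $source_ip        = $testfields[3] // '';
         $source_port      = 0;
         $destination_ip   = $testfields[4] // '';
         $destination_port = 0;
         $icmp_type        = $testfields[5] // '';
         $count            = $testfields[6] // 0;   # the log carries the hit count itself
      }
      else {
         $count = 0;
      }
      $ACL{$accesslist} += $count;
      $ACTION{$action}  += $count;
      $packets          += $count;
      if ( ($destination_port == 22) and ($protocol =~ /TCP|tcp/) ) {
         _tally(\%SSH, \$SSH_packets, $source_ip, $count);
      }
   }
   #Error Message %PIX|ASA-6-302020
   elsif ($ThisLine =~ /%PIX-6-302020: Built ICMP connection for faddr/) {
      my $testline = $ThisLine;
      chomp $testline;
      $testline =~ s/^.*%PIX-6-302020: Built ICMP connection for faddr//;
      $testline =~ s/[:,]/ /g;
      $testline =~ s/\// /g;
      $testline =~ s/[()]/ /g;
      @testfields = split(' ',$testline);
      $connection_id = $testfields[0] // '';
      $CONNECTION_ID{$connection_id} = $connection_id;
   }
   #Error Message %PIX|ASA-6-302021
   elsif ($ThisLine =~ /%PIX-6-302021: Teardown ICMP connection for faddr/) {
      # For ICMP the "connection id" recorded above is the foreign address,
      # which is also what the ICMP report is keyed on.
      my $testline = $ThisLine;
      chomp $testline;
      $testline =~ s/^.*%PIX-6-302021: Teardown ICMP connection for faddr//;
      $testline =~ s/[:,]/ /g;
      $testline =~ s/\// /g;
      $testline =~ s/[()]/ /g;
      @testfields = split(' ',$testline);
      $connection_id = $testfields[0] // '';
      $count         = 1;
      $source_ip     = $connection_id;
      if (exists $CONNECTION_ID{$connection_id}) {
         _tally(\%ICMP, \$ICMP_packets, $source_ip, $count);
      }
   }
   else {
      # Report any unmatched entries...
      chomp $ThisLine;
      $OtherList{$ThisLine}++;
   }
}

_report('Access Control Lists', \%ACL,    $packets, $IPV6_packets);
_report('Actions',              \%ACTION, $packets, $IPV6_packets);
_report('ICMP Requests',        \%ICMP,   $ICMP_packets);
_report('SSH access',           \%SSH,    $SSH_packets);
_report('TELNET access',        \%TELNET, $TELNET_packets);
_report('FTP access',           \%FTP,    $FTP_packets);
_report('DNS access',           \%DNS,    $DNS_packets);
_report('NTP access',           \%NTP,    $NTP_packets);
_report('SYSLOG access',        \%SYSLOG, $SYSLOG_packets);

#if (keys %OtherList) {
#   print "\n**Unmatched Entries**\n";
#   foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
#      print " $line: $OtherList{$line} Time(s)\n";
#   }
#}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: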