Networking Forums

Networking Forums > Computer Networking > Linux Networking > iptables logfile parsing tool

iptables logfile parsing tool

Will Hall
      11-04-2003, 12:21 PM
I'm using this perl tool to scan my logfiles each night (cron). It
runs on a RedHat9 server and scans /var/log/messages for log entries
from my iptables firewall (identified by "Firewall" prefix). Here's an
example of what I get each morning to see who's been mucking around
with my ip address from the previous day.

Summary for Oct 30: 459 hits from 117 addresses:
212.219.247.20   20   forfremont.mirror.ac.uk       tcp  13   32778
                                                    tcp  7    32779
212.219.247.13   19   forgriffithx.mirror.ac.uk     tcp  13   32776
                                                    tcp  6    32777
62.69.130.242    17                                 tcp  17   microsoft-ds
62.69.92.228     16                                 icmp 16   Echo request
62.69.99.252     14                                 icmp 14   Echo request
62.69.101.110    14                                 icmp 14   Echo request
62.69.67.218     12                                 icmp 12   Echo request
80.15.136.57     12   -7-57.w80-15.abo.wanadoo.fr   tcp  12   microsoft-ds
213.239.57.81    11   maxlb1ip.uk2net.com           tcp  11   49831
62.69.93.137     10                                 icmp 10   Echo request
62.69.96.240     10                                 icmp 10   Echo request


It can be configured to mail results or to display them to stdout.

So, if anyone thinks it might be useful then go ahead. If anyone has
any comments then I'd be glad to hear them (constructive ones would be
nice, I'm new to perl and it was just an excuse to dabble in it.)
I'm also aware that it's not Windows friendly (i.e. unix calls) and
could be 100% perl, but hey - bothered!

Here it is...

#!/usr/bin/perl
require 5.008;          # list-form pipe opens (open FH, '-|', LIST) need 5.8
use strict;
use Getopt::Long;

my $day     = 1;
my $limit   = 10;
my $stdout  = undef;
my $help    = undef;
my $search  = "Firewall";
my $mailto  = 'root';
my $logfile = "/var/log/messages*";

# Option names match the ones documented in Usage() (-day, not -date).
Usage() if !GetOptions ("day=i"     => \$day,
                        "limit=i"   => \$limit,
                        "stdout"    => \$stdout,
                        "key=s"     => \$search,
                        "user=s"    => \$mailto,
                        "message=s" => \$logfile,
                        "help"      => \$help);

Usage() if defined $help;

my $date = `date -d '-$day days' +"%b %e"`;
chomp $date;
# Pre-filter: only lines carrying both the firewall key and the wanted date.
my @logs = `cat $logfile | awk '/$search/ && /$date/'`;
my %ll;    # $ll{src}{proto}{port-or-icmp-type}{TYPE} = hits, {CODE} = icmp code
my %cc;    # $cc{src} = total hits from that source address
my $hostname = `uname -n`;
chomp $hostname;   # otherwise the newline ends up inside the mail subject
my $title = "Firewall logs for $hostname - $date";
my @out;

foreach my $logentry (@logs)
{
    my ($proto, $src, $port, $code);
    chomp $logentry;
    if ($logentry =~ /SRC=(\S*).*PROTO=ICMP.*TYPE=(\S*).+CODE=(\S*)/)
    {
        ($proto, $src, $port, $code) = ("ICMP", $1, $2, $3);
    }
    elsif ($logentry =~ /SRC=(\S*).*PROTO=TCP.*DPT=(\S*)/)
    {
        ($proto, $src, $port) = ("TCP", $1, $2);
    }
    elsif ($logentry =~ /SRC=(\S*).*PROTO=UDP.*DPT=(\S*)/)
    {
        ($proto, $src, $port) = ("UDP", $1, $2);
    }
    else { push @out, "Unmatched:$logentry\n"; next };

    $ll{$src}{$proto}{$port}{"TYPE"}++;
    $ll{$src}{$proto}{$port}{"CODE"} = $code if defined $code;
    $cc{$src}++;
}

my %serv = load_services();
my %icmp = load_icmp();

# Report sources in descending hit order; the first line for a source carries
# the address, count and reverse name, further lines for it are indented.
foreach my $ip (sort {$cc{$b} <=> $cc{$a}} keys %cc)
{
    next if $cc{$ip} < $limit;
    my $host  = trans_host($ip);
    my $first = undef;
    my $text  = sprintf "%-16s %-4d %s", $ip, $cc{$ip}, $host;
    foreach my $proto (keys %{ $ll{$ip} })
    {
        foreach my $port (keys %{ $ll{$ip}{$proto} })
        {
            my $service = trans_service($ip, $proto, $port);
            $text = "" if defined $first;
            push @out, (sprintf " %-60s %-4s %-4d %-17s\n", $text,
                        lc($proto), $ll{$ip}{$proto}{$port}{"TYPE"}, $service);
            $first = 1;
        }
    }
}

sub trans_host
{
    my $ip = shift;
    # Only resolve dotted-quad addresses, and run host without a shell so that
    # nothing taken from the log can be read as shell syntax.
    return "" unless $ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;
    open(my $fh, '-|', 'host', $ip) or return "";
    my $line = <$fh>;
    close $fh;
    my @fields = split ' ', (defined $line ? $line : "");
    my $host = defined $fields[4] ? $fields[4] : "";   # same field as cut -f5
    $host =~ s/(3\(NXDOMAIN\))|(2\(SERVFAIL\))//g;
    $host =~ s/\.$//;
    if (length($host) > 38)     # numeric compare; "gt" compared as strings
    {
        $host = substr($host, length($host) - 38, 38);
    }
    return $host;
}

my $summary = generate_summary();

if (defined $stdout)
{
    print $summary, @out, "\n";
}
else
{
    # Write the report to mail's stdin instead of echoing it through a shell,
    # so quotes or backticks inside a resolved hostname cannot alter the command.
    open(my $mail, '|-', 'mail', '-s', $title, $mailto)
        or die "cannot run mail: $!\n";
    print $mail $summary, @out, "\n";
    close $mail;
}

sub generate_summary
{
    my ($hits, $addresses) = (0, 0);
    foreach (keys %cc)
    {
        $hits += $cc{$_};
        $addresses++;
    }
    return "Summary for $date: $hits hits from $addresses addresses:\n";
}

sub trans_service
{
    my ($ip, $proto, $port) = @_;
    my $service;
    if ($proto eq "ICMP")
    {
        my $code = $ll{$ip}{$proto}{$port}{'CODE'};
        $service = $icmp{$port}{$code};
    }
    else
    {
        $service = $serv{$port . "/" . lc($proto)};
    }
    $service = $port if !defined $service;
    return $service;
}

sub load_services
{
    # Build "port/proto" => name from /etc/services, skipping comment lines.
    my %ss;
    foreach (`awk '!/^#/ {print \$2":"\$1}' < /etc/services`)
    {
        chomp;
        my ($key, $val) = (split ':');
        $ss{"$key"} = $val;
    }
    return %ss;
}

sub load_icmp
{
    # $icmp{type}{code} => description
    my %icmp;

    $icmp{0}{0}  = "Echo Reply";
    $icmp{3}{0}  = "Network Unreachable";
    $icmp{3}{1}  = "Host Unreachable";
    $icmp{3}{2}  = "Protocol Unreachable";
    $icmp{3}{3}  = "Port Unreachable";
    $icmp{3}{4}  = "Fragmentation needed but no frag. bit set";
    $icmp{3}{5}  = "Source routing failed";
    $icmp{3}{6}  = "Destination network unknown";
    $icmp{3}{7}  = "Destination host unknown";
    $icmp{3}{9}  = "Destination network administratively prohibited";
    $icmp{3}{10} = "Destination host administratively prohibited";
    $icmp{3}{11} = "Network unreachable for TOS";
    $icmp{3}{12} = "Host unreachable for TOS";
    $icmp{3}{13} = "Communication administratively prohibited by filtering";
    $icmp{3}{14} = "Host precedence violation";
    $icmp{3}{15} = "Precedence cutoff in effect";
    $icmp{4}{0}  = "Source quench";
    $icmp{5}{0}  = "Redirect for network";
    $icmp{5}{1}  = "Redirect for host";
    $icmp{5}{2}  = "Redirect for TOS and network";
    $icmp{5}{3}  = "Redirect for TOS and host";
    $icmp{8}{0}  = "Echo request";
    $icmp{9}{0}  = "Router advertisement";
    $icmp{10}{0} = "Route solicitation";
    $icmp{11}{0} = "TTL equals 0 during transit";
    $icmp{11}{1} = "TTL equals 0 during reassembly";
    $icmp{12}{0} = "IP header bad (catchall error)";
    $icmp{12}{1} = "Required options missing";
    $icmp{17}{0} = "Address mask request";
    $icmp{18}{0} = "Address mask reply";

    return %icmp;
}

sub Usage
{
    print "Usage $0: [options]
options are:
    -day day        previous day number - 0 today, 1 yesterday.
                    (default: $day)
    -limit hits     ignore less than (hits) before recording entry.
                    (default: $limit)
    -key key        search key for firewall logs.
                    (default: \"$search\")
    -stdout         print results to stdout, does not mail.
                    (default: no)
    -user mailuser  mail user to receive report.
                    (default: $mailto)
    -message file   message file.
                    (default: $logfile)
    -help           help this message.
\n";
    exit 1;
}


Comments to will-NO-SPAM-hall AT email DOT com.
 
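The same summary as an added example in Python; this is not part of the original post or the poster's script. It does the three things a defender wants from a log summariser that the script above leaves to the shell: it reads netfilter LOG lines as key=value fields rather than positional regexes, it refuses to count a line whose SRC is not a real IP address (so a crafted syslog line cannot smuggle arbitrary text into the report), and it never passes log-derived strings to a shell. The log lines, the SERVICES and ICMP tables, and the function names are constructed for the example; the ICMP descriptions are the ones from the script's load_icmp table.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real traffic) in the netfilter LOG format the
# poster's script matches on: syslog prefix, the "Firewall" key, key=value fields.
# One line has an invalid SRC (exercises the unmatched path), one is from the
# previous day, and one is not a firewall line at all.
SAMPLE_LOG = """\
Oct 30 01:02:03 gw kernel: Firewall IN=eth0 OUT= SRC=62.69.130.242 DST=10.0.0.1 LEN=48 TTL=115 ID=1 DF PROTO=TCP SPT=3456 DPT=445 WINDOW=16384 SYN URGP=0
Oct 30 01:02:09 gw kernel: Firewall IN=eth0 OUT= SRC=62.69.130.242 DST=10.0.0.1 LEN=48 TTL=115 ID=2 DF PROTO=TCP SPT=3457 DPT=445 WINDOW=16384 SYN URGP=0
Oct 30 02:15:00 gw kernel: Firewall IN=eth0 OUT= SRC=62.69.92.228 DST=10.0.0.1 LEN=84 TTL=52 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Oct 30 02:15:01 gw kernel: Firewall IN=eth0 OUT= SRC=62.69.92.228 DST=10.0.0.1 LEN=84 TTL=52 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
Oct 30 03:00:00 gw kernel: Firewall IN=eth0 OUT= SRC=213.239.57.81 DST=10.0.0.1 LEN=40 TTL=48 ID=9 PROTO=UDP SPT=53 DPT=49831 LEN=20
Oct 30 05:00:00 gw kernel: Firewall IN=eth0 OUT= SRC=not-an-ip DST=10.0.0.1 PROTO=TCP SPT=1 DPT=22
Oct 29 23:59:59 gw kernel: Firewall IN=eth0 OUT= SRC=1.2.3.4 DST=10.0.0.1 PROTO=TCP SPT=1 DPT=22
Oct 30 04:00:00 gw sshd[123]: Accepted password for will from 10.0.0.5 port 4000 ssh2
"""

# Constructed lookup tables standing in for /etc/services and the ICMP table,
# keyed the same way as the Perl version ("port/proto" and (type, code)).
SERVICES = {"445/tcp": "microsoft-ds", "22/tcp": "ssh", "53/udp": "domain"}
ICMP = {(0, 0): "Echo Reply", (3, 3): "Port Unreachable", (8, 0): "Echo request"}

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (src, proto, target) for a netfilter LOG line, or None when the
    line has no valid SRC / PROTO.  target is the DPT for TCP/UDP and the
    (type, code) pair for ICMP.  SRC must parse as an IP address."""
    fields = dict(FIELD.findall(line))  # later duplicates (the ICMP ID) win
    try:
        src = str(ipaddress.ip_address(fields.get("SRC", "")))
    except ValueError:
        return None
    proto = fields.get("PROTO", "").upper()
    try:
        if proto == "ICMP":
            return src, proto, (int(fields["TYPE"]), int(fields["CODE"]))
        if proto in ("TCP", "UDP"):
            return src, proto, int(fields["DPT"])
    except (KeyError, ValueError):
        pass
    return None


def service_name(proto, target):
    """Map a protocol/target pair to a name, falling back to the raw value."""
    if proto == "ICMP":
        return ICMP.get(target, "type %d code %d" % target)
    return SERVICES.get("%d/%s" % (target, proto.lower()), str(target))


def summarize(lines, date, key="Firewall", limit=10):
    """Aggregate the lines containing both key and date, as the awk pre-filter
    did.  Returns (total_hits, address_count, rows, unmatched); rows are
    (src, hits_for_src, proto, service, hits_for_target), sorted by source
    total descending.  Sources under `limit` stay in the totals but get no
    rows, which is what the Perl script does too."""
    counts = defaultdict(lambda: defaultdict(int))  # src -> (proto, target) -> n
    unmatched = []
    for line in lines:
        if key not in line or date not in line:
            continue
        parsed = parse_line(line)
        if parsed is None:
            unmatched.append(line)
            continue
        src, proto, target = parsed
        counts[src][(proto, target)] += 1
    totals = {src: sum(c.values()) for src, c in counts.items()}
    rows = []
    for src in sorted(totals, key=lambda s: (-totals[s], s)):
        if totals[src] < limit:
            continue
        for (proto, target), n in sorted(counts[src].items(), key=lambda kv: -kv[1]):
            rows.append((src, totals[src], proto.lower(), service_name(proto, target), n))
    return sum(totals.values()), len(totals), rows, unmatched


def format_report(date, total, addresses, rows, unmatched):
    """Render the same shape of report the poster receives each morning."""
    out = ["Summary for %s: %d hits from %d addresses:" % (date, total, addresses)]
    last = None
    for src, src_hits, proto, service, n in rows:
        lead = "%-16s %-4d" % (src, src_hits) if src != last else " " * 21
        out.append("%s %-4s %-4d %s" % (lead, proto, n, service))
        last = src
    out.extend("Unmatched: " + line for line in unmatched)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report("Oct 30", *summarize(SAMPLE_LOG.splitlines(), "Oct 30", limit=1)))
```

Reverse-DNS names are deliberately left out: if you add them, resolve with `socket.gethostbyaddr` and treat the result as untrusted text, since a PTR record is chosen by whoever controls the scanning address, and it is exactly that string which the script's `echo "..." | mail` construction hands to a shell.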
Joe Dunning
      11-05-2003, 12:16 AM
On 4 Nov 2003 05:21:51 -0800, Will Hall <(E-Mail Removed)> wrote:
>I'm using this perl tool to scan my logfiles each night (cron). It
>runs on a RedHat9 server and scans /var/log/messages for log entries
>from my iptables firewall (identified by "Firewall" prefix). Here's an



That's interesting, but did you look at "logwatch" first?
Will Hall
      11-05-2003, 07:16 AM
(E-Mail Removed)lid (Joe Dunning) wrote in message news:<2cYpb.108384$Fm2.93696@attbi_s04>...
> On 4 Nov 2003 05:21:51 -0800, Will Hall <(E-Mail Removed)> wrote:
> >I'm using this perl tool to scan my logfiles each night (cron). It
> >runs on a RedHat9 server and scans /var/log/messages for log entries
> >from my iptables firewall (identified by "Firewall" prefix). Here's an

>
>
> That's interesting, but did you look at "logwatch" first?


Very true, and one day I'll do just that. I was more interested in
getting opinions on its functionality and not the implementation.
Joe Dunning
      11-05-2003, 09:41 PM
On 5 Nov 2003 00:16:47 -0800, Will Hall <(E-Mail Removed)> wrote:

>(E-Mail Removed) (Joe Dunning) wrote in message

news:<2cYpb.108384$Fm2.93696@attbi_s04>...

>> On 4 Nov 2003 05:21:51 -0800, Will Hall <(E-Mail Removed)> wrote:
>> >I'm using this perl tool to scan my logfiles each night (cron). It
>> >runs on a RedHat9 server and scans /var/log/messages for log entries
>> >from my iptables firewall (identified by "Firewall" prefix). Here's an

>>
>>
>> That's interesting, but did you look at "logwatch" first?

>
>Very true, and one day I'll do just that. I was more interested in
>getting opinions on its functionality and not the implementation.


I think you misunderstood me. "logwatch" does what your script does and
much more. It is an existing tool with all the capabilities you describe.
Kenneth Porter
      11-21-2003, 06:54 PM
(E-Mail Removed)lid (Joe Dunning) wrote in news:R0fqb.83180$mZ5.565128
@attbi_s54:

> I think you misunderstood me. "logwatch" does what your script does and
> much more. It is an existing tool with all the capabilities you describe.


Moreover, a recent post to the logwatch mailing list by the logwatch
maintainer has a nice concise iptables report format. With a little work it
would make a good replacement for the current format.

--
Kenneth Porter
http://www.sewingwitch.com/ken/