[Logwatch-Devel] kernel/kernel.diff files for iptables parsing

James Wysynski wysynskij@yahoo.com
Sun, 4 Aug 2002 12:27:23 -0700 (PDT)


Here are the diff and the kernel file in a (more)
human-readable format.  My apologies.

-James

====================================

88d87
<    # IPCHAINS 
122,123c121
<    # IPTABLES
<    } elsif (
($chain,$ifin,$ifout,$fromip,$toip,$proto,$fromport,$toport)
= ($ThisLine =~
/^(.*)IN=(\w*).*OUT=(\w*).*SRC=([\d|\.]*).*DST=([\d|\.]*).*PROTO=(\w*).*SPT=(\w*).*DPT=(\w*)/
) ){
---
>    } elsif(
($chain,$ifin,$ifout,$fromip,$toip,$proto,$fromport,$toport)
= ( $ThisLine =~
/^(\w*)\s+IN=(\w+)\sOUT=(\w+)\sSRC=([\d|\.]+)\sDST=([\d|\.]+).*PROTO=(\w+)\sSPT=(\d+)\sDPT=(\d+)\s/
) ){
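Review bot: The `<`-side regex, the version that matches the attached listing, uses `[\d|\.]*` for SRC and DST, which admits a literal `|` and an empty capture, and `(\w*)` for SPT and DPT, so a LOG line whose address or port field is malformed still matches and `''` reaches LookupIP, where `split` yields no octets and `pack('C4', ...)` warns under `-w` before resolving 0.0.0.0. Tightening the fields to `SRC=([\d.]+)`, `DST=([\d.]+)`, `SPT=(\d+)` and `DPT=(\d+)` lets such lines fall through to the `%Kernel` bucket instead. The six-capture regex in the `135,174d131` hunk uses the same class. The message does not say which file was given to diff first; I have taken `<` as the submitted version because it matches the listing that follows the diff.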
133d130
<       
135,174d131
< 	if ( $chain =~ /.*reject.*/i ) {	    
<            $RejectCount{$fromhost}++;
<           
$Rejected{$fromhost}{"$tohost:$toport\t\($proto,$ifin,$ifout,$chain\)"}++;
<         } elsif ( $chain =~ /.*drop.*/i ) {
<             $DropCount{$fromhost}++;
<           
$Dropped{$fromhost}{"$tohost:$toport\t\($proto,$ifin,$ifout,$chain\)"}++;
<         } elsif ( $chain =~ /.*deny.*/i ) {
<             $DenyCount{$fromhost}++;
<           
$Denied{$fromhost}{"$tohost:$toport\t\($proto,$ifin,$ifout,$chain\)"}++;
<         } elsif ( $chain =~ /.*accept.*/i ) {
<            $AcceptCount{$fromhost}++;
<           
$Accepted{$fromhost}{"$tohost:$toport\t\($proto,$ifin,$ifout,$chain\)"}++;
<         } else {
<            $iptCount{$fromhost}++;
<           
$ipt{$fromhost}{"$tohost:$toport\t\($proto,$ifin,$ifout,$chain\)"}++;
<         }
<       }
<    } elsif (
($chain,$ifin,$ifout,$fromip,$toip,$proto) =
($ThisLine =~
/^(.*)IN=(\w*).*OUT=(\w*).*SRC=([\d|\.]*).*DST=([\d|\.]*).*PROTO=(\w*)/
) ){
<       $fromhost = LookupIP($fromip);
<       $tohost = LookupIP($toip);
<       if ( $ proto =~ /\d+/ ) {
<          $proto = LookupProtocol($proto);
<       } else {
<          $proto = lc($proto);
<       }
< 
<       # this covers ICMP packets and others that
don't have a from/to port
<       if ( $chain =~ /.*reject.*/i ) {	    
<          $RejectCount{$fromhost}++;
<         
$Rejected{$fromhost}{"$tohost\t\($proto,$ifin,$ifout,$chain\)"}++;
<       } elsif ( $chain =~ /.*drop.*/i ) {
<          $DropCount{$fromhost}++;
<         
$Dropped{$fromhost}{"$tohost\t\($proto,$ifin,$ifout,$chain\)"}++;
<       } elsif ( $chain =~ /.*deny.*/i ) {
<          $DenyCount{$fromhost}++;
<         
$Denied{$fromhost}{"$tohost\t\($proto,$ifin,$ifout,$chain\)"}++;
<       } elsif ( $chain =~ /.*accept.*/i ) {
<          $AcceptCount{$fromhost}++;
<         
$Accepted{$fromhost}{"$tohost\t\($proto,$ifin,$ifout,$chain\)"}++;
<       } else {
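Review bot: `if ( $ proto =~ /\d+/ )` on the `<` side (here and in the eight-capture branch above it) is unanchored, so a protocol name that merely contains a digit is handed to getprotobynumber instead of being lowercased, and the stray space between sigil and name reads like a typo even though Perl accepts it; `if ( $proto =~ /^\d+$/ ) {` fixes both. The reject/drop/deny/accept chain that follows is the same five-way `elsif` in both iptables branches and differs only in the report key, which makes it a good candidate for one small tally subroutine taking the chain text, source host and key. The enclosing `while` loop starts and ends outside the hunk.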
176c133
<         
$ipt{$fromhost}{"$tohost\t\($proto,$ifin,$ifout,$chain\)"}++;
---
>         
$ipt{$fromhost}{"$tohost:$toport\t\($proto,$ifin,$ifout,$chain\)"}++;
178c135
<    } else {
---
>    } else{
182c139
<       $Kernel{$ThisLine}++;     
---
>       $Kernel{$ThisLine}++;
188c145
<          or (keys %Rejected) or (keys %Denied) or
(keys %Dropped)
---
>          or (keys %Rejected) or (keys %Denied)
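Review bot: `%Accepted` is absent from this summary condition on both sides, while the report body (outside the hunk) has an `if (keys %Accepted)` section, so a log containing only accepted packets prints no Kernel section at all. The `<` side already extends the test with `(keys %Dropped)`; adding `or (keys %Accepted)` on the same line keeps the condition in step with the sections it guards.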
234,243d190
<       if (keys %Dropped) {
<          foreach $host (keys %Dropped) {
<             print "\nDropped packets from $host.\n";
<             foreach $ThisOne (keys
%{$Dropped{$host}}) {
<                print "  Port $ThisOne:
$Dropped{$host}{$ThisOne} packet(s).\n";
<             }
<             print "Total of $DropCount{$host}
packet(s).\n";
<          }
<       }
< 
255,258c202,205
<          foreach $host (keys %ipt) {
<             print "\nLogged packets from $host.\n";
<             foreach $ThisOne (keys %{$ipt{$host}}) {
<                print "  Port $ThisOne:
$ipt{$host}{$ThisOne} packet(s).\n";
---
>          foreach $tohost (keys %ipt) {
>             print "\nLogged packets to $tohost.\n";
>             foreach $ThisOne (keys %{$ipt{$tohost}})
{
>                print "  $ThisOne:
$ipt{$tohost}{$ThisOne} packet(s).\n";
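Review bot: On the `<` side the per-line label `  Port $ThisOne:` is kept while the `%ipt` keys written by the iptables branches hold `$tohost:$toport` plus a `(proto,ifin,ifout,chain)` tuple, so the word "Port" mislabels the line; the `>` side's plain `  $ThisOne: ...` reads correctly for either layout. The same label is used by the Rejected, Denied, Dropped and Accepted sections, which now mix ipchains keys (bare port) and iptables keys (host:port). Whether `<` is the submitted version is my inference from the attached listing.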
260c207
<             print "Total of $iptCount{$host}
packet(s).\n";
---
>             print "Total of $iptCount{$tohost}
packet(s).\n";

=========================================

#!/usr/bin/perl -w
##########################################################################
# $Id: kernel,v 1.9 2002/06/17 02:47:42 kirk Exp $
##########################################################################
# $Log: kernel,v $
# Revision 1.9  2002/06/17 02:47:42  kirk
# *** empty log message ***
#
# Revision 1.8d 2002/06/13 gs 	order by $fromhost again
# Revision 1.8c 2002/06/12 gs 	fix bug that prevented output
# Revision 1.8b 2002/06/11 gs 	improved iptables support
# Revision 1.8a 2002/06/07 gs 	added iptables support again
# Revision 1.8  2002/03/28 05:00:00  kirk
# - Implemented several bug fixes and patches that have been sent in
# - Fixed a possible root exploit using a race condition in /tmp
# - Fixed bugs 46371, 56191, 58578, 61202, 61829, 61831, 61832 from bugzilla.redhat.com
#
# Revision 1.7  2000/09/22 15:59:05  kirk
# Prepping for Version 2.0.1
#
# Revision 1.6  2000/09/22 14:47:04  kirk
# *** empty log message ***
#
# Revision 1.5  1999/02/23 00:39:54  kirk
# Added code written by Fabrizio Zeno Cornelli <zeno@filibusta.crema.unimi.it>.
#
# Revision 1.4  1998/04/08 18:32:03  kirk
# Applied changes submitted by Luuk de Boer <luuk_de_boer@pi.net>. Thanks!
#
# Revision 1.3  1998/02/23 01:16:57  kirk
# Getting ready for a first distribution
#
# Revision 1.2  1998/02/22 22:36:28  kirk
# Created named...
#
# Revision 1.1  1998/02/22 21:45:41  kirk
# Added kernel message processing
#
##########################################################################

########################################################
# This was written and is maintained by:
#    Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
#    etc, to kirk@kaybee.org.
#
########################################################

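# Report verbosity.  LOGWATCH_DETAIL_LEVEL is exported by the logwatch
# driver; when the script is run by hand it is unset, and the "$Detail >= 5"
# tests below would then warn under -w, so a missing or non-numeric value
# is treated as 0.
$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};
$Detail = 0 unless defined $Detail and $Detail =~ /^\d+$/;
#$MaxFlood = $ENV{'MAXFLOOD'};
# Number of "IP fw-in deny" hits one (proto, source) pair must reach
# before the report calls it a scan.
$MaxFlood = 10;
# Largest per-(proto, source) count seen so far; compared with $MaxFlood.
$MaxNum = 0;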

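sub LookupIP {
   # Reverse-resolve a dotted-quad IPv4 address for the report.
   #
   # Argument: the address text captured from a log line.
   # Returns "hostname (address)" when a PTR record answers, otherwise the
   # address text unchanged.  Input that is not four octets in 0..255 is
   # returned as-is: the parsers' capture classes admit "", and the old
   # pack('C4', ...) over a short split warned under -w and then looked
   # up 0.0.0.0.
   my ($Addr) = @_;
   return ($Addr) unless defined $Addr;
   # One lookup per distinct address: a busy log repeats the same source
   # many times and every gethostbyaddr may wait on DNS.
   return $LookupIPCache{$Addr} if exists $LookupIPCache{$Addr};

   my @octets = split /\./, $Addr;
   my $valid = (@octets == 4);
   foreach my $octet (@octets) {
      $valid = 0 unless $octet =~ /^\d{1,3}$/ and $octet <= 255;
   }
   return ($Addr) unless $valid;

   my $PackedAddr = pack('C4', @octets);
   my $name = gethostbyaddr($PackedAddr, 2);   # 2 == AF_INET
   my $result = $Addr;
   if (defined $name and length $name) {
      # The PTR answer is chosen by whoever controls the reverse zone of
      # the address being reported, and the report is mailed on; keep it
      # to printable characters.
      $name =~ s/[^[:print:]]/?/g;
      $result = $name . " (" . $Addr . ")";
   }
   $LookupIPCache{$Addr} = $result;
   return ($result);
}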

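sub LookupService {
   # Map a numeric port to its service name for the given protocol.
   #
   # Arguments: $port (decimal port text from a log line), $proto
   # (protocol name such as "tcp", as returned by LookupProtocol).
   # Returns the registered service name when getservbyport knows one,
   # otherwise $port unchanged.  The parsers' capture classes allow ""
   # and non-digits, which getservbyport would warn about under -w, so
   # anything that is not all digits is returned as-is.
   my ($port, $proto) = @_;
   return ($port) unless defined $port and $port =~ /^\d+$/;
   return ($port) unless defined $proto;
   my $service = getservbyport($port, $proto);
   return ($service) if defined $service and length $service;
   return ($port);
}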

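sub LookupProtocol {
   # Map a numeric IP protocol to its name.
   #
   # Argument: $proto, the PROTO= value from a log line.
   # Returns the name getprotobynumber reports for a numeric value,
   # otherwise $proto unchanged.  Non-numeric input (newer kernels log
   # names, some of which contain digits) is returned untouched instead
   # of being passed to getprotobynumber, which warns under -w.
   my ($proto) = @_;
   return ($proto) unless defined $proto and $proto =~ /^\d+$/;
   my $name = getprotobynumber($proto);
   return ($name) if defined $name and length $name;
   return ($proto);
}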

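# Tally one firewall log entry under the verdict named in $verdict: the
# ipchains action word (REJECT/DENY/ACCEPT) or the admin-chosen iptables
# --log-prefix text, matched case-insensitively as a substring.  $host is
# the resolved source, $key the per-host detail string the report prints.
# Prefixes that name none of the four verdicts land in the generic %ipt
# bucket.
sub TallyPacket {
   my ($verdict, $host, $key) = @_;
   if ($verdict =~ /reject/i) {
      $RejectCount{$host}++;
      $Rejected{$host}{$key}++;
   } elsif ($verdict =~ /drop/i) {
      $DropCount{$host}++;
      $Dropped{$host}{$key}++;
   } elsif ($verdict =~ /deny/i) {
      $DenyCount{$host}++;
      $Denied{$host}{$key}++;
   } elsif ($verdict =~ /accept/i) {
      $AcceptCount{$host}++;
      $Accepted{$host}{$key}++;
   } else {
      $iptCount{$host}++;
      $ipt{$host}{$key}++;
   }
   return;
}

# Common head of an iptables LOG line.  SRC and DST must be dotted quads
# and PROTO non-empty, so a malformed line is counted in %Kernel instead
# of being resolved as host "".  Captures: prefix, IN, OUT, SRC, DST, PROTO.
my $IPTablesHead = qr/^(.*)IN=(\w*).*OUT=(\w*).*SRC=([\d.]+).*DST=([\d.]+).*PROTO=(\w+)/;

# Read kernel log lines from STDIN and tally firewall events into the report
# hashes.  Formats are tried in this order: 2.2-era SYN-flood warnings and
# "IP fw-in deny" (ipfwadm) lines, ipchains "Packet log:" lines, iptables
# LOG lines with ports, iptables LOG lines without ports.  Anything else is
# counted in %Kernel and only shown at detail level 5 or above.
while (defined($ThisLine = <STDIN>)) {
   chomp($ThisLine);
   next if ($ThisLine eq "");

   # 2.2-era kernel messages
   if ( ($from,$on) = ( $ThisLine =~ /^Warning: possible SYN flood from ([^ ]+) on ([^ ]+):.+ Sending cookies/ ) ) {
      $Fullfrom = LookupIP($from);
      $Fullon = LookupIP($on);
      $SYNflood{$Fullon}{$Fullfrom}++;
   } elsif ( ($TU,$from,$port,$on) = ( $ThisLine =~ /IP fw-in deny \w+ (\w+) ([^:]+):\d+ ([^:]+):(\d+) / ) ) {
      # Remember the busiest (proto, source) pair; the report only calls
      # it a scan once that count exceeds $MaxFlood.
      if ($MaxNum < ++$TCPscan{$TU}{$from}) {
         $MaxNum = $TCPscan{$TU}{$from};
      }

   # IPCHAINS: the three action words share one layout, so the action is
   # captured once instead of running three near-identical regexes
   } elsif ( ($chain,$verdict,$if,$proto,$ip,$port) = ( $ThisLine =~ /^Packet log: (\w+) (REJECT|DENY|ACCEPT) (\w+) PROTO=([0-9]+) ([^:]+):[0-9]+ [^:]+:([0-9]+)/ ) ) {
      $host = LookupIP($ip);
      $proto = LookupProtocol($proto);
      $port = LookupService($port,$proto);
      if ($port ne "auth") { # don't care about auth
         TallyPacket($verdict, $host, "$port\t($proto,$if,$chain)");
      }

   # IPTABLES, protocols with ports
   } elsif ( ($chain,$ifin,$ifout,$fromip,$toip,$proto,$fromport,$toport) = ( $ThisLine =~ /${IPTablesHead}.*SPT=(\d+).*DPT=(\d+)/ ) ) {
      $fromhost = LookupIP($fromip);
      $tohost = LookupIP($toip);
      # PROTO= is a number on older kernels and a name on newer ones; the
      # anchored test keeps names that happen to contain a digit out of
      # getprotobynumber.
      $proto = ($proto =~ /^\d+$/) ? LookupProtocol($proto) : lc($proto);
      $fromport = LookupService($fromport,$proto);
      $toport = LookupService($toport,$proto);
      if ($toport ne "auth") { # don't care about auth
         TallyPacket($chain, $fromhost, "$tohost:$toport\t($proto,$ifin,$ifout,$chain)");
      }

   # IPTABLES, ICMP and other protocols without a from/to port
   } elsif ( ($chain,$ifin,$ifout,$fromip,$toip,$proto) = ( $ThisLine =~ /$IPTablesHead/ ) ) {
      $fromhost = LookupIP($fromip);
      $tohost = LookupIP($toip);
      $proto = ($proto =~ /^\d+$/) ? LookupProtocol($proto) : lc($proto);
      TallyPacket($chain, $fromhost, "$tohost\t($proto,$ifin,$ifout,$chain)");

   } else {
      # XXX For now, going to ignore all other kernel messages as there
      # XXX are practically an infinite number and most of them are obviously
      # XXX not parsed here at this time.
      $Kernel{$ThisLine}++;
   }
}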

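   # Print one "<label> packets from <host>" section per source host, with
   # the per-destination breakdown and the host total.  $packets is a ref
   # to the host => { detail => count } hash, $counts a ref to the
   # host => total hash.  Keys are sorted so repeated runs over the same
   # log produce the same report.
   sub PrintPacketSection {
      my ($label, $packets, $counts) = @_;
      foreach my $host (sort {$a cmp $b} keys %$packets) {
         print "\n$label packets from $host.\n";
         foreach my $ThisOne (sort {$a cmp $b} keys %{$packets->{$host}}) {
            print "  Port $ThisOne: $packets->{$host}{$ThisOne} packet(s).\n";
         }
         print "Total of $counts->{$host} packet(s).\n";
      }
      return;
   }

   # Nothing is printed unless some section has content.  %Accepted was
   # missing from this test, so a log holding only accepted packets gave
   # no Kernel section even though the body below would have printed one.
   if (   (keys %SYNflood)
         or (($MaxNum > $MaxFlood) and (keys %TCPscan))
         or (keys %Rejected) or (keys %Denied) or (keys %Dropped)
         or (keys %Accepted) or (keys %ipt)
         or (($Detail >= 5) and (keys %Kernel)) ) {

      print "\n\n ---------------------- Kernel Begin ------------------------- \n\n";

      if (keys %SYNflood) {
         print "\nWarning: SYN flood on:\n";
         foreach $ThisOne (sort {$a cmp $b} keys %SYNflood) {
            print "   " . $ThisOne . " from:\n";
            foreach $Next (sort {$a cmp $b} keys %{$SYNflood{$ThisOne}}) {
               print "      " . $Next . ": $SYNflood{$ThisOne}{$Next} Time(s)\n";
            }
         }
      }
      if (keys %TCPscan and $MaxNum > $MaxFlood) {
         print "\nWarning: ipfwadm scan detected on:\n";
         foreach $ThisOne (sort {$a cmp $b} keys %TCPscan) {
            print "   " . $ThisOne . " from:\n";
            foreach $Next (sort {$a cmp $b} keys %{$TCPscan{$ThisOne}}) {
               # only the sources that individually crossed the threshold
               if ($TCPscan{$ThisOne}{$Next} > $MaxFlood) {
                  print "      " . LookupIP($Next) . ": $TCPscan{$ThisOne}{$Next} Time(s)\n";
               }
            }
         }
      }

      PrintPacketSection("Rejected", \%Rejected, \%RejectCount);
      PrintPacketSection("Denied",   \%Denied,   \%DenyCount);
      PrintPacketSection("Dropped",  \%Dropped,  \%DropCount);
      PrintPacketSection("Accepted", \%Accepted, \%AcceptCount);
      PrintPacketSection("Logged",   \%ipt,      \%iptCount);

      # Unparsed kernel lines, verbatim, only at high detail
      if ( ($Detail >= 5) and (keys %Kernel) ) {
         print "\n";
         foreach $ThisOne (sort {$a cmp $b} keys %Kernel) {
            print $Kernel{$ThisOne} . " Time(s): " . $ThisOne . "\n";
         }
      }

      print "\n\n ---------------------- Kernel End ------------------------- \n\n";
   }

   exit(0);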



