[Logwatch-Devel] Cisco (ACL) parsing

Hugo van der Kooij hvdkooij at vanderkooij.org
Sun Sep 4 15:40:03 MST 2005


Hi,

I did add some more ACL parsing this weekend. I'll go over the other
events in the near future as the detection there could do with a few
improvements.

This is getting nearly all the security logging I have recorded so far.

If anyone feels like adding it into CVS feel free to do so. But expect
more updates in the coming weeks. (It is still itching ;-)

The diff against 6.1.1:

--- cisco-6.1.1	2005-08-23 23:57:46.000000000 +0200
+++ cisco	2005-09-05 00:11:00.000000000 +0200
@@ -44,18 +44,107 @@
          ($ThisLine =~ /Copyright/ ) or
          ($ThisLine =~ /Cisco Internetwork Operating System Software/ ) or
          ($ThisLine =~ /IOS \(tm\)/ ) or
-         ($ThisLine =~ /TAC:Home:SW:IOS:Specials/ ) or
-         ($ThisLine =~ /accept udp/ ) or
-         ($ThisLine =~ /accept tcp/ ) or
-         ($ThisLine =~ /accept icmp/ ) or
-         ($ThisLine =~ /accept ip/ ) or
-         ($ThisLine =~ /denied udp/ ) or
-         ($ThisLine =~ /denied tcp/ ) or
-         ($ThisLine =~ /denied icmp/ ) or
-         ($ThisLine =~ /denied ip/ )
+         ($ThisLine =~ /TAC:Home:SW:IOS:Specials/ )
     ) {
+#         ($ThisLine =~ /accept ip/ ) or
+#         ($ThisLine =~ /denied ip/ )
       # don't care about this, will code this later
    }
+   elsif ( $ThisLine =~ /%SEC-6-IPACCESSLOG(|D|N)P/) {
+      $testline = $ThisLine;
+      chomp $testline;
+      $testline =~ s/^.*SEC-6-IPACCESSLOG(|D|N)P: list //;
+      $testline =~ s/ ->//;
+      $testline =~ s/, / /;
+      $testline =~ s/ packets//;
+      $testline =~ s/ packet//;
+      @testfields = split(/ /,$testline);
+      $accesslist = @testfields[0];
+      $action = @testfields[1];
+      $protocol = @testfields[2];
+      if ($protocol =~ /(tcp|udp)/) {
+         $source = @testfields[3];
+         $destination = @testfields[4];
+         $icmp_type = "";
+         $count = @testfields[5];
+         @sfields = split(/\(/, $source);
+         $source_ip = @sfields[0];
+         $source_port = @sfields[1];
+         $source_port =~ s/\)//;
+         @dfields = split(/\(/, $destination);
+         $destination_ip = @dfields[0];
+         $destination_port = @dfields[1];
+         $destination_port =~ s/\)//;
+      } elsif ($protocol =~ /icmp/) {
+         $source_ip = @testfields[3];
+         $source_port = 0;
+         $destination_ip = @testfields[4];
+         $destination_port = 0;
+         $icmp_type = @testfields[5];
+         $count = @testfields[6];
+      } elsif ($protocol =~ /41/) {
+         $source_ip = @testfields[3];
+         $source_port = 0;
+         $destination_ip = @testfields[4];
+         $destination_port = 0;
+         $icmp_type = "";
+         $count = @testfields[5];
+      } else {
+         $count = 0;
+      }
+
+      $ACL{$accesslist} += $count;
+      $ACTION{$action} += $count;
+      $packets += $count;
+      if ( ($destination_port == 22) and ($protocol =~ /tcp/) ) {
+         $SSH{$source_ip} += $count;
+         $SSH_packets += $count;
+      }
+   }
+   elsif ( $ThisLine =~ /%IPV6-6-IPACCESSLOG(|D|N)P/) {
+      $testline = $ThisLine;
+      chomp $testline;
+      $testline =~ s/^.*IPV6-6-IPACCESSLOG(|D|N)P: list //;
+      $testline =~ s/ ->//;
+      $testline =~ s/, / /;
+      $testline =~ s/ packets//;
+      $testline =~ s/ packet//;
+      @testfields = split(/ /,$testline);
+      $accesslist = @testfields[0];
+      $action = @testfields[1];
+      $protocol = @testfields[2];
+      if ($protocol =~ /(tcp|udp)/) {
+         $source = @testfields[3];
+         $destination = @testfields[4];
+         $icmp_type = "";
+         $count = @testfields[5];
+         @sfields = split(/\(/, $source);
+         $source_ip = @sfields[0];
+         $source_port = @sfields[1];
+         $source_port =~ s/\)//;
+         @dfields = split(/\(/, $destination);
+         $destination_ip = @dfields[0];
+         $destination_port = @dfields[1];
+         $destination_port =~ s/\)//;
+      } elsif ($protocol =~ /icmpv6/) {
+         $source_ip = @testfields[3];
+         $source_port = 0;
+         $destination_ip = @testfields[4];
+         $destination_port = 0;
+         $icmp_type = @testfields[5];
+         $count = @testfields[6];
+      } else {
+         $count = 0;
+      }
+
+      $ACL{$accesslist} += $count;
+      $ACTION{$action} += $count;
+      $IPV6_packets += $count;
+      if ( ($destination_port == 22) and ($protocol =~ /tcp/) ) {
+         $SSH{$source_ip} += $count;
+         $SSH_packets += $count;
+      }
+   }
    elsif ( ($interface,$errortype,$withwho) = ($ThisLine =~ /duplex mismatch discovered on (.+) \(.*\), with (.*)/) ) {
       $DuplexMismatched{$host}{$interface," with ",$errortype}++;
    }
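Review bot: The `%SEC-6-IPACCESSLOG` and `%IPV6-6-IPACCESSLOG` branches are the same forty lines twice, differing only in which total they bump (`$packets` versus `$IPV6_packets`), and both carry the same small defects: every field read uses a one-element slice (`@testfields[0]`, `@sfields[1]`, …) where `$testfields[0]` is meant, which would warn under `use warnings`, and the `else` fallback for an unrecognised protocol sets `$count = 0` but still falls through to `$ACL{$accesslist} += $count` and `$ACTION{$action} += $count`, so such lines create `0 Hit(s)` entries in the report. Nothing in the hunk is declared with `my`, so on that fallback path `$source_ip` and `$destination_port` also keep their values from the previous matched line. `$icmp_type` is assigned in three places but never read in the patch. Folding the parsing into one helper removes the duplication and both issues; the if/elsif chain this sits in starts before the hunk, and the sub can live anywhere in the file.
```perl
   elsif ( ($family) = ($ThisLine =~ /%(SEC|IPV6)-6-IPACCESSLOG(?:|D|N)P: list /) ) {
      ($accesslist, $action, $protocol, $source_ip, $destination_port, $count)
         = parse_ipaccesslog($ThisLine);
      if ($count) {
         $ACL{$accesslist} += $count;
         $ACTION{$action} += $count;
         if ($family eq 'IPV6') { $IPV6_packets += $count } else { $packets += $count }
         if ( ($protocol =~ /tcp/) and ($destination_port == 22) ) {
            $SSH{$source_ip} += $count;
            $SSH_packets += $count;
         }
      }
   }
   # … unchanged: remaining elsif branches (duplex mismatch, …) …

# Reduce "list <acl> <action> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
# to the fields the report needs; count is 0 for a field layout it does not know.
sub parse_ipaccesslog {
   my ($line) = @_;
   chomp $line;
   $line =~ s/^.*-6-IPACCESSLOG(?:|D|N)P: list //;
   $line =~ s/ ->//;
   $line =~ s/, / /;
   $line =~ s/ packets?//;
   my ($acl, $act, $proto, $src, $dst, @rest) = split / /, $line;
   my ($src_ip, $dst_port, $cnt) = ($src, 0, 0);
   if ($proto =~ /^(?:tcp|udp)$/) {
      ($src_ip)  = $src =~ /^([^(]*)/;
      $dst_port  = ($dst =~ /\((\d+)\)/) ? $1 : 0;
      $cnt       = $rest[0];
   } elsif ($proto =~ /^icmp(?:v6)?$/) {
      $cnt = $rest[1];    # $rest[0] is the ICMP type, unused by the report
   } elsif ($proto eq '41') {
      $cnt = $rest[0];
   }
   return ($acl, $act, $proto, $src_ip, $dst_port, $cnt);
}
```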
@@ -123,14 +212,15 @@
       $InvalidMulticast{$host}{$interface}++;
    }
    elsif ( ($device,$vty,$interface) = ($ThisLine =~ /Configured from (\S+) by (\S+) \((.+)\)/) ) {
-      $Configured{$host}{"Configured from $device by $vty ",LookupIP($interface)}++;
-   }
-   elsif ( ($interface) = ($ThisLine =~ /CONFIG.+: (.*)/) ) {
-      $Configured{$host}{$interface}++;
-   }
-   elsif ( ($interface) = ($ThisLine =~ /CONFIG: (.*)/) ) {
-      $Configured{$host}{$interface}++;
+#      $Configured{$host}{"Configured from $device by $vty ",LookupIP($interface)}++;
+      $Configured{$host}{"Configured from $device by $vty "}++;
    }
+#   elsif ( ($interface) = ($ThisLine =~ /CONFIG.+: (.*)/) ) {
+#      $Configured{$host}{$interface}++;
+#   }
+#   elsif ( ($interface) = ($ThisLine =~ /CONFIG: (.*)/) ) {
+#      $Configured{$host}{$interface}++;
+#   }
    elsif ( ($interface) = ($ThisLine =~ /LINK_FLAP: (.*)/) ) {
       $Flapping{$host}{$interface}++;
    }
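Review bot: The new key on `$Configured{$host}{"Configured from $device by $vty "}++` drops the address the configuration session came from — the third capture `$interface` is still taken on the `elsif` line but is no longer used, so the report can no longer show where a config change originated, which is the part of this event a reader of the security section actually wants. If the motivation was avoiding the reverse lookup in `LookupIP` (its cost is not visible here), keep the raw value instead: `$Configured{$host}{"Configured from $device by $vty ($interface)"}++;`. The two `CONFIG` branches are commented out rather than deleted, so those lines now fall through to `%OtherList`, whose report this same patch also comments out in the last hunk. The trailing space inside the key string ends up in the printed output as well.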
@@ -865,13 +955,39 @@
    }
 }

-if (keys %OtherList) {
-	print "\n**Unmatched Entries**\n";
-	foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
-	print "   $line: $OtherList{$line} Time(s)\n";
-    }
+if (keys %ACL) {
+   print "\nAccess Control Lists:\n";
+   foreach $ThisOne (sort keys %ACL) {
+      print "   " . $ThisOne . ": " . $ACL{$ThisOne} . " Hit(s)\n";
+   }
+   print "   Total: " . $packets . " Hit(s)\n";
+   print "   IPv6 Total: " . $IPV6_packets . " Hit(s)\n";
+}
+
+if (keys %ACTION) {
+   print "\nActions:\n";
+   foreach $ThisOne (sort keys %ACTION) {
+      print "   " . $ThisOne . ": " . $ACTION{$ThisOne} . " Hit(s)\n";
+   }
+   print "   Total: " . $packets . " Hit(s)\n";
+   print "   IPv6 Total: " . $IPV6_packets . " Hit(s)\n";
+}
+
+if (keys %SSH) {
+   print "\nSSH access:\n";
+   foreach $ThisOne (sort keys %SSH) {
+      print "   " . $ThisOne . ": " . $SSH{$ThisOne} . " Hit(s)\n";
+   }
+   print "   Total: " . $SSH_packets . " Hit(s)\n";
 }

+#if (keys %OtherList) {
+#	print "\n**Unmatched Entries**\n";
+#	foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
+#	print "   $line: $OtherList{$line} Time(s)\n";
+#    }
+#}
+

 exit(0);

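Review bot: Commenting out the `**Unmatched Entries**` block removes the only place where log lines the script does not recognise become visible, and this patch creates more of them: the `accept`/`denied` lines dropped from the ignore list in the first hunk and the `CONFIG` lines in the second now land in `%OtherList` and are never printed. Restore the block, or delete it outright if the intent really is to drop it — the commented copy suggests it is not. Separately, `$packets`, `$IPV6_packets` and `$SSH_packets` are only ever created by `+=`, so a run with no lines of one family prints `IPv6 Total:  Hit(s)` with an uninitialized-value warning; initialise them to 0 where the other counters are set up (outside this hunk) or print `($IPV6_packets || 0)`. The `Total`/`IPv6 Total` pair is printed under both `Access Control Lists:` and `Actions:`; once is enough.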

Hugo.

-- 
	I hate duplicates. Just reply to the relevant mailinglist.
	hvdkooij at vanderkooij.org		http://hvdkooij.xs4all.nl/
		Don't meddle in the affairs of magicians,
		for they are subtle and quick to anger.

