[Logwatch-Devel] Cisco update (%FW-6-DROP_PKT)

Hugo van der Kooij hvdkooij at vanderkooij.org
Mon Sep 26 14:58:18 MST 2005


Hi,

The latest patch against v6.1.1 for the Cisco parser.

Tonight I worked on the handling of %FW-6-DROP_PKT log lines. (Indication
when the inspection engine dropped a packet as it violated the stateful
tables.)

I suspect I get these because the firmware is less than perfect in
handling stateful connections. (Which is a nice phrase to say it is a
bug.)

Enjoy,
Hugo.

-- 
	I hate duplicates. Just reply to the relevant mailinglist.
	hvdkooij at vanderkooij.org		http://hvdkooij.xs4all.nl/
		Don't meddle in the affairs of magicians,
		for they are subtle and quick to anger.
-------------- next part --------------
--- cisco-6.1.1	2005-08-23 23:57:46.000000000 +0200
+++ cisco	2005-09-26 23:50:24.000000000 +0200
@@ -5,11 +5,13 @@
 ########################################################
 # This was written and is maintained by:
 #    Laurent DUFOUR <laurent.dufour at havas.com>,<dufour_l at hotmail.com>
+# Heavily modified by:
+#    Hugo van der Kooij <hvdkooij at vanderkooij.org>
 #    based on the work of
 #    Kirk Bauer <kirk at kaybee.org>
 #
 # Please send all comments, suggestions, bug reports,
-#    etc, to laurent.dufour at havas.com
+#    etc, to laurent.dufour at havas.com and hvdkooij at vanderkooij.org
 ########################################################
 
 use Logwatch ':all';
@@ -44,18 +46,145 @@
          ($ThisLine =~ /Copyright/ ) or 
          ($ThisLine =~ /Cisco Internetwork Operating System Software/ ) or 
          ($ThisLine =~ /IOS \(tm\)/ ) or 
-         ($ThisLine =~ /TAC:Home:SW:IOS:Specials/ ) or
-         ($ThisLine =~ /accept udp/ ) or
-         ($ThisLine =~ /accept tcp/ ) or
-         ($ThisLine =~ /accept icmp/ ) or
-         ($ThisLine =~ /accept ip/ ) or
-         ($ThisLine =~ /denied udp/ ) or
-         ($ThisLine =~ /denied tcp/ ) or
-         ($ThisLine =~ /denied icmp/ ) or
-         ($ThisLine =~ /denied ip/ )
+         ($ThisLine =~ /TAC:Home:SW:IOS:Specials/ )
     ) {
       # don't care about this, will code this later
    }
+   elsif ( $ThisLine =~ /%SEC-6-IPACCESSLOG(|D|N)P/) {
+      $testline = $ThisLine;
+      chomp $testline;
+      $testline =~ s/^.*SEC-6-IPACCESSLOG(|D|N)P: list //;
+      $testline =~ s/ ->//;
+      $testline =~ s/, / /;
+      $testline =~ s/ packets//;
+      $testline =~ s/ packet//;
+      @testfields = split(/ /,$testline);
+      $accesslist = @testfields[0];
+      $action = @testfields[1];
+      $protocol = @testfields[2];
+      if ($protocol =~ /(tcp|udp)/) {
+         $source = @testfields[3];
+         $destination = @testfields[4];
+         $icmp_type = "";
+         $count = @testfields[5];
+         @sfields = split(/\(/, $source);
+         $source_ip = @sfields[0];
+         $source_port = @sfields[1];
+         $source_port =~ s/\)//;
+         @dfields = split(/\(/, $destination);
+         $destination_ip = @dfields[0];
+         $destination_port = @dfields[1];
+         $destination_port =~ s/\)//;
+      } elsif ($protocol =~ /icmp/) {
+         $source_ip = @testfields[3];
+         $source_port = 0;
+         $destination_ip = @testfields[4];
+         $destination_port = 0;
+         $icmp_type = @testfields[5];
+         $count = @testfields[6];
+      } elsif ($protocol =~ /41/) {
+         $source_ip = @testfields[3];
+         $source_port = 0;
+         $destination_ip = @testfields[4];
+         $destination_port = 0;
+         $icmp_type = "";
+         $count = @testfields[5];
+      } else {
+         $count = 0;
+      }
+       
+      $ACL{$accesslist} += $count;
+      $ACTION{$action} += $count;
+      $packets += $count;
+      if ( ($destination_port == 22) and ($protocol =~ /tcp/) ) {
+         $SSH{$source_ip} += $count;
+         $SSH_packets += $count;
+      }
+   }
+   elsif ( $ThisLine =~ /%IPV6-6-ACCESSLOG(|D|N)P/) {
+      $testline = $ThisLine;
+      chomp $testline;
+      $testline =~ s/^.*IPV6-6-ACCESSLOG(|D|N)P: list //;
+      $testline =~ s/ ->//;
+      $testline =~ s/, / /;
+      $testline =~ s/ packets//;
+      $testline =~ s/ packet//;
+      @testfields = split(/ /,$testline);
+      $accesslist = @testfields[0];
+      $action = @testfields[1];
+      $protocol = @testfields[2];
+      if ($protocol =~ /(tcp|udp)/) {
+         $source = @testfields[3];
+         $destination = @testfields[4];
+         $icmp_type = "";
+         $count = @testfields[5];
+         @sfields = split(/\(/, $source);
+         $source_ip = @sfields[0];
+         $source_port = @sfields[1];
+         $source_port =~ s/\)//;
+         @dfields = split(/\(/, $destination);
+         $destination_ip = @dfields[0];
+         $destination_port = @dfields[1];
+         $destination_port =~ s/\)//;
+      } elsif ($protocol =~ /icmpv6/) {
+         $source_ip = @testfields[3];
+         $source_port = 0;
+         $destination_ip = @testfields[4];
+         $destination_port = 0;
+         $icmp_type = @testfields[5];
+         $count = @testfields[6];
+      } else {
+         $count = 0;
+      }
+       
+      $ACL{$accesslist} += $count;
+      $ACTION{$action} += $count;
+      $IPV6_packets += $count;
+      if ( ($destination_port == 22) and ($protocol =~ /tcp/) ) {
+         $SSH{$source_ip} += $count;
+         $SSH_packets += $count;
+      }
+   }
+   elsif ( ($protocol,$source,$destination) = ($ThisLine =~ /%FW-6-DROP_PKT: Dropping (\S+) pkt (\S+) => (\S+)/) ) {
+      @sfields = split(/:/, $source);
+      $source_ip = @sfields[0];
+      $source_port = @sfields[1];
+      @dfields = split(/:/, $destination);
+      $destination_ip = @dfields[0];
+      $destination_port = @dfields[1];
+      if ($source_port == 25) {
+         $dropsmtphost{$destination_ip}++;
+         $dropsmtppkts++;
+      }
+      if ($destination_port == 25) {
+         $dropsmtphost{$source_ip}++;
+         $dropsmtppkts++;
+      }
+      if ($source_port == 80) {
+         $drophttphost{$source_ip}++;
+         $drophttppkts++;
+      }
+      if ($destination_port == 80) {
+         $drophttphost{$destination_ip}++;
+         $drophttppkts++;
+      }
+      $InspectDrop++;
+   }
+   elsif ($ThisLine =~ /%FW-3-HTTP_JAVA_BLOCK/) {
+      $JavaBlock++;
+   }
+   elsif ( ($username,$vty,$address) = ($ThisLine =~ /%SYS-5-CONFIG_I: Configured from console by (\S+) on (\S+) \((\S+)\)/) ) {
+      $Configured{$host}{"Configured from $vty by $username at ",LookupIP($address)}++;
+   }
+   elsif ( ($username,$vty) = ($ThisLine =~ /%SYS-5-CONFIG_I: Configured from console by (\S+) on (\S+)/) ) {
+      $Configured{$host}{"Configured from $vty by $username"}++;
+   }
+   elsif ( ($unmatched) = ($ThisLine =~ /%SYS-5-CONFIG_I: (.+)/) ) {
+      $Configured{$host}{"UNMATCHED: $unmatched"}++;
+   }
+   elsif ( ($unmatched) = ($ThisLine =~ /%AUDIT-5-RUN_CONFIG/) ) {
+      $ConfigChange{$host}++;
+   }
    elsif ( ($interface,$errortype,$withwho) = ($ThisLine =~ /duplex mismatch discovered on (.+) \(.*\), with (.*)/) ) {
       $DuplexMismatched{$host}{$interface," with ",$errortype}++;
    }
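Review bot: the new %FW-6-DROP_PKT branch compares ports that may not exist: the regex captures any protocol name in `(\S+)`, but `@sfields = split(/:/, $source)` only yields a port for host:port endpoints, so for a non-TCP/UDP drop `$source_port` is undef and `if ($source_port == 25)` (and the three sibling checks) will emit "uninitialized value" warnings under `use warnings`; guard the four port checks with something like `if ($protocol =~ /^(tcp|udp)$/i)` or a `defined` test, and note that `split(/:/)` would also mis-parse an address containing colons should an IPv6 endpoint ever appear there. Throughout the two ACCESSLOG blocks, `$accesslist = @testfields[0];`, `$source_ip = @sfields[0];` and the similar lines are one-element array slices in scalar context; they happen to work but Perl warns "Scalar value @testfields[0] better written as $testfields[0]", so use `$testfields[0]`, `$sfields[0]`, `$dfields[1]`. The IPv4 and IPv6 ACCESSLOG blocks differ only in the message prefix and the icmp/icmpv6 name, so a small helper taking the prefix and the protocol pattern would halve this hunk and keep the two in sync (for example the `/41/` protocol-41 case exists only in the IPv4 copy). Also `($unmatched) = ($ThisLine =~ /%AUDIT-5-RUN_CONFIG/)` has no capture group, so `$unmatched` is just the match's true value; a plain `elsif ($ThisLine =~ /%AUDIT-5-RUN_CONFIG/)` says what is meant. Finally, the hash keys built as `{"Configured from $vty by $username at ",LookupIP($address)}` follow the file's existing multi-key style, which joins the parts with `$;` (a control character) that then ends up in the printed report; concatenating with `.` avoids that for the new lines.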
@@ -122,15 +251,6 @@
    elsif ( ($interface) = ($ThisLine =~ /P2_WARN: (.*)/) ) {
       $InvalidMulticast{$host}{$interface}++;
    }
-   elsif ( ($device,$vty,$interface) = ($ThisLine =~ /Configured from (\S+) by (\S+) \((.+)\)/) ) {
-      $Configured{$host}{"Configured from $device by $vty ",LookupIP($interface)}++;
-   }
-   elsif ( ($interface) = ($ThisLine =~ /CONFIG.+: (.*)/) ) {
-      $Configured{$host}{$interface}++;
-   }
-   elsif ( ($interface) = ($ThisLine =~ /CONFIG: (.*)/) ) {
-      $Configured{$host}{$interface}++;
-   }
    elsif ( ($interface) = ($ThisLine =~ /LINK_FLAP: (.*)/) ) {
       $Flapping{$host}{$interface}++;
    }
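Review bot: dropping the generic `CONFIG.+: (.*)` and `CONFIG: (.*)` catch-alls means any configuration message other than `%SYS-5-CONFIG_I` and `%AUDIT-5-RUN_CONFIG` (the only two forms the new code matches) now falls through to the unmatched list, and since this patch also comments out the "**Unmatched Entries**" output at the end, such lines will vanish from the report entirely. Either keep one of these as a last-resort `elsif` after the specific `%SYS-5-CONFIG_I` matchers, or leave the unmatched report enabled so unexpected config messages still surface.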
@@ -475,7 +595,7 @@
    foreach $ThisOne (keys %CountersMsg) {
       print "   " . $ThisOne . ":\n";
       foreach $ThatOne (keys %{$CountersMsg{$ThisOne}}) {
-         print "\t " .$ThatOne . "\t: " . $CountersMsg{$ThisOne}{$ThatOne} . " Time(s)\n";
+         print "\t" .$ThatOne . "\t: " . $CountersMsg{$ThisOne}{$ThatOne} . " Time(s)\n";
       }
    }
 }
@@ -485,11 +605,18 @@
    foreach $ThisOne (keys %Configured) {
       print "   " . $ThisOne . ":\n";
       foreach $ThatOne (keys %{$Configured{$ThisOne}}) {
-         print "\t " .$ThatOne . "\t: " . $Configured{$ThisOne}{$ThatOne} . " Time(s)\n";
+         print "\t" .$ThatOne . "\t: " . $Configured{$ThisOne}{$ThatOne} . " Time(s)\n";
       }
    }
 }
 
+if (keys %ConfigChange) {
+   print "\nDevice config changes :\n";
+   foreach $ThisOne (keys %ConfigChange) {
+      print "   " . $ThisOne . ": " . $ConfigChange{$ThisOne} . " Time(s)\n";
+   }
+}
+
 if (keys %LoginFail) {
    print "\nLogin failed on device :\n";
    foreach $ThisOne (keys %LoginFail) {
@@ -865,13 +992,67 @@
    }
 }
 
-if (keys %OtherList) {
-	print "\n**Unmatched Entries**\n";
-	foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
-	print "   $line: $OtherList{$line} Time(s)\n";
-    }
+if (keys %ACL) {
+   print "\nAccess Control Lists:\n";
+   foreach $ThisOne (sort keys %ACL) {
+      print "   " . $ThisOne . " : " . $ACL{$ThisOne} . " Hit(s)\n";
+   }
+   print "   Total : " . $packets . " Hit(s)\n";
+   print "   IPv6 Total : " . $IPV6_packets . " Hit(s)\n";
 }
 
+if (keys %ACTION) {
+   print "\nActions:\n";
+   foreach $ThisOne (sort keys %ACTION) {
+      print "   " . $ThisOne . " : " . $ACTION{$ThisOne} . " Hit(s)\n";
+   }
+   print "   Total : " . $packets . " Hit(s)\n";
+   print "   IPv6 Total : " . $IPV6_packets . " Hit(s)\n";
+}
+
+if ($InspectDrop > 0) {
+   print "\nInspect rule drops : $InspectDrop\n";
+}
+
+if (keys %dropsmtphost) {
+   print "  SMTP servers:\n";
+   foreach $ThisOne (sort keys %dropsmtphost) {
+      if ($dropsmtphost{$ThisOne} > 1) {
+         print "   " . $ThisOne . " : " . $dropsmtphost{$ThisOne} . " Drops\n";
+      }
+   }
+   print "   Total : " . $dropsmtppkts . "\n";
+}
+
+if (keys %drophttphost) {
+   print "  HTTP servers:\n";
+   foreach $ThisOne (sort keys %drophttphost) {
+      if ($drophttphost{$ThisOne} > 1) {
+         print "   " . $ThisOne . " : " . $drophttphost{$ThisOne} . " Drop(s)\n";
+      }
+   }
+   print "   Total : " . $drophttppkts . "\n";
+}
+
+if ($JavaBlock > 0) {
+   print "\nJAVA applet(s) blocked : $JavaBlock\n";
+}
+
+if (keys %SSH) {
+   print "\nSSH access:\n";
+   foreach $ThisOne (sort keys %SSH) {
+      print "   " . $ThisOne . " : " . $SSH{$ThisOne} . " Hit(s)\n";
+   }
+   print "   Total : " . $SSH_packets . " Hit(s)\n";
+}
+
+#if (keys %OtherList) {
+#	print "\n**Unmatched Entries**\n";
+#	foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
+#	print "   $line: $OtherList{$line} Time(s)\n";
+#    }
+#}
+
 
 exit(0);
 
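Review bot: commenting out the `if (keys %OtherList)` block silently removes the "**Unmatched Entries**" report rather than deleting it, and that report is how new message types get noticed in the first place (the %FW-6-DROP_PKT lines this patch adds would have shown up there); suggest restoring the output, or gating it on the Logwatch detail level, and removing the dead commented copy instead of shipping it. The `if ($InspectDrop > 0)` and `if ($JavaBlock > 0)` tests will warn under `use warnings` on a run with no matching lines unless both scalars are initialised somewhere outside this hunk. The SMTP and HTTP per-host loops only print hosts with `> 1` drops while `Total` counts every drop, so the listed entries will not add up to the total; a heading such as "hosts with more than one drop" would make that intentional, and the units should agree ("Drops" in the SMTP block versus "Drop(s)" in the HTTP block, `Hit(s)` elsewhere). The `Total`/`IPv6 Total` lines for `$packets` and `$IPV6_packets` are printed identically under both the "Access Control Lists" and "Actions" sections; one copy is enough.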

