[Logwatch] pluto scanning

Michael Richardson mcr@sandelman.ottawa.on.ca
Sun, 08 Sep 2002 08:53:32 -0400


--Multipart_Sun_Sep__8_08:53:31_2002-1
Content-Type: text/plain; charset=US-ASCII

-----BEGIN PGP SIGNED MESSAGE-----


  I finally updated our project CVS server to logwatch 3.1, and tried the
pluto scanner that was provided. It didn't tell me much :-)

  I suggest the one that I wrote be distributed instead. There is still WAY
too much verbosity in the Pluto logs - crap that just isn't relevant. You'd
think that as the team technical lead, I'd be able to get it removed
sooner. We're working on it. 

  Here is some sample output:

Overview summary of log files:
	 Sep 7 had 417 entries of which 306 were relevant
Summary by peer:
  Peer abigail-istari caused 104 lines of output.
	connected from: 
	VID: KAME/Racoon
	Keyed: 25 successes 0 failures (max retries: 0)
	IPsec SAs: 2
  Peer abigail-crowgirl-net caused 58 lines of output.
	connected from: 
	Keyed: 25 successes 0 failures (max retries: 0)
	IPsec SAs: 2
  Peer abigail-marajade caused 62 lines of output.
	connected from:192.139.46.20  
	Keyed: 26 successes 0 failures (max retries: 0)
	IPsec SAs: 2
  Peer abigail-mimosa-net caused 58 lines of output.
	connected from: 
	Keyed: 27 successes 0 failures (max retries: 0)
	IPsec SAs: 2
  Peer abigail-cassidy-net caused 67 lines of output.
	connected from: 
	Keyed: 26 successes 0 failures (max retries: 0)
	IPsec SAs: 3
  Peer abigail-aaitlol-host caused 66 lines of output.
	connected from:216.240.43.114  
	Keyed: 26 successes 0 failures (max retries: 0)
	IPsec SAs: 3
Summary of bad peers
	[192.139.46.28]:500 caused 2 bad exchanges
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBPXtIR+Gou/SvHEP9AQH/dAf/eW9lpVdU85QgyOdXjCCEtsoPgRsoQ9nx
Vw1O3hPiStobnZD3mCg9/KDovviY4yCmMYKQTsBtHPq0XVWZTTgVwpQlhrOgnVzK
/517wFAII7CntJRb/zwrbdVMz8p47E6yLlb7VIaBmLJE7/EWSLax9fdkbytHR8NT
fcNpY6hDELh7WGTH/MK65tZeNYAv0FOE+uTYfXQfuxpUSZao2B2lOd3lpKXVTOJb
h31P3y8VfWSy7RcO63D0gzDgzexJgfuzfjH/OPbI4mvwkixbTaltaTDMgttNfvwJ
YetLnhk6xL+5+rChjNsc7XgDBGSN7QNkaNBu1y5V4EIaLoSqcjQQIw==
=96y/
-----END PGP SIGNATURE-----


--Multipart_Sun_Sep__8_08:53:31_2002-1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="pluto.pl"
Content-Transfer-Encoding: quoted-printable

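#!/usr/bin/perl
#
# $Id$
#
# This is a scanner for logwatch (see www.logwatch.org) that processes Pluto
# log files and attempts to make some sense out of them.
#
# Input:  syslog-style Pluto lines on STDIN or in the files named on the
#         command line (read via <>).
# Output: a per-day overview, a per-connection summary and a list of "bad
#         peers" on STDOUT; decoding noise goes to STDERR when $debug is set.
#
# Everything that ends up in the report and originated in a log line (peer
# addresses, state numbers, the IKE Vendor ID payload, unparsed lines) is
# passed through printable() first.  Those fields are chosen by the remote
# peer, not by us, and the report is normally read in a mail client or a
# terminal, so raw control bytes must not be forwarded verbatim.
#

use strict;
use warnings;

# Known IKE Vendor ID payloads, keyed by exactly what Pluto logs after
# "Vendor ID: ".
# NOTE(review): the KAME/Racoon key in the original contained raw
# non-printable bytes that do not survive being pasted into a mail; the dots
# below are what was left of them.  Restore the key from the original
# attachment (or from a fresh "Vendor ID:" log line) before relying on it.
my %vendorID = (
    "p....}..&..i...5..............................." => "KAME/Racoon",
);
my $debug = 0;

# Per-day counters: all Pluto lines seen, and those not filtered as noise.
my (%loglines, %relevantlog);

# Per-connection counters, keyed by the connection name from the log line.
my (%conns, %peerIPs, %seenPeerIP, %peerID, %rekeysuccess, %rekeyfail,
    %maxattempts, %ipsecSAs);

# Breakdown of why keying failed, per connection.
my (%retransfail, %rekeyfail_ICMPunreachable);

# Things that are not well-behaved peers.
my (%badexch, %rekeyfail_notknown);
my $baddelete = 0;

# ISAKMP state bookkeeping carried over from the original script.  It is
# collected but not reported yet; kept so the chains can be printed later.
my (%stateobjects, %peer, %statechain, %quickmode);

# Pluto lines that carry no information for this report.  Note that the
# "previously used Message ID" and "ignoring Delete SA payload" cases are
# treated as noise here; count them instead if you ever suspect replay.
my @ignore = (
    qr/ISAKMP SA expired/,
    qr/responding to Main Mode/,
    qr/responding to Quick Mode/,
    qr/IPsec SA expired/,
    qr/ignoring informational payload, type IPSEC_INITIAL_CONTACT/,
    qr/regenerating DH private secret to avoid Pluto 1\.0 bug handling public value with leading zero/,
    qr/regenerating DH private secret to avoid Pluto 1\.0 bug handling shared secret with leading zero/,
    qr/shared DH secret has leading zero -- triggers Pluto 1\.0 bug/,
    qr/ignoring Delete SA payload/,
    qr/received and ignored informational message/,
    qr/discarding duplicate packet; already STATE_MAIN_../,
    qr/discarding duplicate packet; already STATE_QUICK_../,
    qr/deleting state \(STATE_MAIN_..\)/,
    qr/deleting state \(STATE_QUICK_..\)/,
    qr/Quick Mode .. message is unacceptable because it uses a previously used Message ID/,
    qr/deleting connection .* instance with peer .*/,
    qr/dropping and reinitiating exchange to avoid Pluto 1\.0 bug handling DH shared secret with leading zero byte/,
);

# Return a copy of $s with every byte outside printable ASCII replaced by '.'.
# Used on every log-derived string before it is printed.
sub printable {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/[^\x20-\x7e]/./g;
    return $s;
}

LINE: while (my $line = <>) {
    # chomp, not chop: a final line without a newline must not lose a byte.
    chomp $line;

    # May  4 04:04:33 abigail Pluto[24170]: "abigail-istari" #1479: ISAKMP SA expired (LATEST!)
    # The limit of 7 leaves the whole message, spaces included, in $msg.
    my ($month, $day, $time, $host, $process, $conn, $msg) = split(/ +/, $line, 7);

    next LINE unless defined $process && $process =~ /pluto/i;

    my $today = "$month $day";
    $loglines{$today}++;

    $conn = '' unless defined $conn;
    $msg  = '' unless defined $msg;

    print STDERR "Msg: $msg\n" if $debug > 1;

    # Normal lines look like '[peer-ip ]#<state>: <text>'; the other two forms
    # come from peers we have no state for and are only counted.
    my ($ipaddr, $stateinfo, $rest);
    if ($msg =~ /^([^#]*)#(\d+):(.*)/) {
        ($ipaddr, $stateinfo, $rest) = ($1, $2, $3);
    } elsif ($msg =~ /no Phase 1 state for Delete/) {
        $baddelete++;
        next LINE;
    } elsif ($msg =~ /from ([^:]*):([^:]*): Main Mode message is part of an unknown exchange/) {
        $badexch{"[$1]:$2"}++;
        next LINE;
    } else {
        print STDERR "Failed to decode: " . printable($msg) . " (of " . printable($line) . ")\n" if $debug;
        next LINE;
    }

    # Strip the quotes Pluto puts around the connection name.
    $conn =~ s/"(.*)"/$1/;

    $conns{$conn}++;
    # Remember each distinct peer address once, in first-seen order.
    unless ($seenPeerIP{"$conn|$ipaddr"}++) {
        $peerIPs{$conn} .= $ipaddr . " ";
    }

    $stateobjects{$stateinfo}++;
    $peer{$stateinfo} = $ipaddr if !defined $peer{$stateinfo} && length $ipaddr;

    for my $re (@ignore) {
        next LINE if $rest =~ $re;
    }

    $relevantlog{$today}++;

    print STDERR "Rest is $rest\n" if $debug > 1;

    if ($rest =~ /initiating Main Mode to replace #(.*)/) {
        $statechain{"$conn|$stateinfo"} = "$conn|$1";

    } elsif ($rest =~ /initiating Main Mode/) {
        $statechain{"$conn|$stateinfo"} = $conn;

    } elsif ($rest =~ /initiating Quick Mode (.*) to replace #(.*)/) {
        $statechain{"$conn|$stateinfo"} = "$conn|$2";
        $quickmode{$conn} .= " " . $1;

    } elsif ($rest =~ /initiating Quick Mode (.*)/) {
        $statechain{"$conn|$stateinfo"} = $conn;
        $quickmode{$conn} .= " " . $1;

    } elsif ($rest =~ /ISAKMP SA established/) {
        $rekeysuccess{$conn}++;

    } elsif ($rest =~ /cannot respond to IPsec SA request because no connection is known for (.*)/) {
        # The peer asked for traffic selectors we have no policy for.
        $rekeyfail{$conn}++;
        $rekeyfail_notknown{$1}++;

    } elsif ($rest =~ /max number of retransmissions \(.*\) reached STATE_(MAIN|QUICK)_([IR])./) {
        $rekeyfail{$conn}++;
        $retransfail{"STATE_$1_$2"}{$conn}++;

    } elsif ($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
        $rekeyfail{$conn}++;
        $rekeyfail_ICMPunreachable{$conn}++;

    } elsif ($rest =~ /starting keying attempt (\d+) of an unlimited number/) {
        my $attempt = $1;
        $maxattempts{$conn} = $attempt
            if !defined $maxattempts{$conn} || $maxattempts{$conn} < $attempt;

    } elsif ($rest =~ /Vendor ID: (.*)/) {
        my $vid = $1;
        if (defined $vendorID{$vid}) {
            $peerID{$conn} = $vendorID{$vid};
        } else {
            # Record the unknown VID so every later peer sending it gets the
            # same label (the original appended a newline here, which broke
            # the "VID:" line of the second peer that sent it).
            $vendorID{$vid} = "unknown $vid (first seen at #$stateinfo/$ipaddr)";
            $peerID{$conn}  = "unknown $vid";
        }

    } elsif ($rest =~ /IPsec SA established/) {
        # Also covers "sent QI2, IPsec SA established".
        $ipsecSAs{$conn}++;

    } else {
        print STDERR "UNKNOWN: " . printable($line) . "\n";
    }
}

print "Overview summary of log files:\n";
for my $d (sort keys %loglines) {
    print "\t " . printable($d) . " had $loglines{$d} entries of which "
        . ($relevantlog{$d} || 0) . " were relevant\n";
}

print "Summary by peer:\n";
for my $c (sort keys %conns) {
    my $fail = $rekeyfail{$c} || 0;

    print "  Peer " . printable($c) . " caused $conns{$c} lines of output.\n";
    print "\tconnected from:" . printable($peerIPs{$c}) . "\n";
    print "\tVID: " . printable($peerID{$c}) . "\n" if defined $peerID{$c};
    print "\tKeyed: " . ($rekeysuccess{$c} || 0) . " successes $fail failures"
        . " (max retries: " . ($maxattempts{$c} || 0) . ")\n";

    # Only say why keying failed when it did, so the common case keeps the
    # original four-line layout.
    if ($fail) {
        my @why;
        for my $state (sort keys %retransfail) {
            push @why, "$retransfail{$state}{$c} retransmit timeouts in $state"
                if $retransfail{$state}{$c};
        }
        push @why, "$rekeyfail_ICMPunreachable{$c} ICMP errors"
            if $rekeyfail_ICMPunreachable{$c};
        print "\t  failure detail: " . join(", ", @why) . "\n" if @why;
    }

    print "\tIPsec SAs: " . ($ipsecSAs{$c} || 0) . "\n";
}

print "Summary of bad peers\n";
for my $bp (sort keys %badexch) {
    print "\t" . printable($bp) . " caused $badexch{$bp} bad exchanges\n";
}
for my $sel (sort keys %rekeyfail_notknown) {
    print "\tIPsec SA requested for unknown connection " . printable($sel)
        . " ($rekeyfail_notknown{$sel} times)\n";
}
print "\t$baddelete Delete payload(s) received with no Phase 1 state\n" if $baddelete;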


--Multipart_Sun_Sep__8_08:53:31_2002-1
Content-Type: text/plain; charset=US-ASCII




--Multipart_Sun_Sep__8_08:53:31_2002-1--