[Logwatch] pluto scanning
Michael Richardson
mcr@sandelman.ottawa.on.ca
Sun, 08 Sep 2002 08:53:32 -0400
--Multipart_Sun_Sep__8_08:53:31_2002-1
Content-Type: text/plain; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
I finally updated our project CVS server to logwatch 3.1, and tried the
pluto scanner that was provided. It didn't tell me much :-)
I suggest the one that I wrote be distributed instead. There is still WAY
too much verbosity in the Pluto logs - crap that just isn't relevant. You'd
think that as the team technical lead, I'd be able to get it removed
sooner. We're working on it.
Here is some sample output:
Overview summary of log files:
Sep 7 had 417 entries of which 306 were relevant
Summary by peer:
Peer abigail-istari caused 104 lines of output.
connected from:
VID: KAME/Racoon
Keyed: 25 successes 0 failures (max retries: 0)
IPsec SAs: 2
Peer abigail-crowgirl-net caused 58 lines of output.
connected from:
Keyed: 25 successes 0 failures (max retries: 0)
IPsec SAs: 2
Peer abigail-marajade caused 62 lines of output.
connected from:192.139.46.20
Keyed: 26 successes 0 failures (max retries: 0)
IPsec SAs: 2
Peer abigail-mimosa-net caused 58 lines of output.
connected from:
Keyed: 27 successes 0 failures (max retries: 0)
IPsec SAs: 2
Peer abigail-cassidy-net caused 67 lines of output.
connected from:
Keyed: 26 successes 0 failures (max retries: 0)
IPsec SAs: 3
Peer abigail-aaitlol-host caused 66 lines of output.
connected from:216.240.43.114
Keyed: 26 successes 0 failures (max retries: 0)
IPsec SAs: 3
Summary of bad peers
[192.139.46.28]:500 caused 2 bad exchanges
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBPXtIR+Gou/SvHEP9AQH/dAf/eW9lpVdU85QgyOdXjCCEtsoPgRsoQ9nx
Vw1O3hPiStobnZD3mCg9/KDovviY4yCmMYKQTsBtHPq0XVWZTTgVwpQlhrOgnVzK
/517wFAII7CntJRb/zwrbdVMz8p47E6yLlb7VIaBmLJE7/EWSLax9fdkbytHR8NT
fcNpY6hDELh7WGTH/MK65tZeNYAv0FOE+uTYfXQfuxpUSZao2B2lOd3lpKXVTOJb
h31P3y8VfWSy7RcO63D0gzDgzexJgfuzfjH/OPbI4mvwkixbTaltaTDMgttNfvwJ
YetLnhk6xL+5+rChjNsc7XgDBGSN7QNkaNBu1y5V4EIaLoSqcjQQIw==
=96y/
-----END PGP SIGNATURE-----
--Multipart_Sun_Sep__8_08:53:31_2002-1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="pluto.pl"
Content-Transfer-Encoding: quoted-printable
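#!/usr/bin/perl
#
# $Id$
#
# This is a scanner for logwatch (see www.logwatch.org) that processes Pluto
# log files and attempts to make some sense out of them.
#
# Input:  syslog lines on STDIN or from the files named in @ARGV.  Only lines
#         whose process field matches /pluto/i are looked at.
# Output: a per-day line count, a per-connection summary (peer addresses,
#         Vendor ID, keying successes/failures, IPsec SAs) and a list of
#         peers that sent Main Mode messages belonging to no known exchange,
#         all on STDOUT.  Diagnostics go to STDERR when $debug is raised.
#
# Everything printed is copied verbatim out of the log, and most of it (peer
# addresses, Vendor ID strings, state numbers, connection names) originates
# from the remote IKE peer.  Treat the report as untrusted plain text: do not
# feed it into anything that interprets it (HTML, a shell, ...).
#
# NOTE: this is a 2002 mail attachment that was quoted-printable encoded in
# transit; the Perl below is the decoded form.

use strict;
use warnings;

# Known Vendor ID payloads, keyed by the raw VID exactly as Pluto logs it.
# The key below is a binary string whose non-printable bytes were replaced
# by "." when the file was mailed, so it will not match anything until it is
# restored from the original attachment -- TODO confirm against the source.
my %vendorID = (
    "p....}..&..i...5..............................." => "KAME/Racoon",
);

# 0 = quiet, 1 = report undecodable lines, >1 = trace every message.
my $debug = 0;

# Per-day counters: every pluto line seen, and the lines that survived the
# noise filter below.  Keyed by "$month $day".
my (%loglines, %relevantlog);

# Per-connection data, keyed by the connection name (quotes stripped).
# %peerIP doubles as a list and a set: $peerIP{$conn} is the space-separated
# list of addresses printed as "connected from:", $peerIP{"$conn|$addr"} the
# per-address sighting counter used to build that list without duplicates.
my (%conns, %peerIP, %peerID, %rekeysuccess, %rekeyfail, %ipsecSAs, %maxattempts);

# Collected but not (yet) reported; kept so the report can be extended.
my (%peer, %stateobjects, %statechain, %quickmode, %rekeyfail_notknown);
my (%rekeyfailQI1, %rekeyfailQR1, %rekeyfailI1, %rekeyfailR1, %rekeyfail_ICMPunreachable);
my $baddelete = 0;

# Peers whose Main Mode message matched no exchange, keyed "[addr]:port".
my %badexch;

# Messages Pluto emits during normal operation that carry nothing worth
# reporting.  Matched against the text following "#<state>:".
my @ignore_re = (
    qr/ISAKMP SA expired/,
    qr/responding to Main Mode/,
    qr/responding to Quick Mode/,
    qr/IPsec SA expired/,
    qr/ignoring informational payload, type IPSEC_INITIAL_CONTACT/,
    qr/regenerating DH private secret to avoid Pluto 1.0 bug handling public value with leading zero/,
    qr/regenerating DH private secret to avoid Pluto 1.0 bug handling shared secret with leading zero/,
    qr/shared DH secret has leading zero -- triggers Pluto 1.0 bug/,
    qr/ignoring Delete SA payload/,
    qr/received and ignored informational message/,
    qr/discarding duplicate packet; already STATE_MAIN_../,
    qr/discarding duplicate packet; already STATE_QUICK_../,
    qr/deleting state \(STATE_MAIN_..\)/,
    qr/deleting state \(STATE_QUICK_..\)/,
    qr/Quick Mode .. message is unacceptable because it uses a previously used Message ID/,
    qr/deleting connection .* instance with peer .*/,
    qr/dropping and reinitiating exchange to avoid Pluto 1.0 bug handling DH shared secret with leading zero byte/,
);

LINE: while (my $line = <>) {
    # May 4 04:04:33 abigail Pluto[24170]: "abigail-istari" #1479: ISAKMP SA expired (LATEST!)
    chomp $line;    # chomp, not chop: a final line without "\n" must keep its last char

    # Split on runs of spaces so the syslog "May  4" double space is harmless;
    # the limit of 7 keeps the whole message text in $msg.
    my ($month, $day, $time, $host, $process, $conn, $msg) = split(/ +/, $line, 7);
    next LINE unless defined $process && $process =~ /pluto/i;

    my $today = "$month $day";
    $loglines{$today}++;

    # Short lines (no connection / message field) decode as empty strings
    # and fall into the "Failed to decode" branch below.
    $conn = '' unless defined $conn;
    $msg  = '' unless defined $msg;
    print STDERR "Msg: $msg\n" if $debug > 1;

    my ($ipaddr, $stateinfo, $rest);
    if ($msg =~ /([^#]*)#(\d*):(.*)/) {
        # "[<peer addr> ]#<state>: <text>"; $ipaddr keeps its trailing
        # space, which is what makes "connected from:" read as it does.
        ($ipaddr, $stateinfo, $rest) = ($1, $2, $3);
    } elsif ($msg =~ /no Phase 1 state for Delete/) {
        $baddelete++;
        next LINE;
    } elsif ($msg =~ /from ([^:]*):([^:]*): Main Mode message is part of an unknown exchange/) {
        # Unsolicited Main Mode traffic; keyed by the sender so the report
        # shows who is probing us.
        $badexch{"[$1]:$2"}++;
        next LINE;
    } else {
        print STDERR "Failed to decode: $msg (of $line)\n" if $debug;
        next LINE;
    }

    $conn =~ s/"(.*)"/$1/;
    $conns{$conn}++;

    # First sighting of this address on this connection: append it to the
    # printable address list.
    if (!defined $peerIP{"$conn|$ipaddr"}) {
        $peerIP{$conn} = '' unless defined $peerIP{$conn};
        $peerIP{$conn} .= $ipaddr . " ";
    }
    $peerIP{"$conn|$ipaddr"}++;

    $stateobjects{$stateinfo}++;
    if (!defined $peer{$stateinfo} && length($ipaddr) > 0) {
        $peer{$stateinfo} = $ipaddr;
    }

    # Drop the routine chatter before counting the line as relevant.
    for my $noise (@ignore_re) {
        next LINE if $rest =~ $noise;
    }
    $relevantlog{$today}++;
    print STDERR "Rest is $rest\n" if $debug > 1;

    # Classify what is left.  Branches that record nothing further simply
    # fall out of the chain; the loop ends either way.
    if ($rest =~ /initiating Main Mode to replace #(.*)/) {
        $statechain{"$conn|$stateinfo"} = "$conn|$1";
    } elsif ($rest =~ /initiating Main Mode/) {
        $statechain{"$conn|$stateinfo"} = "$conn";
    } elsif ($rest =~ /initiating Quick Mode (.*) to replace #(.*)/) {
        my ($phase2, $oldinfo) = ($1, $2);
        $statechain{"$conn|$stateinfo"} = "$conn|$oldinfo";
        $quickmode{"$conn"} = '' unless defined $quickmode{"$conn"};
        $quickmode{"$conn"} .= " " . $phase2;
    } elsif ($rest =~ /initiating Quick Mode (.*)/) {
        my $phase2 = $1;
        $statechain{"$conn|$stateinfo"} = "$conn";
        $quickmode{"$conn"} = '' unless defined $quickmode{"$conn"};
        $quickmode{"$conn"} .= " " . $phase2;
    } elsif ($rest =~ /ISAKMP SA established/) {
        $rekeysuccess{$conn}++;
    } elsif ($rest =~ /cannot respond to IPsec SA request because no connection is known for (.*)/) {
        my $unknown = $1;
        $rekeyfail{$conn}++;
        $rekeyfail_notknown{$unknown}++;
    } elsif ($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_I./) {
        $rekeyfail{$conn}++;
        $rekeyfailQI1{$conn}++;
    } elsif ($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_R./) {
        $rekeyfail{$conn}++;
        $rekeyfailQR1{$conn}++;
    } elsif ($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_I./) {
        $rekeyfail{$conn}++;
        $rekeyfailI1{$conn}++;
    } elsif ($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_R./) {
        $rekeyfail{$conn}++;
        $rekeyfailR1{$conn}++;
    } elsif ($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
        # (The original had this branch twice; the second copy was unreachable.)
        $rekeyfail{$conn}++;
        $rekeyfail_ICMPunreachable{$conn}++;
    } elsif ($rest =~ /starting keying attempt (.*) of an unlimited number/) {
        # Track the highest retry count seen per connection.
        my $attempt = $1;
        if (!defined $maxattempts{$conn} || $maxattempts{$conn} < $attempt) {
            $maxattempts{$conn} = $attempt;
        }
    } elsif ($rest =~ /Vendor ID: (.*)/) {
        # The VID is whatever the peer sent; unknown ones are remembered with
        # where they were first seen, without an embedded newline so the
        # report line stays a single line.
        my $vid = $1;
        if (defined $vendorID{$vid}) {
            $peerID{$conn} = $vendorID{$vid};
        } else {
            $peerID{$conn}  = "unknown $vid";
            $vendorID{$vid} = "unknown $vid at $stateinfo/$ipaddr";
        }
    } elsif ($rest =~ /IPsec SA established/) {
        # Also covers "sent QI2, IPsec SA established".
        $ipsecSAs{$conn}++;
    } else {
        print STDERR "UNKNOWN: $line\n";
    }
}

# Keys are sorted so consecutive runs over the same log produce the same
# report, which makes the output diffable.
print "Overview summary of log files:\n";
foreach my $day (sort keys %loglines) {
    print "\t $day had " . $loglines{$day} . " entries of which "
        . ($relevantlog{$day} || 0) . " were relevant\n";
}

print "Summary by peer:\n";
foreach my $conn (sort keys %conns) {
    print " Peer $conn caused $conns{$conn} lines of output.\n";
    print "\tconnected from:" . $peerIP{$conn} . "\n";
    if (defined $peerID{$conn}) {
        print "\tVID: " . $peerID{$conn} . "\n";
    }
    print "\tKeyed: " . ($rekeysuccess{$conn} || 0) . " successes "
        . ($rekeyfail{$conn} || 0) . " failures (max retries: "
        . ($maxattempts{$conn} || 0) . ")\n";
    print "\tIPsec SAs: " . ($ipsecSAs{$conn} || 0) . "\n";
}

print "Summary of bad peers\n";
foreach my $badpeer (sort keys %badexch) {
    print "\t" . $badpeer . " caused " . $badexch{$badpeer} . " bad exchanges\n";
}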
--Multipart_Sun_Sep__8_08:53:31_2002-1
Content-Type: text/plain; charset=US-ASCII
--Multipart_Sun_Sep__8_08:53:31_2002-1--