Firewall Wizards mailing list archives
PIX log analysis script
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 8 Oct 2003 13:27:06 -0400
I wrote this script for a project I recently completed. It's specific to the PIX OS 6.2 and later syslog message format. It looks at allowed inbound traffic, though it would be easy to modify it for inbound and/or denied traffic as well. I used it to help create access-lists for what is a very busy firewall that was fairly open. It saved me a lot of time and I'm hoping that maybe someone else can benefit from it, too.

(PS - be kind. Please keep in mind that I am not, nor have I ever aspired to be, a developer. Though, I am kinda proud of the spiffy IP-aware sort in lines 28 and 43.)

IMPORTANT Security Disclaimer: This script uses unsafe temp file naming. DO NOT RUN as root! DO NOT RUN in a world- or group-writable directory such as /tmp. There should be no need to.

PaulM

#!/bin/sh -f
#
# PIX 6.2-6.3 syslog parser
# Lists incoming traffic by dest IP/port,
# source IP, service, and occurrences.
#
# It's a shell script, so I guess it's Open Source. :-)
#
# Paul Melson (pmelson_at_analysts_dot_com)
#

# $1 is the log file, $2 (optional) the minimum number of occurrences
# a dest IP/port + source IP pair needs before it is reported.
if [ "$1x" = x ]; then
    echo "Usage: $0 <filename> <min. instances>"
    exit 1
fi

if [ "$2x" != x ]; then
    lim=`expr "$2"`
else
    lim=10
fi

echo "`date` Parsing data..."

# Reduce each "Built inbound" message to <dest IP>/<dest port>_from_<source IP>,
# one per line, into a temp file named after the log file (see the warning above).
grep 'Built inbound TCP' "$1" | sed 's/\(.*\):\(.*\):\(.*\):\(.*\):\(.*\)\/\(.*\)\/\(.*\):\(.*\)\ \(.*\)/\8_from_\5/' > "$1-inbound.tcp.tmp1" 2>/dev/null
grep 'Built inbound UDP' "$1" | sed 's/\(.*\):\(.*\):\(.*\):\(.*\):\(.*\)\/\(.*\)\/\(.*\):\(.*\)\ \(.*\)/\8_from_\5/' > "$1-inbound.udp.tmp1" 2>/dev/null

echo -n "`date` Building report..."

first=`head -1 "$1" | cut -f1-2`
last=`tail -2 "$1" | head -1 | cut -f1-2`
date > "$1-rpt.txt"
echo "----------------------------" >> "$1-rpt.txt"
echo "Log file: $1" >> "$1-rpt.txt"
echo "Log file starts: ${first}" >> "$1-rpt.txt"
echo "Log file ends: ${last}" >> "$1-rpt.txt"
echo >> "$1-rpt.txt"

echo "Incoming TCP hosts/ports" >> "$1-rpt.txt"
echo "------------------------" >> "$1-rpt.txt"
# IP-aware sort: numeric on each dotted octet, so 10.1.1.2 lands before 10.1.1.10.
for dst in `cat "$1-inbound.tcp.tmp1" | sort -t . -n -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq`
do
    # -x -F: count whole-line, literal matches only (no substring or regex-dot hits)
    num=`grep -cxF "${dst}" "$1-inbound.tcp.tmp1"`
    if [ "${num}" -gt "${lim}" ]; then
        prt=`echo "$dst" | cut -d/ -f2 | cut -d_ -f1`
        svc=`grep -w -m1 "${prt}/tcp" /etc/services | cut -f1-2`
        echo "${dst}" >> "$1-rpt.txt"
        echo "- Service: ${svc}" >> "$1-rpt.txt"
        echo "- Number of occurrences: ${num}" >> "$1-rpt.txt"
        echo >> "$1-rpt.txt"
    fi
done
# rm "$1-inbound.tcp.tmp1"

echo >> "$1-rpt.txt"
echo "Incoming UDP hosts/ports" >> "$1-rpt.txt"
echo "------------------------" >> "$1-rpt.txt"
for dst in `cat "$1-inbound.udp.tmp1" | sort -t . -n -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq`
do
    num=`grep -cxF "${dst}" "$1-inbound.udp.tmp1"`
    if [ "${num}" -gt "${lim}" ]; then
        prt=`echo "$dst" | cut -d/ -f2 | cut -d_ -f1`
        svc=`grep -w -m1 "${prt}/udp" /etc/services | cut -f1-2`
        echo "${dst}" >> "$1-rpt.txt"
        echo "- Service: ${svc}" >> "$1-rpt.txt"
        echo "- Number of occurrences: ${num}" >> "$1-rpt.txt"
        echo >> "$1-rpt.txt"
    fi
done
# rm "$1-inbound.udp.tmp1"

echo " $1-rpt.txt done."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
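Added example, not code from the post above: the same summary (inbound "Built" messages grouped by destination IP/port and source IP, a minimum-count threshold, and an octet-by-octet IP-aware sort) redone in Python, held in memory so no temp files are written at all. It assumes the PIX 6.3-style 302013/302015 message layout shown in the constructed sample lines; the regex, the function names and the sample log are this example's own assumptions. Unlike the script's `-gt` test, the threshold here is "at least min_count", which is what the usage text's "min. instances" describes.

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample in the PIX 6.3 302013/302015 layout (an assumption of this
# example, not lines from the original post). The teardown and outbound lines
# are there to show that only "Built inbound" messages are counted.
SAMPLE_LOG = """\
Oct  8 13:01:02 pixfw %PIX-6-302013: Built inbound TCP connection 1001 for outside:192.0.2.5/40001 (192.0.2.5/40001) to inside:10.1.1.10/80 (10.1.1.10/80)
Oct  8 13:01:03 pixfw %PIX-6-302013: Built inbound TCP connection 1002 for outside:192.0.2.5/40002 (192.0.2.5/40002) to inside:10.1.1.10/80 (10.1.1.10/80)
Oct  8 13:01:04 pixfw %PIX-6-302013: Built inbound TCP connection 1003 for outside:192.0.2.77/40003 (192.0.2.77/40003) to inside:10.1.1.10/80 (10.1.1.10/80)
Oct  8 13:01:05 pixfw %PIX-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.9/40004 (198.51.100.9/40004) to inside:10.1.1.2/22 (10.1.1.2/22)
Oct  8 13:01:06 pixfw %PIX-6-302015: Built inbound UDP connection 1005 for outside:192.0.2.5/5000 (192.0.2.5/5000) to inside:10.1.1.100/53 (10.1.1.100/53)
Oct  8 13:01:07 pixfw %PIX-6-302015: Built inbound UDP connection 1006 for outside:192.0.2.5/5001 (192.0.2.5/5001) to inside:10.1.1.100/53 (10.1.1.100/53)
Oct  8 13:01:08 pixfw %PIX-6-302014: Teardown TCP connection 1001 for outside:192.0.2.5/40001 to inside:10.1.1.10/80 duration 0:00:05 bytes 1234 TCP FINs
Oct  8 13:01:09 pixfw %PIX-6-302013: Built outbound TCP connection 1007 for inside:10.1.1.50/40005 (10.1.1.50/40005) to outside:203.0.113.8/443 (203.0.113.8/443)
"""

# Assumed message layout: "Built inbound <proto> connection <id> for
# <if>:<src_ip>/<src_port> (<mapped>) to <if>:<dst_ip>/<dst_port> (<mapped>)".
BUILT_INBOUND = re.compile(
    r"Built inbound (?P<proto>TCP|UDP) connection \d+ for "
    r"\w+:(?P<src_ip>\d+\.\d+\.\d+\.\d+)/\d+ \([\d.]+/\d+\) to "
    r"\w+:(?P<dst_ip>\d+\.\d+\.\d+\.\d+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
)


def parse_inbound(lines):
    """Yield (proto, dst_ip, dst_port, src_ip) for each 'Built inbound' line."""
    for line in lines:
        m = BUILT_INBOUND.search(line)
        if m:
            yield (m.group("proto"), m.group("dst_ip"),
                   int(m.group("dst_port")), m.group("src_ip"))


def summarize_inbound(lines, min_count=10):
    """Count connections per (proto, dst_ip, dst_port, src_ip), keep the keys
    seen at least min_count times, and sort them numerically octet by octet
    (10.1.1.2 before 10.1.1.10, which a plain string sort gets wrong)."""
    counts = Counter(parse_inbound(lines))
    rows = [key + (n,) for key, n in counts.items() if n >= min_count]
    rows.sort(key=lambda r: (r[0], ipaddress.ip_address(r[1]), r[2],
                             ipaddress.ip_address(r[3])))
    return rows


def service_name(port, proto):
    """Service lookup equivalent to the script's grep of /etc/services;
    'unknown' when the local services table has no entry."""
    try:
        return socket.getservbyport(port, proto.lower())
    except OSError:
        return "unknown"


def format_report(rows):
    """Render rows in the post's '<dst>/<port>_from_<src>' report layout."""
    out = []
    for proto, dst_ip, dst_port, src_ip, n in rows:
        out.append(f"{dst_ip}/{dst_port}_from_{src_ip} ({proto})")
        out.append(f"- Service: {service_name(dst_port, proto)}")
        out.append(f"- Number of occurrences: {n}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    # Usage: python3 pix_inbound.py [logfile] [min_count]; with no arguments
    # the constructed sample is summarized with a threshold of 2.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 2
    print(format_report(summarize_inbound(log_lines, threshold)))
```

Counting on the full (proto, dst, port, src) tuple is what removes the substring-match risk of `grep -c "${dst}"` against a temp file, and the `ipaddress` sort key replaces the `sort -t . -n` trick with an explicit numeric comparison per address.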