Firewall Wizards mailing list archives

PIX log analysis script


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 8 Oct 2003 13:27:06 -0400

I wrote this script for a project I recently completed.  It's specific to the PIX OS 6.2 and later syslog message 
format.  It looks at allowed inbound traffic, though it would be easy to modify it for inbound and/or denied traffic as 
well.   I used it to help create access-lists for what is a very busy firewall that was fairly open.  It saved me a lot 
of time and I'm hoping that maybe someone else can benefit from it, too.  (PS - be kind.  Please keep in mind that I am 
not, nor have I ever aspired to be, a developer.  Though, I am kinda proud of the spiffy IP-aware sort in lines 28 and 
43.)

IMPORTANT Security Disclaimer:  This script uses unsafe temp file naming.  DO NOT RUN as root!  DO NOT RUN in a world- 
or group-writable directory such as /tmp.  There should be no need to.

PaulM

#!/bin/sh -f
# 
# PIX 6.2-6.3 syslog parser
# Lists incoming traffic by dest IP/port,
# source IP, service, and occurrences.
#
# It's a shell script, so I guess it's Open Source. :-)
#
# Paul Melson (pmelson_at_analysts_dot_com)
#

if [ "$1x" = x ]; then echo "Usage: $0 <filename> <min. instances>"
  exit 1
fi
if [ "$2x" != x ]; then lim=`expr $2`
  else lim=10
fi
echo "`date` Parsing data..."
# Reduce each "Built inbound" message to one line of the form
# dstip/dstport_from_srcip in a temp file (the > redirect into the
# temp file was dropped from the posted copy).
grep Built\ inbound\ TCP $1 |sed 's/\(.*\):\(.*\):\(.*\):\(.*\):\(.*\)\/\(.*\)\/\(.*\):\(.*\)\ \(.*\)/\8_from_\5/' \
  > $1-inbound.tcp.tmp1 2>/dev/null
grep Built\ inbound\ UDP $1 |sed 's/\(.*\):\(.*\):\(.*\):\(.*\):\(.*\)\/\(.*\)\/\(.*\):\(.*\)\ \(.*\)/\8_from_\5/' \
  > $1-inbound.udp.tmp1 2>/dev/null
echo -n "`date` Building report..."
date > $1-rpt.txt
echo "----------------------------" >> $1-rpt.txt
echo "Log file: $1" >> $1-rpt.txt
echo "Log file starts: `head -1 $1 |cut -f1-2`" >> $1-rpt.txt
echo "Log file ends: `tail -2 $1 |head -1 |cut -f1-2`" >> $1-rpt.txt
echo >> $1-rpt.txt
echo "Incoming TCP hosts/ports" >> $1-rpt.txt
echo "------------------------" >> $1-rpt.txt
# IP-aware sort: each dotted octet is its own numeric key, so 10.1.1.5
# sorts before 10.1.1.50.  (-k replaces the obsolete +0 -1 key syntax,
# which current GNU sort rejects.)
for dst in `sort -t . -k1,1n -k2,2n -k3,3n -k4,4n $1-inbound.tcp.tmp1 |uniq`
do
  # -x -F: count exact whole-line matches, so 1.2.3.4 does not also count 1.2.3.40
  num=`grep -cxF "${dst}" $1-inbound.tcp.tmp1`
  if [ ${num} -gt ${lim} ]; then 
    prt=`echo $dst |cut -d/ -f2 |cut -d_ -f1`
    echo "${dst}" >> $1-rpt.txt
    echo "- Service: `grep -m1 ${prt}/tcp /etc/services |cut -f1-2`" >> $1-rpt.txt
    echo "- Number of occurrences: ${num}" >> $1-rpt.txt
    echo >> $1-rpt.txt
  fi
done
# rm $1-inbound.tcp.tmp1
echo >> $1-rpt.txt
echo "Incoming UDP hosts/ports" >> $1-rpt.txt
echo "------------------------" >> $1-rpt.txt
for dst in `sort -t . -k1,1n -k2,2n -k3,3n -k4,4n $1-inbound.udp.tmp1 |uniq`
do
  num=`grep -cxF "${dst}" $1-inbound.udp.tmp1`
  if [ ${num} -gt ${lim} ]; then
    prt=`echo $dst |cut -d/ -f2 |cut -d_ -f1`
    echo "${dst}" >> $1-rpt.txt
    echo "- Service: `grep -m1 ${prt}/udp /etc/services |cut -f1-2`" >> $1-rpt.txt
    echo "- Number of occurrences: ${num}" >> $1-rpt.txt
    echo >> $1-rpt.txt
  fi
done
# rm $1-inbound.udp.tmp1
echo " $1-rpt.txt done."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
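The same aggregation (inbound "Built" messages counted per destination IP, destination port and source IP, filtered by a minimum count and sorted IP-aware), written here in Python as an added example; this is not Paul's script and not Cisco code. It assumes the PIX 6.x 302013/302015 message wording shown in the constructed sample lines, reads /etc/services through the standard library, and keeps everything in memory, so it needs no temp files at all.

```python
#!/usr/bin/env python3
"""Aggregate PIX 6.x 'Built inbound' syslog messages by destination, port and source."""
import ipaddress
import re
import socket
import sys
from collections import Counter

# Constructed sample lines in the PIX 6.x 302013/302015 format (not real log data).
SAMPLE_LOG = """\
Oct  8 12:00:01 fw1 %PIX-6-302013: Built inbound TCP connection 1001 for outside:192.0.2.10/40001 (192.0.2.10/40001) to inside:10.1.1.5/80 (10.1.1.5/80)
Oct  8 12:00:02 fw1 %PIX-6-302013: Built inbound TCP connection 1002 for outside:192.0.2.10/40002 (192.0.2.10/40002) to inside:10.1.1.5/80 (10.1.1.5/80)
Oct  8 12:00:03 fw1 %PIX-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.1.1.5/80 (10.1.1.5/80)
Oct  8 12:00:04 fw1 %PIX-6-302015: Built inbound UDP connection 1004 for outside:192.0.2.10/5353 (192.0.2.10/5353) to inside:10.1.1.9/53 (10.1.1.9/53)
Oct  8 12:00:05 fw1 %PIX-6-302015: Built inbound UDP connection 1005 for outside:192.0.2.10/5354 (192.0.2.10/5354) to inside:10.1.1.9/53 (10.1.1.9/53)
Oct  8 12:00:06 fw1 %PIX-6-302013: Built inbound TCP connection 1006 for outside:192.0.2.10/40003 (192.0.2.10/40003) to inside:10.1.1.5/80 (10.1.1.5/80)
Oct  8 12:00:07 fw1 %PIX-6-302013: Built outbound TCP connection 1007 for inside:10.1.1.20/33000 (10.1.1.20/33000) to outside:203.0.113.1/443 (203.0.113.1/443)
Oct  8 12:00:08 fw1 %PIX-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/40001 to inside:10.1.1.5/80 duration 0:00:07 bytes 1234 TCP FINs
"""

# One regex anchored on the message text replaces the colon-counting sed
# expression, so the syslog timestamp/host prefix can vary without breaking it.
BUILT_INBOUND = re.compile(
    r"Built inbound (?P<proto>TCP|UDP) connection \d+ "
    r"for \S+?:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to \S+?:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
)


def count_inbound(lines):
    """Count connections per (proto, dst_ip, dst_port, src_ip).
    Outbound and Teardown messages are ignored, like the grep filter in the script."""
    counts = Counter()
    for line in lines:
        m = BUILT_INBOUND.search(line)
        if m:
            counts[(m["proto"], m["dst_ip"], int(m["dst_port"]), m["src_ip"])] += 1
    return counts


def _ip_key(item):
    """Sort key giving numeric per-octet order (10.1.1.5 before 10.1.1.50)."""
    proto, dst_ip, dst_port, src_ip = item[0]
    return (proto, ipaddress.ip_address(dst_ip), dst_port, ipaddress.ip_address(src_ip))


def service_name(port, proto):
    """Look the port up in /etc/services; 'unknown' if absent or unavailable."""
    try:
        return socket.getservbyport(port, proto.lower())
    except OSError:
        return "unknown"


def report(counts, min_instances):
    """Rows (proto, dst_ip, dst_port, src_ip, service, count) for entries seen
    more than min_instances times (same strict comparison as the script's -gt)."""
    rows = []
    for key, n in sorted(counts.items(), key=_ip_key):
        if n > min_instances:
            proto, dst_ip, dst_port, src_ip = key
            rows.append((proto, dst_ip, dst_port, src_ip, service_name(dst_port, proto), n))
    return rows


def format_report(rows):
    """Render rows in the same layout as the script's report file."""
    out = []
    for proto, dst_ip, dst_port, src_ip, svc, n in rows:
        out.append(f"{proto} {dst_ip}/{dst_port} from {src_ip}")
        out.append(f"- Service: {svc}")
        out.append(f"- Number of occurrences: {n}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # usage: pix_inbound.py [logfile] [min_instances]; no args runs the sample
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    lim = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    print(format_report(report(count_inbound(lines), lim)))
```

Because the counting is done in a Counter rather than by re-grepping a temp file for every distinct key, the run is a single pass over the log, and the temp-file naming concern from the disclaimer disappears with the temp files themselves. The sort key uses ipaddress objects, which gives the per-octet ordering the script gets from sort -t . with four numeric keys.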

