Port Connections - Logged, Parsed, Mailed.
Apr 19 2007 Programming

The router logs every connection attempt that isn't explicitly allowed.
At the end of the day a script parses the log and mails the results to me.

I don't think it's a good idea to post my internal routing here.
Suffice it to say a few ports are allowed, along with anything related to an established connection. We have throttling and all that good stuff. Here's the code that parses and mails the log.

#!/usr/bin/perl

# e dziewa december 2007

use strict;
use warnings;

my $in  = "/var/log/debug";
my $OFH = "/tmp/daily_debug_log";

# `date` prints e.g. "Thu Apr 19 12:00:00 EDT 2007"; fields 1 and 2 ("Apr 19")
# are what today's syslog lines start with.
my @date_match = split / +/, `date`;

my %hash_of_ip;    # source IP -> dropped-packet count
my %ports_by_ip;   # source IP -> { destination port -> count }
my %porthash;      # destination port -> count over all sources
my ($i, $j) = (0, 0);

open(FH, "<", $in) or die("couldn't open $in: $!");
while (<FH>) {
    next unless /^$date_match[1] +$date_match[2]/;    # today's lines only
    my ($ip_value) = /SRC=(\d{1,3}(?:\.\d{1,3}){3})/ or next;
    ###    broadcast traffic ###
    next if $ip_value eq "10.60.128.1";               # exact match, not a regex with unescaped dots
    # DPT= is absent for ICMP, so those land under an empty port label
    my ($theport) = /DPT=(\d*)\s/;
    $theport = "" unless defined $theport;
    $i++;
    $hash_of_ip{$ip_value}++;
    $ports_by_ip{$ip_value}{$theport}++;
    $porthash{$theport}++;
}
close FH;

open(FH, ">", $OFH) or die("couldn't open $OFH: $!");
select FH;

# sources with more than two drops, busiest first
my @out = sort { $hash_of_ip{$b} <=> $hash_of_ip{$a} } keys %hash_of_ip;
my $z = 0;
foreach my $out (@out) {
    next unless $hash_of_ip{$out} > 2;
    print "\nIP : $out, Count : $hash_of_ip{$out}.\n";
    my $ports = $ports_by_ip{$out};
    foreach my $keyy (sort { $ports->{$b} <=> $ports->{$a} } keys %$ports) {
        print " (Port $keyy Count $ports->{$keyy})";
    }

    # look up only the top source
    if ($z == 0) {
        my $ournslookup = `nslookup $out`;
        print "\nnslookup follows\n$ournslookup";
        my $ourwhois = `whois $out`;
        print "whois follows\n$ourwhois";
        $z = 1;
    }
}

print "\n\n";
my @psort = sort { $porthash{$b} <=> $porthash{$a} } keys %porthash;
foreach my $sortedport (@psort) {
    print "($sortedport : $porthash{$sortedport})\n";
    $j++;
}

close FH;
select STDOUT;
my $results = `cat $OFH`;
mail_results();
exit;

sub mail_results {
    my $subject = "-s \"Packets Dropped for $date_match[1] $date_match[2]\"";
    my $from    = "-r dailyresults\@dziewa.com";
    my $mailto  = "amailbox\@dziewa.com";
    open(MAILER, "|/usr/bin/mail $subject $from $mailto") or die("couldn't mail $subject $from $mailto: $!");
    print MAILER <<"EOF";
ga.ia results

$results

Total records read: $i
Total ports: $j
C.O. Eric Dziewa
EOF
    close MAILER;
}

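As an added example (not the author's script), the same per-source and per-port tally in Python, run over constructed, abbreviated netfilter LOG lines. It compares the router's own address exactly and files ICMP entries, which carry no DPT= field, under their protocol name instead of an empty key.

```python
import re
from collections import Counter, defaultdict

# Constructed, abbreviated netfilter LOG lines (not real traffic).
SAMPLE_LOG = """\
Apr 19 00:01:02 router kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22 SYN
Apr 19 00:01:09 router kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22 SYN
Apr 19 00:02:30 router kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=445 SYN
Apr 19 00:03:00 router kernel: IN=eth0 OUT= SRC=10.60.128.1 DST=255.255.255.255 PROTO=UDP SPT=67 DPT=68
Apr 19 00:03:05 router kernel: IN=eth0 OUT= SRC=10.60.128.10 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Apr 18 23:59:59 router kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=555 DPT=23 SYN
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) .*?"
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?PROTO=(?P<proto>\w+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"          # optional: ICMP lines carry no DPT=
)

def summarize(lines, mon, day, exclude=frozenset({"10.60.128.1"})):
    """Tally one day's dropped packets; returns
    (hits_per_ip, ports_per_ip, hits_per_port, total)."""
    hits_per_ip, hits_per_port, total = Counter(), Counter(), 0
    ports_per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["mon"] != mon or int(m["day"]) != int(day):
            continue
        if m["src"] in exclude:           # exact: 10.60.128.10 is still counted
            continue
        port = m["dpt"] or m["proto"]     # ICMP gets "ICMP" as its port label
        total += 1
        hits_per_ip[m["src"]] += 1
        ports_per_ip[m["src"]][port] += 1
        hits_per_port[port] += 1
    return hits_per_ip, ports_per_ip, hits_per_port, total

def report(hits_per_ip, ports_per_ip, hits_per_port, total, min_hits=2):
    """Same layout as the mailed report: sources with more than min_hits drops
    and their port breakdown, then every port, then the total."""
    out = []
    for ip, n in hits_per_ip.most_common():
        if n <= min_hits:
            break                         # most_common() is sorted descending
        ports = " ".join(f"(Port {p} Count {c})" for p, c in ports_per_ip[ip].most_common())
        out.append(f"IP : {ip}, Count : {n}. {ports}")
    out += [f"({p} : {c})" for p, c in hits_per_port.most_common()]
    out.append(f"Total records read: {total}")
    return "\n".join(out)
```

Calling `report(*summarize(SAMPLE_LOG.splitlines(), "Apr", 19))` on the sample lists 203.0.113.5 with three drops (two on 22, one on 445), skips the Apr 18 line and the router's own broadcast, and counts four records in total.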

Results

I would love to put the data into a database some day.

Off topic: I coded a parser that reads the mailed report and writes the results to a file I included in a webpage section. The section was titled "Top Bad Guys $date". I don't run this anymore.


#!/usr/bin/perl

# e dziewa may 2008

use strict;
use warnings;

my $sortedfileslist = "/absolutepath/sortedfiles";
my $writefile       = "/absolutepath/daily.f3";
my ($readmessegefile, $date);

# each stage prints once; these flags record which stages have already run
my ($been_in_a, $been_in_b, $been_in_c, $been_in_d, $been_in_e, $been_in_forgotten) = (0) x 6;

`ls -t1 /absolutepath/.maildir/new >$sortedfileslist`; ### readdir() would be better

open( FH, "<", $sortedfileslist ) or die "couldn't open $sortedfileslist -> $!";

# newest message first: stop at the first one whose Subject is a daily report
NEXTFILE:
    while (<FH>) {
        chomp;
        $readmessegefile = "/absolutepath/.maildir/new/" . $_;
        open ( RMFH, "<", $readmessegefile ) or die "couldn't open $readmessegefile -> $!";

        while (<RMFH>) {
            next unless /Subject: /;
            next NEXTFILE unless /Subject: Packets Dropped for/;
            ($date) = /Subject: Packets Dropped for (.*?)$/;
            close FH;
            close RMFH;
            last NEXTFILE;
        }
    }
die "no 'Packets Dropped' report found in the maildir" unless defined $date;

open ( RMFH, "<", $readmessegefile ) or die "couldn't open $readmessegefile -> $!";
open ( WF, ">", $writefile ) or die "couldn't open $writefile -> $!\n";
select WF;

# Each labeled bare block runs once per line. `next` inside it leaves only
# that block, so a line that does not fit one stage is still offered to the
# stages after it.
while (<RMFH>) {

    FORGOTTENLINE: {
        if ($been_in_forgotten == 0) {
            next unless /IP/;
            # "IP : 1.2.3.4, Count : 57." comes first because the report is sorted
            my @forgotten = /IP : (.*?)\, Count : (.*?).$/;
            print "Most prolific IP ($date) with: <span class=\"caps\">$forgotten[1]</span> rejected connects: <span class=\"caps\">$forgotten[0]</span> ";
            $been_in_forgotten = 1;
            last FORGOTTENLINE;
        }
    }
    LINEA: {
        if ($been_in_a == 0) {
            next unless /in-addr\.arpa/;
            # nslookup's "name =" line; the NXDOMAIN line mentions in-addr.arpa too, so skip it
            unless (/^\*\* server can't find/) {
                my ($hostname) = /name = (.*?)$/;
                chop $hostname;                 # drop the trailing dot of the FQDN
                print "<span class=\"caps\">$hostname</span><br>";
                $been_in_a = 1;
                $been_in_b = 1;                 # a hostname replaces the whois netname
                last LINEA;
            }
        }
    }
    LINEB: {
        if ($been_in_b == 0) {
            next unless /netname/;
            my ($netname) = /netname:\s*(.*?)$/;
            print "<span class=\"caps\">$netname</span> | ";
            $been_in_b = 1;
            last LINEB;
        }
    }
    LINEC: {
        if ($been_in_c == 0) {
            next unless /descr/;
            my ($descr) = /descr:\s*(.*?)$/;
            print "<span class=\"caps\">$descr</span><br>";
            $been_in_c = 1;
            last LINEC;
        }
    }
    LINED: {
        if ($been_in_d == 0) {
            next unless /^\(/;
            # the first "(port : count)" line is the most popular port (sorted descending)
            my @d = /\((.*?) : (.*?)\)$/;
            print "Our most popular port ($date): <span class=\"caps\">$d[0]</span> with <span class=\"caps\">$d[1]</span> rejected connects.<br>";
            $been_in_d = 1;
            last LINED;
        }
    }
    LINEE: {
        if ($been_in_e == 0) {
            next unless /Total records read: /;
            my ($total) = /Total records read: (.*?)$/;
            print "Total connections rejected ($date): <span class=\"caps\">$total</span>.";
            $been_in_e = 1;
            last LINEE;
        }
    }
}
close RMFH;
close WF;


Surprise. A good 95% are from China.

eric.dziewa.com is running WordPress.
WhiteSpace theme designed by E. Dziewa.
All content © E. Dziewa.