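#!/usr/bin/env bash
# Check FW-1 Log Script -- designed for FireWall-1 4.1
# Contributed by Steve Costaras
#
# Reads today's gzipped FW-1 export log, keeps the $ACTION records seen on
# $INTERFACE, looks up a contact address for every source IP via whois, and
# mails one complaint letter per contact through sendmail.
#
# _UNCOMMENT "TO" line in the e-mail section ONLY when you are sure this
# script is running the way you want it in your environment.  As shipped the
# "To:" line is commented out, so every letter for a real contact is
# delivered to $CC only.

# -u: an unset variable is a bug.  -e is deliberately NOT used: a grep that
# matches nothing is normal here and must not abort the run.
set -u
umask 077

DATE=$(date +"%Y%m%d")
LOGS=/var/log/fwlogs
LOGFILE=$LOGS/fwexport.log.${DATE}.gz
INTERFACE=hme0
ACTION=drop
FROMADDR=security@127.0.0.1
CC=security@127.0.0.1
# shellcheck disable=SC2034 -- kept from the original configuration block
BIN=/var/log/scripts
readonly DATE LOGS LOGFILE INTERFACE ACTION FROMADDR CC BIN

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Private, unpredictable work directory.  The old /tmp/checkfw.$$ names could
# be guessed and pre-created (or symlinked) by any local user before the
# rm -f/touch dance; mktemp -d plus umask 077 closes that.
WORKDIR=$(mktemp -d) || die "ERROR: mktemp failed"
readonly WORKDIR
LOGRAW=$WORKDIR/raw
LOGMRG=$WORKDIR/merged
LOGSRT=$WORKDIR/sorted
EMAIL=$WORKDIR/letter
readonly LOGRAW LOGMRG LOGSRT EMAIL

#######################################
# Remove the work directory; runs on every exit path via trap.
# Globals:   WORKDIR (read)
#######################################
cleanup() {
  rm -rf -- "${WORKDIR:?}"
}
trap cleanup EXIT

#######################################
# True when $1 looks like a plain mail address.  Everything that comes back
# from whois is untrusted, so a contact is only accepted when it contains no
# whitespace, backslashes or quotes -- nothing that could turn into an option,
# an awk escape or an extra mail header downstream.
# Arguments: $1 - candidate string
# Returns:   0 if acceptable, 1 otherwise
#######################################
is_mail_address() {
  [[ "$1" =~ ^[[:alnum:]._%+-]+@[[:alnum:].-]+$ ]]
}

#######################################
# Emit the $ACTION records for $INTERFACE in the fixed-width layout the rest
# of the script parses (columns: date time action fwnode int prot sourceAddr
# destAddr DPort SPort).  ICMP records carry their ports in other ';' fields
# of the export format, hence the two field lists.
# Arguments: $1 - "icmp" to select ICMP records, anything else for the rest
# Globals:   LOGFILE ACTION INTERFACE (read)
# Outputs:   formatted records on stdout
#######################################
extract_records() {
  local -a icmp_filter
  local fields
  if [[ "$1" == "icmp" ]]; then
    icmp_filter=(grep icmp)
    fields=2,3,4,6,8,10,11,12,24,25
  else
    icmp_filter=(grep -v icmp)
    fields=2,3,4,6,8,10,11,12,13,14
  fi
  # Note the deliberate swap of $3/$4 in the printf: the layout wants the
  # firewall node before the interface.  The original passed the script's
  # own $1 to awk as an extra file operand; that was a bug and is gone.
  gzcat "$LOGFILE" \
    | grep -F -- "$ACTION" \
    | grep -F -- "$INTERFACE" \
    | "${icmp_filter[@]}" \
    | cut -d';' -f "$fields" \
    | awk -F';' '{ printf("%9s %8s %6s %15s %-4s %4s %-15s %-15s %-10s %-10s\n",
                          $1, $2, $4, $3, $5, $6, $7, $8, $9, $10) }'
}

#######################################
# Find a contact address for an IP: ARIN first, then RIPE, then the default
# whois server, stopping at the first acceptable answer.
# Arguments: $1 - source address taken from the log
# Outputs:   one mail address on stdout; nobody@nowhere.com when none found
#######################################
lookup_zone_admin() {
  local ip=$1
  local admin=""
  # The address comes out of the firewall log; refuse anything that could be
  # parsed as a whois option instead of being queried.
  if [[ "$ip" =~ ^[[:alnum:]][[:alnum:].-]*$ ]]; then
    admin=$(whois -h whois.arin.net "$ip" | grep @ | awk '{ print $NF }' | head -n 1)
    if ! is_mail_address "$admin"; then
      admin=$(whois -h whois.ripe.net "$ip" | grep e-mail | awk '{ print $NF }' | head -n 1)
    fi
    if ! is_mail_address "$admin"; then
      admin=$(whois "$ip" | grep @ | awk '{ print $NF }' | head -n 1)
    fi
  fi
  if ! is_mail_address "$admin"; then
    admin="nobody@nowhere.com"
  fi
  printf '%s\n' "$admin"
}

#######################################
# Write one complaint letter for a contact into $EMAIL and hand it to
# sendmail -t (recipients are taken from the headers written here).
# Arguments: $1 - contact address (column 11 of $LOGSRT)
# Globals:   CC FROMADDR EMAIL LOGSRT (read)
#######################################
send_complaint() {
  local isp=$1
  {
    if [[ "$isp" != "nobody@nowhere.com" && "$isp" != "bitbucket@ripe.net" ]]; then
      # printf 'To: %s\n' "$isp"
      printf 'Cc: %s\n' "$CC"
    else
      printf 'To: %s\n' "$CC"
    fi
    printf 'Subject: Attempted Security Compromise from your network\n\n\n'
    printf 'Dear %s,\n\n' "$isp"
    printf 'Over the past few weeks we have received various attempted\n'
    printf 'break-ins from your network. Included is part of our firewall\n'
    printf 'log for your reference. All times are +/- 1sec GMT-5:\n\n\n'
    printf 'date time action fwnode int prot sourceAddr destAddr DPort SPort\n'
    # Select on the contact column itself.  The old "grep -i $ISP" was a
    # case-insensitive substring match over the whole line and handed the
    # whois-derived string to grep unquoted.
    awk -v isp="$isp" 'tolower($11) == tolower(isp)' "$LOGSRT" \
      | sort -d -f -M \
      | awk '{ printf("%9s %8s %6s %15s %4s %4s %-15s %-15s %-10s %-10s\n",
                      $1, $2, $3, $4, $5, $6, $7, $8, $9, $10) }'
  } > "$EMAIL"
  /usr/lib/sendmail -f "$FROMADDR" -t < "$EMAIL"
}

#######################################
# Whole run: extract, look up contacts, merge, sort, mail.
#######################################
main() {
  local tool ip admin isp

  for tool in gzcat whois awk sort; do
    command -v "$tool" >/dev/null || die "ERROR: required tool '$tool' not found"
  done
  [[ -x /usr/lib/sendmail ]] || die "ERROR: /usr/lib/sendmail is not executable"
  [[ -f "$LOGFILE" ]] || die "ERROR: $LOGFILE does not exist!"

  # Now lets grab and format this crap.
  {
    extract_records other
    extract_records icmp
  } > "$LOGRAW"

  # Find out who to contact for the IP zones and merge.
  : > "$LOGMRG"
  while IFS= read -r ip; do
    admin=$(lookup_zone_admin "$ip")
    # Exact match on the source-address column: a substring grep for
    # 10.1.1.1 would also pick up 10.1.1.10.  Both values were validated
    # above, so awk -v escape processing cannot be abused.
    awk -v ip="$ip" -v admin="$admin" '$7 == ip { print $0, admin }' "$LOGRAW" >> "$LOGMRG"
  done < <(awk '{ print $7 }' "$LOGRAW" | sort -u)

  # find all email addresses and sort it by e-mail address.
  grep -F @ "$LOGMRG" | sort -d -f -k 11 > "$LOGSRT"

  # Mail out the complaint letters (one per distinct contact of the
  # non-ICMP records; the letter itself lists every record for that contact).
  while IFS= read -r isp; do
    send_complaint "$isp"
  done < <(grep -v icmp "$LOGSRT" | awk '{ print $11 }' | sort -d -f | uniq)

  # Temp files are removed by the EXIT trap. Gotta keep things tiddy. ;)
}

main "$@"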