#!/usr/bin/perl
#----------------------------------------------------------------#
# Copyright 2003 (c) by I.S.                                     #
#----------------------------------------------------------------#
# pflog.pl 0.1 - Logfileauswertung fuer die OpenBSD PF-Firewall  #
#----------------------------------------------------------------#
#                Use all at your own risk                        #
#----------------------------------------------------------------#

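use strict;
use warnings;

# Human-readable names for the interfaces that appear in pflog records.
# The original script looked these up through a symbolic reference built
# from the log field ($$name); a plain hash keeps the lookup under strict.
my %name_of_interface = (
    fxp0 => "Internet",                  ### the external interface
    tx0  => "Intranet",                  ### the internal interface
);

# Hosts with more blocked packets than this are listed as "most active".
my $ACTIVE_HOST_THRESHOLD = 20;

# Fixed pflog location.  List form so no shell is involved and the
# arguments cannot be re-interpreted.
my @tcpdump_cmd = ('tcpdump', '-n', '-e', '-ttt', '-r', '/var/log/pflog');

# Parse one line of `tcpdump -n -e -ttt` output for a pflog record.
#
# Field positions (whitespace separated) are the ones the report relies on:
#   month day time "rule" rule-spec action direction "on" iface: src.port ">" dst.port: proto-or-flags ...
# Returns a hash reference with the fields the report needs, or an empty
# list for ICMP records (not reported) and for lines that do not have the
# expected layout.
sub parse_pflog_line {
    my ($line) = @_;
    my @field = split /\s+/, $line;
    return if @field < 13;
    return if $field[12] eq 'icmp:';     ### ICMP is left out of the report

    my ($hour, $minute) = split /:/, $field[2];
    return unless defined $minute;

    my @src = split /[.]/, $field[9];
    my @dst = split /[.]/, $field[11];
    return if @src < 5 || @dst < 5;      # expect a.b.c.d.port on both sides

    # Strip the trailing colon tcpdump prints after the interface and the
    # destination; a regex only removes the colon, where chop() would also
    # eat a digit on a line without one.
    (my $iface    = $field[8]) =~ s/:\z//;
    (my $dst_port = $dst[4])   =~ s/:\z//;

    # tcpdump names UDP explicitly; TCP lines show flags in this field instead.
    my $proto = $field[12] eq 'udp' ? 'udp' : 'tcp';

    return {
        month     => $field[0],
        day       => $field[1],
        time      => "$hour:$minute",
        action    => $field[5],
        direction => $field[6],
        on        => $field[7],
        iface     => $iface,
        src_ip    => join('.', @src[0 .. 3]),
        dst_ip    => join('.', @dst[0 .. 3]),
        dst_port  => $dst_port,
        proto     => $proto,
    };
}

open(my $pflog, '-|', @tcpdump_cmd)
    or die "cannot run @tcpdump_cmd: $!";
my @all = <$pflog>;
# A failed close here means tcpdump did not exit cleanly; the report is
# still produced from whatever was read (best effort, as before).
close($pflog)
    or warn "tcpdump did not exit cleanly (status $?): $!";

my @later;            # one report line per reported packet, in log order
my @hosts;            # distinct source addresses in order of first appearance
my %seen_host;        # exact-match lookup; the old regex test matched substrings
my %packets_from;     # source address -> number of blocked packets

for my $line (@all) {
    my $rec = parse_pflog_line($line) or next;

    my $iface_name = $name_of_interface{ $rec->{iface} };
    $iface_name = '' unless defined $iface_name;

    # Inbound packets are shown under the remote source, outbound packets
    # under the remote destination; the tally always uses the source.
    if ($rec->{direction} eq 'in' || $rec->{direction} eq 'out') {
        my $shown_ip = $rec->{direction} eq 'in' ? $rec->{src_ip} : $rec->{dst_ip};
        push @later, "[$rec->{day}/$rec->{month} $rec->{time}]    $rec->{action} $rec->{proto} $rec->{direction} $rec->{on} $iface_name \tIP:  $shown_ip  \tPort:  $rec->{dst_port}\n";
    }

    $packets_from{ $rec->{src_ip} }++;
    push @hosts, $rec->{src_ip} unless $seen_host{ $rec->{src_ip} }++;
}

print "\nOpenBSD-Firewall Statistik\n";
print "--------------------------\n\n";

my $packet_count = scalar @all;
print " Gesamtanzahl geblockter Pakete: $packet_count\n";

my $host_count = scalar @hosts;
print " Anzahl der dafuer verantwortlichen externen Hosts: $host_count\n";

print "\nDie aktivsten Hosts\n";
print "-------------------\n\n";
for my $host (@hosts) {
    my $blocked = $packets_from{$host};
    print " Block Pakete: $blocked \tAbsender-IP: $host\n" if $blocked > $ACTIVE_HOST_THRESHOLD;
}

print "\nBlock-Report\n";
print "------------\n\n";
print " @later\n";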

