Firewall Wizards mailing list archives

Re: PIX log analysis script


From: Vladimir Parkhaev <vladimir () arobas net>
Date: Thu, 9 Oct 2003 11:35:17 -0400

Quoting Melson, Paul (PMelson () sequoianet com):
I wrote this script for a project I recently completed.  It's specific to the PIX OS 6.2 and later syslog message format.

Nice fork() fest :)
Here is my perl version of the same...


#!/usr/local/bin/perl
use strict;
use warnings;

# Example of the PIX 6.2+ syslog line this script expects (a single line in the log):
# Oct  9 00:36:16 fw Oct 09 2003 00:36:16: %PIX-6-302013: Built inbound TCP connection 8091666 for outside:111.222.33.4/1025 (111.222.33.4/1025) to inside:10.0.0.1/80 (22.3.4.5/80)

my $fn = shift || die "Usage: $0 log\n";

my $err_code   = '%PIX-6-302013:';   # only "Built ... connection" messages count; tested first to skip everything else cheaply
my $direction  = 'inbound';          # count connections built in this direction only

# Whitespace-separated field positions in the line above, counting from 0
my $code_fld   = 8;                  # %PIX-6-302013:
my $dir_fld    = 10;                 # inbound / outbound
my $proto_fld  = 11;                 # TCP / UDP
my $src_fld    = 15;                 # outside:addr/port, the real address (the mapped one follows in parentheses when NAT/PAT is used)
my $dst_fld    = 18;                 # inside:addr/port, likewise the real address

my %hits;                            # $hits{proto}{src_ip}{dst_ip/port} = count

open ( IN, '<', $fn ) or die "Can't open $fn: $!\n";
while ( <IN> ) {
   my @flds = split;
   next unless defined $flds[$code_fld] && $flds[$code_fld] eq $err_code;

   if ( $flds[$proto_fld] =~ /^(UDP|TCP)\b/ && $flds[$dir_fld] eq $direction ) {
      my $proto = $1;
      my $src   = (split /:|\//, $flds[$src_fld])[1];   # "outside:111.222.33.4/1025" -> 111.222.33.4
      my $dst   = (split /:/,    $flds[$dst_fld])[1];   # "inside:10.0.0.1/80"        -> 10.0.0.1/80
      $hits{$proto}{$src}{$dst}++;
   }
}
close IN;

foreach my $proto ( keys %hits ) {
   print  "\nIncoming $proto hosts/ports\n------------------------\n";
   foreach my $src ( keys %{$hits{$proto}} ) {
      foreach my $dst ( keys %{$hits{$proto}{$src}} ) {
         my $cnt = $hits{$proto}{$src}{$dst};
         # service name for the destination port, e.g. 80/tcp -> http
         my $srv = getservbyport((split /\//, $dst)[1], lc $proto) || '';
         printf "From %15s  To %20s %-10s ", $src, $dst, (($srv)? "($srv)" : '');
         print  ": $cnt hit", ($cnt > 1)? "s\n": "\n";
      }
   }
}
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
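The same tally in Python, added here as an illustration and not part of the thread: it keys on the %PIX-6-302013 message text with a regex instead of fixed whitespace-field positions, so a different syslog prefix (no PIX-side timestamp, a relay hostname) does not silently shift the fields. The sample lines are constructed in the format quoted above.

```python
import re, socket
from collections import Counter, defaultdict

# Anchor on the message text rather than on whitespace field positions, so a
# different syslog prefix does not shift the fields the Perl script indexes.
PIX_302013 = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection \d+ for \S+?:(?P<src>[\d.]+)/\d+ \(\S+\) "
    r"to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+) \(\S+\)"
)

def parse_conn(line):
    """Named fields of a 302013 'Built ... connection' line, else None."""
    m = PIX_302013.search(line)
    return m.groupdict() if m else None

def count_hits(lines, direction="inbound"):
    """Same shape as the Perl %hits: {proto: Counter({(src_ip, 'dst_ip/port'): n})}."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_conn(line)
        if rec and rec["dir"] == direction:
            hits[rec["proto"]][(rec["src"], f"{rec['dst']}/{rec['dport']}")] += 1
    return hits

def service_name(port, proto):
    """'http' for 80/tcp; '' when the port is not in the local services table."""
    try:
        return socket.getservbyport(port, proto.lower())
    except OSError:
        return ""

def report(hits):
    """One line per (src, dst) pair, busiest first, in the Perl script's layout."""
    out = []
    for proto in sorted(hits):
        out.append(f"Incoming {proto} hosts/ports")
        for (src, dst), cnt in sorted(hits[proto].items(), key=lambda kv: -kv[1]):
            tag = service_name(int(dst.rsplit("/", 1)[1]), proto)
            tag = f"({tag})" if tag else ""
            out.append(f"From {src:>15}  To {dst:>20} {tag:<10} : {cnt} hit{'s' if cnt > 1 else ''}")
    return out

# Constructed sample lines in the format quoted above; not real traffic.
SAMPLE = """\
Oct  9 00:36:16 fw Oct 09 2003 00:36:16: %PIX-6-302013: Built inbound TCP connection 8091666 for outside:111.222.33.4/1025 (111.222.33.4/1025) to inside:10.0.0.1/80 (22.3.4.5/80)
Oct  9 00:36:17 fw Oct 09 2003 00:36:17: %PIX-6-302013: Built inbound TCP connection 8091667 for outside:111.222.33.4/1026 (111.222.33.4/1026) to inside:10.0.0.1/80 (22.3.4.5/80)
Oct  9 00:36:18 fw %PIX-6-302013: Built outbound TCP connection 8091668 for inside:10.0.0.7/3344 (22.3.4.5/3344) to outside:198.51.100.9/443 (198.51.100.9/443)
"""
```

Running `print("\n".join(report(count_hits(SAMPLE.splitlines()))))` gives the inbound summary; pass `direction="outbound"` to see the third line counted instead.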

