pratik/ufw-log-scan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

port_programs rectification

Browse Source 
sorting rectification
sudo for ss
This commit is contained in:
Pratik
2019-09-24 14:37:20 +05:30
parent 2adb3890a2
commit 24ba825eeb
1 changed files with 23 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
ufw.awk
View File

@@ -4,7 +4,6 @@
# Warn on blank log # Warn on blank log
# Incorrect timestamp - very old TS or latest TS older than older TS # Incorrect timestamp - very old TS or latest TS older than older TS
# out of order or blocks of time are missing # out of order or blocks of time are missing
# Combine it with system-log file
# Give options to process only a certain number of day's log # Give options to process only a certain number of day's log
# Check if mawk is available -> if yes, use that # Check if mawk is available -> if yes, use that
@@ -13,7 +12,7 @@ LC_ALL=C
# Adding the port-program mapping to a shell variable # Adding the port-program mapping to a shell variable
# We shall pass it to awk later # We shall pass it to awk later
declare port_programs=$(ss -lpntu | declare port_programs=$(sudo ss -lpntu |
awk 'BEGIN {FS=":"} awk 'BEGIN {FS=":"}
NR>1 && $1 !~ "\\[" {print $2, $NF} # Row does NOT contains [ -> Fetch 2nd and last columns NR>1 && $1 !~ "\\[" {print $2, $NF} # Row does NOT contains [ -> Fetch 2nd and last columns
NR>1 && $1 ~ "\\[" {print $4, $NF} # Row contains [ -> Fetch 4th and last columns NR>1 && $1 ~ "\\[" {print $4, $NF} # Row contains [ -> Fetch 4th and last columns
@@ -69,8 +68,7 @@ cat /var/log/ufw.log |
} }
print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO
}' | }' | uniq -c | sort -n |
sort | uniq -c |
awk -v port_programs_bash="$port_programs" ' awk -v port_programs_bash="$port_programs" '
BEGIN{ BEGIN{
# Column headers # Column headers
@@ -78,8 +76,8 @@ cat /var/log/ufw.log |
print "-----------------------------------------------------------------------------------------------------------------------------" print "-----------------------------------------------------------------------------------------------------------------------------"
#Deserialize the port_programs_bash #Deserialize the port_programs_bash
split(port_programs_bash, temp) len=split(port_programs_bash, temp)
for (i=2;i<=length(temp);i+=2) { for (i=2;i<=len;i+=2) {
port_programs[temp[i-1]]=temp[i] port_programs[temp[i-1]]=temp[i]
} }
i=0 i=0
@@ -88,7 +86,7 @@ cat /var/log/ufw.log |
total+=$1 total+=$1
SRC_IPS[$5]+=$1 SRC_IPS[$5]+=$1
DST_IPS[$6]+=$1 DST_IPS[$6]+=$1
printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s %20s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9,port_programs[$7]) printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s %20s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, port_programs[$7])
} }
END { END {
print "" print ""
@@ -114,4 +112,21 @@ cat /var/log/ufw.log |
print "" print ""
print "Total records parsed = "total print "Total records parsed = "total
} }
' '
# Check if there are huge gaps in TS
cat /var/log/ufw.log |
awk '{
curr_ts=$1
# TS out of order
if(last_ts != "" && curr_ts < last_ts)
something_wrong_at[i++]=curr_ts
if (last_ts != "" && curr_ts > (last_ts + huge_gap))
gaps_at[++j]=curr_ts
last_ts=curr_ts
}
'