- Clean up
- More comments added
17
ufw.awk
17
ufw.awk
@@ -4,11 +4,6 @@
|
|||||||
# Warn on blank log
|
# Warn on blank log
|
||||||
# Incorrect timestamp - very old TS or latest TS older than older TS
|
# Incorrect timestamp - very old TS or latest TS older than older TS
|
||||||
# out of order or blocks of time are missing
|
# out of order or blocks of time are missing
|
||||||
# Combine info from "netstat" to determine who is listening on "SRC-PORT"
|
|
||||||
# Display it on another column - comma separated list of programs
|
|
||||||
# sudo ss -lpn | grep ":53\b" | awk -F "\"" '{programs[$2]=$2} END {for (name in programs) if(names!="")names=names","name; else names=name; print names}'
|
|
||||||
# sudo ss -lpntu | awk -F: 'NR>1&&$1!~"\\["{print $2, $4} NR>1&&$1~"\\["{print $4, $8}' | awk '{print $1, substr($3,index($3, "\"")+1,index($3, ",")-index($3,"\"")-2)}' | sort -nu
|
|
||||||
# Display the GEO-location for source & destination IP
|
|
||||||
# Combine it with system-log file
|
# Combine it with system-log file
|
||||||
# Give options to process only a certain number of day's log
|
# Give options to process only a certain number of day's log
|
||||||
# Check if mawk is available -> if yes, use that
|
# Check if mawk is available -> if yes, use that
|
||||||
@@ -16,7 +11,8 @@
|
|||||||
# Since changing language improves performance
|
# Since changing language improves performance
|
||||||
LC_ALL=C
|
LC_ALL=C
|
||||||
|
|
||||||
|
# Adding the port-program mapping to a shell variable
|
||||||
|
# We shall pass it to awk later
|
||||||
declare port_programs=$(ss -lpntu |
|
declare port_programs=$(ss -lpntu |
|
||||||
awk 'BEGIN {FS=":"}
|
awk 'BEGIN {FS=":"}
|
||||||
NR>1 && $1 !~ "\\[" {print $2, $NF} # Row does NOT contains [ -> Fetch 2nd and last columns
|
NR>1 && $1 !~ "\\[" {print $2, $NF} # Row does NOT contains [ -> Fetch 2nd and last columns
|
||||||
@@ -43,10 +39,6 @@ declare port_programs=$(ss -lpntu |
|
|||||||
print port, port_programs[port]
|
print port, port_programs[port]
|
||||||
}')
|
}')
|
||||||
|
|
||||||
function getProgramName() {
|
|
||||||
echo port_programs | grep $1
|
|
||||||
}
|
|
||||||
|
|
||||||
cat /var/log/ufw.log |
|
cat /var/log/ufw.log |
|
||||||
mawk '
|
mawk '
|
||||||
function GetValue(currentColumnValue, stringToSearch) {
|
function GetValue(currentColumnValue, stringToSearch) {
|
||||||
@@ -78,9 +70,10 @@ cat /var/log/ufw.log |
|
|||||||
|
|
||||||
print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO
|
print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO
|
||||||
}' |
|
}' |
|
||||||
sort | uniq -c | sort -rn | column -t |
|
sort | uniq -c |
|
||||||
awk -v port_programs_bash="$port_programs" '
|
awk -v port_programs_bash="$port_programs" '
|
||||||
BEGIN{
|
BEGIN{
|
||||||
|
# Column headers
|
||||||
printf ("%6s %15s %10s %10s %15s %15s %8s %8s %8s %20s\n", "Count", "Event-Type", "IN-BOUND?", "OUT-BOUND?", "SRC-Addr", "DST-Addr", "SRC-PORT", "DST-PORT", "Protocol", "Port-Listeners")
|
printf ("%6s %15s %10s %10s %15s %15s %8s %8s %8s %20s\n", "Count", "Event-Type", "IN-BOUND?", "OUT-BOUND?", "SRC-Addr", "DST-Addr", "SRC-PORT", "DST-PORT", "Protocol", "Port-Listeners")
|
||||||
print "-----------------------------------------------------------------------------------------------------------------------------"
|
print "-----------------------------------------------------------------------------------------------------------------------------"
|
||||||
|
|
||||||
@@ -91,7 +84,7 @@ cat /var/log/ufw.log |
|
|||||||
}
|
}
|
||||||
i=0
|
i=0
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
total+=$1
|
total+=$1
|
||||||
SRC_IPS[$5]+=$1
|
SRC_IPS[$5]+=$1
|
||||||
DST_IPS[$6]+=$1
|
DST_IPS[$6]+=$1
|
||||||
|
|||||||
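Review bot: The new `sort | uniq -c |` in the fourth hunk drops the `sort -rn | column -t` stages, so records now reach the second awk in plain lexical order instead of most-frequent-first; unless that awk's END block (outside this hunk) sorts by count, the report order has silently changed, and the line deserves a comment such as `# count identical events; ordering and column layout are handled by the awk below`. The `-v port_programs_bash="$port_programs"` assignment right after it passes text derived from the `ss -p` process-name field, which awk's `-v` subjects to backslash-escape processing; that field is not under the script's control, so a name containing a backslash or a quote can corrupt a mapping row and the awk should treat the variable as untrusted input. In the second hunk, the `LC_ALL=C` line that the added comments document is a plain shell assignment, not an export, so `sort`, `mawk` and `awk` only inherit it if LC_ALL was already in the environment — `export LC_ALL=C` is what the comment's intent needs. The pipeline that these hunks touch starts (`cat /var/log/ufw.log |`) and ends outside the fourth hunk.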