diff --git a/ufw.awk b/ufw.awk
new file mode 100755
index 0000000..8988ec3
--- /dev/null
+++ b/ufw.awk
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Check pawn attempts
+ # Warn on blank log
+ # Incorrect timestamp - very old TS or latest TS older than older TS
+ # out of order or blocks of time are missing
+# Combine info from "netstat" to determine who is listening on "SRC-PORT"
+ # Display it on another column - comma separated list of programs
+ # sudo ss -lpn | grep ":53\b" | awk -F "\"" '{programs[$2]=$2} END {for (name in programs) if(names!="")names=names","name; else names=name; print names}'
+ # sudo ss -lpntu | awk -F: 'NR>1&&$1!~"\\["{print $2, $4} NR>1&&$1~"\\["{print $4, $8}' | awk '{print $1, substr($3,index($3, "\"")+1,index($3, ",")-index($3,"\"")-2)}' | sort -nu
+# Display the GEO-location for source & destination IP
+# Combine it with system-log file
+# Give options to process only a certain number of day's log
+
+LC_ALL=C cat /var/log/ufw.log | mawk '
+function GetValue(currentColumnValue, stringToSearch) {
+ if(currentColumnValue~"^"stringToSearch){
+ sub(stringToSearch"=", "", currentColumnValue)
+ currentColumnValue=(currentColumnValue=="")?"-NA-":currentColumnValue
+ return currentColumnValue
+ }
+}
+
+$0~/BLOCK/{
+ # loop through each column
+ # Capture value of those that contain "IN", "OUT" "SRC", "DST", "SPT", "DPT" & "PROTO" capture
+ for (n=1;n<=NF;n++){
+ if($n=="[UFW" && $(n+1)~/]$/)
+ EVENT=$n "-" $(n+1)
+
+ if($n=="[UFW" && $(n+2)~/]$/)
+ EVENT=$n "-" $(n+1) "-" $(n+2)
+
+ if($n~/^IN/) IN = GetValue($n, "IN")
+ if($n~/^OUT/) OUT = GetValue($n, "OUT")
+ if($n~/^SRC/) SRC = GetValue($n, "SRC")
+ if($n~/^DST/) DST = GetValue($n, "DST")
+ if($n~/^SPT/) SRCPORT = GetValue($n, "SPT")
+ if($n~/^DPT/) DSTPORT = GetValue($n, "DPT")
+ if($n~/^PROTO/) PROTO = GetValue($n, "PROTO")
+ }
+
+ print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO
+}' | sort | uniq -c | sort -rn | column -t | awk '
+ BEGIN{
+ printf ("%6s %15s %10s %10s %15s %15s %8s %8s %8s\n", "Count", "Event-Type", "IN-BOUND?", "OUT-BOUND?", "SRC-Addr", "DST-Addr", "SRC-PORT", "DST-PORT", "Protocol")
+ print "-------------------------------------------------------------------------------------------------------"
+ }
+ {
+ total+=$1
+ SRC_IPS[$5]+=$1
+ DST_IPS[$6]+=$1
+ printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9)
+ }
+ END {
+ print ""
+ print "Top 5 most blocked Destination IPs"
+ print "-----","-----", "-----", "-----", "-----", "-----"
+ printf ("%16s\t%5s \n", "IP", "Count")
+
+ PROCINFO["sorted_in"] = "@val_num_desc"
+ for (IP in DST_IPS){
+ printf ("%16s\t%5d \n", IP, DST_IPS[IP])
+ i++; if(i==5) break
+ }
+
+ print " "
+ print "Top 5 most blocked Source IPs"
+ print "-----","-----", "-----", "-----", "-----"
+ printf ("%16s\t%5s \n", "IP", "Count")
+ for (IP in SRC_IPS){
+ printf ("%16s\t%5d \n", IP, SRC_IPS[IP])
+ j++; if(j==5) break
+ }
+
+ print ""
+ print "Total records parsed = "total
+ }
+'
\ No newline at end of file
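Review bot: The per-record variables set inside the `$0~/BLOCK/` action (EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO) are never cleared between records, so any blocked line that lacks one of those fields — ICMP entries, which typically carry no SPT/DPT — silently inherits the previous record's value and the counts in the report attribute ports (and potentially addresses) to the wrong traffic. Reset them at the top of the action, `EVENT = IN = OUT = SRC = DST = SRCPORT = DSTPORT = PROTO = ""`, so a missing field shows as empty rather than as stale data from the line before. Separately, `PROCINFO["sorted_in"]` is a gawk extension, and the second stage is invoked as plain `awk` while the first is `mawk`; on a host where `awk` is not gawk the assignment is ignored and the two "Top 5" lists come out in arbitrary order rather than descending by count, which is easy to misread as a ranking. Finally, `/var/log/ufw.log` is normally readable only by root or the adm group, and without `set -o pipefail` (or an explicit readability check before the pipeline) a permission error from `cat` yields an empty report with a zero exit status instead of a visible failure.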