diff --git a/ufw.awk b/ufw.awk
index ee5d670..4195f3f 100755
--- a/ufw.awk
+++ b/ufw.awk
@@ -11,6 +11,11 @@
 # Display the GEO-location for source & destination IP
 # Combine it with system-log file
 # Give options to process only a certain number of day's log
+# Check if mawk is available -> if yes, use that
+
+# Since changing language improves performance
+LC_ALL=C
+
 declare port_programs=$(ss -lpntu | awk 'BEGIN {FS=":"} 
@@ -38,70 +43,82 @@ declare port_programs=$(ss -lpntu | print port, port_programs[port] }') -LC_ALL=C cat /var/log/ufw.log | mawk ' -function GetValue(currentColumnValue, stringToSearch) { - if(currentColumnValue~"^"stringToSearch){ - sub(stringToSearch"=", "", currentColumnValue) - currentColumnValue=(currentColumnValue=="")?"-NA-":currentColumnValue - return currentColumnValue - } +function getProgramName() { + echo port_programs | grep $1 } -$0~/BLOCK/{ - # loop through each column - # Capture value of those that contain "IN", "OUT" "SRC", "DST", "SPT", "DPT" & "PROTO" capture - for (n=1;n<=NF;n++){ - if($n=="[UFW" && $(n+1)~/]$/) - EVENT=$n "-" $(n+1) - - if($n=="[UFW" && $(n+2)~/]$/) - EVENT=$n "-" $(n+1) "-" $(n+2) - - if($n~/^IN/) IN = GetValue($n, "IN") - if($n~/^OUT/) OUT = GetValue($n, "OUT") - if($n~/^SRC/) SRC = GetValue($n, "SRC") - if($n~/^DST/) DST = GetValue($n, "DST") - if($n~/^SPT/) SRCPORT = GetValue($n, "SPT") - if($n~/^DPT/) DSTPORT = GetValue($n, "DPT") - if($n~/^PROTO/) PROTO = GetValue($n, "PROTO") - } - - print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO -}' | sort | uniq -c | sort -rn | column -t | awk -v port_programs_bash="$port_programs" ' - BEGIN{ - printf ("%6s %15s %10s %10s %15s %15s %8s %8s %8s %20s\n", "Count", "Event-Type", "IN-BOUND?", "OUT-BOUND?", "SRC-Addr", "DST-Addr", "SRC-PORT", "DST-PORT", "Protocol", "Listeners") - print "-----------------------------------------------------------------------------------------------------------------------------" - - } - { - total+=$1 - SRC_IPS[$5]+=$1 - DST_IPS[$6]+=$1 - printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s %20s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9,temp) - } - END { - print "" - print "Top 5 most blocked Destination IPs" - print "-----","-----", "-----", "-----", "-----", "-----" - printf ("%16s\t%5s \n", "IP", "Count") - - PROCINFO["sorted_in"] = "@val_num_desc" - for (IP in DST_IPS){ - printf ("%16s\t%5d \n", IP, DST_IPS[IP]) - i++; if(i==5) break +cat 
/var/log/ufw.log | + mawk ' + function GetValue(currentColumnValue, stringToSearch) { + if(currentColumnValue~"^"stringToSearch){ + sub(stringToSearch"=", "", currentColumnValue) + currentColumnValue=(currentColumnValue=="")?"-NA-":currentColumnValue + return currentColumnValue + } } - print " " - print "Top 5 most blocked Source IPs" - print "-----","-----", "-----", "-----", "-----" - printf ("%16s\t%5s \n", "IP", "Count") - for (IP in SRC_IPS){ - printf ("%16s\t%5d \n", IP, SRC_IPS[IP]) - j++; if(j==5) break + $0~/BLOCK/{ + # loop through each column + # Capture value of those that contain "IN", "OUT" "SRC", "DST", "SPT", "DPT" & "PROTO" capture + for (n=1;n<=NF;n++){ + if($n=="[UFW" && $(n+1)~/]$/) + EVENT=$n "-" $(n+1) + + if($n=="[UFW" && $(n+2)~/]$/) + EVENT=$n "-" $(n+1) "-" $(n+2) + + if($n~/^IN/) IN = GetValue($n, "IN") + if($n~/^OUT/) OUT = GetValue($n, "OUT") + if($n~/^SRC/) SRC = GetValue($n, "SRC") + if($n~/^DST/) DST = GetValue($n, "DST") + if($n~/^SPT/) SRCPORT = GetValue($n, "SPT") + if($n~/^DPT/) DSTPORT = GetValue($n, "DPT") + if($n~/^PROTO/) PROTO = GetValue($n, "PROTO") + } + + print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO + }' | + sort | uniq -c | sort -rn | column -t | + awk -v port_programs_bash="$port_programs" ' + BEGIN{ + printf ("%6s %15s %10s %10s %15s %15s %8s %8s %8s %20s\n", "Count", "Event-Type", "IN-BOUND?", "OUT-BOUND?", "SRC-Addr", "DST-Addr", "SRC-PORT", "DST-PORT", "Protocol", "Port-Listeners") + print "-----------------------------------------------------------------------------------------------------------------------------" + + #Deserialize the port_programs_bash + split(port_programs_bash, temp) + for (i=2;i<=length(temp);i+=2) { + port_programs[temp[i-1]]=temp[i] + } + i=0 } + { + total+=$1 + SRC_IPS[$5]+=$1 + DST_IPS[$6]+=$1 + printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s %20s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9,port_programs[$7]) + } + END { + print "" + print "Top-5 Most-blocked Destination-IPs" + 
print "-----","-----", "-----", "-----", "-----", "-----" + printf ("%16s\t%5s \n", "IP", "Count") - print "" - print "Total records parsed = "total + PROCINFO["sorted_in"] = "@val_num_desc" + for (IP in DST_IPS){ + printf ("%16s\t%5d \n", IP, DST_IPS[IP]) + i++; if(i==5) break + } - } + print " " + print "Top-5 Most-blocked Source-IPs" + print "-----","-----", "-----", "-----", "-----" + printf ("%16s\t%5s \n", "IP", "Count") + for (IP in SRC_IPS){ + printf ("%16s\t%5d \n", IP, SRC_IPS[IP]) + j++; if(j==5) break + } + + print "" + print "Total records parsed = "total + } ' \ No newline at end of file
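Review bot: `getProgramName` at the top of the hunk echoes the literal word `port_programs` rather than the variable's value, and hands `$1` to grep unquoted, so it can never match a listener; nothing in this hunk calls it either (the final awk stage does the lookup through `port_programs[$7]`), so either drop it or make it `printf '%s\n' "$port_programs" | grep -- "$1"`. The deserialisation `split(port_programs_bash, temp)` in BEGIN relies on the serialized `ss` summary being strictly alternating port/program tokens with no whitespace inside a program name; if that assumption does not hold, the port-to-program pairing silently shifts by one, which deserves a comment such as `# assumes port_programs is "port prog port prog ..." with no spaces in prog names - verify against the ss/awk producer`. Note also that `length(temp)` on an array and `PROCINFO["sorted_in"]` are not portable across awk implementations (the latter is gawk-only), which sits uneasily with the new header comment about preferring mawk; the last stage only works as written when `awk` resolves to gawk. Finally, the `LC_ALL=C` added in the earlier hunk is a plain shell assignment without `export`, so the `sort`/`uniq` stages here never see it (the old `LC_ALL=C cat` only affected `cat`); `export LC_ALL=C` is needed for the intended effect.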