Display source port listener programs
This commit is contained in:
Pratik
135
ufw.awk
135
ufw.awk
@@ -11,6 +11,11 @@
|
||||
# Display the GEO-location for source & destination IP
|
||||
# Combine it with system-log file
|
||||
# Give options to process only a certain number of day's log
|
||||
# Check if mawk is available -> if yes, use that
|
||||
|
||||
# Since changing language improves performance
|
||||
LC_ALL=C
|
||||
|
||||
|
||||
declare port_programs=$(ss -lpntu |
|
||||
awk 'BEGIN {FS=":"}
|
||||
@@ -38,70 +43,82 @@ declare port_programs=$(ss -lpntu |
|
||||
print port, port_programs[port]
|
||||
}')
|
||||
|
||||
LC_ALL=C cat /var/log/ufw.log | mawk '
|
||||
function GetValue(currentColumnValue, stringToSearch) {
|
||||
if(currentColumnValue~"^"stringToSearch){
|
||||
sub(stringToSearch"=", "", currentColumnValue)
|
||||
currentColumnValue=(currentColumnValue=="")?"-NA-":currentColumnValue
|
||||
return currentColumnValue
|
||||
}
|
||||
function getProgramName() {
|
||||
echo port_programs | grep $1
|
||||
}
|
||||
|
||||
$0~/BLOCK/{
|
||||
# loop through each column
|
||||
# Capture value of those that contain "IN", "OUT" "SRC", "DST", "SPT", "DPT" & "PROTO" capture
|
||||
for (n=1;n<=NF;n++){
|
||||
if($n=="[UFW" && $(n+1)~/]$/)
|
||||
EVENT=$n "-" $(n+1)
|
||||
|
||||
if($n=="[UFW" && $(n+2)~/]$/)
|
||||
EVENT=$n "-" $(n+1) "-" $(n+2)
|
||||
|
||||
if($n~/^IN/) IN = GetValue($n, "IN")
|
||||
if($n~/^OUT/) OUT = GetValue($n, "OUT")
|
||||
if($n~/^SRC/) SRC = GetValue($n, "SRC")
|
||||
if($n~/^DST/) DST = GetValue($n, "DST")
|
||||
if($n~/^SPT/) SRCPORT = GetValue($n, "SPT")
|
||||
if($n~/^DPT/) DSTPORT = GetValue($n, "DPT")
|
||||
if($n~/^PROTO/) PROTO = GetValue($n, "PROTO")
|
||||
}
|
||||
|
||||
print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO
|
||||
}' | sort | uniq -c | sort -rn | column -t | awk -v port_programs_bash="$port_programs" '
|
||||
BEGIN{
|
||||
printf ("%6s %15s %10s %10s %15s %15s %8s %8s %8s %20s\n", "Count", "Event-Type", "IN-BOUND?", "OUT-BOUND?", "SRC-Addr", "DST-Addr", "SRC-PORT", "DST-PORT", "Protocol", "Listeners")
|
||||
print "-----------------------------------------------------------------------------------------------------------------------------"
|
||||
|
||||
}
|
||||
{
|
||||
total+=$1
|
||||
SRC_IPS[$5]+=$1
|
||||
DST_IPS[$6]+=$1
|
||||
printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s %20s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9,temp)
|
||||
}
|
||||
END {
|
||||
print ""
|
||||
print "Top 5 most blocked Destination IPs"
|
||||
print "-----","-----", "-----", "-----", "-----", "-----"
|
||||
printf ("%16s\t%5s \n", "IP", "Count")
|
||||
|
||||
PROCINFO["sorted_in"] = "@val_num_desc"
|
||||
for (IP in DST_IPS){
|
||||
printf ("%16s\t%5d \n", IP, DST_IPS[IP])
|
||||
i++; if(i==5) break
|
||||
cat /var/log/ufw.log |
|
||||
mawk '
|
||||
function GetValue(currentColumnValue, stringToSearch) {
|
||||
if(currentColumnValue~"^"stringToSearch){
|
||||
sub(stringToSearch"=", "", currentColumnValue)
|
||||
currentColumnValue=(currentColumnValue=="")?"-NA-":currentColumnValue
|
||||
return currentColumnValue
|
||||
}
|
||||
}
|
||||
|
||||
print " "
|
||||
print "Top 5 most blocked Source IPs"
|
||||
print "-----","-----", "-----", "-----", "-----"
|
||||
printf ("%16s\t%5s \n", "IP", "Count")
|
||||
for (IP in SRC_IPS){
|
||||
printf ("%16s\t%5d \n", IP, SRC_IPS[IP])
|
||||
j++; if(j==5) break
|
||||
$0~/BLOCK/{
|
||||
# loop through each column
|
||||
# Capture value of those that contain "IN", "OUT" "SRC", "DST", "SPT", "DPT" & "PROTO" capture
|
||||
for (n=1;n<=NF;n++){
|
||||
if($n=="[UFW" && $(n+1)~/]$/)
|
||||
EVENT=$n "-" $(n+1)
|
||||
|
||||
if($n=="[UFW" && $(n+2)~/]$/)
|
||||
EVENT=$n "-" $(n+1) "-" $(n+2)
|
||||
|
||||
if($n~/^IN/) IN = GetValue($n, "IN")
|
||||
if($n~/^OUT/) OUT = GetValue($n, "OUT")
|
||||
if($n~/^SRC/) SRC = GetValue($n, "SRC")
|
||||
if($n~/^DST/) DST = GetValue($n, "DST")
|
||||
if($n~/^SPT/) SRCPORT = GetValue($n, "SPT")
|
||||
if($n~/^DPT/) DSTPORT = GetValue($n, "DPT")
|
||||
if($n~/^PROTO/) PROTO = GetValue($n, "PROTO")
|
||||
}
|
||||
|
||||
print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO
|
||||
}' |
|
||||
sort | uniq -c | sort -rn | column -t |
|
||||
awk -v port_programs_bash="$port_programs" '
|
||||
BEGIN{
|
||||
printf ("%6s %15s %10s %10s %15s %15s %8s %8s %8s %20s\n", "Count", "Event-Type", "IN-BOUND?", "OUT-BOUND?", "SRC-Addr", "DST-Addr", "SRC-PORT", "DST-PORT", "Protocol", "Port-Listeners")
|
||||
print "-----------------------------------------------------------------------------------------------------------------------------"
|
||||
|
||||
#Deserialize the port_programs_bash
|
||||
split(port_programs_bash, temp)
|
||||
for (i=2;i<=length(temp);i+=2) {
|
||||
port_programs[temp[i-1]]=temp[i]
|
||||
}
|
||||
i=0
|
||||
}
|
||||
{
|
||||
total+=$1
|
||||
SRC_IPS[$5]+=$1
|
||||
DST_IPS[$6]+=$1
|
||||
printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s %20s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9,port_programs[$7])
|
||||
}
|
||||
END {
|
||||
print ""
|
||||
print "Top-5 Most-blocked Destination-IPs"
|
||||
print "-----","-----", "-----", "-----", "-----", "-----"
|
||||
printf ("%16s\t%5s \n", "IP", "Count")
|
||||
|
||||
print ""
|
||||
print "Total records parsed = "total
|
||||
PROCINFO["sorted_in"] = "@val_num_desc"
|
||||
for (IP in DST_IPS){
|
||||
printf ("%16s\t%5d \n", IP, DST_IPS[IP])
|
||||
i++; if(i==5) break
|
||||
}
|
||||
|
||||
}
|
||||
print " "
|
||||
print "Top-5 Most-blocked Source-IPs"
|
||||
print "-----","-----", "-----", "-----", "-----"
|
||||
printf ("%16s\t%5s \n", "IP", "Count")
|
||||
for (IP in SRC_IPS){
|
||||
printf ("%16s\t%5d \n", IP, SRC_IPS[IP])
|
||||
j++; if(j==5) break
|
||||
}
|
||||
|
||||
print ""
|
||||
print "Total records parsed = "total
|
||||
}
|
||||
'
|
||||
Reference in New Issue
Block a user