pratik/ufw-log-scan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
db7a6820af342e7afaac3247093f6d6db0ff2375
ufw-log-scan/ufw.awk
Pratik db7a6820af Added portnames to bash variable
2019-04-22 21:17:35 +05:30

102 lines
3.8 KiB
Awk
Executable File
Raw Blame History

#!/bin/bash
# Check pawn attempts
# Warn on blank log
# Incorrect timestamp - very old TS or latest TS older than older TS
# out of order or blocks of time are missing
# Combine info from "netstat" to determine who is listening on "SRC-PORT"
# Display it on another column - comma separated list of programs
# sudo ss -lpn | grep ":53\b" | awk -F "\"" '{programs[$2]=$2} END {for (name in programs) if(names!="")names=names","name; else names=name; print names}'
# sudo ss -lpntu | awk -F: 'NR>1&&$1!~"\\["{print $2, $4} NR>1&&$1~"\\["{print $4, $8}' | awk '{print $1, substr($3,index($3, "\"")+1,index($3, ",")-index($3,"\"")-2)}' | sort -nu
# Display the GEO-location for source & destination IP
# Combine it with system-log file
# Give options to process only a certain number of day's log
declare port_programs=$(ss -lpntu |
awk 'BEGIN {FS=":"} NR>1&&$1!~"\\["{print $2, $4} NR>1&&$1~"\\["{print $4, $8}' |
awk '{
print $1,
substr($3,
index($3, "\"")+1,
index($3, ",")-index($3,"\"")-2) | "sort -u"}' |
awk '{
if (port_programs[$1]==""){
port_programs[$1]=$2
}else{
port_programs[$1]=port_programs[$1]","$2
}
}
END {
for (port in port_programs)
print port, port_programs[port]
}'
)
LC_ALL=C cat /var/log/ufw.log | mawk '
function GetValue(currentColumnValue, stringToSearch) {
if(currentColumnValue~"^"stringToSearch){
sub(stringToSearch"=", "", currentColumnValue)
currentColumnValue=(currentColumnValue=="")?"-NA-":currentColumnValue
return currentColumnValue
}
}
$0~/BLOCK/{
# loop through each column
# Capture value of those that contain "IN", "OUT" "SRC", "DST", "SPT", "DPT" & "PROTO" capture
for (n=1;n<=NF;n++){
if($n=="[UFW" && $(n+1)~/]$/)
EVENT=$n "-" $(n+1)
if($n=="[UFW" && $(n+2)~/]$/)
EVENT=$n "-" $(n+1) "-" $(n+2)
if($n~/^IN/) IN = GetValue($n, "IN")
if($n~/^OUT/) OUT = GetValue($n, "OUT")
if($n~/^SRC/) SRC = GetValue($n, "SRC")
if($n~/^DST/) DST = GetValue($n, "DST")
if($n~/^SPT/) SRCPORT = GetValue($n, "SPT")
if($n~/^DPT/) DSTPORT = GetValue($n, "DPT")
if($n~/^PROTO/) PROTO = GetValue($n, "PROTO")
}
print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO
}' | sort | uniq -c | sort -rn | column -t | awk -v port_programs_bash="$port_programs" '
BEGIN{
printf ("%6s %15s %10s %10s %15s %15s %8s %8s %8s %20s\n", "Count", "Event-Type", "IN-BOUND?", "OUT-BOUND?", "SRC-Addr", "DST-Addr", "SRC-PORT", "DST-PORT", "Protocol", "Listeners")
print "-----------------------------------------------------------------------------------------------------------------------------"
}
{
total+=$1
SRC_IPS[$5]+=$1
DST_IPS[$6]+=$1
printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s %20s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9,temp)
}
END {
print ""
print "Top 5 most blocked Destination IPs"
print "-----","-----", "-----", "-----", "-----", "-----"
printf ("%16s\t%5s \n", "IP", "Count")
PROCINFO["sorted_in"] = "@val_num_desc"
for (IP in DST_IPS){
printf ("%16s\t%5d \n", IP, DST_IPS[IP])
i++; if(i==5) break
}
print " "
print "Top 5 most blocked Source IPs"
print "-----","-----", "-----", "-----", "-----"
printf ("%16s\t%5s \n", "IP", "Count")
for (IP in SRC_IPS){
printf ("%16s\t%5d \n", IP, SRC_IPS[IP])
j++; if(j==5) break
}
print ""
print "Total records parsed = "total
}
'
Reference in New Issue View Git Blame Copy Permalink