#!/usr/bin/perl -w
#
# fw_log_view.pl: a simple script to view the output of your firewall.log
#
# Copyright (C) 2002 Fritz Berger
# email: wizard@zirkon.at
#
# released under the GNU GPL - Licence
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
# ************************************************
#
# fw_log_view.pl: a simple script to view the output of your firewall.log
#
# for detailed info look at: http://www.zirkon.at/zirkon/scripts/fwlog/fw_log_view.html
#
#
# release v1.1 - 11.12.2002
# - added the protocol to output (TCP / UDP )
# - added a "help=yes" parameter
# - corrected not working "raw" - parameter
# - corrected verbal logoutput to be displayed correctly
# - some parameters configurable at top of script
#
# release v1.0 - 28.07.2002
# initial release
#
# ************************************************
#
# This script is optimised for SuSEfirewall2
#
# NOT TESTED WITH ANY OTHER !!!
#
# ************************************************
#
# NOTE(review): this copy of the script was recovered from a whitespace-mangled
# page whose HTML markup was stripped.  Every "" literal below and the empty
# heredoc bodies are where colour/table markup used to be; the script is
# reproduced as found and only commented.  It runs without `use strict` /
# `use warnings`, so every variable below except $maxlines, $counter_request
# and $raw_display is a package global.

use CGI qw(param);

# Please define the path and name of your logfile here
# i will NOT make it as a parameter, because if someone knows the url of this script
# he/she would be able to read (more or less) EVERY file on your server!!
# So this path MUST be hardcoded for security reasons!

# Location of the firewall log file
$log = "/var/log/firewall";

# if DF not set -> record is in italic
# (no parameter for this)

# All DROPped packets will be RED
$drop="DROP";
$drop_color="RED";

# All Mail-requests (port 25) will be GREEN
# if DST (destinationport = ?
# NOTE(review): these port values are used as unanchored regex fragments
# further down (/$dst_port1/), so "25" also matches 250, 125, 2525, ...
$dst_port1="25";
$dst_port1_color="GREEN";

# another color for another destinationport? just give the portnumber you want!
$dst_port2="";
$dst_port2_color="VIOLET";

# another color for another destinationport? just give the portnumber you want!
$dst_port3="";
$dst_port3_color="PINK";

# If you have more than one card in your server
# All eth0 requests will be BLUE
$card="eth0";
$card_color="BLUE";

# ************************************************
#
# There should be NO changes from here on ;-)
#
# ************************************************

print "Content-type: text/html\n\n";

# Number of log lines to show; "lines" CGI parameter, default 250.
# NOTE(review): `le` is a STRING comparison, so only values that sort before
# "0" (empty, negative numbers) fall back to 250.  Any other string, numeric
# or not, is accepted unchanged and later reaches a shell command line (see
# ReadLog).  A numeric whitelist such as /\A\d+\z/ is the appropriate check.
my $maxlines = param("lines");
if ($maxlines le 0) { $maxlines = 250; }

# "counter=off" disables the accumulation of identical (src, dpt) rows.
my $counter_request = param("counter");
if ($counter_request eq "off") { $counter = 0; } else { $counter = 1; }

# "help=yes" (any true value) prints the parameter table and exits.
if (param("help")) {
    print "fw_log_view: Firewall View Utility";
    print "";
    print "";
    print "";
    print "";
    print "";
    print "";
    print "";
    print "";
    print "
parameterexplanationdefault
?lines=250display the last 250 lines of the log250
?counter=offstops accumalation of similar lineson
?view=rawthe raw log displayoff
?help=yesthis display
?lines=250&counter=offdisplay the last 250 lines of the log AND no lineaccumulation-
";
    print "";
    exit;
}

# "view=raw" dumps the records without the per-field table.
# NOTE(review): `true` / `false` are barewords here (no `use strict`); they
# stringify to "true" / "false", which is why the `$raw eq "true"` test
# below works.
my $raw_display = param("view");
if ($raw_display eq "raw") { $raw = true; } else { $raw = false; }

# NOTE(review): the QUERY_STRING assignment is dead — it is overwritten on
# the next line.  $tail is the (unvalidated) "lines" value.
$tail = $ENV{'QUERY_STRING'};
$tail = $maxlines;

# -----------------
# ReadLog: read the last $tail lines of the file given as first argument
# and fill two package-global array refs, newest record first:
#   @$sessions      - the per-record subset used by the table view
#   @$tutticomplete - the full 26-field record (used by both views)
# On open failure an error string is printed and the loop is entered anyway.
#
# NOTE(review): the pipe open interpolates $tail (a CGI parameter that was
# never validated as numeric) and $LOG into a shell command line.  This is a
# command-injection sink; the fix is to require $tail =~ /\A\d+\z/ and to use
# the list form, e.g. open(my $fh, '-|', 'tail', "-$tail", $LOG), which never
# involves a shell.
sub ReadLog {
    $LOG=shift;
    open (LOG,"tail -$tail $LOG |") || print "ERROR: Couldn't open the log file: $LOG";
    $lineerrors=0;
    # NOTE(review): the loop condition is empty as extracted (an empty
    # `while ()` never terminates); presumably it read from the LOG handle
    # — confirm against the upstream source.
    while () {
        $initial = $_;
        # NOTE(review): as extracted this substitutes a space for a space
        # (no-op); the original probably collapsed repeated whitespace so the
        # single-space split below lines up — confirm.
        $initial =~ s| | |g;
        # One kernel log record, split on single spaces into 26 positional
        # fields (SuSEfirewall2 layout; fields keep their KEY= prefix here).
        ($month,$date,$time,$compname,$kernel,$rule,$in,$out,$mac,$src,$dst,$len,$tos,$prec,$ttl,$id,$df,$proto,$spt,$dpt,$window,$res,$syn,$urgp,$opt,$opt2)=split(/ /,$initial);
        # Update the array for src
        $line = join(" ",$date,$time,$rule,$in,$src,$dst,$df,$proto,$spt,$dpt);
        unshift(@{$sessions},$line);
        # Update array for complete
        $complete = join(" ",$month,$date,$time,$compname,$kernel,$rule,$in,$out,$mac,$src,$dst,$len,$tos,$prec,$ttl,$id,$df,$proto,$spt,$dpt,$window,$res,$syn,$urgp,$opt,$opt2);
        unshift(@{$tutticomplete},$complete);
    }
    close(LOG);
}
# -----------------

&ReadLog($log);

# -----------------
# Page header (markup stripped in extraction; only the title text survived).
print <<"MARKER";
Firewall LogView Utility
MARKER

# Raw view: one full record per line, then exit.
# NOTE(review): log fields are printed into the HTML page without any
# escaping; nothing in this script encodes <, > or & for the browser.
if ($raw eq "true") {
    foreach (@{$tutticomplete}) {
        print "$_
";
    }
    print "\n\n";
    exit;
}
# -----------------

# Table opening (body stripped in extraction).
print <<"MARKER";
MARKER
# -----------------

# Table header row: with or without the "Counter" column.
if ($counter eq 1) {
    print <<"MARKER_COUNT";
MARKER_COUNT
} else {
    print <<"MARKER_NOCOUNT";
MARKER_NOCOUNT
}
# -----------------

# $durchgang: 0 until the first record has been stored in the *_tracking
# variables; $count: how many consecutive records shared (src, dpt).
$durchgang = 0;
$count = 1;

# foreach (@{$sessions}) {
# ($date,$time,$rule,$in,$src,$dst,$df,$proto,$spt,$dpt) = split(/ /,$_);

foreach (@{$tutticomplete}) {
    ($month,$date,$time,$compname,$kernel,$rule,$in,$out,$mac,$src,$dst,$len,$tos,$prec,$ttl,$id,$df,$proto,$spt,$dpt,$window,$res,$syn,$urgp,$opt,$opt2) = split(/ /,$_);

    # Records without a DF field are one column shorter: what landed in $df
    # is really the PROTO= field and $spt holds DPT=.  Shift them back.  The
    # italic markup announced in the config header was in the stripped "".
    if ($df =~ /PROTO/) {
        $dpt = $spt;
        $proto = $df;
        $rule = "" . $rule . "";
        $proto = "" . $proto . "";
        $in = "" . $in . "";
        $dpt = "" . $dpt . "";
        $time = "" . $time . "";
        $src = "" . $src . "";
    }

    # Strip the KEY= prefixes from the fields that are displayed.
    $in =~ s|IN=||g;
    $src =~ s|SRC=||g;
    $dpt =~ s|DPT=||g;
    $proto =~ s|PROTO=||g;

    # Colouring (markup stripped).  Each of the following tests is an
    # unanchored substring match, so "25" matches port 250 and "eth0"
    # matches "eth0" as well as any longer name containing it.  Later
    # matches wrap the already-wrapped values again.
    if ($dpt =~ /$dst_port1/) {
        $rule = "" . $rule . "";
        $proto = "" . $proto . "";
        $in = "" . $in . "";
        $dpt = "" . $dpt . "";
        $time = "" . $time . "";
        $src = "" . $src . "";
    }
    if ($dst_port2) {
        if ($dpt =~ /$dst_port2/) {
            $rule = "" . $rule . "";
            $proto = "" . $proto . "";
            $in = "" . $in . "";
            $dpt = "" . $dpt . "";
            $time = "" . $time . "";
            $src = "" . $src . "";
        }
    }
    if ($dst_port3) {
        if ($dpt =~ /$dst_port3/) {
            $rule = "" . $rule . "";
            $proto = "" . $proto . "";
            $in = "" . $in . "";
            $dpt = "" . $dpt . "";
            $time = "" . $time . "";
            $src = "" . $src . "";
        }
    }
    if ($rule =~ /$drop/) {
        $rule = "" . $rule . "";
        $proto = "" . $proto . "";
        $in = "" . $in . "";
        $dpt = "" . $dpt . "";
        $time = "" . $time . "";
        $src = "" . $src . "";
    }
    if ($in =~ /$card/) {
        $rule = "" . $rule . "";
        $proto = "" . $proto . "";
        $in = "" . $in . "";
        $dpt = "" . $dpt . "";
        $time = "" . $time . "";
        $src = "" . $src . "";
    }

    # Accumulation: the first record only seeds the *_tracking copy; a
    # record with the same (src, dpt) as the tracked one just bumps $count.
    # Note the comparison uses the already-decorated $src / $dpt strings.
    if ($counter eq 1) {
        if ($durchgang eq 0) {
            $src_tracking = $src;
            $rule_tracking = $rule;
            $in_tracking = $in;
            $dpt_tracking = $dpt;
            $time_tracking = $time;
            $proto_tracking = $proto;
            $durchgang = 1;
            $count = 1;
            next;
        } else {
            if (($src eq $src_tracking) and ($dpt eq $dpt_tracking)) {
                $count++;
                next;
            }
        }
    }

    # A record with a different (src, dpt) arrived: flush the tracked group
    # as one row carrying its count, then start tracking the current record.
    if ($counter eq 1) {
        # NOTE(review): presumably only records that carry a MAC= field are
        # complete firewall records; anything else gets two empty prints
        # (markup stripped) — confirm.
        if ($mac =~ /MAC/ ) {
            $count = $count . "x";
            # Same colouring rules as above, applied to the counter cell
            # using the tracked (previous group's) values.
            if ($dpt_tracking =~ /$dst_port1/) { $count = "" . $count . ""; }
            if ($dst_port2) {
                if ($dpt_tracking =~ /$dst_port2/) { $count = "" . $count . ""; }
            }
            if ($dst_port3) {
                if ($dpt_tracking =~ /$dst_port3/) { $count = "" . $count . ""; }
            }
            if ($rule_tracking =~ /$drop/) { $count = "" . $count . ""; }
            if ($in_tracking =~ /$card/) { $count = "" . $count . ""; }
            print <<"MARKER_COUNT";
MARKER_COUNT
            $src_tracking = $src;
            $rule_tracking = $rule;
            $in_tracking = $in;
            $dpt_tracking = $dpt;
            $time_tracking = $time;
            $proto_tracking = $proto;
            $count = 1;
        } else {
            print "";
            print "";
        }
    } else {
        # counter=off: every record is its own row.
        print <<"MARKER_NOCOUNT";
MARKER_NOCOUNT
    }
}

# the last one - if it is only one count
# Flush the group still held in the *_tracking variables after the loop.
if ($counter eq 1) {
    $count = $count . "x";
    print <<"MARKER_COUNT";
MARKER_COUNT
}

# NOTE(review): the lines inside this final print look like the displaced
# bodies of the MARKER_COUNT / MARKER_NOCOUNT heredocs (header rows and
# table rows) that the extraction moved to the end of the file; the original
# was presumably only the closing markup — confirm against the upstream
# source before relying on this block.
print "
Time of Access Source IP Adress FW Rule Card IN Destination Port Protocol Counter
Time of Access Source IP Adress FW Rule Card IN Destination Port Protocol
$time_tracking $src_tracking $rule_tracking $in_tracking $dpt_tracking $proto_tracking $count
$time_tracking$rule $in $out $mac $src $dst $len $tos $prec $ttl $id $df $proto $spt $dpt $window $res $syn $urgp $opt $opt2
$time $src $rule $in $dpt $proto
$time_tracking $src_tracking $rule_tracking $in_tracking $dpt_tracking $proto_tracking $count
\n\n";