#!/usr/bin/perl -w # # fw_log_view.pl: a simple script to view the output of your firewall.log # # Copyright (C) 2002 Fritz Berger # email: wizard@zirkon.at # # released under the GNU GPL - Licence # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # # ************************************************ # # fw_log_view.pl: a simple script to view the output of your firewall.log # # for detailed info look at: http://www.zirkon.at/zirkon/scripts/fwlog/fw_log_view.html # # # release v2.0 - 14.12.2002 # - rewrote the script (extensive use of loops) ;-) # - select in the header of the script WHICH colums you want to view! # # release v1.1 - 11.12.2002 # - added the protocol to output (TCP / UDP ) # - added a "help=yes" parameter # - corrected not working "raw" - parameter # - corrected verbal logoutput to be displayed correctly # - some parameters configureable at top of script # # release v1.0 - 28.07.2002 # initial release # # ************************************************ # # This script is optimised for SuSEfirewall2 # # NOT TESTED WITH ANY OTHER !!! 
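# ************************************************
use strict;
use warnings;
use CGI qw(param);

# --------------------------------------------------------------------------
# Configuration
# --------------------------------------------------------------------------

# Please define the path and name of your logfile here.
# It is deliberately NOT a CGI parameter: anyone who knows the URL of this
# script would otherwise be able to read (more or less) EVERY file the web
# server can open.  So this path MUST stay hardcoded.
my $log = '/var/log/firewall';

# Number of lines shown when ?lines= is absent or not a positive integer.
my $default_lines = 250;

# if DF not set -> record is in italic (values 0 / 1)
my $df_italic = 1;

# All DROPped packets will be RED (substring match against the rule field)
my $drop       = 'DROP';
my $drop_color = 'RED';

# All mail requests (destination port 25) will be GREEN.
# The port is compared exactly, so "25" does not also colour 250 or 2525.
my $dst_port1       = '25';
my $dst_port1_color = 'GREEN';

# another color for another destination port? just give the port number
my $dst_port2       = '';
my $dst_port2_color = 'VIOLET';

# another color for another destination port? just give the port number
my $dst_port3       = '';
my $dst_port3_color = 'PINK';

# If you have more than one card in your server:
# all eth0 requests will be BLUE (substring match against the IN field)
my $card       = 'eth0';
my $card_color = 'BLUE';

# Field layout of a SuSEfirewall2 log line, by index (see parse_log_line):
#  0 month  1 date  2 time  3 compname  4 kernel  5 rule  6 in  7 out  8 mac
#  9 src  10 dst  11 len  12 tos  13 prec  14 ttl  15 id  16 df  17 proto
# 18 spt  19 dpt  20 window  21 res  22 syn  23 urgp  24 opt  25 opt2
#
# Select the fields you want displayed: 1 = show, 0 = omit.
my @display_item = (
    0,    # month
    0,    # date
    1,    # time
    0,    # computer name
    0,    # logging source (mostly "kernel")
    1,    # firewall rule
    1,    # card in
    0,    # card out
    0,    # MAC address of the card
    1,    # source IP address (you will want this)
    0,    # destination IP address
    0,    # LEN
    0,    # TOS
    0,    # PREC
    0,    # TTL
    0,    # ID
    0,    # DF
    1,    # PROTOCOL (TCP / UDP)
    0,    # source port
    1,    # destination port (you will want THIS!)
    0,    # WINDOW
    0,    # RES
    0,    # SYN
    0,    # URGP
    0,    # OPT
    0,    # OPT2
);

# Column headings, same order as @display_item.
my @column_label = (
    'Month',       'Date',           'Time of Access', 'Name of Computer',
    'Logging Program', 'Applied Rule', 'Card IN',      'Card OUT',
    'MAC Adress',  'Source IP',      'Destination IP', 'LEN',
    'TOS',         'PREC',           'TTL',            'ID',
    'DF',          'Protocol',       'Source Port',    'Destination Port',
    'WINDOW',      'RES',            'SYN',            'URGP',
    'OPT',         'OPT2',
);

# Field prefixes that are stripped for display ("SRC=1.2.3.4" -> "1.2.3.4"),
# keyed by field index.
my %prefix_of = (
    6  => 'IN',   7  => 'OUT',  8  => 'MAC',  9  => 'SRC',  10 => 'DST',
    11 => 'LEN',  12 => 'TOS',  13 => 'PREC', 14 => 'TTL',  15 => 'ID',
    17 => 'PROTO', 18 => 'SPT', 19 => 'DPT',  20 => 'WINDOW', 21 => 'RES',
    23 => 'URGP',
);

# ************************************************
#
# There should be NO changes from here on ;-)
#
# ************************************************

# Escape the four HTML-significant characters so that log content (which is
# written by the kernel from packet data and not under our control) cannot
# inject markup into the page.  undef is treated as the empty string.
sub html_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    my %entity_of = ( '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' );
    $text =~ s/([&<>"])/$entity_of{$1}/g;
    return $text;
}

# Split one log line into exactly 26 fields and return them as an array ref.
#
# Runs of whitespace are collapsed first, so the two spaces syslog puts
# before a single-digit day ("Dec  4") no longer produce an empty field and
# shift every later index.  If the "DF" flag is absent (field 16 already
# holds "PROTO=..."), a "-" is inserted so the fields from PROTO onward keep
# their fixed index.  Known "NAME=" prefixes are removed.  Missing trailing
# fields become "", extra ones are dropped.
sub parse_log_line {
    my ($line) = @_;
    $line = '' unless defined $line;
    chomp $line;
    $line =~ s/\s+/ /g;
    $line =~ s/\A //;
    my @field = split / /, $line;

    # no DF flag: shift PROTO..OPT2 right by one and mark DF as "-"
    if ( defined $field[16] && $field[16] =~ /PROTO/ ) {
        splice @field, 16, 0, '-';
    }

    push @field, '' while @field < 26;
    splice @field, 26;

    for my $idx ( keys %prefix_of ) {
        $field[$idx] =~ s/\A\Q$prefix_of{$idx}\E=//;
    }
    return \@field;
}

# Decide how a parsed record is rendered.  Returns ($color, $italic):
# $color is one of the configured colour names or "" for no colouring,
# $italic is 1 when the record had no DF flag and $df_italic is set.
# The first matching rule wins: destination port 1, 2, 3, then DROP, then
# the card, which is the visual precedence the nested markup used before.
sub row_style {
    my ($field) = @_;
    my $italic = ( $df_italic && $field->[16] eq '-' ) ? 1 : 0;
    my $color  = '';
    if ( length $dst_port1 && $field->[19] eq $dst_port1 ) {
        $color = $dst_port1_color;
    }
    elsif ( length $dst_port2 && $field->[19] eq $dst_port2 ) {
        $color = $dst_port2_color;
    }
    elsif ( length $dst_port3 && $field->[19] eq $dst_port3 ) {
        $color = $dst_port3_color;
    }
    elsif ( length $drop && index( $field->[5], $drop ) >= 0 ) {
        $color = $drop_color;
    }
    elsif ( length $card && index( $field->[6], $card ) >= 0 ) {
        $color = $card_color;
    }
    return ( $color, $italic );
}

# One escaped table cell, wrapped in the row's italic / colour markup.
sub styled_cell {
    my ( $text, $color, $italic ) = @_;
    my $html = html_escape($text);
    $html = "<i>$html</i>" if $italic;
    $html = qq{<font color="$color">$html</font>} if length $color;
    return "<td>$html</td>";
}

# One table row for a parsed record: the fields selected in @display_item,
# plus a trailing "Nx" counter cell when $count is defined.
sub render_row {
    my ( $field, $count ) = @_;
    my ( $color, $italic ) = row_style($field);
    my @cell;
    for my $idx ( 0 .. $#display_item ) {
        next unless $display_item[$idx];
        push @cell, styled_cell( $field->[$idx], $color, $italic );
    }
    push @cell, styled_cell( "${count}x", $color, $italic ) if defined $count;
    return '<tr>' . join( '', @cell ) . "</tr>\n";
}

# Return the last $count lines of $log_file (oldest first) as an array ref,
# or undef when they cannot be read.  tail(1) is started in list form, so
# neither the count nor the path is ever interpreted by a shell; the caller
# has already validated $count as a positive integer.  Failure details go
# to the web server's error log (stderr), not to the client.
sub read_log {
    my ( $log_file, $count ) = @_;
    my $pid = open my $fh, '-|', 'tail', '-n', $count, $log_file;
    if ( !$pid ) {
        warn "fw_log_view: cannot run tail on $log_file: $!\n";
        return;
    }
    my @line = <$fh>;
    chomp @line;
    if ( !close $fh ) {
        # non-zero exit from tail (e.g. unreadable file); its message is on stderr
        warn "fw_log_view: tail on $log_file failed (status $?)\n";
        return;
    }
    return \@line;
}

# The ?help=yes page: a table of the accepted query parameters.
sub print_help {
    my @row = (
        [ '?lines=250',             'display the last 250 lines of the log', '250' ],
        [ '?counter=off',           'stops accumalation of similar lines',   'on' ],
        [ '?view=raw',              'the raw log display',                   'off' ],
        [ '?help=yes',              'this display',                          '' ],
        [ '?lines=250&counter=off',
          'display the last 250 lines of the log AND no lineaccumulation', '-' ],
    );
    print "<html><head><title>fw_log_view: Firewall View Utility</title></head><body>\n";
    print "<table border=\"1\">\n";
    print "<tr><th>parameter</th><th>explanation</th><th>default</th></tr>\n";
    for my $r (@row) {
        print '<tr>', ( map { '<td>' . html_escape($_) . '</td>' } @$r ), "</tr>\n";
    }
    print "</table>\n</body></html>\n";
    return;
}

# CGI entry point: read the query parameters, fetch the log tail and print
# the help page, the raw listing or the formatted table (newest line first).
sub main {
    print "Content-type: text/html\n\n";

    # ?lines= must be a positive integer; anything else falls back to the
    # default.  The value is later passed to tail(1), so it is re-assigned
    # from the capture rather than used as received.
    my $lines_param = param('lines');
    my $maxlines    = $default_lines;
    if ( defined $lines_param && $lines_param =~ /\A([1-9][0-9]*)\z/ ) {
        $maxlines = $1;
    }

    my $counter_param = param('counter');
    my $counter = ( defined $counter_param && $counter_param eq 'off' ) ? 0 : 1;

    if ( param('help') ) {
        print_help();
        return;
    }

    my $view_param = param('view');
    my $raw = ( defined $view_param && $view_param eq 'raw' ) ? 1 : 0;

    print "<html><head><title>Firewall LogView Utility</title></head><body>\n";

    my $lines = read_log( $log, $maxlines );
    if ( !defined $lines ) {
        # no path in the client-visible message; see read_log for the details
        print "ERROR: Couldn't open the log file\n</body></html>\n";
        return;
    }

    # newest entry first, as before
    my @newest_first = reverse @$lines;

    if ($raw) {
        for my $line (@newest_first) {
            print html_escape($line), "<br>\n";
        }
        print "</body></html>\n";
        return;
    }

    print "<table border=\"1\">\n<tr>";
    for my $idx ( 0 .. $#display_item ) {
        next unless $display_item[$idx];
        print '<th>', html_escape( $column_label[$idx] ), '</th>';
    }
    print '<th>Counter</th>' if $counter;
    print "</tr>\n";

    # With the counter enabled, consecutive records with the same source IP
    # (field 9) and destination port (field 19) collapse into one row that
    # shows the first record of the run and how many records it stands for.
    my $tracked;
    my $count = 0;
    for my $line (@newest_first) {
        my $field = parse_log_line($line);
        if ( !$counter ) {
            print render_row( $field, undef );
            next;
        }
        if (   defined $tracked
            && $field->[9] eq $tracked->[9]
            && $field->[19] eq $tracked->[19] )
        {
            $count++;
            next;
        }
        print render_row( $tracked, $count ) if defined $tracked;
        $tracked = $field;
        $count   = 1;
    }
    # the last run, which has not been flushed yet
    print render_row( $tracked, $count ) if $counter && defined $tracked;

    print "</table>\n</body></html>\n";
    return;
}

main() unless caller;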