Владелец: pgprubot (создано 18/10/2015 04:33), редакция от 20/10/2015 15:48 (автор: pgprubot) Печать
Категории: софт, анализ трафика, инфобезопасность, защита сети, tor, атаки

Средства анализа логов iptables


В наборе имеется два скрипта: «IDS»-скрипт и «iptables-less»-скрипт.


«IDS»-скрипт


#!/bin/bash
# Analysis of activity in dmesg file (blocked packets).
 
# Cached microdescriptor consensus written by the local Tor; tor_nodes_list
# reads relay addresses from it. Its freshness is not checked by this script.
CONSENSUS="/var/lib/tor/cached-microdesc-consensus"
# grep pattern that selects the firewall log lines in dmesg (used by
# scans_list); presumably the iptables --log-prefix -- confirm against the rules.
PREFIX='in,eth'
 
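scans_list(){
  # Print the blocked packets found in the kernel log, sorted with `sort -n`.
  #
  # Globals:   PREFIX (read) - grep pattern selecting the firewall log lines
  # Arguments: $1 - TCP, UDP, ICMP or all
  # Outputs:   TCP/UDP: one 'IP SRC_PORT DST_PORT' line per logged packet;
  #            ICMP/all: one source IP per logged packet
  # Returns:   status of the pipeline; 1 (message on stderr) for a bad argument
  #
  # NOTE(review): only what is still in the dmesg ring buffer is counted, so
  # older events are silently missing once the buffer wraps; reading dmesg may
  # also need root when kernel.dmesg_restrict is enabled.
  local our_proto=$1
  case "$our_proto" in
    TCP|UDP)
      # The first sed drops a ' [... ]' span -- presumably the embedded packet
      # header quoted in ICMP error lines -- so its PROTO/SRC fields are not
      # mistaken for the outer packet's.
      # Replace '\2 \4 \6' by '\2 \6' to exclude source port.
      dmesg | grep MAC | grep -- "$PREFIX" | sed 's/ \[.* \]//' \
        | grep -- "$our_proto" \
        | sed 's/^\(.*\)SRC=\([^ ]*\)\(.*\)SPT=\([^ ]*\)\(.*\)DPT=\([^ ]*\)\(.*\)/\2 \4 \6/' \
        | sort -n
      ;;
    ICMP)
      # Only the source IP is kept; the bracketed span is stripped once.
      dmesg | grep MAC | grep -- "$PREFIX" | sed 's/ \[.* \]//' | grep ICMP \
        | sed 's/^\(.*\)SRC=\([^ ]*\)\(.*\)/\2/' | sort -n
      ;;
    all)
      # Only IP is selected, regardless of protocol.
      dmesg | grep MAC | grep -- "$PREFIX" \
        | sed 's/ \[.* \]//
               s/^\(.*\)SRC=\([^ ]*\)\(.*\)/\2/' | sort -n
      ;;
    *)
      # Diagnostics go to stderr so they are never counted as a scan entry
      # by callers that pipe the output into wc/uniq.
      echo "Wrong argument in function scans_list" >&2
      return 1
      ;;
  esac
}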
 
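tor_nodes_list(){
  # Print the sorted list of Tor relay IP addresses, one per relay.
  #
  # Globals: CONSENSUS (read) - path to the cached consensus file
  # Outputs: field 6 of every 'r ' line, sorted; duplicates are kept so that
  #          callers can count several relays on one IP
  #
  # Field 6 is the address in the microdescriptor flavour of the consensus;
  # the full consensus carries an extra field on 'r' lines, so pointing
  # CONSENSUS at a different flavour needs a different field number.
  # The path is quoted so that a location containing spaces still works.
  grep '^r ' -- "$CONSENSUS" | cut -d' ' -f6 | sort
}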
 
# Per-protocol listings. Every scans_list call runs dmesg again, so the
# sections and the summary table below may differ slightly if packets are
# logged while the report is being produced.
for proto in TCP UDP; do
  echo "$proto scans:"
  # Columns after `uniq -c`: count, source IP, source port, destination port;
  # key 4 orders the rows by destination port.
  scans_list "$proto" | tr ' ' '\t' | uniq -c | sort -n -k 4
  echo ""
done

echo "ICMP scans:"
  # ICMP entries carry only the source IP; rows are ordered by hit count.
  scans_list ICMP | tr ' ' '\t' | uniq -c | sort -n
echo ""

## Uncomment if you want to see this list too.
#echo More than one node on the same IP in Tor stat:
#  tor_nodes_list |uniq -d -c |sort -n
#echo ""

echo "Tor nodes scans:"
# Blocked source IPs that are also listed as relays in the consensus.
# -F -x compares whole lines literally, so one address can never match as a
# substring of another.
grep -F -x \
  -f <(tor_nodes_list | sort -u) \
  <(scans_list all | sort) \
  | sort -n | uniq -c | sort -n
echo ""

echo 'Report on blocked packets ("total" accounts only IP):'
# Events = every logged packet; Unique = distinct lines of the sorted list.
printf '\t%s \t%s \t%s\n' "Proto" "Events" "Unique"
for proto in TCP UDP ICMP; do
  printf '\t%s \t%s \t%s\n' "$proto" \
    "$(scans_list "$proto" | wc -l)" \
    "$(scans_list "$proto" | uniq | wc -l)"
done
printf '\t%s \t%s \t%s\n' "Total" \
  "$(scans_list all | wc -l)" \
  "$(scans_list all | uniq | wc -l)"
echo ""

echo "Tor stat:"
printf '\tNodes: %s\n' "$(tor_nodes_list | wc -l)"
# `uniq -d` keeps one line per address that occurs more than once.
printf '\tIPs with multiple nodes: %s\n' "$(tor_nodes_list | uniq -d | wc -l)"
# The sed drops empty lines and lines not starting with a digit, leaving the
# set members; entries that appear more than once are counted.
printf '\tDuplicated nodes: %s\n' \
  "$(ipset list | sed '/^[^0-9]/d;/^$/d' | sort | uniq -d | wc -l)"
Пример вывода IDS-скрипта:
TCP scans:
      1 X.X.X.X         XXXXX   XXXX
      ..............................
      5 X.X.X.X         XXXXX   XXXX
      2 X.X.X.X         XXXXX   XXXX
 
UDP scans:
      3 X.X.X.X         XX      XXXXX
      1 X.X.X.X         XX      XXXXX
      ...............................
      1 X.X.X.X         XX      XXXXX
 
ICMP scans:
      1 X.X.X.X
      .........
      1 X.X.X.X
      4 X.X.X.X
 
Tor nodes scans:
      1 X.X.X.X
      .........
      4 X.X.X.X
 
Report on blocked packets ("total" accounts only IP):
        Proto   Events  Unique
        TCP     XXX     XXX
        UDP     XXX     XXX
        ICMP    XXX     XXX
        Total   XXX     XXX
 
Tor stat:
        Nodes: XXXX
        IPs with multiple nodes: XXX
        Duplicated nodes: X


iptables-less-скрипт


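Скрипт обрабатывает вывод iptables-save -c и показывает только те правила, связанные с цепочкой LOGGING, у которых счётчики пакетов и байт отличны от нуля.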

#!/bin/bash
 
listing(){
    # Print every line of the counter-annotated ruleset that mentions LOGGING.
    # `iptables-save -c` prefixes each rule with [packets:bytes]; it normally
    # has to be run as root.
    grep -e 'LOGGING' < <(iptables-save -c)
}
 
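listing_input(){
    # Print the logging rules for incoming traffic that have matched at least
    # one packet.
    #
    # A rule is selected when it mentions INPUT or carries an inbound
    # interface option (' -i '). One pass over a single listing call means a
    # rule that satisfies both conditions is printed once, and all lines come
    # from the same iptables-save run. Matching ' -i ' with its surrounding
    # spaces keeps options that merely contain "-i" (for example --icmp-type)
    # from being reported as inbound rules.
    # Rules whose counters are still [0:0] are dropped.
    listing | grep -e 'INPUT' -e ' -i ' | grep -v '\[0:0\]'
}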
 
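listing_output(){
    # Print the logging rules for outgoing traffic that have matched at least
    # one packet.
    #
    # A rule is selected when it mentions OUTPUT or carries an outbound
    # interface option (' -o '). One pass over a single listing call means a
    # rule that satisfies both conditions is printed once, and all lines come
    # from the same iptables-save run. Matching ' -o ' with its surrounding
    # spaces keeps options that merely contain "-o" (for example
    # --log-ip-options) from being reported as outbound rules.
    # Rules whose counters are still [0:0] are dropped.
    listing | grep -e 'OUTPUT' -e ' -o ' | grep -v '\[0:0\]'
}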
 
listing_gen(){
    # Print the final logging rule when its counters are non-zero.
    # The author expects that final line to be: -A LOGGING -j DROP
    # NOTE(review): this relies on rule order only; if another LOGGING line is
    # last in the dump, that line is what gets reported -- confirm.
    listing | sed -n '$p' | grep -v -e '\[0:0\]'
}
 
#listing
 
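# Each section is printed only when it has at least one rule with non-zero
# counters. The output of every listing function is captured once, so the
# emptiness check and the printed rules come from the same call and the
# ruleset is not dumped a second time just to print it.
blocked_rules=$(listing_input)
if [ -n "$blocked_rules" ] ; then
    echo -e "\nBlocked at INPUT:\n"
    printf '%s\n' "$blocked_rules"
fi
 
blocked_rules=$(listing_output)
if [ -n "$blocked_rules" ] ; then
    echo -e "\nBlocked at OUTPUT:\n"
    printf '%s\n' "$blocked_rules"
fi
 
# Final rule of the logging chain (see listing_gen).
blocked_rules=$(listing_gen)
if [ -n "$blocked_rules" ] ; then
    echo -e "\nBlocked:\n"
    printf '%s\n' "$blocked_rules"
fi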


 