Средства анализа логов iptables
В наборе имеются два скрипта: «IDS»-скрипт и «iptables-less»-скрипт.
«IDS»-скрипт
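#!/bin/bash
# Analysis of activity in dmesg file (blocked packets).
#
# Reads the iptables LOG lines from the kernel ring buffer (dmesg), prints
# per-protocol lists of blocked packets, the blocked source IPs that are
# also Tor relays, and a few summary counters.
#
# Notes:
#   - dmesg is a ring buffer: old events are overwritten, so every count
#     below is bounded by the buffer size and is not a complete history.
#   - Reading dmesg and running 'ipset list' normally needs root.
#   - Deliberately NOT run under 'set -e -o pipefail': grep exits 1 when a
#     section has no matches, which would abort the report instead of
#     printing an empty section.

# Tor microdescriptor consensus; every 'r ' line is a relay, field 6 its IP.
CONSENSUS=/var/lib/tor/cached-microdesc-consensus
# Marker selecting this host's LOG lines (presumably the --log-prefix of
# the iptables LOG rules; matched literally by grep).
PREFIX="in,eth"

#######################################
# Kernel log lines produced by the LOG rules: they carry a MAC= field and
# the configured prefix. A timestamp of the form ' [... ]' is stripped.
# Globals:   PREFIX (read)
# Outputs:   matching dmesg lines on stdout
#######################################
log_lines() {
  dmesg | grep MAC | grep -- "$PREFIX" | sed 's/ \[.* \]//'
}

#######################################
# Sort lines that start with a dotted-quad IP, octet by octet.
# 'sort -n' stops parsing at the second dot; the octet keys order the
# addresses properly and still keep identical lines adjacent, which the
# 'uniq -c' calls below rely on.
#######################################
sort_by_ip() {
  sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

#######################################
# Sorted list of blocked packets.
# Arguments: $1 - TCP, UDP, ICMP or all
# Outputs:   'IP SRC_PORT DST_PORT' per line for TCP and UDP,
#            'IP' per line for ICMP and all
# Returns:   1 on an unknown argument (message on stderr)
#######################################
scans_list() {
  local proto=${1-}
  case "$proto" in
    TCP|UDP)
      # Replace '\2 \4 \6' by '\2 \6' to exclude the source port.
      log_lines | grep -- "$proto" \
        | sed 's/^\(.*\)SRC=\([^ ]*\)\(.*\)SPT=\([^ ]*\)\(.*\)DPT=\([^ ]*\)\(.*\)/\2 \4 \6/' \
        | sort_by_ip
      ;;
    ICMP)
      log_lines | grep ICMP \
        | sed 's/^\(.*\)SRC=\([^ ]*\)\(.*\)/\2/' \
        | sort_by_ip
      ;;
    all)
      # Only the IP is selected, regardless of protocol.
      log_lines | sed 's/^\(.*\)SRC=\([^ ]*\)\(.*\)/\2/' | sort_by_ip
      ;;
    *)
      printf 'scans_list: wrong argument %q (expected TCP, UDP, ICMP or all)\n' "$proto" >&2
      return 1
      ;;
  esac
}

#######################################
# Sorted list of Tor node IPs taken from the cached consensus.
# Globals:   CONSENSUS (read)
# Outputs:   one IP per line (duplicates kept: several relays may share an IP)
#######################################
tor_nodes_list() {
  grep '^r ' -- "$CONSENSUS" | cut -d ' ' -f 6 | sort
}

#######################################
# Print one "<Proto> scans:" section: each distinct line with its count.
# Arguments: $1 - protocol handed to scans_list
#            $@ - remaining args are sort options for the counted list
#######################################
print_scans() {
  local proto=$1
  shift
  printf '%s scans:\n' "$proto"
  scans_list "$proto" | tr ' ' '\t' | uniq -c | sort "$@"
  echo ""
}

#######################################
# One row of the report: number of events (lines) and of unique lines for a
# scans_list selector. ICMP and 'all' lists carry only the IP, so their
# "Unique" column counts distinct source addresses.
# Arguments: $1 - row label; $2 - argument for scans_list
#######################################
report_row() {
  local label=$1 selector=$2
  printf '\t%s \t%s \t%s\n' "$label" \
    "$(scans_list "$selector" | wc -l)" \
    "$(scans_list "$selector" | uniq -c | wc -l)"
}

main() {
  # After 'uniq -c' the columns are: count IP SPT DPT, so field 4 is the
  # destination port.
  print_scans TCP -k 4,4n
  print_scans UDP -k 4,4n
  print_scans ICMP -n

  ## Uncomment if you want to see this list too.
  #echo More than one node on the same IP in Tor stat:
  #tor_nodes_list |uniq -d -c |sort -n
  #echo ""

  echo "Tor nodes scans:"
  # Blocked source IPs that are also Tor relays (exact fixed-string match).
  grep -F -x -f <(tor_nodes_list | sort -u) <(scans_list all | sort) \
    | sort_by_ip | uniq -c | sort -n
  echo ""

  echo 'Report on blocked packets ("total" accounts only IP):'
  printf '\t%s \t%s \t%s\n' Proto Events Unique
  report_row TCP TCP
  report_row UDP UDP
  report_row ICMP ICMP
  report_row Total all
  echo ""

  echo "Tor stat:"
  printf '\tNodes: %s\n' "$(tor_nodes_list | wc -l)"
  printf '\tIPs with multiple nodes: %s\n' "$(tor_nodes_list | uniq -d -c | wc -l)"
  # IPs listed more than once across all ipset sets (only lines that start
  # with a digit are kept, i.e. set members).
  printf '\tDuplicated nodes: %s\n' \
    "$(ipset list | sed '/^[^0-9]/d;/^$/d' | sort | uniq -d | wc -l)"
}

main "$@"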
TCP scans: 1 X.X.X.X XXXXX XXXX .............................. 5 X.X.X.X XXXXX XXXX 2 X.X.X.X XXXXX XXXX UDP scans: 3 X.X.X.X XX XXXXX 1 X.X.X.X XX XXXXX ............................... 1 X.X.X.X XX XXXXX ICMP scans: 1 X.X.X.X ......... 1 X.X.X.X 4 X.X.X.X Tor nodes scans: 1 X.X.X.X ......... 4 X.X.X.X Report on blocked packets ("total" accounts only IP): Proto Events Unique TCP XXX XXX UDP XXX XXX ICMP XXX XXX Total XXX XXX Tor stat: Nodes: XXXX IPs with multiple nodes: XXX Duplicated nodes: X
«iptables-less»-скрипт
Обработка вывода iptables-save -c.
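#!/bin/bash
# Show which logging rules have fired, from the counters of
# 'iptables-save -c'. Only rules with a non-zero packet:byte counter are
# printed. Reading the counters normally needs root (CAP_NET_ADMIN).

#######################################
# All logging rules with counters.
# Outputs:   every iptables-save line mentioning LOGGING
#######################################
listing() {
  iptables-save -c | grep LOGGING
}

#######################################
# Rules with non-zero counters for INPUT (chain INPUT or an '-i' match).
# A single grep pass prints a rule that matches both criteria only once.
#######################################
listing_input() {
  listing | grep -e INPUT -e -i | grep -v '\[0:0\]'
}

#######################################
# Rules with non-zero counters for OUTPUT (chain OUTPUT or an '-o' match).
#######################################
listing_output() {
  listing | grep -e OUTPUT -e -o | grep -v '\[0:0\]'
}

#######################################
# Last line, assumed to be: -A LOGGING -j DROP
# NOTE(review): if the LOGGING chain does not end with the DROP rule this
# prints whatever rule is last - confirm against the ruleset.
#######################################
listing_gen() {
  listing | tail -n 1 | grep -v '\[0:0\]'
}

#######################################
# Print a titled section when the lister produces any line. The lister is
# run once so the title and the rules reflect the same snapshot.
# Arguments: $1 - section title; $2 - name of the lister function
#######################################
print_section() {
  local title=$1 lister=$2
  local rules
  rules=$("$lister")
  if [[ -n "$rules" ]]; then
    printf '\n%s\n\n' "$title"
    printf '%s\n' "$rules"
  fi
}

main() {
  #listing
  print_section "Blocked at INPUT:" listing_input
  print_section "Blocked at OUTPUT:" listing_output
  print_section "Blocked:" listing_gen
}

main "$@"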