#!/bin/sh

###########################################
# Firewall-1 Summarizer                   #
# Daniel Grahn                            #
# daniel@spruce.se                        #
# http://sec.spruce.se                    #
###########################################
###########################################
# Tested On Checkpoint Firewall-1 NG FP2  #
# Logfiles                                #
# OS: Solaris8                            #
###########################################
# Known bugs: Output layout               #
###########################################

# Print the usage banner on stdout. Both call sites rely on stdout: the
# no-argument case exits 0 after showing it, the bad-sort-order case exits 1.
help1()
{
        printf '\n Usage: [fw1_sum.sh logfile -num/-src/-dst/-prt/-act]\n\n'
}

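# --- Argument validation -----------------------------------------------------
# $1 is the logfile; $2 (checked further down) selects the sort order.
# $1 is later handed unprotected to head/tail/awk, so it is quoted everywhere
# and a value starting with '-' is refused: those tools would otherwise parse
# it as an option instead of a filename.

if [ "$1" = "" ] ;
 then
	help1
	exit 0
 fi

case "$1" in
	-*)
		echo "" >&2
		echo " $1 starts with '-' and would be taken as an option; use ./$1 instead" >&2
		echo "" >&2
		exit 1
		;;
esac

if [ ! -f "$1" ]
 then
	echo "" >&2
	echo " $1 does not exist" >&2
	echo "" >&2
	exit 1
 fi

# An unreadable file makes head/tail/awk fail quietly and the error would
# otherwise surface later as a misleading "invalid logfile format".
if [ ! -r "$1" ]
 then
	echo "" >&2
	echo " $1 is not readable" >&2
	echo "" >&2
	exit 1
 fi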

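# --- Run-time constants ------------------------------------------------------
# Backticks are kept on purpose: the header says the script targets Solaris 8
# /bin/sh, whose Bourne shell does not understand $(...).
DATE=`date +%Y%m%d`
VER=1.0
HOST=`hostname`
SEP=";" # Change this to the delimiter in your logfile

# Header record of a v4x logfile export. Kept for reference only: the column
# numbers used by the report ($6 action, $11 src, $13 dst, $14 service,
# $15 proto, $16 rule, $20 message_info) follow the v5x layout below, and a
# v4x file has different columns in those positions, so the format check
# only accepts S4.
S2='num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;rule;reason:;len;xlatesrc;xlatedst;xlatesport;xlatedport;icmp-type;icmp-code;product;message;user;port:;IKE Log:;Negotiation Id:;srckeyid;dstkeyid;scheme:;methods:;encryption failure:;reason;sys_msgs'
# First line of the file under test; compared verbatim against S4 below.
# "$1" is quoted: a filename with blanks or glob characters must not split.
S3=`head -1 "$1"`
# Header record of a v5x logfile export; the only layout this script handles.
S4='num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;src;s_port;dst;service;proto;rule;xlatesrc;xlatesport;th_flags;message_info;icmp-type;icmp-code;xlatedst;scheme:;dstkeyid;methods:;peer gateway;message;ip_id;ip_len;ip_offset;fragments_dropped;during_sec;rpc_prog;srckeyid;IKE:;CookieI;CookieR;msgid;IKE IDs:;user;encryption failure:;auth_method;reason;srcname;reason:;sys_message:;port;protocol;IP Pool:;sys_msgs'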

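# --- Logfile format check ----------------------------------------------------
# The first line must match the v5x header (S4) byte for byte: the column
# numbers the report extracts are only meaningful for that layout, so a file
# with any other header (including a v4x export, S2) is rejected rather than
# summarized with the wrong fields. Diagnostics go to stderr so a redirected
# report never contains them.
if [ "$S3" != "$S4" ] ;
	then
	echo "" >&2
	echo " $1 has invalid logfile format" >&2
	echo "" >&2
	exit 1
fi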

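# --- Sort-order selection ----------------------------------------------------
# $2 picks how the report body is ordered. Each option sets up to three
# pipeline stages that the report section runs (unquoted, so they word-split)
# after the awk projection, whose output fields are:
#   1 "[]"  2 action  3 src  4 dst  5 service  6 proto  7 rule  8 message_info
# SORT_OPT3 is only set for -num; the report section tests for an empty value.

case "$2" in
        -num)
                SORT_ORD="Number of hits"
		SORT_OPT1='sort -b -k 1'
		SORT_OPT2="uniq -c"
		# Compare the uniq -c count numerically. The former plain
		# `sort -k 1 -r` ordered the counts as text, which depends on
		# uniq's column padding and the locale and can rank 9 above 10.
		SORT_OPT3='sort -n -r -k 1'
                ;;
        -src)
                SORT_ORD="Source ip"
		# Limitation (unchanged): -n reads only the leading digits, so
		# dotted IPs are ordered by their first octet.
		SORT_OPT1='sort -k 3 -n'
		SORT_OPT2='uniq -c'
                ;;
        -dst)
                SORT_ORD="Destination ip"
		# Same first-octet limitation as -src.
		SORT_OPT1='sort -k 4 -n'
		SORT_OPT2='uniq -c'
                ;;
        -prt)
                SORT_ORD="Port number"
		SORT_OPT1='sort -b -k 5'
		SORT_OPT2='uniq -c'
		;;
        -act)
                SORT_ORD="Action"
		SORT_OPT1='sort -k 2'
		SORT_OPT2='uniq -c'
		;;
        *)
		echo "" >&2
		echo " Sortorder not specified" >&2
		help1 >&2
                exit 1
		;;
esac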

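# --- Report header fields ----------------------------------------------------
# Everything here is derived from the logfile, so "$1" and "$SEP" are quoted
# throughout. FW and LDATE used to be taken from `tail -4` unfiltered, which
# left four newline-separated values in each variable and broke the header
# layout (the "Known bugs: Output layout" note above); the last delimited
# record among those four lines is used instead, so trailing blank lines
# still do not matter.

FW=`tail -4 "$1" | awk -F"$SEP" 'NF > 1 { v = $4 } END { print v }'`    # ORIGIN FW ($4 = orig)
LDATE=`tail -4 "$1" | awk -F"$SEP" 'NF > 1 { v = $2 } END { print v }'` # DATE IN LOG ($2 = date)

# Records = non-blank lines after the header line. The previous `wc -l`
# counted the header line as a record.
LINES=`awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1"`

# First record is line 2 (line 1 is the column header). Selecting by line
# number instead of `grep -v date | grep -v time` avoids hiding a record
# whose fields merely contain those words.
STIME=`head -2 "$1" | awk -F"$SEP" 'NR == 2 { print $2, $3 }'`

# Latest "date time" among the last four lines; the header line (reached
# by tail -4 on very short files) is excluded by its literal "date" field.
ETIME=`tail -4 "$1" | awk -F"$SEP" 'NF > 1 && $2 != "date" { print $2, $3 }' | sort -d | tail -1`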

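	# --- Report header -------------------------------------------------------
	# Metadata block, then the column heading taken from the logfile's own
	# header record ($6 action, $11 src, $13 dst, $14 service, $15 proto,
	# $16 rule, $20 message_info), prefixed with the literal "accur" exactly as
	# before. The here-document body is expanded by the shell, but the expanded
	# values (including "$1") are not re-parsed, so an odd filename is printed
	# verbatim. "$1" and "$SEP" are quoted on the awk line for the same reason.
	cat <<EOF

 Firewall-1 Log Summarizer [$DATE]

 Log date:      [$LDATE]
 Timeline:      [$STIME] - [$ETIME]
 Host:          [$HOST]
 Firewall:      [$FW]
 File:          [$1]
 Sort order:    [$SORT_ORD]
 Total records: [$LINES]
 Delimiter:     [$SEP]
 Version:       [$VER]

-[BOF]-

EOF
	head -1 "$1" | awk -F"$SEP" '{ print "accur"," ",$6,"\t",$11,"\t",$13,"\t",$14,"\t",$15,"\t",$16,"\t",$20 }'
	echo "-----------------------------------------------------------------------------"
	echo ""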

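# --- Report body -------------------------------------------------------------
# One awk pass over the logfile selects the records and prints the columns the
# report shows: $6 action, $11 src, $13 dst, $14 service, $15 proto, $16 rule,
# $20 message_info. The leading "[]" and the tab layout are unchanged so that
# uniq -c groups identical records exactly as before.
#
# Selection is done on the action column itself. The former
# `grep -v ctl|grep -v action|grep -v accept|...` chain matched those words
# anywhere on the formatted line, so a dropped connection whose src/dst or
# message_info happened to contain e.g. "ctl" or "accept" was silently left
# out of the summary. The header record (NR == 1) and blank lines are skipped
# here too (the original relied on `cat -s` and the "action" grep for that).
# If your export uses other action names for accepted or VPN traffic, extend
# the list on the second pattern line.
FILTER='
NR == 1 || NF == 0 { next }
$6 == "ctl" || $6 == "accept" || $6 == "decrypt" || $6 == "encrypt" || $6 == "authcrypt" || $6 == "keyinst" { next }
{ print "[]",$6,"\t",$11,"\t",$13,"\t\t",$14,"\t\t",$15,"\t",$16,"\t",$20 }
'

# SORT_OPT1/2/3 hold complete commands chosen by the case statement above and
# are deliberately left unquoted so they word-split into command + options.
if [ "$SORT_OPT3" = "" ] ;
        then
	awk -F"$SEP" "$FILTER" "$1" | $SORT_OPT1 | $SORT_OPT2
else
	awk -F"$SEP" "$FILTER" "$1" | $SORT_OPT1 | $SORT_OPT2 | $SORT_OPT3
fi

# The closing marker is printed for every sort order; previously only the
# three-stage (-num) branch emitted it.
echo ""
echo "-[EOF]-"
echo ""

exit 0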

