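#!/usr/bin/perl
########################################################################
# This Perl script is a D-Shield client for Netscreen Firewalls.      #
#                                                                      #
# It has been tested on Netscreen 5.x screenOS. If you find errors    #
# Please report them to me at: epeek@arenetworks.com                   #
#                                                                      #
# A recent version of Perl and Net::SMTP are the only requirments     #
# (Net::SMTP and Fcntl both ship with Perl itself).                    #
#                                                                      #
# 10/07/2004 Written by Eric Peek - ARE Networks, INC                  #
########################################################################
#
# How it works: every line of the Netscreen syslog file is split on
# whitespace and read by fixed field position (0 = month name, 1 = day,
# 2 = time, 9 = quoted start date, 14 = proto, 19 = action, 22 = source
# address, 23 = destination address, 24 = source port, 25 = destination
# port / ICMP type).  Lines with fewer than 26 fields, lines whose action
# is not "Deny", and lines whose addresses are not dotted quads are
# ignored.  Only entries newer than the timestamp saved in $NSLASTLINE by
# the previous run are reported, so the same event is never submitted
# twice.

use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use Net::SMTP;

our $VERSION = "0.1";

###################
# USER VARIABLES  #
###################

# Change this value to point to your Netscreen syslog data
my $FWLOG = "/var/log/NS.log";

# TIMEZONE For example: -04:00 for EDT (Eastern Daylight Savings)
#                       -00:00 for GMT  -05:00 for EST (Eastern Standard)
my $TIMEZONE = '-04:00';

# YOUR E-mail address
my $FROM = 'youraddres@yourdomain.com';

# D-Shield's E-mail address
my $TO = 'reports@dshield.org';

# Add your address here if you wish to be copied on the report.
# Otherwise leave blank.
my $CC = '';

# Your D-Shield User-ID. Leave 0 (zero) for anonymous
my $USERID = "0";

# IP addres of your SMTP server
my $SMTPSERVER = "10.0.0.1";

# TEMP File used to store last log time. This is to eliminate duplicate
# reports.  If this file does not exist or is deleted the script will send
# all logs.  /var/tmp is shared with every local user, so prefer a
# directory that only the account running this script can write to; the
# file is created with O_EXCL below so a link planted in its place is not
# followed.
my $NSLASTLINE = "/var/tmp/ns.lastline";

# Do you want your target addresses hidden? If so set this variable to
# "YES".  If you wish to use your real address set this variable to "NO".
# Note that only the first octet of the destination address is replaced
# (with 10); the remaining three octets are still sent as-is.  Any value
# other than "NO" hides the address.
my $HIDDENTARGET = "NO";

#############################
# End of User Configuration #
#############################

# Two-digit month number for the month abbreviation found in field 0.
my %MONTH_NUMBER_OF = (
    Jan => '01', Feb => '02', Mar => '03', Apr => '04',
    May => '05', Jun => '06', Jul => '07', Aug => '08',
    Sep => '09', Oct => '10', Nov => '11', Dec => '12',
);
my $MONTH_RE = qr/(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)/;

# Addresses come straight from the log; insisting on dotted quads keeps a
# malformed or forged syslog line from injecting arbitrary text into the
# report that is mailed out.
my $IPV4_RE = qr/\A\d{1,3}(?:\.\d{1,3}){3}\z/;

# Value after the '=' in a "key=value" log field; undef when there is none.
sub _value_of {
    my ($field) = @_;
    return unless defined $field;
    return (split /=/, $field)[1];
}

# Convert one syslog line into a D-Shield report line plus a sortable
# YYYYMMDDHHMMSS stamp.
#
# Arguments: the raw log line and the $HIDDENTARGET setting.
# Returns ($report, $stamp), or an empty list when the line is not a
# well-formed ScreenOS "Deny" traffic entry for TCP (6), UDP (17) or
# ICMP (1).
sub _parse_log_line {
    my ($input, $hidden) = @_;
    my @line = split /\s+/, $input;

    # Fields 0..25 are needed; shorter lines cannot be traffic entries.
    return if @line < 26;

    # Only deny entries are submitted.
    return unless $line[19] eq 'action=Deny';

    my ($mon_name) = $line[0] =~ $MONTH_RE;
    return unless defined $mon_name;
    my $month = $MONTH_NUMBER_OF{$mon_name};

    # Syslog pads the day with a space, so a single digit needs a leading 0.
    return unless $line[1] =~ /\A\d{1,2}\z/;
    my $day = sprintf '%02d', $line[1];

    my ($hour, $minute, $second) = $line[2] =~ /\A(\d\d):(\d\d):(\d\d)\z/;
    return unless defined $second;

    # Field 9 is expected to carry a quoted date (presumably start_time=
    # "YYYY-MM-DD ..."); the year is the first dash-separated part after
    # the opening quote.
    my $start_date = (split /"/, $line[9])[1];
    return unless defined $start_date;
    my ($year) = split /-/, $start_date;
    return unless defined $year && $year =~ /\A\d{4}\z/;

    my $proto = _value_of($line[14]);
    my $src   = _value_of($line[22]);
    my $dst   = _value_of($line[23]);
    my $sport = _value_of($line[24]);
    my $dport = _value_of($line[25]);    # also holds the type for ICMP
    return unless defined $proto && defined $src && defined $dst;
    return unless $src =~ $IPV4_RE && $dst =~ $IPV4_RE;
    $sport = '' unless defined $sport;
    $dport = '' unless defined $dport;

    if ($hidden ne 'NO') {
        # Mask our own address range by replacing the first octet with 10.
        my @octet = split /\./, $dst;
        $dst = join '.', 10, @octet[1 .. 3];
    }

    my $when = "$month-$day-$year $line[2] $TIMEZONE";
    my $report;
    if ($proto eq '6' || $proto eq '17') {
        # TCP and UDP: source port and destination port are reported.
        $report = "$when\t$USERID\t1\t$src\t$sport\t$dst\t$dport\t$proto\t???";
    }
    elsif ($proto eq '1') {
        # ICMP: the type goes in the source-port column, no destination port.
        $report = "$when\t$USERID\t1\t$src\t$dport\t$dst\t???\t$proto\t???";
    }
    else {
        return;
    }

    my $stamp = "$year$month$day$hour$minute$second";
    return ($report, $stamp);
}

# Timestamp (YYYYMMDDHHMMSS) of the newest entry reported by a previous
# run; stays 0 when the file is missing or unreadable so everything is sent.
my $last_reported = 0;
if (open my $last_fh, '<', $NSLASTLINE) {
    my $saved = <$last_fh>;
    close $last_fh;
    $last_reported = $1 if defined $saved && $saved =~ /\A(\d+)\s*\z/;
}

# Read the whole firewall log and collect the entries not yet reported.
open my $syslog_fh, '<', $FWLOG or die "Cannot open $FWLOG: $!\n";

my @LOG;
my $newest = $last_reported;
LINE: while (my $input = <$syslog_fh>) {
    chomp $input;
    my ($report, $stamp) = _parse_log_line($input, $HIDDENTARGET);
    next LINE unless defined $report;
    # Skip anything already covered by an earlier report.
    next LINE unless $stamp > $last_reported;
    push @LOG, $report;
    $newest = $stamp if $stamp > $newest;
}
close $syslog_fh;

# If new data is present send it.
if (@LOG) {
    my $SUBJECT = "FORMAT DSHIELD USERID $USERID TZ $TIMEZONE Netscreen $VERSION";

    # Net::SMTP->new returns undef (with the reason in $@) when the server
    # cannot be reached; every later step is checked so a rejected report
    # is not silently recorded as sent.
    my $smtp = Net::SMTP->new($SMTPSERVER)
        or die "Cannot connect to SMTP server $SMTPSERVER: $@\n";
    $smtp->mail($FROM) or die "SMTP MAIL FROM rejected: " . $smtp->message;
    $smtp->to($TO)     or die "SMTP RCPT TO $TO rejected: " . $smtp->message;
    # An empty Cc would be sent as an empty RCPT TO and rejected.
    if (length $CC) {
        $smtp->cc($CC) or die "SMTP RCPT TO $CC rejected: " . $smtp->message;
    }
    $smtp->data() or die "SMTP DATA rejected: " . $smtp->message;
    $smtp->datasend("To:$TO\n");
    $smtp->datasend("From:$FROM\n");
    $smtp->datasend("Cc:$CC\n") if length $CC;
    $smtp->datasend("Subject: $SUBJECT\n");
    # A blank line separates the headers from the report body.
    $smtp->datasend("\n");
    for my $entry (@LOG) {
        $smtp->datasend("$entry\n");
    }
    $smtp->dataend() or die "SMTP message rejected: " . $smtp->message;
    $smtp->quit;

    # Every entry in @LOG is newer than $last_reported, so $newest has
    # advanced; record it for the next run.  O_CREAT|O_EXCL refuses to
    # follow a symlink left at the path, so the old file is removed first.
    unlink $NSLASTLINE;    # may legitimately not exist yet
    sysopen my $last_fh, $NSLASTLINE, O_WRONLY | O_CREAT | O_EXCL, 0644
        or die "Cannot create $NSLASTLINE: $!\n";
    print {$last_fh} "$newest\n" or die "Cannot write $NSLASTLINE: $!\n";
    close $last_fh or die "Cannot close $NSLASTLINE: $!\n";
}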