Old 02-02-2009, 07:18 PM
"Jeffrey B. Green"
 
Default Tool for immediate tabulation of ulog files

Hi,

I didn't find anything for immediate use to tabulate occurrences in
shorewall ulog files and so I wrote the below script after doing
similarly on the command line. I needed it to focus in on behavior that
showed up at a higher level. I offer it below for general use via GPL. I
believe there are no bugs at present; however, I keep polishing (revising)
it and do not do any systematic regression testing, so I can offer no
guarantees, nor any particular coding standard.

-jeff

#!/bin/ksh

#
# Author: Jeff Green (2-1-09)
# nb: This cmd requires the input to be in ulog format
# License: GPLv3 or any later GPL license.
#

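# Script name for diagnostics; quoted so a path containing blanks is kept whole.
prog=$(basename -- "$0")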
# Print the one-line synopsis on stdout.
usage()
{
printf 'Usage: [ zcat zipped_ulog_files | ] cat ulog_files [-] | %s [-utsdnSDOh] pattern\n' "$prog"
}

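# Print the option summary on stdout.  A quoted here-document is used instead
# of "echo -e": the text contains no escapes, and not every ksh/sh echo accepts
# -e (some print it literally).
help()
{
cat <<'EOF'

-u restricted to UDP messages

-t restricted to TCP messages

-s tabulate source IP addresses

-d tabulate destination IP addresses

-S tabulate source PORT numbers

-D tabulate destination PORT numbers

-n do not output day tabulation table

-O output a sorted (Ordered) by count table

-h This message
EOF
}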

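# Option parsing.  Sets the globals the tabulation code below relies on:
#   UDP/TCP   non-empty when -u/-t was given; the value is a grep pipeline
#             fragment kept for the input-selection code that appends it to
#             its grep command
#   ENUM      non-empty when any of -s/-d/-S/-D was given
#   FKEY      blank-separated field holding the address to count (9 for -s,
#             10 for -d)
#   PORT/PKEY non-empty / field index counted from the "SPT=" token (1 for
#             -S, 2 for -D)
#   NODATE    non-empty when the per-day table is suppressed (-n)
#   ORDERED   non-empty when -O was given
unset UDP TCP FKEY ENUM NODATE PORT PKEY ORDERED
while getopts utsdnSDOh opt
do
case "$opt" in
u) UDP='| grep "PROTO=UDP" ' ;;
t) TCP='| grep "PROTO=TCP" ' ;;
s) ENUM=1 ; FKEY=9 ;;
d) ENUM=1 ; FKEY=10 ;;
n) NODATE=1 ;;
S) ENUM=1 ; PORT=1 ; PKEY=1 ;;
D) ENUM=1 ; PORT=1 ; PKEY=2 ;;
O) ORDERED='sort -n -t":" -k2' ;;
h) usage; help; exit 0 ;;
*) usage >&2; exit 1 ;;
esac
done
# getopts keeps count of the consumed options itself.
shift $((OPTIND - 1))

# Diagnostics go to stderr so they never mix with the tables on stdout.
if [ -n "$UDP" ] && [ -n "$TCP" ]
then
printf '%s: both -u and -t cannot be set\n' "$prog" >&2
exit 1
fi

if [ -n "$ORDERED" ] && [ -z "$FKEY" ] && [ -z "$PKEY" ]
then
printf '%s: -O option is irrelevant w/o the -s, -d, -S, or -D option\n' "$prog" >&2
exit 1
fi

# Exactly one pattern must remain after the options.
if [ $# -ne 1 ]
then
usage >&2
exit 1
fi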

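# Per-key counters: CNT[day], CIP[address], CPORT[port].  Only the tables
# that were requested are declared.
unset CNT CIP CPORT
[ -z "$NODATE" ] && typeset -A CNT
[ -n "$ENUM" ] && typeset -A CIP
[ -n "$ENUM" ] && [ -n "$PORT" ] && typeset -A CPORT
pattern=$1

# Select the ulog lines to count.  The pattern and the protocol restriction
# are handed to grep as arguments rather than spliced into a command string
# for "sh -c", so a pattern containing blanks, quotes or other shell
# metacharacters is a grep pattern and nothing more; "-e" also keeps a
# pattern starting with "-" from being read as an option.  UDP and TCP are
# only tested for being set (the option parser makes them non-empty and
# rejects -u together with -t); their contents are never executed.
select_lines()
{
if [ -n "$UDP" ]
then
grep -e "$pattern" | grep -F -e 'PROTO=UDP'
elif [ -n "$TCP" ]
then
grep -e "$pattern" | grep -F -e 'PROTO=TCP'
else
grep -e "$pattern"
fi
}

# nb: ksh runs the last stage of a pipeline in the current shell, which is
# what keeps the counters visible after the loop; bash would run the loop in
# a subshell and lose them.
select_lines | while read -r line
do
# Squeeze runs of blanks so a space-padded day ("Feb  2") still yields the
# key "Feb_2".  The line is passed quoted throughout, so nothing in the log
# text is glob-expanded or re-parsed by the shell.
norm=$(printf '%s\n' "$line" | sed -e 's/[[:blank:]][[:blank:]]*/ /g')
if [ -z "$NODATE" ]
then
DATE=$(printf '%s\n' "$norm" | cut -d' ' -f1-2 | tr ' ' '_')
# An empty key is not a valid subscript; skip instead of erroring out.
[ -n "$DATE" ] && CNT["$DATE"]=$((CNT["$DATE"] + 1))
fi
if [ -n "$ENUM" ] && [ -n "$FKEY" ]
then
DST=$(printf '%s\n' "$norm" | cut -d' ' -f"$FKEY" | cut -d'=' -f2)
[ -n "$DST" ] && CIP["$DST"]=$((CIP["$DST"] + 1))
fi
if [ -n "$ENUM" ] && [ -n "$PORT" ]
then
# Drop everything before the SPT= token so PKEY=1 is SPT and PKEY=2 is
# the field that follows it.
PT=$(printf '%s\n' "$norm" | sed -e 's/^.*SPT=/SPT=/' | cut -d' ' -f"$PKEY" | cut -d'=' -f2)
[ -n "$PT" ] && CPORT["$PT"]=$((CPORT["$PT"] + 1))
fi
done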

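# Pass a "key:count" table through, sorted numerically by count when -O was
# given.  ORDERED is only tested for being set; it is not run as a command.
order_table()
{
if [ -n "$ORDERED" ]
then
sort -t ':' -k 2 -n
else
cat
fi
}

# Per-day table, sorted by key.  The key is the first two fields joined by
# "_", so the order is lexical rather than chronological.
if [ -z "$NODATE" ]
then
for i in "${!CNT[@]}"
do
printf '%s - %s\n' "$i" "${CNT[$i]}"
done | sort -t' ' -k1
fi

# Address table (-s/-d).
if [ -n "$ENUM" ] && [ -n "$FKEY" ]
then
for i in "${!CIP[@]}"
do
printf '%s:%s\n' "$i" "${CIP[$i]}"
done | order_table
fi

# Port table (-S/-D).
if [ -n "$ENUM" ] && [ -n "$PORT" ]
then
for i in "${!CPORT[@]}"
do
printf '%s:%s\n' "$i" "${CPORT[$i]}"
done | order_table
fi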




--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-02-2009, 07:18 PM
"Jeffrey B. Green"
 
Default Tool for immediate tabulation of ulog files

Hi,

I didn't find anything for immediate use to tabulate occurrences in
shorewall ulog files and so I wrote the below script after doing
similarly on the command line. I needed it to focus in on behavior that
showed up at a higher level. I offer it below for general use via GPL. I
believe there are no bugs at present; however, I keep polishing (revising)
it and do not do any systematic regression testing, so I can offer no
guarantees, nor any particular coding standard.

-jeff

#!/bin/ksh

#
# Author: Jeff Green (2-1-09)
# nb: This cmd requires the input to be in ulog format
# License: GPLv3 or any later GPL license.
#

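# Script name for diagnostics; quoted so a path containing blanks is kept whole.
prog=$(basename -- "$0")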
# Print the one-line synopsis on stdout.
usage()
{
printf 'Usage: [ zcat zipped_ulog_files | ] cat ulog_files [-] | %s [-utsdnSDOh] pattern\n' "$prog"
}

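# Print the option summary on stdout.  A quoted here-document is used instead
# of "echo -e": the text contains no escapes, and not every ksh/sh echo accepts
# -e (some print it literally).
help()
{
cat <<'EOF'

-u restricted to UDP messages

-t restricted to TCP messages

-s tabulate source IP addresses

-d tabulate destination IP addresses

-S tabulate source PORT numbers

-D tabulate destination PORT numbers

-n do not output day tabulation table

-O output a sorted (Ordered) by count table

-h This message
EOF
}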

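# Option parsing.  Sets the globals the tabulation code below relies on:
#   UDP/TCP   non-empty when -u/-t was given; the value is a grep pipeline
#             fragment kept for the input-selection code that appends it to
#             its grep command
#   ENUM      non-empty when any of -s/-d/-S/-D was given
#   FKEY      blank-separated field holding the address to count (9 for -s,
#             10 for -d)
#   PORT/PKEY non-empty / field index counted from the "SPT=" token (1 for
#             -S, 2 for -D)
#   NODATE    non-empty when the per-day table is suppressed (-n)
#   ORDERED   non-empty when -O was given
unset UDP TCP FKEY ENUM NODATE PORT PKEY ORDERED
while getopts utsdnSDOh opt
do
case "$opt" in
u) UDP='| grep "PROTO=UDP" ' ;;
t) TCP='| grep "PROTO=TCP" ' ;;
s) ENUM=1 ; FKEY=9 ;;
d) ENUM=1 ; FKEY=10 ;;
n) NODATE=1 ;;
S) ENUM=1 ; PORT=1 ; PKEY=1 ;;
D) ENUM=1 ; PORT=1 ; PKEY=2 ;;
O) ORDERED='sort -n -t":" -k2' ;;
h) usage; help; exit 0 ;;
*) usage >&2; exit 1 ;;
esac
done
# getopts keeps count of the consumed options itself.
shift $((OPTIND - 1))

# Diagnostics go to stderr so they never mix with the tables on stdout.
if [ -n "$UDP" ] && [ -n "$TCP" ]
then
printf '%s: both -u and -t cannot be set\n' "$prog" >&2
exit 1
fi

if [ -n "$ORDERED" ] && [ -z "$FKEY" ] && [ -z "$PKEY" ]
then
printf '%s: -O option is irrelevant w/o the -s, -d, -S, or -D option\n' "$prog" >&2
exit 1
fi

# Exactly one pattern must remain after the options.
if [ $# -ne 1 ]
then
usage >&2
exit 1
fi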

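# Per-key counters: CNT[day], CIP[address], CPORT[port].  Only the tables
# that were requested are declared.
unset CNT CIP CPORT
[ -z "$NODATE" ] && typeset -A CNT
[ -n "$ENUM" ] && typeset -A CIP
[ -n "$ENUM" ] && [ -n "$PORT" ] && typeset -A CPORT
pattern=$1

# Select the ulog lines to count.  The pattern and the protocol restriction
# are handed to grep as arguments rather than spliced into a command string
# for "sh -c", so a pattern containing blanks, quotes or other shell
# metacharacters is a grep pattern and nothing more; "-e" also keeps a
# pattern starting with "-" from being read as an option.  UDP and TCP are
# only tested for being set (the option parser makes them non-empty and
# rejects -u together with -t); their contents are never executed.
select_lines()
{
if [ -n "$UDP" ]
then
grep -e "$pattern" | grep -F -e 'PROTO=UDP'
elif [ -n "$TCP" ]
then
grep -e "$pattern" | grep -F -e 'PROTO=TCP'
else
grep -e "$pattern"
fi
}

# nb: ksh runs the last stage of a pipeline in the current shell, which is
# what keeps the counters visible after the loop; bash would run the loop in
# a subshell and lose them.
select_lines | while read -r line
do
# Squeeze runs of blanks so a space-padded day ("Feb  2") still yields the
# key "Feb_2".  The line is passed quoted throughout, so nothing in the log
# text is glob-expanded or re-parsed by the shell.
norm=$(printf '%s\n' "$line" | sed -e 's/[[:blank:]][[:blank:]]*/ /g')
if [ -z "$NODATE" ]
then
DATE=$(printf '%s\n' "$norm" | cut -d' ' -f1-2 | tr ' ' '_')
# An empty key is not a valid subscript; skip instead of erroring out.
[ -n "$DATE" ] && CNT["$DATE"]=$((CNT["$DATE"] + 1))
fi
if [ -n "$ENUM" ] && [ -n "$FKEY" ]
then
DST=$(printf '%s\n' "$norm" | cut -d' ' -f"$FKEY" | cut -d'=' -f2)
[ -n "$DST" ] && CIP["$DST"]=$((CIP["$DST"] + 1))
fi
if [ -n "$ENUM" ] && [ -n "$PORT" ]
then
# Drop everything before the SPT= token so PKEY=1 is SPT and PKEY=2 is
# the field that follows it.
PT=$(printf '%s\n' "$norm" | sed -e 's/^.*SPT=/SPT=/' | cut -d' ' -f"$PKEY" | cut -d'=' -f2)
[ -n "$PT" ] && CPORT["$PT"]=$((CPORT["$PT"] + 1))
fi
done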

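# Pass a "key:count" table through, sorted numerically by count when -O was
# given.  ORDERED is only tested for being set; it is not run as a command.
order_table()
{
if [ -n "$ORDERED" ]
then
sort -t ':' -k 2 -n
else
cat
fi
}

# Per-day table, sorted by key.  The key is the first two fields joined by
# "_", so the order is lexical rather than chronological.
if [ -z "$NODATE" ]
then
for i in "${!CNT[@]}"
do
printf '%s - %s\n' "$i" "${CNT[$i]}"
done | sort -t' ' -k1
fi

# Address table (-s/-d).
if [ -n "$ENUM" ] && [ -n "$FKEY" ]
then
for i in "${!CIP[@]}"
do
printf '%s:%s\n' "$i" "${CIP[$i]}"
done | order_table
fi

# Port table (-S/-D).
if [ -n "$ENUM" ] && [ -n "$PORT" ]
then
for i in "${!CPORT[@]}"
do
printf '%s:%s\n' "$i" "${CPORT[$i]}"
done | order_table
fi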




--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
