########################################################
# Please file all bug reports, patches, and feature
# requests under:
#      https://sourceforge.net/p/logwatch/_list/tickets
# Help requests and discussion can be filed under:
#      https://sourceforge.net/p/logwatch/discussion/
########################################################
#############################################################################
# rt314: logwatcher processing script for NetGear RT314 router syslog output.
# Author: Daniel J. Barrett, dbarrett@blazemonger.com.
#############################################################################
#######################################################
## Copyright (c) 2008 Daniel Barrett
## Covered under the included MIT/X-Consortium License:
##    http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms.  If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution and the
## Logwatch project reserves the right to not accept such
## contributions.  If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
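use strict;
use warnings;
use Socket;

# Logwatch hands the requested verbosity over in the environment; 0 if unset.
our $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my $separator = "-------------------------------------------------------\n";

# Syslog lines open with a fixed-width "Mon dd hh:mm:ss" timestamp.
my $TIMESTAMP_LEN = 15;

### Partition the data into types

# Lines are kept whole (trailing newline included) so the raw-data dump
# further down can print them verbatim.
my (@portscanlines, @genlines, @otherlines, $begin, $end);
while (my $line = <STDIN>) {
   $line =~ s/netgear RAS: //;
   $begin = substr($line, 0, $TIMESTAMP_LEN) unless defined $begin;
   $end = $line;
   if ($line =~ /dpo=/) {
      push @portscanlines, $line;
   }
   elsif ($line =~ / GEN/) {
      push @genlines, $line;
   }
   elsif ($line =~ /last message repeated/) {
      # syslog repeat markers carry no router data of their own; drop them
   }
   else {
      push @otherlines, $line;
   }
}
# No input at all: nothing to report.
exit(0) unless defined $end;
$end = substr($end, 0, $TIMESTAMP_LEN);

### Print summary
if ($Detail >= 10) {
   print "=== Summary ===\n\n";
}

print "Begin:\t$begin\n";
print "End:\t$end\n";
print "\n";

# Extract the destination port and source IP address from each scan line.
my %scans_by_port;   # destination port -> number of scan lines
my %scans_by_ip;     # source IPv4 address (dotted quad) -> number of scan lines
my %ip_key;          # source IPv4 address -> 4-byte packed form
my $unparsed = 0;    # scan lines whose Src=/dpo= fields could not be read
foreach my $line (@portscanlines) {
   # Match rather than substitute: a failed s/// would have left $1/$2
   # holding the captures from the previous line, mis-attributing this scan.
   my ($ip, $port) = $line =~ /Src=([0-9.]+) .* dpo=([0-9]+)/;
   my $key = defined $ip ? _ipv4_key($ip) : undef;
   unless (defined $key) {
      # Missing Src=, empty dpo=, or an out-of-range octet: count it rather
      # than attribute it to a bogus port 0 / stale address.
      $unparsed++;
      next;
   }
   $scans_by_port{$port}++;
   $scans_by_ip{$ip}++;
   $ip_key{$ip} = $key;
}

# Summarize port scans by port number, lowest port first.
my $total = 0;
print "Port #\t\tScans\tService Name\n";
print $separator;
foreach my $port (sort { $a <=> $b } keys %scans_by_port) {
   # getservbyport() returns undef for ports with no /etc/services entry.
   my $service = getservbyport($port, "tcp");
   $service = '' unless defined $service;
   print "$port\t\t$scans_by_port{$port}\t$service\n";
   $total += $scans_by_port{$port};
}
print $separator;
print "Total\t\t$total\n";
print "\n";

# Summarize port scans by initiating host, ordered by address (octet-wise,
# not by the numeric value of the first octet as a plain <=> sort would do).
my @ips = sort { $ip_key{$a} cmp $ip_key{$b} } keys %scans_by_ip;
print "Scanned by\tScans\tHostname Lookup\n";
print $separator;
$total = 0;
foreach my $ip (@ips) {
   # Reverse lookup may fail (undef).  The PTR record is chosen by whoever
   # controls the remote address, so anything non-printable is neutralised
   # before it is written into a report that may be mailed around.
   my $host = gethostbyaddr($ip_key{$ip}, AF_INET);
   $host = '' unless defined $host;
   $host =~ s/[^[:print:]]/?/g;
   print "$ip\t$scans_by_ip{$ip}\t$host\n";
   $total += $scans_by_ip{$ip};
}
print $separator;
print "Total\t\t$total\n";
print "\n";

if ($unparsed) {
   print "Unparsed scan lines:\t$unparsed\n";
   print "\n";
}

# Summarize other rule firings.  An array in scalar context is its element
# count; $#array is the last index and was off by one here.
if (@genlines) {
   print "Rules fired:\t" . scalar(@genlines) . "\n";
   print "\n";
}

# Summarize remaining output
if (@otherlines) {
   print "Uncategorized:\t" . scalar(@otherlines) . "!!!!!!!\n";
   print "\n";
}

if ($Detail >= 10) {
   ## Print all data
   print "=== Raw Data ===\n\n";
   _print_section("Port scans:", \@portscanlines);
   _print_section("Rule lines:", \@genlines);
   _print_section("Other lines:", \@otherlines);
}

exit(0);

# Returns the 4-byte packed form of a dotted-quad IPv4 string (the same
# value inet_aton() would give), or an empty list if the string is not
# exactly four octets in 0..255.  Doubles as the validation for Src= and
# as the sort key for the per-host table.
sub _ipv4_key {
   my ($ip) = @_;
   my @octets = split /\./, $ip;
   return if @octets != 4;
   return if grep { $_ > 255 } @octets;
   return pack('C4', @octets);
}

# Prints a titled block of raw lines (already newline-terminated); prints
# nothing at all when the block is empty.
sub _print_section {
   my ($title, $lines) = @_;
   return unless @$lines;
   print "$title\n";
   print @$lines;
   print "\n";
   return;
}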
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: