brendan@cs.widener.edu (Brendan Kehoe) (12/04/90)
Recently wswietse@win.tue.nl (Wietse Venema) posted a "wrapper" of sorts to log TCP connections to syslog. They show up in the form:

    Dec 2 01:24:34 laverne in.rlogind[1538]: connect from tattoo.cs.widener.edu
    Dec 2 11:06:12 laverne in.fingerd[2693]: connect from CHEM.BU.EDU
    Dec 2 13:53:59 laverne in.telnetd[3129]: connect from tattoo.cs.widener.edu

What follows is my little hack to parse these down into a nice clean report using Perl. This is my first attempt with the language, so please excuse any programming gaffes. The more I use it, the more I like it. Anyway, this thing will make a report that looks like:

-- cut --
 The Tally:
  Finger: 18      Telnet: 37     Rlogin: 15     Rexec: 0      Rsh: 3

 Finger Connections:

   [   11] ashley.cs.widener.edu          [    5] CHEM.BU.EDU
   [    2] tattoo.cs.widener.edu

 Telnet Connections:

   [    1] 35.204.113.2                   [    1] ashley.cs.widener.edu
   [    4] xyplex4.cs.widener.edu         [   11] xyplex2.cs.widener.edu
   [    1] 128.174.130.6                  [    1] BASS.BU.EDU
   [    7] tattoo.cs.widener.edu          [    4] 128.174.130.104
   [    1] TERMINUS.LCS.MIT.EDU           [    6] wid_gdi_5e1.widener.edu

 Rlogin Connections:

   [    6] cs.widener.edu                 [    8] tattoo.cs.widener.edu
   [    1] ashley.cs.widener.edu

 Rsh Connections:

   [    1] cs.widener.edu                 [    2] ashley.cs.widener.edu

-- cut --

Which is considerably easier to read, in my humble opinion. You might also want to do something like

    egrep -v my_domain | perl inet.pl

to make it not get loaded with connections from your local systems (which are supposed to be "trusted", right?). Had I done that above, it'd shorten it to about 8 lines.

I didn't make the tcp logger do ftp connections...it should be easy enough to just add "in.ftpd" to consrch, "in.ftpd" and 5 to ind, and "f" to conhead.

Oh, one other thing .. to make it cleaner, I have syslog.conf set up so that all local1.info messages are sent to the file /var/log/inetlog on the loghost.
To do it I just changed

    (void) openlog(argv[0], LOG_PID);

in tcpd.c to be:

    (void) openlog(argv[0], LOG_PID, LOG_LOCAL1);

so that it gets logged with the local1 facility (and edited syslog.conf of course).

Anyway, here's the program...it's been a fun hack. Any and all comments, suggestions, etc. are welcome.

-- cut --
#!/usr/local/bin/perl
#
# A program to parse down the inetlog files
# Brendan Kehoe (brendan@cs.widener.edu) - 12/03/90
#

# increment the # of times this $act for this system has happened
sub logit {
    local($act) = @_;
    # the connecting host is the last field of the syslog line still in $_;
    # counting from the end works for both one- and two-digit days
    $action{$act . (split(' ', $_))[-1]}++;
}

# write out a line
sub rep {
    if ($_[0] =~ /$_[2]/) {
        $syslen[$syscnt] = $_[1];
        # drop the leading type character (the "f" of "fCHEM.BU.EDU")
        $systems[$syscnt++] = substr($_[0], 1);
        if ($syscnt == 2) {
            write;
            $syscnt = 0;
        }
    }
}

@conhead = ('f', 't', 'r', 'e', 'h');
@contype = ("Finger", "Telnet", "Rlogin", "Rexec", "Rsh");
@consrch = ("in.fingerd", "in.telnetd", "in.rlogind", "in.rexecd", "in.rshd");
# there must be a way to shuffle 2 arrays together for this instead
%ind = ("in.fingerd", 0, "in.telnetd", 1, "in.rlogind", 2, "in.rexecd", 3, "in.rshd", 4);

while (<>) {
    chop;
    foreach $type (@consrch) {
        # if there's a line mentioning the daemon, keep a count of what system
        # it was from & how many times that system did it total
        /$type/ && do {
            $concnt[$ind{$type}]++;
            &logit($conhead[$ind{$type}]);
        };
    }
}

print " The Tally:\n";
$~ = "repline";
write;
$~ = "sysline";
foreach $type (@consrch) {
    # if there was at least one entry (can't do != 0 cuz it could be NULL)
    if ($concnt[$ind{$type}]) {
        print "\n $contype[$ind{$type}] Connections: \n\n";
        # Ok, report it
        while (($sys, $n) = each %action) {
            # we're working from the first character, e.g. ^f
            &rep($sys, $n, '^' . $conhead[$ind{$type}]);
        }
        # if there was only one system, rep wouldn't do it, so finish it here
        if ($syscnt == 1) {
            $~ = "onesysline";
            write;
            $~ = "sysline";
            $syscnt = 0;
        }
    }
}
print "\n";
exit;

#
# Formats
#
format repline =
  Finger: @<<<<<<  Telnet: @<<<<<  Rlogin: @<<<<<  Rexec: @<<<<<  Rsh: @<<<<<
$concnt[0] ? $concnt[0] : 0, $concnt[1] ? $concnt[1] : 0, $concnt[2] ? $concnt[2] : 0, $concnt[3] ? $concnt[3] : 0, $concnt[4] ? $concnt[4] : 0
.

format sysline =
   [@>>>>] @<<<<<<<<<<<<<<<<<<<<<<<<<<<<   [@>>>>] @<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$syslen[0], $systems[0], $syslen[1], $systems[1]
.

format onesysline =
   [@>>>>] @<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$syslen[0], $systems[0]
.
-- cut --

--
Brendan Kehoe - Widener Sun Network Manager - brendan@cs.widener.edu
Widener University in Chester PA                A Bloody Sun-vs-Dec War Zone
"Hi there! Did you know that the very same technology that cleaned up the
 Alaskan oil spill can be used to suck the fat out of your thighs & upper lip?"
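The same tally as an added Python example (not code from the post): it keys on the daemon name and the "connect from" phrase instead of a field position, so one- and two-digit day stamps parse alike, and it replaces the `egrep -v my_domain` filter with a domain-suffix check so only hosts actually under the trusted domain are dropped. It also includes the in.ftpd extension the post mentions; the sample log lines are constructed in the post's format, and the service table and helper names are this example's own.

```python
import re
from collections import defaultdict
# Constructed sample input in the tcpd syslog format shown in the post
# (hosts reuse the post's report; the ftpd and sendmail lines are made up).
SAMPLE_LOG = """\
Dec  2 01:24:34 laverne in.rlogind[1538]: connect from tattoo.cs.widener.edu
Dec  2 11:06:12 laverne in.fingerd[2693]: connect from CHEM.BU.EDU
Dec  2 13:53:59 laverne in.telnetd[3129]: connect from tattoo.cs.widener.edu
Dec 12 08:15:01 laverne in.telnetd[4017]: connect from 35.204.113.2
Dec 12 09:02:44 laverne in.ftpd[4102]: connect from BASS.BU.EDU
Dec 12 09:03:10 laverne sendmail[4110]: unrelated message
"""
SERVICES = {"in.fingerd": "Finger", "in.telnetd": "Telnet", "in.rlogind": "Rlogin",
            "in.rexecd": "Rexec", "in.rshd": "Rsh", "in.ftpd": "Ftp"}
# Match the daemon name and the "connect from" phrase rather than a field
# position, so "Dec  2" and "Dec 12" timestamps parse the same way.
LINE_RE = re.compile(r"\s(in\.\w+)\[\d+\]: connect from (\S+)$")

def parse_line(line):
    """Return (service, host) for a tcpd connect line, else None."""
    m = LINE_RE.search(line.rstrip())
    if not m or m.group(1) not in SERVICES:
        return None
    return SERVICES[m.group(1)], m.group(2)

def is_local(host, local_domain):
    """Case-insensitive suffix test: only hosts under local_domain count as local."""
    return host.lower().endswith("." + local_domain.lower())

def tally(lines, local_domain=None):
    """Return {service: {host: count}}, optionally skipping local hosts."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        service, host = parsed
        if local_domain and is_local(host, local_domain):
            continue
        counts[service][host] += 1
    return counts

def report(counts):
    """Render the tally and per-host lists in the spirit of the post's report."""
    out = [" The Tally:"] + [f"  {s}: {sum(h.values())}" for s, h in sorted(counts.items())]
    for service, hosts in sorted(counts.items()):
        out.append(f"\n  {service} Connections:")
        out += [f"   [{n:>4}] {h}" for h, n in sorted(hosts.items(), key=lambda kv: -kv[1])]
    return "\n".join(out)

if __name__ == "__main__":
    print(report(tally(SAMPLE_LOG.splitlines(), local_domain="cs.widener.edu")))
```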