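#!/usr/bin/perl
#
# aclsumm.pl -- summarize Cisco IOS ACL hit-log messages
# (%SEC-6-IPACCESSLOGP for tcp/udp, %SEC-6-IPACCESSLOGDP for icmp) that a
# router has sent to syslog.  This started as a way for me to quickly figure
# out what services I would need to allow outbound through my border router.
# You have to be logging to syslog (ACL entries with the "log" keyword) for
# this to work.
#
# Jason Lewis
# http://www.packetnexus.com
#
# Options (Getopt::Std, so "-ptui" and "-p tui" are both accepted):
#   -p  protocols to summarize: t = TCP, u = UDP, i = ICMP (any combination)
#   -F  syslog file to read
#   -A  only count hits for this ACL name or number (default: every ACL)
#   -t  how many rows to print per summary table (default: 10)
#
# For every selected protocol, and for both "denied" and "permitted" hits,
# four tables are printed, each sorted by packet count (highest first):
#   Connection                       src -> dst, port (icmp: type/code), ACL
#   Source IP and Destination Port   which inside host talks to which service
#   Destination Port                 (Type/Code for ICMP)
#   Source Address
#
# Log lines that carry the inbound "(Interface mac)" field, e.g.
#   ... list 100 denied icmp 165.87.194.244 (Ethernet0/0 0001.960c.fb54) -> 68.55.11.150 (3/3), 1 packet
# are counted the same as lines without it.
#

use strict;
use warnings;
use Getopt::Std;

# ---- command line --------------------------------------------------------

# Print usage and exit non-zero (the caller got the options wrong).
sub usage {
    print "Usage: ./aclsumm.pl -p<protocols> -F<file> [-A<acl>] [-t<toplist>]\n";
    print "EX: ./aclsumm.pl -ptui -F/var/log/messages -A100 -t10\n\n";
    print "protocol t = TCP u = UDP i = ICMP\n";
    print "File     syslog file holding the router's ACL log messages\n";
    print "ACL      (default = all)\n";
    print "toplist  (default =10)\n";
    exit 1;
}

my %opt;
getopts('p:A:F:t:', \%opt) or usage();
usage() unless defined $opt{p} && defined $opt{F};

# Protocols to summarize; tables are printed in the order tcp, udp, icmp.
my %want;
if ($opt{p} =~ /t/) { $want{tcp}  = 1; print "TCP on!\n"; }
if ($opt{p} =~ /u/) { $want{udp}  = 1; print "UDP on!\n"; }
if ($opt{p} =~ /i/) { $want{icmp} = 1; print "ICMP on!\n"; }
usage() unless %want;    # -p without any of t/u/i would otherwise print nothing

# ACL filter.  The -A value is matched literally (\Q...\E) rather than being
# interpolated into the pattern as a regex, and it is tested with defined/
# length rather than a numeric compare: the old "$acl == ''" test turned any
# non-numeric ACL name (e.g. -Ainbound) into "match everything".
my $acl_re = qr/\S+/;
if (defined $opt{A} && length $opt{A}) {
    $acl_re = qr/\Q$opt{A}\E/;
    print "ACL filter for $opt{A} on!\n";
}

# Rows per table.  A value that is not a positive integer used to fall back
# to 10 silently; keep the fallback but say so.
my $toplist = 10;
if (defined $opt{t}) {
    if ($opt{t} =~ /^\d+$/ && $opt{t} > 0) {
        $toplist = $opt{t};
    }
    else {
        warn "ignoring -t '$opt{t}' (not a positive integer), using $toplist\n";
    }
}

# Three-argument open with an explicit read mode and an error check: the old
# two-argument open("$file") would treat a -F value such as "|cmd" or ">x" as
# a pipe or an output redirection, and a typo'd path silently produced an
# empty report.
open(my $log, '<', $opt{F}) or die "can't open $opt{F}: $!\n";

# ---- lookup tables -------------------------------------------------------

# List to convert destination port numbers to names.
# Add ports in this format to have the names displayed.
my %portnames = (
    20    => 'ftp-data',
    21    => 'ftp',
    22    => 'ssh',
    23    => 'telnet',
    25    => 'smtp',
    37    => 'time',
    53    => 'dns',
    67    => 'bootps',
    68    => 'bootpc',
    80    => 'http',
    110   => 'pop3',
    113   => 'ident',
    119   => 'nntp',
    123   => 'ntp',
    137   => 'netbiosns',
    138   => 'netbiosdgm',
    139   => 'netbiosssn',
    143   => 'imap',
    161   => 'snmp',
    162   => 'snmptrap',
    443   => 'https',
    445   => 'microsoft-ds',
    873   => 'rsync',
    995   => 'pop3s',
    1214  => 'kazaa',
    2703  => 'razor/pyzor',
    5190  => 'aim',
    27666 => 'doom3',
);

# $hits{proto}{action}{view}{key} = packet count, where view is one of
# quad / srcsvc / svc / src (the four tables described above).
my %hits;

# Add one log line's packet count to the four views of its protocol/action.
# $service is the already formatted "port http   (80)" or "type 3 code 3"
# text that every key except the plain source address embeds.
sub tally {
    my ($proto, $action, $acl, $src, $dst, $service, $count) = @_;
    my $h = $hits{$proto}{$action} ||= {};
    $h->{quad}{ sprintf("%16s -> %16s %3s %s - ACL %s", $src, $dst, $proto, $service, $acl) } += $count;
    $h->{srcsvc}{ sprintf("%3s %s - ACL %s", $src, $service, $acl) } += $count;
    $h->{svc}{ sprintf("%3s %s - ACL %s", $proto, $service, $acl) } += $count;
    $h->{src}{$src} += $count;
    return;
}

# ---- parse the log -------------------------------------------------------

# tcp/udp:  list 101 denied tcp 1.2.3.4(1234) [(Ethernet0/0 0001.960c.fb54)] -> 5.6.7.8(80), 1 packet
my $pl_re = qr{
    IPACCESSLOGP:\s+list\s+($acl_re)\s+(denied|permitted)\s+(tcp|udp)\s+
    ([0-9.]+)\((\d+)\)                 # source ip(port)
    (?:\s+\([^)]*\))?                  # "(Interface mac)", present on inbound ACLs
    \s+->\s+([0-9.]+)\((\d+)\),\s+(\d+)\s+packet
}x;

# icmp:     list 101 permitted icmp 1.2.3.4 [(Ethernet0/0 0001.960c.fb54)] -> 5.6.7.8 (3/3), 1 packet
my $icmp_re = qr{
    IPACCESSLOGDP:\s+list\s+($acl_re)\s+(denied|permitted)\s+icmp\s+
    ([0-9.]+)                          # source ip
    (?:\s+\([^)]*\))?                  # optional "(Interface mac)"
    \s+->\s+([0-9.]+)\s+\((\d+)/(\d+)\),\s+(\d+)\s+packet
}x;

while (my $line = <$log>) {
    if ($line =~ $pl_re) {
        my ($acl, $action, $proto, $src, $dst, $dport, $count) = ($1, $2, $3, $4, $6, $7, $8);
        next unless $want{$proto};
        my $name = defined $portnames{$dport} ? $portnames{$dport} : $dport;
        tally($proto, $action, $acl, $src, $dst, sprintf("port %-6s (%s)", $name, $dport), $count);
    }
    elsif ($line =~ $icmp_re) {
        next unless $want{icmp};
        my ($acl, $action, $src, $dst, $type, $code, $count) = ($1, $2, $3, $4, $5, $6, $7);
        tally('icmp', $action, $acl, $src, $dst, sprintf("type %-6s code %-6s", $type, $code), $count);
    }
}
close $log;

# ---- report --------------------------------------------------------------

# Print the $limit highest-count keys of %$counts under $title.  Ties are
# broken by key so the output is stable from run to run (hash order is not).
sub print_top {
    my ($title, $counts, $limit, $sep) = @_;
    printf "\n%s:\n", $title;
    my @keys = sort { $counts->{$b} <=> $counts->{$a} || $a cmp $b } keys %$counts;
    splice @keys, $limit if @keys > $limit;
    printf "%6s%s%s\n", $counts->{$_}, $sep, $_ for @keys;
    return;
}

my %label     = (tcp => 'TCP', udp => 'UDP', icmp => 'ICMP');
my %svc_label = (tcp => 'Destination Port', udp => 'Destination Port', icmp => 'Type/Code');

for my $proto (grep { $want{$_} } qw(tcp udp icmp)) {
    my $P = $label{$proto};
    for my $action (qw(denied permitted)) {
        my $A = ucfirst $action;
        my $h = $hits{$proto}{$action} || {};
        print_top("$A $P Connection Summary",                          $h->{quad}   || {}, $toplist, ':');
        print_top("$A $P Source IP and $svc_label{$proto} Summary",    $h->{srcsvc} || {}, $toplist, ': ');
        print_top("$A $P $svc_label{$proto} Summary",                  $h->{svc}    || {}, $toplist, ': ');
        print_top("$A $P Source Address Summary",                      $h->{src}    || {}, $toplist, ': ');
    }
    print "\n===================================\n";
}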