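#!/bin/bash
#
# scancheck: built on LOGCHECK (Psionic project). Extracts, from the log lines
# appended since the previous run, the source hosts and destination ports of
# traffic that was rejected/denied/dropped, and files the matching log lines
# per source host (under $SCAND) and per destination port (under $PORTD).
#
# Creation date: 26/04/2001
# Modification Record:
# 	v1.0 26/04/2001 OM/Makers	Procedure created
# 	v2.0 25/07/2002 OM/Makers	Added the part that lists destination ports
#					in the directory /usr/local/portd
# 	v2.1 26/07/2002 OM/Makers	Fixed the destination-port listing by
#					inserting a space after the "(" in the file risultati.$$
#	v2.2 28/11/2002 OM/Makers	Change for DNS (named) 9.2.1 log handling
#
#	v3.0 03/12/2002 OM/Makers	Change for PIX Firewall log handling
#
#	v3.1 10/09/2003 OM/Makers	Change for Netfilter/IPTABLES Firewall log handling
#
#	v5.0 31/10/2005 OM/Sansec	Change to filter out malformed IP addresses
#
#	v5.1 16/12/2008 OM/Sansec	Change to include PIX/ASA logs
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin

# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.

# Person to send log activity to.
SYSADMIN=root

# Full path to logtail program.
# This program is required to run this script and comes with the package.

LOGTAIL=/usr/local/bin/scantail
ROOTD=/usr/local/etc
SCAND=/usr/local/FW/scan
TMPDIR=/usr/local/FW/tmp
PORTD=/usr/local/FW/portd
#
# Which log sources are enabled (1) or disabled (0) below.
SCREEND=0
CISCO=1
SNORT=1
PIX=1
NETFILTER=1
#
# Platform flags; not consulted by this script, kept for configuration parity.
# shellcheck disable=SC2034
OSF=0
# shellcheck disable=SC2034
LINUX=1
#
# Full path to SECURED (non public writable) /tmp directory.
# Prevents Race condition and potential symlink problems. I highly
# recommend you do NOT make this a publically writable/readable directory.
# You would also be well advised to make sure all your system/cron scripts
# use this directory for their "scratch" area.

# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
# Kept as an array so the command and its option stay separate words;
# "grep -E" replaces the obsolescent "egrep" wrapper with identical semantics.
GREP=(grep -E)

# Digital OSF/1, Irix
MAIL=Mail

HACKING_FILE=/usr/local/etc/scancheck.hacking

# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
# (Currently unused: the ignore step below is commented out.)
# shellcheck disable=SC2034
VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore

# This is the name of a file that contains patterns that we should
# ignore if found in a log file. If you have repeated false alarms
# or want specific errors ignored, you should put them in here.
# Once again, be as specific as possible, and go easy on the wildcards
# (Currently unused: the ignore step below is commented out.)
# shellcheck disable=SC2034
IGNORE_FILE=/usr/local/etc/scancheck.ignore

# The files are reported in the order of hacking, security
# violations, and unusual system events. Notice that this
# script uses the principle of "That which is not explicitely
# ignored is reported" in that the script will report all items
# that you do not tell it to ignore specificially. Be careful
# how you use wildcards in the logcheck.ignore file or you
# may miss important entries.

# Make sure we really did clean up from the last run.
# Also this ensures that people aren't trying to trick us into
# overwriting files that we aren't supposed to. This is still a race
# condition, but if you are in a temp directory that does not have
# generic luser access it is not a problem. Do not allow this program
# to write to a generic /tmp directory where others can watch and/or
# create files!!

# Shouldn't need to touch these...
HOSTNAME=$(hostname)
DATE=$(date +%m/%d/%y:%H.%M)

umask 077

#######################################
# Remove every scratch file this run creates in $TMPDIR (all carry our PID).
# Installed as an EXIT trap so an early exit or a signal does not leave
# extracted log material behind.
# Globals:   TMPDIR (read)
#######################################
cleanup() {
  rm -f -- "$TMPDIR/porte.$$" "$TMPDIR/porte2.$$" "$TMPDIR/risultati.$$" "$TMPDIR/ris.$$"
  rm -f -- "$TMPDIR/check.$$" "$TMPDIR/checkoutput.$$" "$TMPDIR/checkreport.$$"
  rm -f -- "$TMPDIR/prova.$$" "$TMPDIR/prova1.$$" "$TMPDIR/prova2.$$" "$TMPDIR/prova3.$$" "$TMPDIR/prova5.$$"
  rm -f -- "$TMPDIR/host.$$"
}
trap cleanup EXIT

# Anti-spoof check: after removing our scratch names they must be gone. If
# something is still there we cannot own the files, so stop and alert.
rm -f -- "$TMPDIR/check.$$" "$TMPDIR/checkoutput.$$" "$TMPDIR/checkreport.$$"
if [[ -f "$TMPDIR/check.$$" || -f "$TMPDIR/checkoutput.$$" || -f "$TMPDIR/checkreport.$$" ]]; then
  printf '%s\n' "Log files exist in $TMPDIR directory that cannot be removed. This
may be an attempt to spoof the log checker." \
    | "$MAIL" -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" "$SYSADMIN"
  exit 1
fi

# Without logtail nothing is collected and the run would silently report
# "nothing to do"; fail loudly instead so a broken install is noticed.
if [[ ! -x "$LOGTAIL" ]]; then
  printf '%s: logtail program %s not found or not executable\n' "${0##*/}" "$LOGTAIL" >&2
  exit 1
fi

#######################################
# Append the lines added to one log file since the previous run to check.$$.
# A missing log file is skipped silently (not every host has every source).
# Globals:   LOGTAIL, TMPDIR (read)
# Arguments: $1 - path of the log file
#######################################
collect_log() {
  local logfile=$1
  if [[ -f "$logfile" ]]; then
    "$LOGTAIL" "$logfile" >> "$TMPDIR/check.$$"
  fi
}

collect_log /var/log/messages
collect_log /var/log/router.log
collect_log /var/log/snort/alert
if [[ "$PIX" -eq 1 ]]; then
  collect_log /var/log/pix.log
fi

# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
# BELOW THIS LINE.

# Set the flag variables
FOUND=0
ATTACK=0
HACK=0

# See if the tmp file exists and actually has data to check,
# if it doesn't our job is done (the EXIT trap removes it).

if [[ ! -s "$TMPDIR/check.$$" ]]; then
  exit 0
fi

# Perform Searches

# Check for blatant hacking attempts: every new line matching a pattern of
# $HACKING_FILE goes to checkoutput.$$, which all later extraction reads.
if [[ -f "$HACKING_FILE" ]]; then
  if "${GREP[@]}" -i -f "$HACKING_FILE" "$TMPDIR/check.$$" > "$TMPDIR/checkoutput.$$"; then
    FOUND=1
    ATTACK=1
  fi
fi

# Do reverse grep on patterns we want to ignore
#if [[ -f "$IGNORE_FILE" ]]; then
#	if "${GREP[@]}" -v -f "$IGNORE_FILE" "$TMPDIR/check.$$" > "$TMPDIR/checkoutput.$$"; then
#		FOUND=1
#	fi
#fi

# If there are results, mail them to sysadmin

if [[ "$ATTACK" -eq 1 ]]; then
  ###
  ###	tcp/udp detection on SCREEND logs
  ###
  if [[ "$SCREEND" -eq 1 ]]; then
    awk '$6 ~ /REJECT:/ && $7 !~/ICMP/ {print substr($8,2,(index($8,"]")-2))}' "$TMPDIR/checkoutput.$$" > "$TMPDIR/prova.$$"
  fi
  ###
  ###	icmp detection on SCREEND logs
  ###
  if [[ "$SCREEND" -eq 1 ]]; then
    awk '$6 ~ /REJECT:/ && $7   ~/ICMP/ {print substr($9,2,(index($9,"]")-2))}' "$TMPDIR/checkoutput.$$" >> "$TMPDIR/prova.$$"
  fi
  ###
  ###	tcp/udp detection on router logs
  ###
  if [[ "$CISCO" -eq 1 ]]; then
    awk '$12 ~ /denied/ && $13 !~/icmp/ {print substr($14,1,(index($14,"("))-1 ) }' "$TMPDIR/checkoutput.$$" >> "$TMPDIR/prova.$$"
    ###
    ###	icmp detection on router logs OM/12-Oct-2001
    ###
    awk '$12 ~ /denied/ && $13 ~/icmp/ {print $14 }' "$TMPDIR/checkoutput.$$" >> "$TMPDIR/prova.$$"
  fi
  ###
  ###
  ###	Records with "denied" from the named log
  ###
  awk '$NF ~ /denied/ {print $0 }' "$TMPDIR/checkoutput.$$" | cut -d " " -f5 | cut -d '#' -f1 >> "$TMPDIR/prova.$$"
  ###
  ###	Attack detection through the snort alert file OM/28-Aug-2001
  ###
  if [[ "$SNORT" -eq 1 ]]; then
    awk 'NF>0 {
	for (i=1;i<=NF; i++)
        	if ($i == "{TCP}" || $i == "{UDP}")
        	print substr($(i+1),1,(index($(i+1),":")-1))
	}' "$TMPDIR/checkoutput.$$" >> "$TMPDIR/prova.$$"
    awk 'NF>0 {
	for (i=1;i<=NF; i++)
        	if ( $i == "{ICMP}" )
        	print $(i+1)
	}' "$TMPDIR/checkoutput.$$" >> "$TMPDIR/prova.$$"
    ###
    ###	Portscan detection through snort: check on "End of portscan" OM/28-08-2001
    ###
    awk '$5 ~ /End/ {print substr($9,1,(length($9)-1 )) }' "$TMPDIR/checkoutput.$$" >> "$TMPDIR/prova.$$"
  fi
  ###
  ###	Detection through Netfilter: OM/09-09-2003
  ###
  if [[ "$NETFILTER" -eq 1 ]]; then
    awk '$6 ~ /DROP/{print $12}' "$TMPDIR/checkoutput.$$" | grep SRC | cut -d "=" -f2 >> "$TMPDIR/prova.$$"
    awk '$6 ~ /DROP/{print $11}' "$TMPDIR/checkoutput.$$" | grep SRC | cut -d "=" -f2 >> "$TMPDIR/prova.$$"
  fi
  ###
  ###	Detection on PIX Firewall logs
  ###
  # The sed chain normalises every "from/src <iface>:" marker to "<" and every
  # "to/dst <iface>:" marker to ">", so the source address is whatever sits
  # between the first "<" and the next ">" (port suffix after "/" dropped).
  if [[ "$PIX" -eq 1 ]]; then
    grep -E '(\%PIX|\%ASA)' "$TMPDIR/checkoutput.$$" \
      | sed 's/<154>//g' \
      | sed 's/<155>//g' \
      | sed 's/from /< /g' \
      | sed 's/to /> /g' \
      | sed 's/src inside:/< /g' \
      | sed 's/dst inside:/> /g' \
      | sed 's/src outside:/< /g' \
      | sed 's/dst outside:/> /g' \
      | sed 's/src LAN-DMZ1:/< /g' \
      | sed 's/dst LAN-DMZ1:/> /g' \
      | sed 's/src LAN-DMZ2:/< /g' \
      | sed 's/dst LAN-DMZ2:/> /g' \
      | cut -d '<' -f2 | cut -d '>' -f1 | cut -d '/' -f1 \
      | sed 's/(//g' | sed 's/)//g' >> "$TMPDIR/prova.$$"
  fi
  #
  # Strip every blank from the collected candidates, then keep only tokens
  # that are well-formed dotted-quad IPv4 addresses (v5.0). This is also what
  # makes "$SCAND/$var" below safe: the value cannot contain "/" or "..".
  #
  sed 's/\ //g' "$TMPDIR/prova.$$" > "$TMPDIR/prova3.$$"
  grep -E '^([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])$' "$TMPDIR/prova3.$$" >> "$TMPDIR/prova5.$$"
  sort -u "$TMPDIR/prova5.$$" -o "$TMPDIR/prova2.$$"
  #
  # One file per source address: collect every checkoutput line mentioning it.
  # The patterns written to host.$$ are, in order (OM/06-06-2002):
  #   SCREEND; CISCO tcp; CISCO udp; snort TCP; snort UDP; snort "End of
  #   portscan"; CISCO/snort ICMP; named 9.2.1 "client"; PIX ":addr";
  #   PIX "from addr"; PIX "from (addr)"; Netfilter "SRC=addr".
  # They are literal strings (dots included), hence grep -F.
  #
  while IFS= read -r var; do
    if [[ -n "$var" ]]; then
      printf '%s\n' \
        "$var]->" \
        "tcp $var(" \
        "udp $var(" \
        "{TCP} $var:" \
        "{UDP} $var:" \
        "End of portscan from $var:" \
        "$var ->" \
        "client $var" \
        ":$var" \
        "from $var" \
        "from ($var)" \
        "SRC=$var" > "$TMPDIR/host.$$"
      touch -- "$SCAND/$var"
      # NOTE(review): 700 also sets the execute bit on a plain data file;
      # kept as-is in case a consumer of $SCAND depends on the current mode.
      chmod 700 "$SCAND/$var"
      grep -F -f "$TMPDIR/host.$$" "$TMPDIR/checkoutput.$$" >> "$SCAND/$var"
      HACK=$(grep -c -F -f "$TMPDIR/host.$$" "$TMPDIR/checkoutput.$$")
      # More than 10 hits from one address in this batch: hand it to scanlogit.
      if [[ "$HACK" -gt 10 ]]; then
        "$ROOTD/scanlogit" "$var" "$HACK" >/dev/null 2>&1
        HACK=0
      fi
      rm -f -- "$TMPDIR/host.$$"
    fi
  done < "$TMPDIR/prova2.$$"
  ###
  ###	Destination ports
  ###
  grep -i ICMP "$TMPDIR/checkoutput.$$" >> "$PORTD/icmp"
  #
  # risultati.$$ holds "( <port>) <original line>" for every non-PIX line so
  # the per-port loop below can select lines by a fixed "( <port>)" prefix.
  #
  grep -E -v "(\%PIX|\%ASA)" "$TMPDIR/checkoutput.$$" | awk -F"->" 'NF>2 {print "( "substr($3,1,index($3,")")-1)") " $0}' > "$TMPDIR/risultati.$$"
  grep -E -v "(\%PIX|\%ASA)" "$TMPDIR/checkoutput.$$" | awk 'NF>0 { for (i=1;i<=NF; i++) if ($i == "{TCP}" || $i == "{UDP}") 
		print "( "substr($(i+3),(index($(i+3),":")+1),5)") " $0 }' >> "$TMPDIR/risultati.$$"
  grep -E -v "(\%PIX|\%ASA)" "$TMPDIR/checkoutput.$$" | awk 'NF>0 { for (i=1;i<=NF; i++) if ($i == "tcp" || $i == "udp") 
		print "( "substr($(i+3),(index($(i+3),"(")+1),index($(i+3),"),")-(index($(i+3),"(")+1))") " $0}' >> "$TMPDIR/risultati.$$"
  grep -E -v "(\%PIX|\%ASA)" "$TMPDIR/checkoutput.$$" | awk 'NF>0 { for (i=1;i<=NF; i++) if ($i ~ /DPT=/ ) print"( "substr($i,5)") " $0 }' >> "$TMPDIR/risultati.$$"

  ###
  # porte.$$ holds the bare destination ports extracted the same four ways.
  grep -E -v "(\%PIX|\%ASA)" "$TMPDIR/checkoutput.$$" | awk -F"->" 'NF>2 {print substr($3,1,index($3,")")-1)}' > "$TMPDIR/porte.$$"
  grep -E -v "(\%PIX|\%ASA)" "$TMPDIR/checkoutput.$$" | awk 'NF>0 { for (i=1;i<=NF; i++) if ($i == "{TCP}" || $i == "{UDP}") 
		print substr($(i+3),(index($(i+3),":")+1),5)}' >> "$TMPDIR/porte.$$"
  grep -E -v "(\%PIX|\%ASA)" "$TMPDIR/checkoutput.$$" | awk 'NF>0 { for (i=1;i<=NF; i++) if ($i == "tcp" || $i == "udp")
		print substr($(i+3),(index($(i+3),"(")+1),index($(i+3),"),")-(index($(i+3),"(")+1))}' >> "$TMPDIR/porte.$$"
  grep -E -v "(\%PIX|\%ASA)" "$TMPDIR/checkoutput.$$" | awk 'NF>0 { for (i=1;i<=NF; i++) if ($i ~ /DPT=/ ) print substr($i,5) }' >> "$TMPDIR/porte.$$"
  #
  # 	PIX destination ports
  #
  grep -v "icmp" "$TMPDIR/checkoutput.$$" | grep -E '(\%PIX|\%ASA)' \
    | awk 'NF>2 {  for (i=1;i<=NF; i++) if ($i == "dst" || $i == "to")   \
		print "( "substr($(i+1),index($(i+1),"/")+1) ") " $0}' >> "$TMPDIR/risultati.$$"
  #
  grep -E '(\%PIX|\%ASA)' "$TMPDIR/checkoutput.$$" \
    | grep -v icmp \
    | sed 's/from /< /g' \
    | sed 's/to /> /g' \
    | sed 's/src inside:/< /g' \
    | sed 's/dst inside:/> /g' \
    | sed 's/src outside:/< /g' \
    | sed 's/dst outside:/> /g' \
    | sed 's/src LAN-DMZ1:/< /g' \
    | sed 's/dst LAN-DMZ1:/> /g' \
    | sed 's/src LAN-DMZ2:/< /g' \
    | sed 's/dst LAN-DMZ2:/> /g' \
    | cut -d '<' -f2 | awk '{print $3 }' | cut -s -d '/' -f2 >> "$TMPDIR/porte.$$"
  ###
  sort -u "$TMPDIR/porte.$$" -o "$TMPDIR/porte2.$$"
  ###
  # One file per destination port. Unlike the source addresses, the port
  # tokens were not validated, and they come straight from log content, so
  # refuse anything that could escape $PORTD ("/", ".", "..") or be taken as
  # an option ("-..."). The "( <port>)" selector is a fixed string, not a regex.
  while IFS= read -r var; do
    if [[ -z "$var" || "$var" == */* || "$var" == . || "$var" == .. || "$var" == -* ]]; then
      continue
    fi
    touch -- "$PORTD/$var"
    # NOTE(review): execute bit on a data file, kept for compatibility (see $SCAND).
    chmod 700 "$PORTD/$var"
    grep -F -- "( $var)" "$TMPDIR/risultati.$$" > "$TMPDIR/ris.$$"
    awk ' {print substr($0, (index($0,")")+2),length($0))}' "$TMPDIR/ris.$$" >> "$PORTD/$var"
  done < "$TMPDIR/porte2.$$"

fi
## Clean Up is handled by the EXIT trap (cleanup).

#if [[ "$ATTACK" -eq 1 ]]; then
#	find "$SCAND" -type f -exec ls -l {} \; | sort -r -k 6,8 | "$MAIL" -s "SECURITY: Active system probe on $DATE" "$SYSADMIN"
#	ls -lt "$SCAND" | "$MAIL" -s "SECURITY: SUMMARY system probe on $DATE" "$SYSADMIN"
#fi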