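#!/usr/bin/perl
#
# mail-dshield
# DSHIELD Parsing code for Compatible Systems MicroRouter
# (now sold by CISCO)
# Ross E. Bergman, 2/18/2002 (rbergman@vividusa.com)
#
# Create a crontab entry like this:
# 25 5 * * * /opt/etc/mail-dshield /var/log/logfile.0
# which runs after syslog resets your current router log.
#
# Reads the router syslog file(s) named on the command line (or STDIN),
# turns every "deny:" line into one tab-separated DShield record and mails
# the records to report@dshield.org.  Nothing is sent when no line matched.
#
# If you're running on Solaris, only $sendmail below needs changing: the
# "src=", "dst=" and "proto=" fields are found by their prefix, so the
# different field count of Solaris syslog lines no longer matters.
#
# Records are buffered in memory instead of a fixed, world-predictable
# /tmp file, so a symlink planted in /tmp cannot redirect the write when
# this runs from root's crontab.

use strict;
use warnings;

# Change these three variables to be appropriate for your site.
my $userid = 12345678;
my $tz     = "-05:00";
my $from   = "username\@domain.com";

my $sendmail = "/usr/sbin/sendmail";    # Solaris wants: "/usr/lib/sendmail"
my $subject  = "FORMAT DSHIELD USERID $userid TZ $tz";

# Syslog month abbreviation -> month number.
my %month_number = (
    Jan => 1, Feb => 2, Mar => 3, Apr => 4,  May => 5,  Jun => 6,
    Jul => 7, Aug => 8, Sep => 9, Oct => 10, Nov => 11, Dec => 12,
);

# IP protocol number (as logged in "proto=<n>") -> name used in the report.
my %proto_name = (
    0  => "IP",
    1  => "ICMP",
    6  => "TCP",
    17 => "UDP",
    47 => "GRE",
    50 => "ESP",
    51 => "AH",
    89 => "OSPF",
);

# Turn one router log line into one DShield record.
#
# Arguments:
#   $line      - raw syslog line ("Mon dd hh:mm:ss ... deny: ... src=IP(port)
#                dst=IP(port) proto=N")
#   $userid    - DShield user id written into the record
#   $tz        - timezone string appended to the timestamp
#   $cur_month - month (1..12) the script is running in
#   $cur_year  - four-digit year the script is running in
#
# Returns the record terminated by "\n", or an empty list (undef in scalar
# context) when the line is not a "deny:" line or lacks a parsable
# src/dst/proto triple.  Syslog lines carry no year, so a month later than
# the current one is taken to belong to the previous year.
sub _format_record {
    my ($line, $userid, $tz, $cur_month, $cur_year) = @_;

    return if $line !~ /deny:/;
    chomp $line;

    my ($mon_name, $dd, $time, @rest) = split ' ', $line;
    return if !defined $time;

    # Locate the fields by prefix rather than by position so the Linux and
    # Solaris syslog layouts (which differ in field count) both work.
    my ($src)   = grep { /^src=/ }   @rest;
    my ($dst)   = grep { /^dst=/ }   @rest;
    my ($proto) = grep { /^proto=/ } @rest;
    return if !defined $src || !defined $dst || !defined $proto;

    # "src=10.0.0.1(1234)" -> ("10.0.0.1", "1234"); same shape for dst.
    my ($sip, $sp) = $src =~ /^src=([^(]*)\(([^)]*)\)/ or return;
    my ($dip, $dp) = $dst =~ /^dst=([^(]*)\(([^)]*)\)/ or return;

    (my $proto_num = $proto) =~ s/^proto=//;
    # Unknown protocol numbers are reported numerically instead of blank.
    my $proto_out = exists $proto_name{$proto_num}
        ? $proto_name{$proto_num}
        : $proto_num;

    my $mon  = $month_number{$mon_name} || 0;
    my $year = $mon > $cur_month ? $cur_year - 1 : $cur_year;
    my $date = sprintf("%d-%02d-%02d %s %s", $year, $mon, $dd, $time, $tz);

    return join("\t", $date, $userid, 1, $sip, $sp, $dip, $dp, $proto_out) . "\n";
}

# Entry point: parse the log(s) and mail the report.  Returns the exit code.
sub main {
    my (undef, undef, undef, undef, $cur_month, $year) = localtime(time);
    $cur_month++;
    $year += 1900;

    # NOTE: <> opens each @ARGV entry with 2-arg open semantics, so the
    # argument must be a plain path (as in the crontab example above), not
    # something starting with "|", ">" or "-".
    my @records;
    while (my $line = <>) {
        my $record = _format_record($line, $userid, $tz, $cur_month, $year);
        push @records, $record if defined $record;
    }

    return 0 if !@records;    # nothing denied -> nothing to report

    # List-form pipe open: no shell is involved, so $sendmail and its flags
    # cannot be reinterpreted.
    open my $mail, '|-', $sendmail, '-t', '-oi'
        or die "cannot run $sendmail: $!";
    print {$mail} "To: report\@dshield.org\n",
                  "From: $from\n",
                  "Subject: $subject\n\n",
                  @records;
    # close() on a pipe reports both write errors ($!) and a non-zero
    # child exit status ($?).
    close $mail
        or die "sendmail failed: " . ($! ? $! : "exit status " . ($? >> 8));

    return 0;
}

# Run only when executed directly; a `require` of this file (e.g. from a
# test) just defines the subs.
exit main() unless caller;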