List:       sidewinder
Subject:    [Sidewinder] Firewall Log Scripts
From:       Blahut Randall M SSgt 83 CS/SCNN <randall.blahut () langley ! af ! mil>
Date:       2001-08-27 18:18:01
Attached, you'll find a few scripts I wrote to count proxy connections,
bytes-transferred per-proxy, and ACL hits (Sidewinder 5.1.x).  Also, I
should note that just because a proxy passes a lot of traffic doesn't
necessarily mean that it taxes the ACL the most.  Recall that the Sidewinder
ACL is only consulted once per "connection", not per packet.  For UDP
sessions, this could be almost every packet.  For TCP sessions, the ACL is
checked after the TCP connection is completed by NSS.  Dedicated proxies may
consult the ACL even less because they handle the nuances of a protocol
internally.  Every other packet in the session is handled by the proxy and
does not necessarily consult the ACL.  For this reason, it might be wise not
to structure your ACL order solely on volume (bytes transferred), but to
consider connection totals.  The second Perl script will do just that
(ACL_T_NETTRAFFIC event types).  Save these scripts on your firewall and
make them executable.  Here's an example:

	chown root connect-counter.pl traffic-counter.pl acl-counter.pl
	chmod +x connect-counter.pl traffic-counter.pl acl-counter.pl

If you're running Sidewinder 5.1.x, you will also have to change their type
enforcement settings:

	chtype Admn:scrp connect-counter.pl traffic-counter.pl acl-counter.pl

Here's how to run the script to count per-port connection totals:

	acat -ae "type AUDIT_T_NETTRAFFIC" /var/log/audit.raw | ./connect-counter.pl > connect.txt

Here's how to run it for per-port byte totals:

	acat -ae "type AUDIT_T_NETTRAFFIC" /var/log/audit.raw | ./traffic-counter.pl > traffic.txt

If you're running Sidewinder 5.1.x, you can get specific ACL stats by
enabling ACL logging.  Note that this is not recommended if your firewall is
already short on system resources or log disk space.  Do this to enable ACL
logging:

	cf acl setloglevel 3

Now run the script to parse ACL hits:

	acat -ae 'type AUDIT_T_ACLALLOW || type AUDIT_T_ACLDENY' /var/log/audit.raw | ./acl-counter.pl > acl.txt

When you're done, you should change the log level back to its default of 2.

	cf acl setloglevel 2

I'm no whiz at scripting, but a few people have asked me, so I thought I
would share.


SSgt Randy Blahut
ACC NOSC Network Security Team
83 CS/SCNN
Langley AFB, Virginia
DSN:  312-574-6563 or 4968
Commercial: 757-764-6563 or 4968
randall.blahut@langley.af.mil
 <<connect-counter.pl>>  <<traffic-counter.pl>>  <<acl-counter.pl>> 

["connect-counter.pl" (application/octet-stream)]

#!/usr/bin/perl5
# connect-counter.pl: count opened connections per protocol and destination
# port from AUDIT_T_NETTRAFFIC records (feed it the output of acat, as above).

$eol = "\n";
$tab = "\t";

%info_hash = ();

$/ = '';			# paragraph mode: one audit record per read
while (<STDIN>) {
	s/$eol/ /go;		# flatten the multi-line record onto one line
	# header: month mday time year zone facility area type priority, then data
	if (/^\s*(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.+)\s*$/o) {
		$month = $1;
		$mday = $2;
		$time = $3;
		$year = $4;
		$zone = $5;
		$facility = $6;
		$area = $7;
		$type = $8;
		$priority = $9;
		$data = $10;

		next unless ($type eq 't_nettraffic');

		# IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
		if ($data =~ /protocol:\s+(\d+)/o) {
			$proto = $1;
		} else {
			next;
		}

		if ($data =~ /dstport:\s+(\d+)/o) {
			$port = $1;
			if (! defined ($info_hash{$proto}{$port})) {
				$info_hash{$proto}{$port}{'connections'} = 0;
			}

			# count the record that opens the connection, not the one that closes it
			if ($data =~ /status:\s+conn_open/o) {
				$info_hash{$proto}{$port}{'connections'} ++;
			} else {
				next;
			}
		} else {
			next;
		}

	} else {
		next;
	}
}

print STDOUT join (
	$tab,
	'protocol',
	'port',
	'connections',
),
$eol;

foreach $protocol (sort { $a <=> $b } (keys (%info_hash))) {
	if ($protocol == 1) {
		$this_proto = 'ICMP';
	} elsif ($protocol == 6) {
		$this_proto = 'TCP';
	} elsif ($protocol == 17) {
		$this_proto = 'UDP';
	} else {
		$this_proto = $protocol;	# unknown protocol: print the number, not the previous name
	}
	foreach $service (sort { $a <=> $b } (keys (%{$info_hash{$protocol}}))) {
		print STDOUT join (
			$tab,
			$this_proto,
			$service,
			$info_hash{$protocol}{$service}{'connections'},
		),
		$eol;
	}
}

# end

["traffic-counter.pl" (application/octet-stream)]

#!/usr/bin/perl5
# traffic-counter.pl: sum bytes transferred per protocol and destination port
# from AUDIT_T_NETTRAFFIC records (feed it the output of acat, as above).

$eol = "\n";
$tab = "\t";

%info_hash = ();

$/ = '';			# paragraph mode: one audit record per read
while (<STDIN>) {
	s/$eol/ /go;		# flatten the multi-line record onto one line
	# header: month mday time year zone facility area type priority, then data
	if (/^\s*(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.+)\s*$/o) {
		$month = $1;
		$mday = $2;
		$time = $3;
		$year = $4;
		$zone = $5;
		$facility = $6;
		$area = $7;
		$type = $8;
		$priority = $9;
		$data = $10;

		next unless ($type eq 't_nettraffic');

		# IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
		if ($data =~ /protocol:\s+(\d+)/o) {
			$proto = $1;
		} else {
			next;
		}

		if ($data =~ /dstport:\s+(\d+)/o) {
			$port = $1;
			if (! defined ($info_hash{$proto}{$port})) {
				$info_hash{$proto}{$port}{'bytes_written_to_client'} = 0;
				$info_hash{$proto}{$port}{'bytes_written_to_server'} = 0;
			}

			# records without byte counts (e.g. conn_open) are skipped
			if ($data =~ /bytes_written_to_client:\s+(\d+)/o) {
				$bytes = $1;
				$info_hash{$proto}{$port}{'bytes_written_to_client'} += $bytes;
			} else {
				next;
			}

			if ($data =~ /bytes_written_to_server:\s+(\d+)/o) {
				$bytes = $1;
				$info_hash{$proto}{$port}{'bytes_written_to_server'} += $bytes;
			} else {
				next;
			}
		} else {
			next;
		}

	} else {
		next;
	}
}

print STDOUT join (
	$tab,
	'protocol',
	'port',
	'bytes sent to client',
	'bytes sent to server',
	'total',
),
$eol;

foreach $protocol (sort { $a <=> $b } (keys (%info_hash))) {
	if ($protocol == 1) {
		$this_proto = 'ICMP';
	} elsif ($protocol == 6) {
		$this_proto = 'TCP';
	} elsif ($protocol == 17) {
		$this_proto = 'UDP';
	} else {
		$this_proto = $protocol;	# unknown protocol: print the number, not the previous name
	}

	foreach $service (sort { $a <=> $b } (keys (%{$info_hash{$protocol}}))) {
		print STDOUT join (
			$tab,
			$this_proto,
			$service,
			$info_hash{$protocol}{$service}{'bytes_written_to_client'},
			$info_hash{$protocol}{$service}{'bytes_written_to_server'},
			$info_hash{$protocol}{$service}{'bytes_written_to_client'}
				+ $info_hash{$protocol}{$service}{'bytes_written_to_server'},
		),
		$eol;
	}
}

# end


["acl-counter.pl" (application/octet-stream)]

#!/usr/bin/perl5
# acl-counter.pl: count allow/deny hits per ACL entry from AUDIT_T_ACLALLOW
# and AUDIT_T_ACLDENY records (requires "cf acl setloglevel 3", see above).

$eol = "\n";
$tab = "\t";

%info_hash = ();
$acl_type = '';

# Sample records this script expects (one paragraph per record):
#
#Aug 27 13:33:56 2001 EDT  f_wwwproxy a_server t_aclallow p_major
#pid: 278 ruid: 0 euid: 0 pgid: 278 fid: 2000001 logid: 0 cmd: 'httpp'
#domain: htpp edomain: htpp srcip: 131.6.15.38 dstip: 209.225.32.5 protocol: 6 
#service_name: http agent_type: proxy user_name: (null) 
#acl_id: Unrestricted-LAFB-Outbound acl_position: 20 

#Aug 27 13:35:36 2001 EDT  f_generic_tcppproxy a_server t_acldeny p_major
#pid: 394 ruid: 0 euid: 0 pgid: 394 fid: 2000001 logid: 0 cmd: 'tcpgsp'
#domain: Genx edomain: Genx srcip: 131.6.154.66 dstip: 131.107.25.7 protocol: 6 
#service_name: TCP-389 agent_type: proxy user_name: (null) acl_id: deny_all 
#acl_position: 112

$/ = '';			# paragraph mode: one audit record per read
while (<STDIN>) {
	s/$eol/ /go;		# flatten the multi-line record onto one line
	# header: month mday time year zone facility area type priority, then data
	if (/^\s*(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.+)\s*$/o) {
		$month = $1;
		$mday = $2;
		$time = $3;
		$year = $4;
		$zone = $5;
		$facility = $6;
		$area = $7;
		$type = $8;
		$priority = $9;
		$data = $10;

		if ($type eq 't_aclallow') {
			$acl_type = 'allow';
		} elsif ($type eq 't_acldeny') {
			$acl_type = 'deny';
		} else {
			next;
		}

		if ($data =~ /acl_id:\s+(\S+)/o) {
			$acl_id = $1;
		} else {
			next;
		}

		if ($data =~ /acl_position:\s+(\d+)/o) {
			$acl_position = $1;
		} else {
			next;
		}

		# first hit records the rule's position; later hits just bump the count
		if (! defined ($info_hash{$acl_type}{$acl_id})) {
			%{$info_hash{$acl_type}{$acl_id}} = (
				'pos'	=>	$acl_position,
				'count'	=>	1,
			);
		} else {
			$info_hash{$acl_type}{$acl_id}{'count'} ++;
		}

	} else {
		next;
	}
}

print STDOUT join (
	$tab,
	'action',
	'name',
	'position',
	'count',
),
$eol;

foreach $action (sort (keys (%info_hash))) {
	# ACL names are strings, so sort the entries numerically by ACL position
	foreach $name (sort { $info_hash{$action}{$a}{'pos'} <=> $info_hash{$action}{$b}{'pos'} }
			(keys (%{$info_hash{$action}}))) {
		print STDOUT join (
			$tab,
			$action,
			$name,
			$info_hash{$action}{$name}{'pos'},
			$info_hash{$action}{$name}{'count'},
		),
		$eol;
	}
}

# end
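As an added example (not part of the original post or its attachments), the same ACL-hit parsing in Python, extended with a ranking of ACL entries by connection count versus ACL position so that a busy rule sitting far down the ACL stands out. The audit records below are constructed in the layout quoted in acl-counter.pl; addresses and ACL names are made up.

```python
import re
from collections import defaultdict

# Constructed sample of `acat -ae 'type AUDIT_T_ACLALLOW || type AUDIT_T_ACLDENY'`
# output, in the record layout quoted in acl-counter.pl; values are made up.
SAMPLE_AUDIT = """\
Aug 27 13:33:56 2001 EDT  f_wwwproxy a_server t_aclallow p_major
pid: 278 cmd: 'httpp' srcip: 10.0.0.5 dstip: 192.0.2.10 protocol: 6
service_name: http agent_type: proxy acl_id: Outbound-Web acl_position: 20

Aug 27 13:34:10 2001 EDT  f_wwwproxy a_server t_aclallow p_major
pid: 281 cmd: 'httpp' srcip: 10.0.0.9 dstip: 192.0.2.11 protocol: 6
service_name: http agent_type: proxy acl_id: Outbound-Web acl_position: 20

Aug 27 13:35:36 2001 EDT  f_generic_tcpproxy a_server t_acldeny p_major
pid: 394 cmd: 'tcpgsp' srcip: 10.0.1.66 dstip: 198.51.100.7 protocol: 6
service_name: TCP-389 agent_type: proxy acl_id: deny_all acl_position: 112

Aug 27 13:36:01 2001 EDT  f_dnsproxy a_server t_aclallow p_major
pid: 120 cmd: 'dnsp' srcip: 10.0.0.5 dstip: 192.0.2.53 protocol: 17
service_name: dns agent_type: proxy acl_id: Outbound-DNS acl_position: 3
"""

# Same header pattern the Perl scripts use once a record is flattened to one line.
HEADER = re.compile(r'^\s*(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+(\d+)\s+(\w+)\s+'
                    r'(\w+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.+)$')

def parse_records(text):
    """Yield (audit type, {field: value}) for each paragraph-separated record."""
    for para in re.split(r'\n\s*\n', text.strip()):
        m = HEADER.match(' '.join(para.splitlines()))
        if m:
            yield m.group(8), dict(re.findall(r'(\w+):\s+(\S+)', m.group(10)))

def acl_hits(text):
    """Count allow/deny hits per ACL entry: {(action, acl_id): (position, count)}."""
    hits = defaultdict(lambda: [0, 0])
    for rtype, f in parse_records(text):
        action = {'t_aclallow': 'allow', 't_acldeny': 'deny'}.get(rtype)
        if action is None or 'acl_id' not in f or 'acl_position' not in f:
            continue  # other record types or truncated records are skipped
        entry = hits[(action, f['acl_id'])]
        entry[0], entry[1] = int(f['acl_position']), entry[1] + 1
    return {k: tuple(v) for k, v in hits.items()}

def reorder_candidates(text):
    """Entries ranked by hit count (ties by position); a busy rule with a high
    position is a candidate for moving up, since the ACL is walked in order
    once per connection."""
    return sorted(((k[0], k[1], pos, n) for k, (pos, n) in acl_hits(text).items()),
                  key=lambda r: (-r[3], r[2]))

if __name__ == '__main__':
    for row in reorder_candidates(SAMPLE_AUDIT):
        print('\t'.join(map(str, row)))
```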

