Saturday, April 25, 2009

LinuxFest Northwest 2009

In honor of LinuxFest Northwest 2009, which I attended at Bellingham Technical College today, I submit a Bash script to parse my firewall log. There were great speakers today. I really appreciated PNNL's Gary Smith's excellent presentation on his architecture of sensors that feed PreludeIDS. Seth Schoen delivered an excellent talk on physical security, side-channel attacks, and cold-boot attack vectors. Local consultant Derek Simkowiak delivered a comprehensive presentation on Open Source Virtual Machines.

#!/bin/bash
# Checks NetGear Firewall syslog output or tcpdump -vvveX of syslog port thereof
# This Bash shell script needs the full path to the log file as its only argument
# Apr24213621PDT2009 rferrisx

# Take the log file from the first argument ($BASH_ARGV is fragile) and
# check it before changing directory, so a bad path fails early.
logfile="$1"
if [ -z "$logfile" ] || [ ! -r "$logfile" ]; then
    echo "usage: $0 /full/path/to/firewall.log" >&2
    exit 1
fi
# Make a relative path absolute so it still resolves after the cd below.
case "$logfile" in /*) ;; *) logfile="$PWD/$logfile" ;; esac

# Work directory named by timestamp, e.g. Apr24213621PDT2009.
# %d (not %e) is used so single-digit days do not put a space in the name.
newdir=$(date "+%b%d%H%M%S%Z%Y")
mkdir "$newdir"
cd "$newdir" || exit 1

# Patterns that pick out the interesting line of a whois answer
printf '%s\n' City: descr: NET owner: NetName Copyright > whois.search

# In the NetGear log the "Msg:" line follows each "Severity alert" line
grep -A 1 "Severity alert" "$logfile" | grep "Msg:" > ./attackers.txt
# Colon-separated fields: 4 = source IP; 6 and 7 = destination IP, port and description
awk -F":" '{ print $4 "," $6 $7 }' ./attackers.txt > ./SipDipPortDesc.txt

SIP=$(awk -F"," '{ print $1 }' ./SipDipPortDesc.txt)
DIP=$(awk -F"," '{ print $2 }' ./SipDipPortDesc.txt)
PORT=$(awk -F" " '{ print $2 }' ./SipDipPortDesc.txt)
DESC=$(awk -F" " '{ print $3 "," $4 }' ./SipDipPortDesc.txt)

# One line per alert, in log order, so the four files stay aligned
echo "$SIP" > SIP
echo "$DIP" > DIP
echo "$PORT" > PORT
echo "$DESC" > DESC

# Look up each distinct source once: whois servers throttle repeated queries,
# and a noisy source can appear hundreds of times in the log
for i in $(printf '%s\n' $SIP | sort -u); do
    whois "$i" | grep -m 1 -f whois.search
done > WHOIS
for i in $(printf '%s\n' $SIP | sort -u); do
    traceroute -I -d "$i"
done > ICMPtraceroute.txt