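#!/usr/bin/env ruby
#
# Abuse-report scraper.
#
# Collects the source IPs of yesterday's brute-force alerts (comma-separated
# suricata firewall log) and bans (fail2ban log), asks abusix's DNS-based
# abuse-contact service for the contact of each IP, and mails that contact the
# matching log lines.
#
# Security notes for maintainers:
#   * Log lines and DNS TXT answers are untrusted input. The previous version
#     interpolated the IP, the abuse contact and the whole mail body into
#     shell command lines (`dig`, `grep`, `echo ... | mail`); a quote, `$(...)`
#     or backtick in any of them would have run commands as this user. Nothing
#     here goes through a shell: DNS uses Resolv, log scanning is plain Ruby,
#     and `mail` is spawned with an argv array and fed the body on stdin.
#   * IPs are validated as dotted-quad IPv4 and recipients as plain addresses
#     before use, so a malformed log line or a tampered TXT record is skipped
#     (with a warning) instead of reaching `mail`.

require 'date'
require 'resolv'

# Some configuration parameters
FW_LOGFILE  = '/home/coolfire/fw_block.log'
F2B_LOGFILE = '/var/log/fail2ban.log'
ABUSIX_ZONE = 'abuse-contacts.abusix.org'
MAIL_DELAY  = 2 # seconds between outgoing mails; don't batter the upstream relay

# Recipient sanity check. The contact comes from a DNS TXT record and is passed
# to `mail` as an argument, so accept only a plain address: the local part must
# start with an alphanumeric (no leading '-' that `mail` could read as an
# option) and the whole thing must be free of whitespace, quotes, backticks,
# angle brackets and separators.
EMAIL_RE = /\A[A-Za-z0-9][^\s@,;'"`<>\\]*@[A-Za-z0-9.\-]+\z/

# Yesterday's date in the two formats the logs use: [fw_date, f2b_date].
# fw_block.log is matched as unpadded m/d/yyyy, exactly as before
# (NOTE(review): confirm against the real log; adjust here if it pads).
# fail2ban writes zero-padded YYYY-MM-DD, which the old
# "#{year}-#{month}-#{day}" stamp never matched for days/months below 10.
def yesterday_stamps
  d = Date.today.prev_day
  ["#{d.month}/#{d.day}/#{d.year}", d.strftime('%Y-%m-%d')]
end

# Yields each line of the log at path. An unreadable log is reported on
# stderr and yields nothing, so a missing fail2ban log no longer aborts the
# suricata report (and vice versa).
def each_log_line(path)
  File.foreach(path) { |line| yield line }
rescue Errno::ENOENT, Errno::EACCES => e
  warn "#{path}: #{e.message}; skipping"
end

# Source IPs of brute-force alerts logged on fw_date. The log is
# comma-separated with the date in column 0 and the IP in column 9.
# Returns unique IPs in order of first appearance (may contain "" for lines
# that lack column 9; the caller drops those).
def firewall_ips(path, fw_date)
  ips = []
  each_log_line(path) do |line|
    next unless line =~ /brute/i
    chunks = line.split(',')
    next unless chunks[0].to_s.start_with?(fw_date)
    ips << chunks[9].to_s.strip
  end
  ips.uniq
end

# IPs fail2ban banned on f2b_date. "Ban" lines are whitespace-separated with
# the date in column 0 and the IP in column 6. The date test now lives inside
# the "Ban" branch; the old script ran it on every line against stale
# date/ip values left over from the previous match.
def fail2ban_ips(path, f2b_date)
  ips = []
  each_log_line(path) do |line|
    next unless line.include?('Ban ')
    chunks = line.split(' ')
    next unless chunks[0].to_s.start_with?(f2b_date)
    ips << chunks[6].to_s.strip
  end
  ips.uniq
end

# Abuse contact(s) for an IPv4 address from abusix's reverse-quad zone, as a
# single string (all TXT strings joined, like the old `dig +short` output with
# quotes and newlines removed). Returns nil when there is no answer or the
# lookup fails; the old `gsub!` chain raised NoMethodError on an empty answer.
def abuse_contact_for(ip)
  name = "#{ip.split('.').reverse.join('.')}.#{ABUSIX_ZONE}"
  records = Resolv::DNS.open do |dns|
    dns.getresources(name, Resolv::DNS::Resource::IN::TXT)
  end
  contact = records.flat_map(&:strings).join.strip
  contact.empty? ? nil : contact
rescue Resolv::ResolvError, Resolv::ResolvTimeout, SystemCallError => e
  warn "abusix lookup for #{ip} failed: #{e.message}"
  nil
end

# Recipients parsed from an abusix answer: one or more comma-separated
# addresses, each validated against EMAIL_RE before it is handed to `mail`.
# Returns [] if any part fails validation, so a tampered record sends nothing.
def recipients_from(contact)
  parts = contact.split(',').map(&:strip)
  parts.all? { |a| a =~ EMAIL_RE } ? parts : []
end

# Lines of the log at path from date_str that mention ip as a whole address
# (1.2.3.4 no longer pulls in 11.2.3.45 or 1.2.3.45, which the old
# `grep ip | grep date` pipeline did, leaking other hosts' lines into the
# report). Returns the matching lines concatenated, newlines included.
def matching_lines(path, ip, date_str)
  ip_re = /(?<![\d.])#{Regexp.escape(ip)}(?![\d.])/
  out = []
  each_log_line(path) do |line|
    out << line if line.include?(date_str) && line =~ ip_re
  end
  out.join
end

# Plain-text abuse report sent to contact about ip; the two detail strings
# are the matching suricata and fail2ban log lines.
def report_body(ip, contact, fw_details, f2b_details)
  <<MESSAGE_END
Dear #{contact},

We wish to inform we have been attacked from the following IP address:
#{ip}
At the bottom of this email you will find more details about this attack.

You are receiving this email because you are listed as the abuse contact for this IP address. If this is incorrect please contact your own IT department to have this corrected.

Kind regards,
The Insomnia 24/7 team

Suricata hits:
#{fw_details}

Fail2ban hits:
#{f2b_details}
MESSAGE_END
end

# Hands the report to the local `mail` command. Subject and recipients go in
# argv (no shell involved, nothing interpolated into a command line) and the
# body is written to stdin. Returns true when `mail` exited successfully.
def send_report(recipients, subject, body)
  IO.popen(['mail', '-s', subject] + recipients, 'w') { |io| io.write(body) }
  $?.success?
rescue SystemCallError => e
  warn "could not run mail: #{e.message}"
  false
end

# Entry point: aggregate yesterday's IPs from both logs and report each one.
def main
  fw_date, f2b_date = yesterday_stamps
  iplist = (firewall_ips(FW_LOGFILE, fw_date) + fail2ban_ips(F2B_LOGFILE, f2b_date)).uniq

  iplist.each do |ip|
    # Only dotted-quad IPv4 is supported (the abusix name is the reversed
    # quad); anything else from a malformed log line is dropped here.
    next if ip.empty? || ip !~ Resolv::IPv4::Regex

    contact = abuse_contact_for(ip)
    next if contact.nil?

    recipients = recipients_from(contact)
    if recipients.empty?
      warn "skipping #{ip}: abuse contact #{contact.inspect} is not a plain address"
      next
    end

    body = report_body(ip, contact,
                       matching_lines(FW_LOGFILE, ip, fw_date),
                       matching_lines(F2B_LOGFILE, ip, f2b_date))
    send_report(recipients, "Abuse from #{ip}", body)

    # Don't batter our upstream mail servers
    sleep(MAIL_DELAY)
  end
end

main if __FILE__ == $PROGRAM_NAME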