Commit 0c024f12 authored by Cool Fire's avatar Cool Fire

New log format + IPv6 + tweak to mail

parent 449d1b8c
#!/usr/bin/env ruby #!/usr/bin/env ruby
require 'date' require 'date'
require 'ipaddr'
# Some configuration parameters # Some configuration parameters
fw_logfile = '/home/coolfire/fw_block.log' fw_logfile = '/home/coolfire/fw_block.log'
...@@ -10,12 +11,9 @@ iplist = Array.new ...@@ -10,12 +11,9 @@ iplist = Array.new
# Get the date # Get the date
date = Date.today.prev_day date = Date.today.prev_day
day = date.day
month = date.month
year = date.year
fw_date = "#{month}/#{day}/#{year}" fw_date = date.strftime('%m/%d/%Y')
f2b_date = "#{year}-#{month}-#{day}" f2b_date = date.strftime('%Y-%m-%d')
# Parse suricata firewall log # Parse suricata firewall log
fh = File.open(fw_logfile, 'r') fh = File.open(fw_logfile, 'r')
...@@ -25,9 +23,12 @@ fh.each_line do |line| ...@@ -25,9 +23,12 @@ fh.each_line do |line|
if(line =~ /brute/i) if(line =~ /brute/i)
# Parse out variables # Parse out variables
chunks = line.split(',') chunks = line.split('[')
date = chunks[0] date = chunks[0]
ip = chunks[9] ip = chunks[6].split('}')[1].split(':')
ip = ip.first ip.size - 1
ip = ip.join(':').strip
ip = IPAddr.new ip
# Check if line from yesterday # Check if line from yesterday
if(date =~ /^#{fw_date}/) if(date =~ /^#{fw_date}/)
...@@ -53,6 +54,7 @@ fh.each_line do |line| ...@@ -53,6 +54,7 @@ fh.each_line do |line|
chunks = line.split(' ') chunks = line.split(' ')
date = chunks[0] date = chunks[0]
ip = chunks[6] ip = chunks[6]
ip = IPAddr.new ip
end end
# Check if line from yesterday # Check if line from yesterday
...@@ -72,8 +74,8 @@ iplist.each do |ip| ...@@ -72,8 +74,8 @@ iplist.each do |ip|
if(!ip.nil?) if(!ip.nil?)
# Build DNS request # Build DNS request
quads = ip.split('.') rev = ip.reverse
dns_req = "#{quads[3]}.#{quads[2]}.#{quads[1]}.#{quads[0]}.abuse-contacts.abusix.org" dns_req = rev.gsub(/(\.in-addr\.arpa|\.ip6.arpa)/, '.abuse-contacts.abusix.org')
# Request abuse contact address from abusix.org # Request abuse contact address from abusix.org
abuse_contact = %x(dig -t TXT +short #{dns_req}).gsub!(/"/, '') abuse_contact = %x(dig -t TXT +short #{dns_req}).gsub!(/"/, '')
...@@ -86,20 +88,20 @@ iplist.each do |ip| ...@@ -86,20 +88,20 @@ iplist.each do |ip|
# Gather details about the IP # Gather details about the IP
# From suricata # From suricata
fw_details = %x(grep #{ip} #{fw_logfile} | grep #{fw_date}) fw_details = %x(grep #{ip.to_s} #{fw_logfile} | grep #{fw_date})
# From Fail2ban # From Fail2ban
f2b_details = %x(grep #{ip} #{f2b_logfile} | grep #{f2b_date}) f2b_details = %x(grep #{ip.to_s} #{f2b_logfile} | grep #{f2b_date})
# Build mail body # Build mail body
mail = <<MESSAGE_END mail = <<MESSAGE_END
Dear #{abuse_contact}, Dear #{abuse_contact},
We wish to inform we have been attacked from the following IP address: We wish to inform we have been attacked from the following IP address:
#{ip} #{ip.to_s}
At the bottom of this email you will find more details about this attack. At the bottom of this email you will find more details about this attack.
You are receiving this email because you are listed as the abuse contact for this IP address. If this is incorrect please contact your own IT department to have this corrected. This email was automatically generated. You are receiving this email because you are listed as the abuse contact for this IP address. If this is incorrect please contact your own IT department to have this corrected.
Kind regards, Kind regards,
The Insomnia 24/7 team The Insomnia 24/7 team
...@@ -112,10 +114,11 @@ Fail2ban hits: ...@@ -112,10 +114,11 @@ Fail2ban hits:
MESSAGE_END MESSAGE_END
# Send out mail # Send out mail
%x(echo '#{mail}' | mail -s "Abuse from #{ip}" "#{abuse_contact}" ) %x(echo '#{mail}' | mail -s "Abuse from #{ip.to_s}" "#{abuse_contact}" )
# Don't batter our upstram mail servers # Don't batter our upstram mail servers
sleep(2) sleep(2)
end end
end end
end end
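Review bot: The changed send line `%x(echo '#{mail}' | mail -s "Abuse from #{ip.to_s}" "#{abuse_contact}" )` still hands interpolated strings to the shell: `abuse_contact` is whatever the `dig` TXT lookup returned and `mail` embeds raw log lines via `fw_details`/`f2b_details`, so a quote or shell metacharacter in either breaks the command or is executed under the script's account. Passing arguments as an array avoids the shell entirely, e.g. `IO.popen(['mail', '-s', "Abuse from #{ip}", abuse_contact], 'w') { |io| io.write(mail) }`, and the `.to_s` calls added on these lines are redundant because string interpolation already calls `to_s` on the IPAddr. The new `IPAddr.new ip` calls in the two parse hunks raise `IPAddr::InvalidAddressError` on a line whose shape differs from the expected one, which would abort the whole run partway through the log; a `rescue IPAddr::InvalidAddressError` that skips the line (presumably leaving `ip` nil, which the later `if(!ip.nil?)` already tolerates) would be more robust. The `fh.each_line` and `iplist.each` blocks that contain these lines start and end outside the visible hunks.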