Commit 97425d51 authored by root's avatar root

Changed to allow new suricata log format & correctly process IPv6 addresses.

parent 449d1b8c
#!/usr/bin/env ruby
require 'date'
require 'ipaddr'
# Some configuration parameters
fw_logfile = '/home/coolfire/fw_block.log'
......@@ -10,12 +11,9 @@ iplist = Array.new
# Get the date
date = Date.today.prev_day
day = date.day
month = date.month
year = date.year
fw_date = "#{month}/#{day}/#{year}"
f2b_date = "#{year}-#{month}-#{day}"
fw_date = date.strftime('%m/%d/%Y')
f2b_date = date.strftime('%Y-%m-%d')
# Parse suricata firewall log
fh = File.open(fw_logfile, 'r')
......@@ -25,9 +23,12 @@ fh.each_line do |line|
if(line =~ /brute/i)
# Parse out variables
chunks = line.split(',')
chunks = line.split('[')
date = chunks[0]
ip = chunks[9]
ip = chunks[6].split('}')[1].split(':')
ip = ip.first ip.size - 1
ip = ip.join(':').strip
ip = IPAddr.new ip
# Check if line from yesterday
if(date =~ /^#{fw_date}/)
......@@ -53,6 +54,7 @@ fh.each_line do |line|
chunks = line.split(' ')
date = chunks[0]
ip = chunks[6]
ip = IPAddr.new ip
end
# Check if line from yesterday
......@@ -72,8 +74,8 @@ iplist.each do |ip|
if(!ip.nil?)
# Build DNS request
quads = ip.split('.')
dns_req = "#{quads[3]}.#{quads[2]}.#{quads[1]}.#{quads[0]}.abuse-contacts.abusix.org"
rev = ip.reverse
dns_req = rev.gsub(/(\.in-addr\.arpa|\.ip6.arpa)/, '.abuse-contacts.abusix.org')
# Request abuse contact address from abusix.org
abuse_contact = %x(dig -t TXT +short #{dns_req}).gsub!(/"/, '')
......@@ -86,20 +88,20 @@ iplist.each do |ip|
# Gather details about the IP
# From suricata
fw_details = %x(grep #{ip} #{fw_logfile} | grep #{fw_date})
fw_details = %x(grep #{ip.to_s} #{fw_logfile} | grep #{fw_date})
# From Fail2ban
f2b_details = %x(grep #{ip} #{f2b_logfile} | grep #{f2b_date})
f2b_details = %x(grep #{ip.to_s} #{f2b_logfile} | grep #{f2b_date})
# Build mail body
mail = <<MESSAGE_END
Dear #{abuse_contact},
We wish to inform we have been attacked from the following IP address:
#{ip}
#{ip.to_s}
At the bottom of this email you will find more details about this attack.
You are receiving this email because you are listed as the abuse contact for this IP address. If this is incorrect please contact your own IT department to have this corrected.
This email was automatically generated. You are receiving this email because you are listed as the abuse contact for this IP address. If this is incorrect please contact your own IT department to have this corrected.
Kind regards,
The Insomnia 24/7 team
......@@ -112,7 +114,7 @@ Fail2ban hits:
MESSAGE_END
# Send out mail
%x(echo '#{mail}' | mail -s "Abuse from #{ip}" "#{abuse_contact}" )
%x(echo '#{mail}' | mail -s "Abuse from #{ip.to_s}" "#{abuse_contact}" )
# Don't batter our upstram mail servers
sleep(2)
......
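Review bot: The rewritten send line `%x(echo '#{mail}' | mail -s "Abuse from #{ip.to_s}" "#{abuse_contact}" )` still hands untrusted text to a shell: `abuse_contact` is whatever the `dig` TXT lookup returned, and `mail` embeds the raw `fw_details`/`f2b_details` log lines, so a single quote or other shell metacharacter in either breaks out of the quoting and runs as a command under this script's user. Passing an argument array avoids the shell entirely, e.g. `IO.popen(['mail', '-s', "Abuse from #{ip}", abuse_contact], 'w') { |io| io.write(mail) }`, with the body written to stdin instead of echoed. The two `grep` calls in the preceding hunk have the same shape, though there `ip` is an `IPAddr` and `fw_date` is fixed-format, so they are far less exposed; `ip.to_s` inside `#{}` is redundant in all of these lines. Separately, in the suricata parsing hunk `IPAddr.new ip` raises (and `chunks[6]` may be nil) on a line that matches `/brute/` but not the expected layout, aborting the whole run instead of skipping that entry; a `next unless chunks[6]` guard plus `rescue IPAddr::InvalidAddressError` around that block would keep one malformed line from stopping the report. The enclosing `fh.each_line` and `iplist.each` loops start before and continue past the visible hunks.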