| |
|---|
| | # for Licensing Terms |
|---|
| | # |
|---|
| | # Build a report of all unauthorized access attempts |
|---|
| | # |
|---|
| | # Usage: abck [-d date offset] -s [String To Match In Log Record] |
|---|
| | # Usage: abck [-d date offset] -e [Except String] -s [Match String] |
|---|
| | |
|---|
| | ########## |
|---|
| | |
|---|
| | VERSION = "$Id: abck,v 1.9 2001/07/18 22:18:56 tundra Exp $" |
|---|
| | VERSION = "$Id: abck,v 1.91 2001/07/18 22:59:53 tundra Exp $" |
|---|
| | |
|---|
| | |
|---|
| | |
|---|
| | #################### |
|---|
| |
|---|
| | |
|---|
| | USAGE = "abck " + VERSION.split()[2] + " " + \ |
|---|
| | "Copyright (c) 2001, TundraWare Inc. All Rights Reserved.\n" + \ |
|---|
| | " usage:\n" + \ |
|---|
| | " abck [-d # days to look back] [-s string to match]\n" |
|---|
| | " abck [-d # days to look back]\n" + \ |
|---|
| | " [-e except string]\n" + \ |
|---|
| | " [-m match string]\n" + \ |
|---|
| | " [-s Show, but do not process matching records]\n" |
|---|
| | |
|---|
| | |
|---|
| | #################### |
|---|
| | # Data Structures |
|---|
| |
|---|
| | # the instrusion attempt. A null return means the user want to |
|---|
| | # skip this record. |
|---|
| | |
|---|
| | |
|---|
| | def ProcessLogRecord(logrecord): |
|---|
| | def ProcessLogRecord(logrecord, NOMATCH, SHOWONLY): |
|---|
| | |
|---|
| | # Check for each known attack keyword |
|---|
| | |
|---|
| | sendto = "" |
|---|
| |
|---|
| | |
|---|
| | logfield = logrecord.split() |
|---|
| | if logrecord.count(attackkey): |
|---|
| | |
|---|
| | # Even if it is a legitimate attack record, |
|---|
| | # we do not process it if it contains text |
|---|
| | # the user does not want matched. |
|---|
| | |
|---|
| | if NOMATCH and logrecord.count(NOMATCH): |
|---|
| | break |
|---|
| | |
|---|
| | if SHOWONLY: |
|---|
| | print logrecord |
|---|
| | break |
|---|
| | |
|---|
| | # Different attack records put the hostquad in different places |
|---|
| | hostquad = logfield[AttackKeys[attackkey]] |
|---|
| | if hostquad[-1] == ',': |
|---|
| | hostquad = hostquad[:-1] # Strip trailing dots |
|---|
| |
|---|
| | |
|---|
| | # Program entry and command line processing |
|---|
| | |
|---|
| | try: |
|---|
| | opts, args = getopt.getopt(sys.argv[1:], '-d:s:') |
|---|
| | opts, args = getopt.getopt(sys.argv[1:], '-d:e:m:s') |
|---|
| | except getopt.GetoptError: |
|---|
| | print USAGE |
|---|
| | sys.exit(2) |
|---|
| | |
|---|
| | OLDEST = 0 |
|---|
| | MATCHSTRING = "" |
|---|
| | OLDEST = 0 |
|---|
| | MATCH = "" |
|---|
| | NOMATCH = "" |
|---|
| | SHOWONLY = FALSE |
|---|
| | |
|---|
| | for opt, val in opts: |
|---|
| | if opt == "-d": |
|---|
| | OLDEST = time.time() - (int(val) * DLEN) |
|---|
| | if opt == "-e": |
|---|
| | NOMATCH = val |
|---|
| | if opt == "-m": |
|---|
| | MATCH = val |
|---|
| | if opt == "-s": |
|---|
| | MATCHSTRING = val |
|---|
| | SHOWONLY = TRUE |
|---|
| | |
|---|
| | |
|---|
| | # Loop through the log, processing matching records |
|---|
| | |
|---|
| |
|---|
| | "%Y %b %d %H %M %S")) < OLDEST: |
|---|
| | DOIT = FALSE |
|---|
| | |
|---|
| | # Did user specify a selection matching string? |
|---|
| | if not logrecord.count(MATCHSTRING): |
|---|
| | if not logrecord.count(MATCH): |
|---|
| | DOIT = FALSE |
|---|
| | |
|---|
| | # If we passed all those tests, it's time to process this record. |
|---|
| | if DOIT: |
|---|
| | |
|---|
| | sendto = ProcessLogRecord(logrecord) |
|---|
| | sendto = ProcessLogRecord(logrecord, NOMATCH, SHOWONLY) |
|---|
| | if sendto: |
|---|
| | abuserfile.write("abnot \"" + logrecord + "\" " + |
|---|
| | sendto + "\n") |
|---|
| | sendto + "\n") |
|---|
| | |
|---|
| | logfile.close() |
|---|
| | abuserfile.close() |
|---|
| | |
|---|
| | |
tundra
authored
on 18 Jul 2001