diff --git a/abck b/abck index 449a9da..c2e1beb 100755 --- a/abck +++ b/abck @@ -7,11 +7,11 @@ # # Build a report of all unauthorized access attempts # -# Usage: abck [-d date offset] -s [String To Match In Log Record] +# Usage: abck [-d date offset] -e [Except String] -s [Match String] ########## -VERSION = "$Id: abck,v 1.9 2001/07/18 22:18:56 tundra Exp $" +VERSION = "$Id: abck,v 1.91 2001/07/18 22:59:53 tundra Exp $" @@ -52,7 +52,10 @@ USAGE = "abck " + VERSION.split()[2] + " " + \ "Copyright (c) 2001, TundraWare Inc. All Rights Reserved.\n" + \ " usage:\n" + \ - " abck [-d # days to look back] [-s string to match]\n" + " abck [-d # days to look back]\n" + \ + " [-e except string]\n" + \ + " [-m match string]\n" + \ + " [-s Show, but do not process matching records]\n" #################### @@ -149,7 +152,7 @@ # skip this record. -def ProcessLogRecord(logrecord): +def ProcessLogRecord(logrecord, NOMATCH, SHOWONLY): # Check for each known attack keyword @@ -159,6 +162,17 @@ logfield = logrecord.split() if logrecord.count(attackkey): + # Even if it is a legitimate attack record, + # we do not process it if it contains text + # the user does not want matched. + + if NOMATCH and logrecord.count(NOMATCH): + break + + if SHOWONLY: + print logrecord + break + # Different attack records put the hostquad in different places hostquad = logfield[AttackKeys[attackkey]] if hostquad[-1] == ',': @@ -243,19 +257,25 @@ # Program entry and command line processing try: - opts, args = getopt.getopt(sys.argv[1:], '-d:s:') + opts, args = getopt.getopt(sys.argv[1:], '-d:e:m:s') except getopt.GetoptError: print USAGE sys.exit(2) -OLDEST = 0 -MATCHSTRING = "" +OLDEST = 0 +MATCH = "" +NOMATCH = "" +SHOWONLY = FALSE for opt, val in opts: if opt == "-d": OLDEST = time.time() - (int(val) * DLEN) + if opt == "-e": + NOMATCH = val + if opt == "-m": + MATCH = val if opt == "-s": - MATCHSTRING = val + SHOWONLY = TRUE # Loop through the log, processing matching records 
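Review bot: The new header Usage line documents `-s [Match String]`, but in this same commit `-s` becomes a no-argument show-only flag and the match string moves to `-m`, so the header now contradicts the USAGE text printed by the program. Change it to `# Usage: abck [-d date offset] [-e except string] [-m match string] [-s]` so the two descriptions of the interface agree.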
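Review bot: The new SHOWONLY branch echoes the raw record with `print logrecord`; these records are by construction taken from unauthorized access attempts, so they can carry attacker-chosen bytes, including terminal escape sequences that alter what the operator sees. Print `repr(logrecord)`, or strip non-printable characters, before echoing a record to the terminal. The two new `break` statements leave the attack-key loop early, so whatever ProcessLogRecord returns after the loop (outside this hunk) must be a false value for the caller's `if sendto:` to skip the abuserfile write — worth confirming. The NOMATCH and SHOWONLY parameters also deserve a comment at the def, e.g. `# NOMATCH: substring that vetoes an otherwise matching record; SHOWONLY: print matching records instead of processing them`. ProcessLogRecord starts and ends outside this hunk.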
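Review bot: Reusing `-s` with a new meaning silently breaks the old command line: `abck -s string` now sets SHOWONLY and leaves `string` in `args`, which is never examined, so the intended match is dropped without any error. Reject leftover positional arguments right after the getopt call, `if args: print USAGE; sys.exit(2)` (as two statements), or keep `-s` as the match option for compatibility. Separately, `int(val)` for `-d` still raises an uncaught ValueError on a non-numeric offset, which the getopt error handling added here does not cover; a `try/except ValueError` around it that prints USAGE would keep the failure mode consistent.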
@@ -297,16 +317,15 @@ DOIT = FALSE # Did user specify a selection matching string? - if not logrecord.count(MATCHSTRING): + if not logrecord.count(MATCH): DOIT = FALSE # If we passed all those tests, it's time to process this record. if DOIT: - - sendto = ProcessLogRecord(logrecord) + sendto = ProcessLogRecord(logrecord, NOMATCH, SHOWONLY) if sendto: abuserfile.write("abnot \"" + logrecord + "\" " + - sendto + "\n") + sendto + "\n") logfile.close() abuserfile.close()
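Review bot: The write to abuserfile embeds the raw log record between double quotes, `"abnot \"" + logrecord + "\" " + sendto`; if that file is later run as a shell script, as the `abnot "…" address` form suggests, a record containing `"`, `$`, a backtick or `;` — text an attacker controls, since these are their own access attempts — breaks out of the quoting and runs arbitrary commands, and `sendto` is not quoted at all. Quote both values with single quotes and escape embedded single quotes, using a small helper defined next to ProcessLogRecord; the rewritten lines are below. If abuserfile is only ever parsed by something that is not a shell, a comment stating that would be enough, but the quoting is still safer. The enclosing record loop starts outside this hunk.
```python
def ShellQuote(s):
    # Single-quote s for /bin/sh; an embedded ' becomes '\'' so the
    # value can never terminate the quoting, whatever the record holds.
    return "'" + s.replace("'", "'\\''") + "'"

# … unchanged: date and match-string selection tests …
        if DOIT:
            sendto = ProcessLogRecord(logrecord, NOMATCH, SHOWONLY)
            if sendto:
                abuserfile.write("abnot " + ShellQuote(logrecord) + " " +
                                 ShellQuote(sendto) + "\n")
```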