#!/bin/sh -e
# This script creates a daily report of firewall activity with wflogs.
# This script was written by Jean-Michel Kelbert <kelbert@debian.org>, for
# the Debian project (but may be used by others).

export LC_ALL="C"

WFLOGS=/usr/bin/wflogs
CONFIG=/etc/default/wflogs

test -x "$WFLOGS" || exit 0
test -r "$CONFIG" || exit 0
. "$CONFIG"
test -n "$REPORT_GENERATE" || exit 0
test -r "$INPUT_FILE" || exit 0

# Create a directory (with parents) if it is missing, owned by root and
# readable only by the group that is meant to see the reports.
mymkdir() {
    if [ ! -d "$1" ]; then
        mkdir -p "$1"
        if [ "$REPORT_PERMISSIONS" = "true" ] && [ "$REPORT_DIRECTORY" = "/var/www/wflogs" ]; then
            chown root:www-data "$1"
        else
            chown root:adm "$1"
        fi
        chmod 750 "$1"
    fi
}

if [ -z "$INPUT_TYPE" ]; then
    INPUT_TYPE="netfilter"
fi
INPUT_TYPE=$(echo "$INPUT_TYPE" | tr -d " ")

# Here we create the directory where reports should be put.
# I chose /var/www/ for XML reports according to an answer on a Debian
# mailing list.
if [ "$REPORT_DIRECTORY" = "" ]; then
    if [ "$REPORT_OUTPUT_TYPE" = "html" ] || [ "$REPORT_OUTPUT_TYPE" = "xml" ]; then
        # Take the first DocumentRoot directive (leading whitespace and
        # surrounding quotes allowed) and put the reports below it.
        if [ -f "/etc/apache-ssl/httpd.conf" ]; then
            REPORT_DIRECTORY="$(awk '/^[[:space:]]*DocumentRoot/ {print $2; exit}' /etc/apache-ssl/httpd.conf | tr -d '"')/wflogs"
        elif [ -f "/etc/apache/httpd.conf" ]; then
            REPORT_DIRECTORY="$(awk '/^[[:space:]]*DocumentRoot/ {print $2; exit}' /etc/apache/httpd.conf | tr -d '"')/wflogs"
        else
            REPORT_DIRECTORY=/var/www/wflogs
        fi
    else
        REPORT_DIRECTORY=/var/log/wflogs
    fi
fi
mymkdir "$REPORT_DIRECTORY"

# wflogs options.
case "$REPORT_SORT" in
    "Yes default order")
        OPTIONS="--sort"
        ;;
    "Yes custom order")
        OPTIONS="--sort=$REPORT_SORT_OPTIONS"
        ;;
esac
OPTIONS="$OPTIONS --strict-parsing=loose \
    -i $INPUT_TYPE -o $REPORT_OUTPUT_TYPE --summary=$REPORT_OUTPUT_SUMMARY"
if [ "$REPORT_OBFUSCATE" != "nothing" ]; then
    OPTIONS="--obfuscate=$REPORT_OBFUSCATE $OPTIONS"
fi

case "$REPORT_OUTPUT_WHOIS" in
    "no whois lookups")
        REPORT_OUTPUT_WHOIS=0
        ;;
    "always do whois lookups")
        REPORT_OUTPUT_WHOIS=1
        ;;
    "do whois lookups only if no DNS name could be found")
        REPORT_OUTPUT_WHOIS=2
        ;;
esac

case "$REPORT_OUTPUT_TYPE" in
    html|text|human|xml)
        OPTIONS="$OPTIONS --whois_lookup=$REPORT_OUTPUT_WHOIS --mac_vendor=$REPORT_OUTPUT_MAC_VENDOR"
        # The MAC and duration options are only passed for non-XML output.
        if [ "$REPORT_OUTPUT_TYPE" != "xml" ]; then
            OPTIONS="$OPTIONS --src_mac=$REPORT_OUTPUT_MAC --dst_mac=$REPORT_OUTPUT_MAC --duration=$REPORT_OUTPUT_DURATION"
        fi
        ;;
esac

# Here we determine the date when the log begins.  Syslog timestamps carry
# no year, so date assumes the current one; if that puts the first line in
# the future, step back a year until it is not.
DATE_BEGIN_LOG=$(head -n 1 "$INPUT_FILE" | awk '{print $1,$2}')
DATE_TODAY=$(date +"%b %d")
DATE_TODAY_UNIX=$(date +%s)
while [ "$(date -d "$DATE_BEGIN_LOG" +%s)" -gt "$DATE_TODAY_UNIX" ]; do
    DATE_BEGIN_LOG=$(date -d "$DATE_BEGIN_LOG 1 year ago")
done
DATE_TMP="$DATE_BEGIN_LOG"

# Now we generate reports for each day since the beginning of the logs.
# Reports are placed in such a structure:
#   DIRECTORY
#   `-- YEAR
#       `-- MONTH
#           `-- wflogs_DATE.EXTENSION
while [ "$(date -d "$DATE_TMP" +%s)" -le "$DATE_TODAY_UNIX" ]; do
    YEAR=$(date -d "$DATE_TMP" +"%Y")
    MONTH=$(date -d "$DATE_TMP" +"%Y/%m")
    for DIRECTORY in $YEAR $MONTH ; do
        mymkdir "$REPORT_DIRECTORY/$DIRECTORY"
    done
    FINAL_REPORT_DIRECTORY="$REPORT_DIRECTORY/$MONTH"
    OUTPUT_FILE="$FINAL_REPORT_DIRECTORY/wflogs_$(date -d "$DATE_TMP" +%F).$REPORT_OUTPUT_TYPE"
    # Only generate a report for a day that does not have one yet.
    if [ ! -r "$OUTPUT_FILE" ]; then
        FILTER="\$start_time >= [$DATE_TMP] && \$start_time < [$DATE_TMP 1 day]"
        # The filter is passed as a single argument, so no eval is needed.
        "$WFLOGS" -f "$FILTER" $OPTIONS -- "$INPUT_FILE" > "$OUTPUT_FILE"
        if [ "$REPORT_PERMISSIONS" = "true" ] && [ "$REPORT_DIRECTORY" = "/var/www/wflogs" ]; then
            chown root:www-data "$OUTPUT_FILE"
        else
            chown root:adm "$OUTPUT_FILE"
        fi
        chmod 640 "$OUTPUT_FILE"
    fi
    DATE_TMP=$(date -d "$DATE_TMP 1 day")
done
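As an added example, not part of the Debian wflogs package or of the script above, the per-day bookkeeping the script performs can be pulled into small shell functions that can be exercised without wflogs installed: resolving the year of the first syslog line (which carries none), walking the days up to a reference date, deriving the YEAR/MONTH/wflogs_DATE path, building the day filter, and invoking the tool with the filter passed as one argument instead of through eval. It assumes GNU date (-d) as the script does; the ISO date inside the filter brackets is an assumption about what wflogs accepts, and the usage line at the end uses echo in place of the wflogs binary so that the run is visible offline.

```shell
#!/bin/sh
# Added example, not from the wflogs package.  Assumes GNU date (-d), as the
# original cron script does.  Fixed locale and zone keep the output stable.
export LC_ALL=C
export TZ=UTC

# Resolve a syslog-style "Mon DD" timestamp (no year) to YYYY-MM-DD.
# $1 = "Mon DD" from the first log line, $2 = reference time as a Unix epoch.
# date assumes the current year; step back a year while that lies after $2.
resolve_log_day() {
    day=$(date -d "$1" +%F)
    while [ "$(date -d "$day" +%s)" -gt "$2" ]; do
        day=$(date -d "$day 1 year ago" +%F)
    done
    printf '%s\n' "$day"
}

# Print every day from $1 to $2 inclusive (both YYYY-MM-DD), one per line.
walk_days() {
    day=$1
    end=$(date -d "$2" +%s)
    while [ "$(date -d "$day" +%s)" -le "$end" ]; do
        printf '%s\n' "$day"
        day=$(date -d "$day 1 day" +%F)
    done
}

# Path of the report for one day: BASE/YEAR/MONTH/wflogs_DATE.EXT
# $1 = report base directory, $2 = YYYY-MM-DD, $3 = extension (html, text, ...).
report_path() {
    printf '%s/%s/wflogs_%s.%s\n' "$1" "$(date -d "$2" +%Y/%m)" "$2" "$3"
}

# wflogs filter expression covering the 24 hours that start on day $1.
# Same bracket form as the cron script; an ISO date inside the brackets is
# an assumption about what wflogs accepts.
day_filter() {
    printf '$start_time >= [%s] && $start_time < [%s 1 day]\n' "$1" "$1"
}

# Generate one day's report unless a readable one already exists.
# $1 = wflogs binary, $2 = input log, $3 = YYYY-MM-DD, $4 = output file;
# any further arguments are passed to wflogs as options.
# The filter is a single argument, so no eval of a command string is needed.
generate_day() {
    wf=$1; input=$2; day=$3; out=$4
    shift 4
    if [ -r "$out" ]; then
        return 0
    fi
    mkdir -p "$(dirname "$out")"
    "$wf" -f "$(day_filter "$day")" "$@" -- "$input" > "$out"
    chmod 640 "$out"
}

# Usage (constructed; echo stands in for /usr/bin/wflogs):
#   generate_day echo /dev/null 2004-03-05 /tmp/wflogs-demo/2004/03/wflogs_2004-03-05.text -o text
```

Because each step is a function that returns its result on stdout, the year roll-back and the leap-day handling of the date walk can be checked with a fixed reference epoch, independent of the date on which the script happens to run.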