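#!/usr/bin/ksh
# (c) August 29, 1997 by Peter Beckman
# Written for: CheckPoint FW-1 v3.0
#
# Reads ONE FW-1 formatted alert line (a reject on the firewall) from stdin,
# decides whether the source host and/or the service are trusted, and then:
#
#   - source host trusted                     -> log + e-mail EMAILEES
#   - source host untrusted, service trusted  -> log + e-mail EMAILEES
#   - source host AND service untrusted       -> log + page PAGEES
#
# Usage (as an FW-1 alert command):   echo "<alert line>" | fw-pager
#
# The alert line is untrusted input (its fields are whatever the firewall saw
# on the wire), so every field is quoted before it reaches test(1), the log
# file or mailx, and none of them is ever used as a printf format string.

#########################################################################
# USER DEFINED VARIABLES
#########################################################################

# The file you want logs to be put in
LOGFILE='/var/log/fw-pager.log'

# The e-mail addresses (space separated) of the people who get paged
PAGEES='fw-page'

# The e-mail addresses (space separated) of the people who get e-mail warnings
EMAILEES='admin'

# Define trusted machines, so pages won't go out about them.
# Use the names defined in the object file of the FW-1 object list.
# NOTE: each entry is compared with the alert's source field by EXACT string
# match, so a network prefix such as "206.18.91" only matches a source that
# is literally that string, not every host in that network.
TRUSTED="Beckman1 Beckman2 Beckman3 BeckmanLaptop BeckmanHome1 PeterB1 Rick1 Router MailServer SecuritySupport1 cache00.ns.uu.net cache01.ns.uu.net cache02.ns.uu.net 208.218.3.250 206.18.91"

# LAST used to mark the final TRUSTED entry so the loop knew when to give up;
# the lookup below no longer needs it (a stale LAST silently disabled paging).
# Kept only so older copies of this config block still parse.
# shellcheck disable=SC2034
LAST="206.18.91"

# Trusted services, or services you don't want to get pages about
SERVICES="smtp domain-udp"

#########################################################################
# END USER DEFINED STUFF : DO NOT EDIT BELOW THIS LINE
#########################################################################

# Nothing in this script needs file name globbing, and the alert fields are
# word-split below; -f keeps a field like "*" from expanding to file names.
set -f

#######################################
# Re-format a time before 1000 hours [ x:xx:xx -> 0x:xx:xx ].
# Arguments: $1 - time as printed by FW-1
# Outputs:   the zero-padded time on stdout
#######################################
pad_time() {
  case "$1" in
    [0-9][0-9]:*) printf '%s\n' "$1" ;;
    *)            printf '0%s\n' "$1" ;;
  esac
}

#######################################
# Append one line to LOGFILE.
# Globals:   LOGFILE (read)
# Arguments: $1 - the line to log
#######################################
log_line() {
  printf '%s\n' "$1" >> "$LOGFILE"
}

#######################################
# Test whether a value is one of the whitespace-separated words in a list.
# Arguments: $1 - value to look for; $2 - the list
# Returns:   0 if found, 1 otherwise
#######################################
in_list() {
  needle=$1
  for word in $2; do
    [ "$needle" = "$word" ] && return 0
  done
  return 1
}

# Grab info from FW-1 (like echo "gunk" | $0).  -r keeps backslashes in the
# alert literal.  An empty/missing line is logged instead of being classified
# (the old code would have tripped test(1) on the empty fields).
read -r STUFF || STUFF=
if [ -z "$STUFF" ]; then
  log_line "fw-pager: empty alert received on stdin"
  exit 1
fi

# Parse the data: split the alert once on whitespace instead of running awk
# once per field.  Field numbers match the FW-1 v3.0 alert layout.
set -- $STUFF
DATE=$1
PRETIME=$2
# shellcheck disable=SC2034  # ACTION/MACHINE/INTERFACE/PROTOCOL are parsed for completeness but not used below
ACTION=$3
MACHINE=$4
INTERFACE=$5
PROTOCOL=$8
SOURCE=${10}
DESTINATION=${12}
SERVICE=${14}
S_PORT=${16}

TIME=$(pad_time "$PRETIME")

# Classify.  A source on the TRUSTED list, or a service/source-port on the
# SERVICES list, only alerts; everything else pages.  Unlike the old loop this
# does not depend on LAST being in sync with TRUSTED, and an empty SERVICES
# list means "no service is trusted" (page) rather than "log only".
PAGE=0
ALERT=0
if in_list "$SOURCE" "$TRUSTED"; then
  ALERT=1
elif in_list "$SERVICE" "$SERVICES" || in_list "$S_PORT" "$SERVICES"; then
  ALERT=1
else
  PAGE=1
fi

SUMMARY="$SOURCE to $DESTINATION using $SERVICE/$S_PORT"
SUBJECT="$SOURCE|$DESTINATION|$SERVICE/$S_PORT"

if [ "$PAGE" = 1 ]; then
  # Machine AND service untrusted: log and page the PAGEES.
  log_line "$DATE $TIME : PROBLEM : $SUMMARY"
  # shellcheck disable=SC2086  # PAGEES is a space-separated recipient list
  printf '%s\n' "$STUFF" | /usr/bin/mailx -s "ALERT: $SUBJECT" $PAGEES
elif [ "$ALERT" = 1 ]; then
  # Machine trusted, or service trusted: log and e-mail the EMAILEES.
  log_line "$DATE $TIME : Host OK : $SUMMARY"
  # shellcheck disable=SC2086  # EMAILEES is a space-separated recipient list
  printf '%s\n' "$STUFF" | /usr/bin/mailx -s "FW: $SUBJECT" $EMAILEES
else
  # Not reachable with the classification above; kept as a safe fallback.
  log_line "$DATE $TIME : Host OK : $SUMMARY"
fi
exit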