#!/usr/bin/perl
#
# aclsumm.pl -- a script to summarize acls
# This started as a way for me to quickly figure out what services
# I would need to allow outbound through my border router
# The router has to be sending its ACL log messages (%SEC-6-IPACCESSLOGP /
# IPACCESSLOGDP, i.e. "log" on the ACL entries) to a syslog file for this to work.
#
# Jason Lewis
# http://www.packetnexus.com
#
use Getopt::Std;
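# Command-line options; every letter takes a value:
#   -p <protocols>  any combination of t (TCP), u (UDP), i (ICMP)
#   -F <logfile>    syslog file holding the router's ACL log messages
#   -A <acl>        only summarize this access list (default: all)
#   -t <n>          number of entries per "top" list (default: 10)
getopt('pAFt');
# -p and -F are required, and -p has to name at least one known protocol
# letter -- otherwise every parser stays off and the run prints nothing,
# which looks exactly like "no matching log lines".  Usage goes to STDERR
# with a non-zero exit so a bad invocation is not mistaken for an empty
# report when stdout is redirected into a file.
if (!$opt_p || !$opt_F || $opt_p !~ /[tui]/) {
    print STDERR "Usage: ./aclsumm.pl <options= -pAFt>\n";
    print STDERR "EX: ./aclsumm.pl -ptui -F/var/log/messages -A100 -t10\n\n";
    print STDERR "protocol t = TCP u = UDP i = ICMP\n";
    print STDERR "File <logfile>\n";
    print STDERR "ACL <ACL number> (default = all)\n";
    print STDERR "toplist <number of entries to display> (default =10)\n";
    exit 1;
}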
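# Turn on one parser per protocol letter found in -p.  The flags are read
# by the parsing loop and by the report sections below.
if ($opt_p =~ /t/) {
    $tcp = 1;
    print "TCP on!\n";
}
if ($opt_p =~ /u/) {
    $udp = 1;
    print "UDP on!\n";
}
if ($opt_p =~ /i/) {
    $icmp = 1;
    print "ICMP on!\n";
}
# -A restricts the summary to one access list.  $acl is interpolated into
# the log-line patterns below, so the value is escaped with quotemeta: an
# ACL name such as "out-1" or a stray "." has to match literally, not as a
# regex.  The test is a string 'ne', not a numeric '==': "name" == "" is
# 0 == 0 in Perl, which used to silently drop the filter for any named ACL.
if (defined $opt_A && $opt_A ne '') {
    $acl = quotemeta($opt_A);
    print "ACL filter for $opt_A on!\n";
} else {
    # no filter: match every list name
    $acl = '.*';
}
# -t sets how many rows each "top" list prints.  Anything that is not a
# positive integer (missing, 0, text, negative) falls back to 10.
$toplist = $opt_t;
unless (defined $toplist && $toplist =~ /^\d+$/ && $toplist > 0) {
    $toplist = 10;
}
# Open the log for reading.  Three-argument open: with the two-argument
# form a -F value beginning with '<'/'>' or ending in '|' would be taken as
# a mode or a pipe and could run a command instead of reading a file.
# LOGFILE stays a bareword handle because the parsing loop reads <LOGFILE>.
$file = $opt_F;
open(LOGFILE, '<', $file) or die "Cannot open log file '$file': $!\n";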
# Well-known destination ports, printed by name in the per-port summaries;
# any port not listed here is shown as the bare number.  Extend the table
# in the same "port => 'name'" form to label more services.
my %portnames = (
    # file transfer and remote access
    20    => 'ftp-data',
    21    => 'ftp',
    22    => 'ssh',
    23    => 'telnet',
    873   => 'rsync',
    # mail and news
    25    => 'smtp',
    110   => 'pop3',
    119   => 'nntp',
    143   => 'imap',
    995   => 'pop3s',
    # naming, time, bootstrap
    37    => 'time',
    53    => 'dns',
    67    => 'bootps',
    68    => 'bootpc',
    113   => 'ident',
    123   => 'ntp',
    # web
    80    => 'http',
    443   => 'https',
    # windows networking and management
    137   => 'netbiosns',
    138   => 'netbiosdgm',
    139   => 'netbiosssn',
    161   => 'snmp',
    162   => 'snmptrap',
    445   => 'microsoft-ds',
    # peer-to-peer, messaging, games
    1214  => 'kazaa',
    2703  => 'razor/pyzor',
    5190  => 'aim',
    27666 => 'doom3',
);
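# Walk the log once and bucket packet counts per protocol and verdict.
# Every IOS ACL log line ends in "..., <N> packet(s)"; that <N> -- not the
# number of log lines -- is what gets summed, so one "37 packets" line adds
# 37 to each bucket it lands in.
#
# The patterns are compiled once, up front.  $acl is interpolated as a
# pattern (it is '.*' when no -A filter was given) and is capture 1 in
# every case; the remaining captures are, in order: protocol, source
# address, [source port], destination address, [destination port] or
# ICMP type/code, packet count.  $ip is a non-capturing helper, so it does
# not shift the capture numbers.
my $ip = qr/[0-9.]+/;
my $tcp_denied_re  = qr/IPACCESSLOGP: list ($acl) denied (tcp) ($ip)\(([0-9]+)\) -> ($ip)\(([0-9]+)\), ([0-9]+) /;
my $tcp_permit_re  = qr/IPACCESSLOGP: list ($acl) permitted (tcp) ($ip)\(([0-9]+)\) -> ($ip)\(([0-9]+)\), ([0-9]+) /;
my $udp_denied_re  = qr/IPACCESSLOGP: list ($acl) denied (udp) ($ip)\(([0-9]+)\) -> ($ip)\(([0-9]+)\), ([0-9]+) /;
my $udp_permit_re  = qr/IPACCESSLOGP: list ($acl) permitted (udp) ($ip)\(([0-9]+)\) -> ($ip)\(([0-9]+)\), ([0-9]+) /;
# e.g. ... %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.168.120.83 -> 68.54.80.6 (3/3), 1 packet
my $icmp_permit_re = qr/IPACCESSLOGDP: list ($acl) permitted (icmp) ($ip) -> ($ip) \((\d+)\/(\d+)\), ([0-9]+) /;
# e.g. ... %SEC-6-IPACCESSLOGDP: list 100 denied icmp 165.87.194.244 (Ethernet0/0 0001.960c.fb54) -> 68.55.11.150 (3/3), 1 packet
# The denied form carries "(interface mac)" after the source; [^)]* keeps
# the match inside that parenthetical instead of running to the end of the
# line and backtracking.  The interface itself is not used in any report.
my $icmp_denied_re = qr/IPACCESSLOGDP: list ($acl) denied (icmp) ($ip) \(([^)]*)\) -> ($ip) \((\d+)\/(\d+)\), ([0-9]+) /;

# Key layouts shared by the TCP and UDP buckets:
#   *quad        "src -> dst proto port name (num) - ACL list"   one row per flow
#   *src         source address only
#   *port / *srcipport  per-port rollups (see the note on the TCP ones)
# NOTE(review): the TCP per-port keys put the *source address* in the %3s
# slot where the UDP/ICMP keys put the protocol name.  The hash is named
# "srcipport", so this looks deliberate, but the report heading for it
# says "Destination Port Summary"; confirm which is intended before
# changing either.  Kept as-is here.
while (my $line = <LOGFILE>) {
    if ($tcp) {
        if ($line =~ $tcp_denied_re) {
            my ($list, $proto, $src, $dst, $dport, $pkts) = ($1, $2, $3, $5, $6, $7);
            my $port = defined $portnames{$dport} ? $portnames{$dport} : $dport;
            $tcpdeniedsrc{$src} += $pkts;
            $tcpdeniedquad{ sprintf("%16s -> %16s %3s port %-6s (%s) - ACL %s", $src, $dst, $proto, $port, $dport, $list) } += $pkts;
            $tcpdeniedsrcipport{ sprintf("%3s port %-6s (%s) - ACL %s", $src, $port, $dport, $list) } += $pkts;
            $tcpdeniedport{$dport} += $pkts;
            next;
        }
        if ($line =~ $tcp_permit_re) {
            my ($list, $proto, $src, $dst, $dport, $pkts) = ($1, $2, $3, $5, $6, $7);
            my $port = defined $portnames{$dport} ? $portnames{$dport} : $dport;
            $tcppermitsrc{$src} += $pkts;
            $tcppermitquad{ sprintf("%16s -> %16s %3s port %-6s (%s) - ACL %s", $src, $dst, $proto, $port, $dport, $list) } += $pkts;
            $tcppermitsrcipport{ sprintf("%3s port %-6s (%s) - ACL %s", $src, $port, $dport, $list) } += $pkts;
            $tcppermitport{$dport} += $pkts;
            next;
        }
    }
    if ($udp) {
        if ($line =~ $udp_denied_re) {
            my ($list, $proto, $src, $dst, $dport, $pkts) = ($1, $2, $3, $5, $6, $7);
            my $port = defined $portnames{$dport} ? $portnames{$dport} : $dport;
            $udpdeniedsrc{$src} += $pkts;
            $udpdeniedquad{ sprintf("%16s -> %16s %3s port %-6s (%s) - ACL %s", $src, $dst, $proto, $port, $dport, $list) } += $pkts;
            $udpdeniedport{ sprintf("%3s port %-6s (%s) - ACL %s", $proto, $port, $dport, $list) } += $pkts;
            next;
        }
        if ($line =~ $udp_permit_re) {
            my ($list, $proto, $src, $dst, $dport, $pkts) = ($1, $2, $3, $5, $6, $7);
            my $port = defined $portnames{$dport} ? $portnames{$dport} : $dport;
            $udppermitsrc{$src} += $pkts;
            $udppermitquad{ sprintf("%16s -> %16s %3s port %-6s (%s) - ACL %s", $src, $dst, $proto, $port, $dport, $list) } += $pkts;
            $udppermitport{ sprintf("%3s port %-6s (%s) - ACL %s", $proto, $port, $dport, $list) } += $pkts;
            next;
        }
    }
    if ($icmp) {
        # ICMP has no ports; the "port" buckets are keyed by type/code.
        if ($line =~ $icmp_permit_re) {
            my ($list, $proto, $src, $dst, $type, $code, $pkts) = ($1, $2, $3, $4, $5, $6, $7);
            $icmppermitsrc{$src} += $pkts;
            $icmppermitquad{ sprintf("%16s -> %16s type %-6s code %-6s - ACL %s", $src, $dst, $type, $code, $list) } += $pkts;
            $icmppermitport{ sprintf("%3s type %-6s code %-6s - ACL %s", $proto, $type, $code, $list) } += $pkts;
            next;
        }
        if ($line =~ $icmp_denied_re) {
            # capture 4 is the ingress "(interface mac)" text; not reported
            my ($list, $proto, $src, $dst, $type, $code, $pkts) = ($1, $2, $3, $5, $6, $7, $8);
            $icmpdeniedsrc{$src} += $pkts;
            $icmpdeniedquad{ sprintf("%16s -> %16s type %-6s code %-6s - ACL %s", $src, $dst, $type, $code, $list) } += $pkts;
            $icmpdeniedport{ sprintf("%3s type %-6s code %-6s - ACL %s", $proto, $type, $code, $list) } += $pkts;
            next;
        }
    }
}
close(LOGFILE);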
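# Print the "top N" rows of one counter hash, largest packet count first.
#   $title   section heading (printed on its own line, followed by ':')
#   $counts  hash ref of  row label => packet count
#   $fmt     printf format applied to (count, label) for each row
# Rows are ordered by count descending; ties are broken by label so the
# listing is stable from run to run (hash key order alone is not).  The
# number of rows is capped by the global $toplist.
sub print_top {
    my ($title, $counts, $fmt) = @_;
    my $shown = 0;
    printf("\n%s:\n", $title);
    foreach my $label (sort { $counts->{$b} <=> $counts->{$a} || $a cmp $b } keys %$counts) {
        last if $shown++ >= $toplist;
        printf($fmt, $counts->{$label}, $label);
    }
}

# The "Connection Summary" rows use "%6s:%s" (no space after the colon);
# every other list uses "%6s: %s".  Both formats are kept as they were.
if ($tcp) {
    print_top('Denied TCP Connection Summary',                 \%tcpdeniedquad,        "%6s:%s\n");
    print_top('Denied TCP Destination Port Summary',           \%tcpdeniedsrcipport,   "%6s: %s\n");
    print_top('Denied TCP Source Address Summary',             \%tcpdeniedsrc,         "%6s: %s\n");
    print_top('Permitted TCP Connection Summary',              \%tcppermitquad,        "%6s:%s\n");
    print_top('Permitted TCP Destination IP and Port Summary', \%tcppermitsrcipport,   "%6s: %s\n");
    print_top('Permitted TCP Destination Port Summary',        \%tcppermitport,        "%6s: %s\n");
    print_top('Permitted TCP Source Address Summary',          \%tcppermitsrc,         "%6s: %s\n");
    print "\n===================================\n";
}
if ($udp) {
    print_top('Denied UDP Connection Summary',                 \%udpdeniedquad,        "%6s:%s\n");
    print_top('Denied UDP Destination Port Summary',           \%udpdeniedport,        "%6s: %s\n");
    print_top('Denied UDP Source Address Summary',             \%udpdeniedsrc,         "%6s: %s\n");
    print_top('Permitted UDP Connection Summary',              \%udppermitquad,        "%6s:%s\n");
    print_top('Permitted UDP Destination Port Summary',        \%udppermitport,        "%6s: %s\n");
    print_top('Permitted UDP Source Address Summary',          \%udppermitsrc,         "%6s: %s\n");
    print "\n===================================\n";
}
if ($icmp) {
    # For ICMP the "Destination Port" lists are keyed by type/code.
    print_top('Permitted ICMP Connection Summary',             \%icmppermitquad,       "%6s:%s\n");
    print_top('Permitted ICMP Destination Port Summary',       \%icmppermitport,       "%6s: %s\n");
    print_top('Permitted ICMP Source Address Summary',         \%icmppermitsrc,        "%6s: %s\n");
    print_top('Denied ICMP Connection Summary',                \%icmpdeniedquad,       "%6s:%s\n");
    print_top('Denied ICMP Destination Port Summary',          \%icmpdeniedport,       "%6s: %s\n");
    print_top('Denied ICMP Source Address Summary',            \%icmpdeniedsrc,        "%6s: %s\n");
    print "\n===================================\n";
}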