Advertisement
opexxx

nfparser.py

Apr 17th, 2014
162
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.08 KB | None | 0 0
  1. #!/usr/bin/env python
  2.  
  3. import re
  4. import sys
  5. import getopt
  6. import time
  7. import hashlib
  8. from collections import defaultdict
  9.  
  10. import platform
  11. from dns import resolver,reversename
  12.  
  13. # define globally, with a proper timeout
  14. dns_resolver = resolver.Resolver()
  15. dns_resolver.lifetime = 2
  16.  
  17. def ptr_lookup(ip):
  18.     # reverse DNS lookup
  19.     rev_ip = reversename.from_address(ip)
  20.     try:
  21.         return str(dns_resolver.query(rev_ip,"PTR")[0])
  22.     except (resolver.NXDOMAIN,
  23.             resolver.Timeout,
  24.             resolver.NoAnswer,
  25.             IndexError):
  26.         return "<no ptr>"
  27.  
  28. def get_ptr(key, item):
  29.     if DO_DNS:
  30.         splitted_key = key.split(" ")
  31.         for log_item in splitted_key:
  32.             if item in log_item:
  33.                 ip = log_item.split("=")
  34.                 return ptr_lookup(ip[1])
  35.     return '-'
  36.  
  37. def usage():
  38.     print '''
  39. nfparser.py: parse Netfilter logs
  40.    <-i>    input file (default to /var/log/kern.log)
  41.    <-f>    filter regex
  42.    <-o>    output format (comma separated, no space)
  43.    <-l>    lower limit, display only result that have >= `-l` counts
  44.    <-L>    upper limit, display only result that has <= `-L` counts
  45.    <-v>    verbose
  46.  
  47.    example: nfparse -i kern.log -f "DROP.+PROTO=TCP.+DPT=80" -o "SRC,DST,DPT"
  48. '''
  49.     sys.exit()
  50.  
  51. INPUT_FILE = '/var/log/kern.log'
  52. FILTER = ''
  53. OUTPUT_FORMAT = []
  54. STATS = defaultdict(int)
  55. KEYS = {}
  56. LOWER_LIMIT = 0
  57. UPPER_LIMIT = 1000000000000000000
  58. DO_DNS = False
  59. counter = 0
  60.  
  61. # command line arguments
  62. args_list, remainder = getopt.getopt(sys.argv[1:], 'i:f:o:vhrl:L:')
  63.  
  64. for argument, value in args_list:
  65.     if argument in ('-i'):
  66.         INPUT_FILE = str(value)
  67.     elif argument in ('-f'):
  68.         FILTER = str(value)
  69.     elif argument in ('-o'):
  70.         output = str(value).split(',')
  71.         for o in output:
  72.             OUTPUT_FORMAT.append(o)
  73.     elif argument in ('-r'):
  74.         DO_DNS = True
  75.     elif argument in ('-l'):
  76.         LOWER_LIMIT = int(value)
  77.     elif argument in ('-L'):
  78.         UPPER_LIMIT = int(value)
  79.     else:
  80.         print("Unknown option %s" % argument)
  81.         usage()
  82.  
  83. if not FILTER or not OUTPUT_FORMAT:
  84.     print("missing argument")
  85.     usage()
  86.  
  87. logfile = ""
  88. try:
  89.     logfile = open(INPUT_FILE,"r")
  90. except IOError:
  91.     print("Can't open %s" % INPUT_FILE)
  92.  
  93. for logline in logfile:
  94.     if re.search(FILTER, logline):
  95.         logtuple = ""
  96.         splitted_log = logline.split(' ')
  97.         for log_item in splitted_log:
  98.             for output_item in OUTPUT_FORMAT:
  99.                 if output_item in log_item:
  100.                     logtuple += log_item + " "
  101.         key = hashlib.sha224(logtuple).hexdigest()
  102.         STATS[key] += 1
  103.         KEYS[key] = logtuple
  104. for key in sorted(STATS, key=STATS.get, reverse=True):
  105.     if STATS[key] >= LOWER_LIMIT and STATS[key] <= UPPER_LIMIT:
  106.         print("%s hits for %s [SRC=%s  DST=%s]" % (STATS[key],
  107.                                             KEYS[key],
  108.                                             get_ptr(KEYS[key], 'SRC'),
  109.                                             get_ptr(KEYS[key], 'DST')))
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement