#!/usr/bin/env python

import getopt
import hashlib
import platform
import re
import sys
import time
from collections import defaultdict

from dns import exception, resolver, reversename

# One resolver shared by every PTR lookup.  `lifetime` bounds the total time
# a single query may take, so an unresponsive nameserver cannot stall the
# report once per address.
DNS_TIMEOUT_SECONDS = 2
dns_resolver = resolver.Resolver()
dns_resolver.lifetime = DNS_TIMEOUT_SECONDS

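def ptr_lookup(ip):
    """Return the PTR name for *ip*, or ``"<no ptr>"`` when none is available.

    Args:
        ip: textual IPv4/IPv6 address, as it appears in a ``SRC=``/``DST=``
            field of the log.

    The returned name is chosen by whoever runs the reverse zone of *ip* —
    for a logged drop that is typically the remote side — so it is treated
    as untrusted text: anything outside printable ASCII is replaced before
    the name reaches the terminal.
    """
    try:
        rev_ip = reversename.from_address(ip)
    except exception.DNSException:
        # Not a well-formed address (e.g. an empty or truncated field); the
        # original let this escape as a traceback from outside the try.
        return "<no ptr>"
    try:
        name = str(dns_resolver.query(rev_ip, "PTR")[0])
    except (resolver.NXDOMAIN,
            resolver.Timeout,
            resolver.NoAnswer,
            resolver.NoNameservers,
            IndexError):
        return "<no ptr>"
    return re.sub(r"[^\x20-\x7e]", "?", name)
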
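def get_ptr(key, item):
    """Return the PTR name for the *item* field (``'SRC'`` or ``'DST'``) of *key*.

    Args:
        key: the space-separated ``FIELD=value`` tuple extracted from one log
            line (the value stored in ``KEYS``).
        item: field name to look for; matched as a substring of each token,
            exactly as the ``-o`` format items are matched.

    Returns:
        The PTR name, or ``'-'`` when reverse lookups are disabled (``DO_DNS``
        is false), the field is absent, or it carries no value — so the
        output columns stay aligned instead of raising.
    """
    if not DO_DNS:
        return '-'
    for log_item in key.split(" "):
        if item not in log_item:
            continue
        # "SRC=1.2.3.4" -> "1.2.3.4".  A token without "=" or with an empty
        # value raised IndexError / fed "" to the resolver in the original.
        _, sep, value = log_item.partition("=")
        if sep and value:
            return ptr_lookup(value)
    return '-'
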
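def usage(status=0):
    """Print the command-line help and exit with *status*.

    Args:
        status: process exit code.  Defaults to 0 (the historical behaviour);
            callers reporting a bad command line may pass 2, the conventional
            status for usage errors.

    Raises:
        SystemExit: always.
    """
    # print(...) with one argument works identically as a Python 2 statement
    # and a Python 3 call, matching the other print() uses in this file; the
    # bare `print '''...'''` statement did not parse under Python 3.
    print('''
nfparser.py: parse Netfilter logs
   <-i>    input file (default to /var/log/kern.log)
   <-f>    filter regex
   <-o>    output format (comma separated, no space)
   <-l>    lower limit, display only result that have >= `-l` counts
   <-L>    upper limit, display only result that has <= `-L` counts
   <-r>    resolve SRC/DST addresses to PTR names (reverse DNS)
   <-v>    verbose
   <-h>    this help

   example: nfparse -i kern.log -f "DROP.+PROTO=TCP.+DPT=80" -o "SRC,DST,DPT"
''')
    sys.exit(status)
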
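INPUT_FILE = '/var/log/kern.log'
FILTER = ''
OUTPUT_FORMAT = []
STATS = defaultdict(int)  # extracted tuple -> number of matching log lines
KEYS = {}                 # extracted tuple -> the tuple text printed for it
LOWER_LIMIT = 0
UPPER_LIMIT = 1000000000000000000
DO_DNS = False
VERBOSE = False
counter = 0               # log lines read, reported with -v

# command line arguments
try:
    args_list, remainder = getopt.getopt(sys.argv[1:], 'i:f:o:vhrl:L:')
except getopt.GetoptError as err:
    # an unknown or value-less option used to escape as a traceback
    sys.stderr.write("%s\n" % err)
    usage()

for argument, value in args_list:
    # NOTE: the original compared with `argument in ('-i')`, which is a
    # substring test against a plain string, not tuple membership.
    if argument == '-i':
        INPUT_FILE = str(value)
    elif argument == '-f':
        FILTER = str(value)
    elif argument == '-o':
        OUTPUT_FORMAT.extend(str(value).split(','))
    elif argument == '-r':
        # Opt-in: every lookup sends a query towards the reverse zone of the
        # logged address, which may be operated by the party that sent the
        # traffic, so it is never done unless asked for.
        DO_DNS = True
    elif argument == '-v':
        VERBOSE = True
    elif argument == '-h':
        # -h and -v were accepted by getopt but fell into the "Unknown
        # option" branch below.
        usage()
    elif argument in ('-l', '-L'):
        try:
            limit = int(value)
        except ValueError:
            sys.stderr.write("%s expects an integer, got %r\n" % (argument, value))
            usage()
        if argument == '-l':
            LOWER_LIMIT = limit
        else:
            UPPER_LIMIT = limit
    else:
        print("Unknown option %s" % argument)
        usage()

if not FILTER or not OUTPUT_FORMAT:
    print("missing argument")
    usage()

# The filter comes from the command line; compile it once and report a bad
# pattern instead of raising re.error from inside the read loop.
try:
    filter_re = re.compile(FILTER)
except re.error as err:
    sys.stderr.write("Bad filter regex %r: %s\n" % (FILTER, err))
    sys.exit(2)

try:
    logfile = open(INPUT_FILE, "r")
except IOError:
    print("Can't open %s" % INPUT_FILE)
    # the original fell through and iterated an empty string, printing
    # nothing and exiting 0
    sys.exit(1)

with logfile:
    for logline in logfile:
        counter += 1
        if not filter_re.search(logline):
            continue
        # keep only the tokens that contain one of the -o items, in log order
        logtuple = ""
        for log_item in logline.split(' '):
            for output_item in OUTPUT_FORMAT:
                if output_item in log_item:
                    logtuple += log_item + " "
        # The extracted tuple is itself a usable dict key.  The original
        # hashed it with sha224 first, which only added work and fails on
        # Python 3 where hashlib requires bytes.
        STATS[logtuple] += 1
        KEYS[logtuple] = logtuple

if VERBOSE:
    sys.stderr.write("%d lines read, %d matched the filter\n"
                     % (counter, sum(STATS.values())))

for key in sorted(STATS, key=STATS.get, reverse=True):
    if LOWER_LIMIT <= STATS[key] <= UPPER_LIMIT:
        print("%s hits for %s [SRC=%s  DST=%s]" % (STATS[key],
                                                   KEYS[key],
                                                   get_ptr(KEYS[key], 'SRC'),
                                                   get_ptr(KEYS[key], 'DST')))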