>>> On 5/9/2007 at 1:39 AM, Giacomo Fazio <[EMAIL PROTECTED]> wrote:
> Here is some help:
>
> I inserted some print to debug after "split" :
>
>
> # Read the standard input from Check Point Firewall-1 NG
> $message = <STDIN>;
>
> open(DEBUG, ">>/var/home/fwadmin/scan/debug.log");
> print DEBUG "$message\n";
>
>
> # Manipulate the standard input and put the information to the corresponding
> # variables
> @message = split / src /, $message;
> @message1 = split /[ ]+/, @message[0];
> @message2 = split /[ ]+/, @message[1];
>
> print DEBUG "After split src : $message\n";
> print DEBUG "message1 : &message1\n";
> print DEBUG "message2 : &message2\n";
>
>
> Here is the output:
> 9May2007 10:31:05 accept 194.119.212.2 >eth4 useralert product: VPN-1 & FireWall-1; src: 10.10.2.230; s_port: 60647; dst: 194.119.212.15; service: ssh; proto: tcp; xlatesrc: 194.119.212.58; xlatedst: 172.30.1.15; NAT_rulenum: 14; NAT_addtnl_rulenum: 25; rule: 22;
>
> After split src : 9May2007 10:31:05 accept 194.119.212.2 >eth4 useralert product: VPN-1 & FireWall-1; src: 10.10.2.230; s_port: 60647; dst: 194.119.212.15; service: ssh; proto: tcp; xlatesrc: 194.119.212.58; xlatedst: 172.30.1.15; NAT_rulenum: 14; NAT_addtnl_rulenum: 25; rule: 22;
>
> message1 : &message1
> message2 : &message2
>
> I'm using this Perl, v5.6.1 built for i386-linux, installed on Secure
> Platform.
Well, the point is, that the script is getting the stdin from
FW-1 just fine. The Perl script doesn't seem to be parsing
the messages correctly.
First off, in your new debug lines, you don't want to be looking
at "&message1" and "&message2". What I would do is take that
existing raw debug data and use that as input to the script while
running it in debug mode,
$ perl -d scanalert.pl debug.log
And see what is going on that way.
That said, if you are using the scanalert.pl from Spitzner's site,
it looks like it is not going to parse the alerts correctly. That
first split is looking for " src " which doesn't exist. It should
probably be looking for " src: ". Looking at the stuff that follows,
it will take a little work to get that script to parse your alerts
correctly.
But it's your lucky day. A ways back, I made up a script that sent
SNMP traps from things it pulled out of alerts. Some of the regexes
in there might be helpful. (Watch for line-break damage from my
lame GroupWise MUA.)
#!/usr/bin/perl
# Everything printed below is appended to the log file named as the first argument.
open(STDOUT, ">>$ARGV[0]") || die("could not write to $ARGV[0]\n");
$_ = <STDIN>;
chomp;
$t = time();

# Each regex must stay on a single line; the alert formats below are tried in turn.
# 1. VPN-1/FireWall-1 useralert carrying a message_info field.
if (/\d+\w{3}\d{4}\s+[\d:]+\s(\w+)\s+([\d\.]+)\s+([><\w]+) useralert product: VPN-1 & FireWall-1; src: ([\d\.]+); s_port: ([\w_-]+); dst: ([\d\.]+); service: ([\w_-]+); proto: (\w+); message_info: ([^;]*)/) {
    $action = $1;
    $fw_ip  = $2;
    $fw_if  = $3;
    $ip_src = $4;
    $sport  = $5;
    $ip_dst = $6;
    $dport  = $7;
    $ip_p   = $8;
    $info   = $9;
    # Send the fields as an SNMPv1 trap; each trailing \\ becomes a shell line continuation.
    `snmptrap -v 1 -c public gemini.example.com enterprises.2620.1.1 trantor 6 0 $t \\
        enterprises.2620.1.1.12.1 s "$action" \\
        enterprises.2620.1.1.12.2 a "$fw_ip" \\
        enterprises.2620.1.1.12.3 s "$fw_if" \\
        enterprises.2620.1.1.12.4 a "$ip_src" \\
        enterprises.2620.1.1.12.5 s "$sport" \\
        enterprises.2620.1.1.12.6 a "$ip_dst" \\
        enterprises.2620.1.1.12.7 s "$dport" \\
        enterprises.2620.1.1.12.8 s "$ip_p" \\
        enterprises.2620.1.1.12.9 s "$info"`;
    print " match: $_\n";
# 2. VPN-1/FireWall-1 useralert carrying a rule number.
} elsif (/\d+\w{3}\d{4}\s+[\d:]+\s(\w+)\s+([\d\.]+)\s+([><\w]+) useralert product: VPN-1 & FireWall-1; src: ([\d\.]+); s_port: ([\w_-]+); dst: ([\d\.]+); service: ([\w_-]+); proto: (\w+); rule: ([^;]*)/) {
    $action = $1;
    $fw_ip  = $2;
    $fw_if  = $3;
    $ip_src = $4;
    $sport  = $5;
    $ip_dst = $6;
    $dport  = $7;
    $ip_p   = $8;
    $rule   = $9;
    # The trap for this alert type is commented out (match is logged only); uncomment to send it.
    # `snmptrap -v 1 -c public gemini.example.com enterprises.2620.1.1 trantor 6 0 $t \\
    #     enterprises.2620.1.1.12.1 s "$action" \\
    #     enterprises.2620.1.1.12.2 a "$fw_ip" \\
    #     enterprises.2620.1.1.12.3 s "$fw_if" \\
    #     enterprises.2620.1.1.12.4 a "$ip_src" \\
    #     enterprises.2620.1.1.12.5 s "$sport" \\
    #     enterprises.2620.1.1.12.6 a "$ip_dst" \\
    #     enterprises.2620.1.1.12.7 s "$dport" \\
    #     enterprises.2620.1.1.12.8 s "$ip_p" \\
    #     enterprises.2620.1.1.12.12 i "$rule"`;
    print " match: $_\n";
# 3. SmartDefense URL filter alert.
} elsif (/\d+\w{3}\d{4}\s+[\d:]+\s(\w+)\s+([\d\.]+)\s+([><\w]+) useralert product: SmartDefense; URL filter pattern detected: (.+); attack: ([^;]+); src: ([\d\.]+); s_port: ([\w_-]+); dst: ([\d\.]+); service: ([\w_-]+); proto: (\w+);/) {
    $action  = $1;
    $fw_ip   = $2;
    $fw_if   = $3;
    $pattern = $4;
    $attack  = $5;
    $ip_src  = $6;
    $sport   = $7;
    $ip_dst  = $8;
    $dport   = $9;
    $ip_p    = $10;
    `snmptrap -v 1 -c public gemini.example.com enterprises.2620.1.1 trantor 6 0 $t \\
        enterprises.2620.1.1.12.1 s "$action" \\
        enterprises.2620.1.1.12.2 a "$fw_ip" \\
        enterprises.2620.1.1.12.3 s "$fw_if" \\
        enterprises.2620.1.1.12.4 a "$ip_src" \\
        enterprises.2620.1.1.12.5 s "$sport" \\
        enterprises.2620.1.1.12.6 a "$ip_dst" \\
        enterprises.2620.1.1.12.7 s "$dport" \\
        enterprises.2620.1.1.12.8 s "$ip_p" \\
        enterprises.2620.1.1.12.10 s "$pattern" \\
        enterprises.2620.1.1.12.11 s "$attack"`;
    print " match: $_\n";
} else {
    print "mismatch: $_\n";
}
> ----- Original Message -----
> From: "Giacomo Fazio" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Wednesday, May 09, 2007 9:57 AM
> Subject: Re: [FW-1] read input from fw1
>
>
>> Ciao Crist,
>>
>> this is one line from the debug.log file:
>>
>> [EMAIL PROTECTED] more debug.log
>> 9May2007 9:55:52 accept 194.119.212.2 >eth4 useralert product: VPN-1 & FireWall-1; src: 10.10.2.230; s_port: 58011; dst: 194.119.212.15; service: ssh; proto: tcp; xlatesrc: 194.119.212.58; xlatedst: 172.30.1.15; NAT_rulenum: 14; NAT_addtnl_rulenum: 25; rule: 22;
>>
>> Any idea?
>> Giacomo
>>
>>
>> ----- Original Message -----
>> From: "Crist Clark" <[EMAIL PROTECTED]>
>> To: <[email protected]>
>> Sent: Tuesday, May 08, 2007 6:33 PM
>> Subject: Re: [FW-1] read input from fw1
>>
>>
>>>>>> On 5/8/2007 at 1:36 AM, Giacomo Fazio <[EMAIL PROTECTED]> wrote:
>>>> I would like to use the scanalert.pl script.
>>>>
>>>> But it does not read the source, destination, etc. from the output of
>>>> fw1.
>>>>
>>>> Is this line of the perl script correct ?
>>>> $message = <STDIN>;
>>>
>>> Yes.
>>>
>>> After that line try a,
>>>
>>> open(DEBUG, ">>debug.log");
>>> print DEBUG "$message";
>>>
>>> To see exactly what the script is receiving.
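As an added example (not code from the thread, from scanalert.pl, or from Crist's trap script), here is the parsing Crist describes, written in Python rather than Perl: the first function shows why scanalert.pl's split on " src " returns nothing usable for the alert format quoted above, the second parses the fixed header and the "key: value;" pairs without depending on field order, and the third assembles the snmptrap arguments from the trap script as an argument vector instead of a backtick string. The sample line is the quoted alert re-joined onto one line; the host name nms.example.org and the agent/uptime defaults are placeholders.

```python
import re

# Constructed sample input: the alert line quoted in the thread, re-joined onto
# one line (the mail client wrapped it in the e-mail).
SAMPLE = ("9May2007 10:31:05 accept 194.119.212.2 >eth4 useralert product: VPN-1 & "
          "FireWall-1; src: 10.10.2.230; s_port: 60647; dst: 194.119.212.15; "
          "service: ssh; proto: tcp; xlatesrc: 194.119.212.58; xlatedst: 172.30.1.15; "
          "NAT_rulenum: 14; NAT_addtnl_rulenum: 25; rule: 22;")

# Fixed header: date, time, action, firewall IP, interface, then 'key: value;' pairs.
HEADER_RE = re.compile(
    r"^(?P<date>\d+\w{3}\d{4})\s+(?P<time>[\d:]+)\s+(?P<action>\w+)\s+"
    r"(?P<fw_ip>[\d.]+)\s+(?P<fw_if>[<>]\S+)\s+useralert\s+(?P<fields>.*)$")

# Varbind suffixes under enterprises.2620.1.1.12 as used by the trap script above.
TRAP_VARBINDS = [(1, "s", "action"), (2, "a", "fw_ip"), (3, "s", "fw_if"), (4, "a", "src"),
                 (5, "s", "s_port"), (6, "a", "dst"), (7, "s", "service"), (8, "s", "proto"),
                 (12, "i", "rule")]

def split_like_scanalert(line):
    """scanalert.pl's first split: ' src ' never occurs in the alert (the log
    writes 'src:'), so the whole line lands in element 0 and the second half
    the script goes on to parse is simply missing."""
    return line.split(" src ")

def parse_useralert(line):
    """Parse one FW-1 useralert line into a dict, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fields = rec.pop("fields")
    # Values may contain spaces and '&' (product: VPN-1 & FireWall-1), so cut on
    # the ';' terminators and the first ':' of each pair, never on whitespace.
    for part in fields.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec

def trap_argv(rec, host, community="public", agent="trantor", uptime="0"):
    """Build the snmptrap command as an argument vector (one element per argument)
    so log contents are passed verbatim instead of interpolated into a shell string."""
    argv = ["snmptrap", "-v", "1", "-c", community, host,
            "enterprises.2620.1.1", agent, "6", "0", uptime]
    for suffix, typ, key in TRAP_VARBINDS:
        if key in rec:
            argv += ["enterprises.2620.1.1.12.%d" % suffix, typ, rec[key]]
    return argv
```

Pass the list from trap_argv to subprocess.run without shell=True; a quote or semicolon inside an alert field then stays data rather than becoming part of the command.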
The information contained in this e-mail message is confidential, intended
only for the use of the individual or entity named above. If the reader
of this e-mail is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby
notified that any review, dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this e-mail
in error, please contact [EMAIL PROTECTED]
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================