Hi,
I found this script that gets run on a unix box running CP at
So I installed it and configured
it on my Nokia IP mgmt station, and it partially works. What's supposed
to happen is a specific rule gets triggered that runs the script. the
script then grabs the information (source, destination, service, etc)
puts it in a logfile and send an email to a specifed user. However, on
the Nokia box when the script is run, it write the following:
03/01/17 14:28:48\tsrc:\tdst:\tproto:\ts_port:\tservice:
03/01/17 14:28:49\tsrc:\tdst:\tproto:\ts_port:\tservice:
as well it doesn't send the email, mail relay is already configured and
working. If any one has any scripting experience with Nokia IP devices
running IPSO 3.6 CP NG FP3, that could help correct the script that
would be much appreciated. I have attached the script. At the end of this posting
thanks in advance
John
Spike[rn4it]# more alert.sh
#!/bin/sh
#
# alert.sh: ver 2.1.1
# Last Modified 29 December, 2001
# Lance Spitzner <lance@spitzner.net>
#
# Parse, log, and react to FW-1 User Defined Alerts
# For more information, please review the README
#
#################################################################
# BEGIN CUSTOMIZING SCRIPT HERE #
#################################################################
# INSTALL DIRECTORY
# Define the directory that this script is in.
# Do NOT put a slash at the end.
# EXAMPLE: dir=/home/fwadmin/alert_2.1.1
dir=/var/admin/alert_2.1.1
# FW ADMIN
# Define the name of who gets the email alerts
# EXAMPLE: user=fwadmin@example.com
user=nma@aic.com
# SCAN LIMIT PER SOURCE
# Define maixmum number of scans/email alerts per source
limit=5
# SCAN LIMIT TOTAL
# Define the maximum number of scans/emails per day
total=500
# SAM
# Define as "true" if you want to autotmatically block
# the source if you reach your scan limit.
sam=false
# SAM TIMEOUT
# How long do you want the source blocked
# Default is 3600 seconds (1 hour).
timeout=3600
#################################################################
# FINISH CUSTOMIZING SCRIPT HERE #
#################################################################
#################################################################
# DEFINE SYSTEM VARIABLES HERE #
#################################################################
### Script variables
message=/tmp/.message_$$
send=/tmp/.send_$$
MAIL=mail
### Good code is secure code
umask=177
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
export PATH
if [ -f $message ];then
rm $message
fi
if [ -f $send ];then
rm $send
fi
### Set trap in case of abrupt exit
trap "rm $send $message ; exit 5" 1 2 15
### Grab User Defined Alert log, pipe to $message.
cat - | tail -1 > $message
# Okay, time to parse the log. First, determine log type
# TCP/UDP, ICMP, or rpc_prg
grep -c " proto icmp " $message
icmp_check=$?
grep " rpc_prog " $message
rpc_check=$?
if [ "$icmp_check" -eq 0 ];then
# Protocol is ICMP
date=`date '+%y/%m/%d%t%H:%M:%S'`
src=`awk '{print $11}' $message`
dst=`awk '{print $13}' $message`
proto=`awk '{print $15}' $message`
type=`awk '{print $17}' $message`
code=`awk '{print $19}' $message`
data="$date\$src\$dst\$proto\$type\$code"
elif [ "$rpc_check" -eq 0 ];then
# Protocol is rpc based
date=`date '+%y/%m/%d%t%H:%M:%S'`
src=`awk '{print $13}' $message`
dst=`awk '{print $17}' $message`
proto=`awk '{print $21}' $message`
s_prt=`awk '{print $15}' $message`
d_prt=`awk '{print $19}' $message`
rpc_prog=`awk '{print $11}' $message`
data="$date\t$src\t$dst\t$proto\t$s_prt\t$d_prt\t$rpc_prog"
RPC="RPC_Service: $rpc_prog"
else
# Protocol is TCP/UDP
date=`date '+%y/%m/%d%t%H:%M:%S'`
src=`awk '{print $11}' $message`
dst=`awk '{print $15}' $message`
proto=`awk '{print $19}' $message`
s_prt=`awk '{print $13}' $message`
d_prt=`awk '{print $17}' $message`
data="$date\t$src\t$dst\t$proto\t$s_prt\t$d_prt"
fi
### Determine number of scans.
number=`grep -c $src $dir/alert.log`
scan=`expr $number + 1`
### Check number of scans from source. If we have reached our limit,
### lets bail now and save CPU cycles.
if [ $scan -gt $limit ];then
echo $data >> $dir/alert.log
rm $message
exit 10
fi
### Check number of total scans. If we have reached our limit,
### lets bail now and save CPU cycles.
number=`cat $dir/alert.log | wc -l`
if [ $number -gt $total ];then
echo $data >> $dir/alert.log
rm $message
exit 15
fi
#################################################################
# FUNCTIONS #
# #
# Build your own modules here, such as paging or snmp_trap #
# alerts, then add them to Phase 3 in the script. #
#################################################################
## This function blocks the source IP scanning/probing our
## network. Edit 'fw sam' command to your taste. For more
## info, typte 'fw sam'.
Block () {
$FWDIR/bin/fw sam -t $timeout -i src $src
cat <<EOF >> $send
WARNING
Intruder $src has been temporarily blocked at the Firewall
$src will be blocked for the next $timeout seconds
To enable $src, type the following command on the Firewall
$FWDIR/bin/fw sam -t $timeout -C -i src $src
EOF
}
### Build Email Alert
if [ $proto = "icmp" ]; then
cat <<EOF > $send
You have received this message because someone is potentially
scanning your systems. The information below is the packet
that was denied and logged by the Firewall. This is email alert
number $scan, with a limit of $limit from $src.
----- CRITICAL INFORMATION -----
Date/Time: $date
Source: $src
Destination: $dst
Protocol: $proto
Type: $type
Code: $code
----- ACTUAL FW-1 LOG ENTRY -----
`cat $message`
EOF
else
cat <<EOF > $send
You have received this message because someone is potentially
scanning your systems. The information below is the packet
that was denied and logged by the Firewall. This is email alert
number $scan, with a limit of $limit from $src.
----- CRITICAL INFORMATION -----
Date/Time: $date
Source: $src
Destination: $dst
Protocol: $proto
S_Port: $s_prt
D_Port: $d_prt
$RPC
----- ACTUAL FW-1 LOG ENTRY -----
`cat $message`
EOF
fi
#################################################################
# THE SCRIPT #
#################################################################
### PHASES START:
### What to do in addition to email alerts, depending on
### the number of scans.
# ##### PHASE 1 #####
# First unauthorized connection from the remote system.
if [ $scan -eq 1 ]; then
## Add this system to our scan database file alert.uniq
echo $data >> $dir/alert.uniq
# ##### PHASE 2 #####
# Second to $limit connections from the remote system
elif [ $scan -gt 1 ] && [ $scan -lt $limit ]; then
## Add anything you would like for this.
:
# ##### PHASE 3 #####
# We are pretty sure this is a port scan or probe, since the
# same source has connected to us $limit number of times.
else
### Block source
if [ $sam = true ]; then
Block
fi
$MAIL -s "#### SCAN ALERT ####" $user < $send
echo ""
echo "This is alert number $scan, you have reached your" >> $send
echo "maximum threshold. You will not receive anymore alerts". >> $send
fi
### Save log to alert.log
echo $data >> $dir/alert.log
## All done, lets clean up after ourselves, just like Mom taught us
#rm $message
#rm $send
exit 0
I found this script that gets run on a unix box running CP at
So I installed it and configured
it on my Nokia IP mgmt station, and it partially works. What's supposed
to happen is a specific rule gets triggered that runs the script. the
script then grabs the information (source, destination, service, etc)
puts it in a logfile and send an email to a specifed user. However, on
the Nokia box when the script is run, it write the following:
03/01/17 14:28:48\tsrc:\tdst:\tproto:\ts_port:\tservice:
03/01/17 14:28:49\tsrc:\tdst:\tproto:\ts_port:\tservice:
as well it doesn't send the email, mail relay is already configured and
working. If any one has any scripting experience with Nokia IP devices
running IPSO 3.6 CP NG FP3, that could help correct the script that
would be much appreciated. I have attached the script. At the end of this posting
thanks in advance
John
Spike[rn4it]# more alert.sh
#!/bin/sh
#
# alert.sh: ver 2.1.1
# Last Modified 29 December, 2001
# Lance Spitzner <lance@spitzner.net>
#
# Parse, log, and react to FW-1 User Defined Alerts
# For more information, please review the README
#
#################################################################
# BEGIN CUSTOMIZING SCRIPT HERE #
#################################################################
# INSTALL DIRECTORY
# Define the directory that this script is in.
# Do NOT put a slash at the end.
# EXAMPLE: dir=/home/fwadmin/alert_2.1.1
dir=/var/admin/alert_2.1.1
# FW ADMIN
# Define the name of who gets the email alerts
# EXAMPLE: user=fwadmin@example.com
user=nma@aic.com
# SCAN LIMIT PER SOURCE
# Define maixmum number of scans/email alerts per source
limit=5
# SCAN LIMIT TOTAL
# Define the maximum number of scans/emails per day
total=500
# SAM
# Define as "true" if you want to autotmatically block
# the source if you reach your scan limit.
sam=false
# SAM TIMEOUT
# How long do you want the source blocked
# Default is 3600 seconds (1 hour).
timeout=3600
#################################################################
# FINISH CUSTOMIZING SCRIPT HERE #
#################################################################
#################################################################
# DEFINE SYSTEM VARIABLES HERE #
#################################################################
### Script variables
message=/tmp/.message_$$
send=/tmp/.send_$$
MAIL=mail
### Good code is secure code
umask=177
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
export PATH
if [ -f $message ];then
rm $message
fi
if [ -f $send ];then
rm $send
fi
### Set trap in case of abrupt exit
trap "rm $send $message ; exit 5" 1 2 15
### Grab User Defined Alert log, pipe to $message.
cat - | tail -1 > $message
# Okay, time to parse the log. First, determine log type
# TCP/UDP, ICMP, or rpc_prg
grep -c " proto icmp " $message
icmp_check=$?
grep " rpc_prog " $message
rpc_check=$?
if [ "$icmp_check" -eq 0 ];then
# Protocol is ICMP
date=`date '+%y/%m/%d%t%H:%M:%S'`
src=`awk '{print $11}' $message`
dst=`awk '{print $13}' $message`
proto=`awk '{print $15}' $message`
type=`awk '{print $17}' $message`
code=`awk '{print $19}' $message`
data="$date\$src\$dst\$proto\$type\$code"
elif [ "$rpc_check" -eq 0 ];then
# Protocol is rpc based
date=`date '+%y/%m/%d%t%H:%M:%S'`
src=`awk '{print $13}' $message`
dst=`awk '{print $17}' $message`
proto=`awk '{print $21}' $message`
s_prt=`awk '{print $15}' $message`
d_prt=`awk '{print $19}' $message`
rpc_prog=`awk '{print $11}' $message`
data="$date\t$src\t$dst\t$proto\t$s_prt\t$d_prt\t$rpc_prog"
RPC="RPC_Service: $rpc_prog"
else
# Protocol is TCP/UDP
date=`date '+%y/%m/%d%t%H:%M:%S'`
src=`awk '{print $11}' $message`
dst=`awk '{print $15}' $message`
proto=`awk '{print $19}' $message`
s_prt=`awk '{print $13}' $message`
d_prt=`awk '{print $17}' $message`
data="$date\t$src\t$dst\t$proto\t$s_prt\t$d_prt"
fi
### Determine number of scans.
number=`grep -c $src $dir/alert.log`
scan=`expr $number + 1`
### Check number of scans from source. If we have reached our limit,
### lets bail now and save CPU cycles.
if [ $scan -gt $limit ];then
echo $data >> $dir/alert.log
rm $message
exit 10
fi
### Check number of total scans. If we have reached our limit,
### lets bail now and save CPU cycles.
number=`cat $dir/alert.log | wc -l`
if [ $number -gt $total ];then
echo $data >> $dir/alert.log
rm $message
exit 15
fi
#################################################################
# FUNCTIONS #
# #
# Build your own modules here, such as paging or snmp_trap #
# alerts, then add them to Phase 3 in the script. #
#################################################################
## This function blocks the source IP scanning/probing our
## network. Edit 'fw sam' command to your taste. For more
## info, typte 'fw sam'.
Block () {
$FWDIR/bin/fw sam -t $timeout -i src $src
cat <<EOF >> $send
WARNING
Intruder $src has been temporarily blocked at the Firewall
$src will be blocked for the next $timeout seconds
To enable $src, type the following command on the Firewall
$FWDIR/bin/fw sam -t $timeout -C -i src $src
EOF
}
### Build Email Alert
if [ $proto = "icmp" ]; then
cat <<EOF > $send
You have received this message because someone is potentially
scanning your systems. The information below is the packet
that was denied and logged by the Firewall. This is email alert
number $scan, with a limit of $limit from $src.
----- CRITICAL INFORMATION -----
Date/Time: $date
Source: $src
Destination: $dst
Protocol: $proto
Type: $type
Code: $code
----- ACTUAL FW-1 LOG ENTRY -----
`cat $message`
EOF
else
cat <<EOF > $send
You have received this message because someone is potentially
scanning your systems. The information below is the packet
that was denied and logged by the Firewall. This is email alert
number $scan, with a limit of $limit from $src.
----- CRITICAL INFORMATION -----
Date/Time: $date
Source: $src
Destination: $dst
Protocol: $proto
S_Port: $s_prt
D_Port: $d_prt
$RPC
----- ACTUAL FW-1 LOG ENTRY -----
`cat $message`
EOF
fi
#################################################################
# THE SCRIPT #
#################################################################
### PHASES START:
### What to do in addition to email alerts, depending on
### the number of scans.
# ##### PHASE 1 #####
# First unauthorized connection from the remote system.
if [ $scan -eq 1 ]; then
## Add this system to our scan database file alert.uniq
echo $data >> $dir/alert.uniq
# ##### PHASE 2 #####
# Second to $limit connections from the remote system
elif [ $scan -gt 1 ] && [ $scan -lt $limit ]; then
## Add anything you would like for this.
:
# ##### PHASE 3 #####
# We are pretty sure this is a port scan or probe, since the
# same source has connected to us $limit number of times.
else
### Block source
if [ $sam = true ]; then
Block
fi
$MAIL -s "#### SCAN ALERT ####" $user < $send
echo ""
echo "This is alert number $scan, you have reached your" >> $send
echo "maximum threshold. You will not receive anymore alerts". >> $send
fi
### Save log to alert.log
echo $data >> $dir/alert.log
## All done, lets clean up after ourselves, just like Mom taught us
#rm $message
#rm $send
exit 0