extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-03 03:59:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

Make the output of 'show event[2] understandable

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-07-12 16:07:22 -07:00
parent c7ad12177a
commit 51d5ec6b2b
2 changed files with 72 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
Shorewall-core/lib.cli
View File

@ -729,22 +729,60 @@ show_nfacct() {
fi fi
} }
show_event() {
local address
local ttl_label
local ttl
local last_seen
local last
local oldest_pkt
local oldest
local intimes
local outtimes1
local outtimes2
local time
local count
while read address ttl_label ttl last_seen last oldest_pkt oldest intimes; do
outtimes1=''
outtimes2=''
count=0
last=$((($currenttime - $last)/1000))
for time in $intimes; do
time=${time%,}
time=$((($currenttime - $time)/1000))
if [ $count -lt $oldest ]; then
outtimes2="$outtimes2 $time"
else
outtimes1="$outtimes1 $time"
fi
count=$(($count + 1))
done
echo " $address :${outtimes1}${outtimes2}"
done < /proc/net/xt_recent/$1
}
show_events() { show_events() {
local file local file
local base local base
local currenttime
if [ -f /proc/net/xt_recent/%CURRENTTIME ]; then if [ -f /proc/net/xt_recent/%CURRENTTIME ]; then
echo -127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME echo -127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
echo +127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME echo +127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
echo Current time: $(cat /proc/net/xt_recent/%CURRENTTIME | cut -d ' ' -f 5 -) currenttime=$(cat /proc/net/xt_recent/%CURRENTTIME | cut -d ' ' -f 5 -)
echo # echo Current time: $currenttime
# echo
else
currenttime=0
fi fi
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
for event in $@ ; do for event in $@ ; do
if [ -f /proc/net/xt_recent/$event ]; then if [ -f /proc/net/xt_recent/$event ]; then
echo $event: echo $event:
cat /proc/net/xt_recent/$event show_event $event
echo echo
else else
error_message "WARNING: Event $event not found" error_message "WARNING: Event $event not found"
@ -755,8 +793,8 @@ show_events() {
base=$(basename $file) base=$(basename $file)
if [ $base != %CURRENTTIME ]; then if [ $base != %CURRENTTIME ]; then
echo $(basename $file) echo $base
cat $file show_event $base
echo echo
fi fi
done done

44
docs/Events.xml
View File

@ -421,28 +421,42 @@
the events listed in the command while <emphasis role="bold">show the events listed in the command while <emphasis role="bold">show
events</emphasis> lists the contents of all events.</para> events</emphasis> lists the contents of all events.</para>
<programlisting>root@gateway:~# shorewall show events <programlisting>root@gateway:/usr/src/linux-source-3.2/net/netfilter# shorewall show events
Shorewall 4.5.19-Beta2 events at gateway - Fri Jul 12 13:21:27 PDT 2013 Shorewall 4.5.19-Beta2 events at gateway - Fri Jul 12 15:57:20 PDT 2013
Current time: 4404787304 <emphasis role="bold">&lt;================ Times are 'milliseconds since boot'</emphasis> SSH
src=125.46.13.163 : 3453
src=200.59.55.50 : 3900 3900
src=65.182.111.112 : 2946
SSH <emphasis role="bold">&lt;================= This and the next event are created by the Autoblacklist example below</emphasis> SSH_COUNTER
src=125.46.13.163 ttl: 114 last_seen: 4403672214 oldest_pkt: 1 4403672214
src=200.59.55.50 ttl: 32 last_seen: 4403225346 oldest_pkt: 2 4403225096, 4403225346
src=65.182.111.112 ttl: 118 last_seen: 4404178828 oldest_pkt: 1 4404178828
SSH_COUNTER <emphasis role="bold">&lt;====================== This event has not occurred recently.</emphasis> sticky001
src=172.20.1.146 : 8 8 8 8 8 8 8 8 8 8 8 8 8 8 7 7 7 7 7 7
sticky001 <emphasis role="bold">&lt;================== This and the next events are generated by the Shorewall SAME rule target.</emphasis>
src=172.20.1.146 ttl: 64 last_seen: 4404774586 oldest_pkt: 9 4404731690, 4404731690, 4404731690, 4404731690, 4404731690, 4404731691, 4404750647, 4404774560, 4404774586, 4404731667, 4404731667, 4404731669, 4404731669, 4404731669, 4404731669, 4404731669, 4404731669, 4404731688, 4404731689, 4404731689
sticky002 sticky002
src=172.20.1.213 ttl: 128 last_seen: 4404785474 oldest_pkt: 6 4404785172, 4404785215, 4404785324, 4404785397, 4404785407, 4404785474, 4404767925, 4404767925, 4404767925, 4404767942, 4404768011, 4404768011, 4404768011, 4404768012, 4404768014, 4404768014, 4404768042, 4404768042, 4404768042, 4404768043 src=172.20.1.213 : 53 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 46 46
root@gateway:~# </programlisting> root@gateway:/usr/src/linux-source-3.2/net/netfilter# </programlisting>
<para>Note that the times of the recent events are recorded for each <para>The SSH and SSH_COUNTER events are created using the following
address.</para> Automatic Blacklisting example. The sticky001 and sticky002 events are
created by the SAME rule action.</para>
<para>Each line represents one event. The list of numbers following the
':' represent the number of seconds ago that a matching packet triggered
the event. The numbers are in chronological sequence, so In this event,
there were 20 packets from 172.20.1.213 that arrived between 53 and 46
seconds ago:</para>
<programlisting>sticky002
src=172.20.1.213 : <emphasis role="bold">53</emphasis> 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 49 46 <emphasis
role="bold">46</emphasis></programlisting>
<para>Note that there may have been earlier packets that also matched,
but the system where this example was captured used the default value of
the <emphasis role="bold">ip_pkt_list_tot</emphasis> xt_recent option
(20).</para>
</section> </section>
</section> </section>