#!/usr/local/bin/perl
#----------------------------------------------------------------------------
#
# fwconwatch.pl - Monitor FireWall-1 connection table
#
# www.sabernet.net
#
#
# By default this script checks the status of the connection table every
# 60 seconds. The administrator will be notified by page/email if the
# connection table has reached the warning percentage.
#
# The -f switch causes an output line to be displayed for each check.
# The -F switch causes an output line to be logged via syslogd.
#
# Distributed under the terms of this General Public License
# http://www.gnu.org/copyleft/gpl.html
#
# Revision History:
# 11-Jun-2000 1.3 Added switch info for fwtable.pl ver1.1beta
# 08-Sep-1999 1.2 Added features provided by masato@mulan.aero.org
# 30-Jul-1999 1.1 Added cpu utilization check (SunOS 5.x)
# 30-Jul-1999 1.0 Script completed
#
#----------------------------------------------------------------------------
#
# TARGET  : Target FW host
#
# LIMIT   : Number of slots in the connection table.
Details can be found # in PhoneBoy's FW1 FAQ: http://www.phoneboy.com/fw1/faq/0289.html # # WARN : Percentage at which a page/email will be sent # # SRC_MAX : Number of connection sources to report on # # SCRIPT : Path to Lance Spitzner's fwtable.pl script # http://www.spitzner.net/fwtable.html # # PAGE : Address to send warning page to # # EMAIL : Address to send connection report to # # SLEEP : Number of seconds to sleep between checks # #---------------------------------------------------------------------------- $TARGET = "localhost"; $LIMIT = 25000; $WARN = 20; $SRC_MAX = 100; $SCRIPT = "/etc/fw/bin/fwtable.pl -c $LIMIT"; # < ver 1.1beta #$SCRIPT = "/etc/fw/bin/fwtable.pl -s -c $LIMIT"; # >= ver 1.1beta $PAGE = "pager\@example.com"; $EMAIL = "infosec\@example.com"; $LOGGER = "/usr/bin/logger -p local1.info -t FWD"; $SLEEP = 60; # main { while(1) { $conns = get_conns(); $percent = ($conns / $LIMIT) * 100; if ($ARGV[0] eq '-f') { $date = `date`; chop($date); print "$date $percent% $conns\n"; } elsif (($ARGV[0] eq '-F') && defined($LOGGER)) { system("$LOGGER connections=$conns $percent%"); } if ($percent >= $WARN) { `echo \"fw conn $percent%\" | mailx $PAGE`; report_top(); } check_cpu(); sleep($SLEEP); } } # # get_conns : returns the number of slots filled in the connection table # sub get_conns { $_ = `/etc/fw/bin/fw tab -t connections -s $TARGET | tail -1`; chop(); $_ =~ /(\d+)$/; $1; } # # report_top : reports the top n connection sources # sub report_top { my ($top, %table); open(DATA, "$SCRIPT |"); while() { if ($_ =~ /^(\d+\.\d+\.\d+\.\d+)/) { $table{$1}++; } } close($DATA); my($i) = 0; foreach $key ( sort { $table{$b} <=> $table{$a} } sort(keys %table) ) { if ($i < $SRC_MAX) { $top .= sprintf(" %-20s %-8d\n", $key, $table{$key}); $i++; } } open(MAIL, "| mailx -s \"FW Connection Table $percent%\" $EMAIL"); print MAIL "Top $i connection sources:\n\n$top"; close(MAIL); } # # check_cpu : checks the cpu stats and sends an alarm if warranted # sub check_cpu { $_ 
= `iostat -c 5 2 | tail -1`; my(@stats) = split; if ( ($stats[0] > 85) || # user ($stats[1] > 85) || # kernel ($stats[2] > 70) ) # iowait { `echo \"fw cpu us:$stats[0] ke:$stats[1] io:$stats[2]\" | mailx $PAGE`; } }