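#!/usr/bin/perl
#
# scanalert.pl v1.0
# Written By: Roland Lee
# Date: 5 February 2001
#
# Port-scan alert handler for Check Point FireWall-1 NG. It reads one log
# entry from standard input, appends it to the alert log, counts how many
# times the same source address has scanned us, e-mails the administrator for
# the first $MailLimit scans of that address and runs the "fw sam" blocking
# command every $ScanLimit scans.
#
# Note: This Perl script should be converted to a batch script with "pl2bat"
# (distributed with the ActivePerl package). Because of a limitation in
# Windows NT/2000, a Perl script running under ActivePerl can't handle I/O
# processing correctly. Besides, you should specify the batch script in
# Check Point like "c:/log/scanalert.bat" and not "c:\log\scanalert.bat",
# otherwise Check Point can't locate the file.
#
# Please direct all your queries to rolee@hotmail.com.
#
use strict;
use warnings;
use Net::SMTP;

########################################################
# User customization
########################################################

# E-mail address the alerts are sent from (the firewall management console).
my $FromAddress = 'Firewall';

# E-mail address the alerts are sent to.
my $ToAddress = 'YOUR_E-MAIL_ADDRESS';

# IP address of the mail server.
my $MailServer = 'YOUR_MAIL_SERVER';

# One line per distinct source address that has scanned us.
my $AttackerLog = 'c:\log\attacker.log';

# One line per scan with the details of the log entry.
my $AlertLog = 'c:\log\alert.log';

# Maximum number of e-mail alerts sent for one source address.
my $MailLimit = 5;

# Number of scans after which the source address is blocked (the block is
# repeated at every further multiple of this number).
my $ScanLimit = 50;

# Command that blocks an address for 3600 seconds; the source address is
# appended as the last argument. It is kept as an argument list so that the
# address never passes through the command shell.
my @BlockCommand = (
    ( $ENV{SystemRoot} || '' ) . '\fw1\5.0\bin\fw',
    qw(sam -t 3600 -i src),
);

########################################################
# Helpers
########################################################

# Splits one FW-1 NG log entry into (time, source, destination, source port,
# service). Returns an empty list when the entry has no " src " field.
sub parse_log_message {
    my ($entry) = @_;

    my ( $before_src, $after_src ) = split / src /, $entry, 2;
    return if !defined $after_src;

    my @head   = split /[ ]+/, $before_src;
    my @fields = split /[ ]+/, $after_src;
    my $time   = $head[0];

    # ICMP entries carry no ports, so the fields sit at different offsets and
    # the service is described by four words instead of one.
    if ( $entry =~ / proto icmp / ) {
        return (
            $time, $fields[0], $fields[2], $fields[4],
            join( ' ', map { defined $_ ? $_ : '' } @fields[ 5 .. 8 ] ),
        );
    }
    return ( $time, $fields[0], $fields[4], $fields[2], $fields[6] );
}

# Returns the number of lines of $path that match $pattern (a qr//).
# A missing or unreadable file counts as zero matches, which is what the
# caller expects the first time the script runs.
sub count_matching_lines {
    my ( $path, $pattern ) = @_;

    open my $fh, '<', $path or return 0;
    my $count = 0;
    while ( my $line = <$fh> ) {
        chomp $line;
        $count++ if $line =~ $pattern;
    }
    close $fh;
    return $count;
}

# Sends one plain-text e-mail through $server. Returns true on success; a
# connection failure is only warned about so the rest of the script (logging
# and blocking) still runs when the mail server is down.
sub send_alert_mail {
    my ( $server, $from, $to, $subject, @body ) = @_;

    my $smtp = Net::SMTP->new($server);
    if ( !$smtp ) {
        warn "scanalert: cannot connect to mail server $server\n";
        return 0;
    }
    $smtp->mail($from);
    $smtp->to($to);
    $smtp->data();
    $smtp->datasend("To: $to\n");
    $smtp->datasend("Subject: $subject\n\n");
    $smtp->datasend($_) for @body;
    $smtp->dataend();
    $smtp->quit;
    return 1;
}

########################################################
# The main program starts at here
########################################################

# Check Point passes the log entry on standard input. $message is kept as
# received (including its newline) because it is quoted in the alert mail.
my $message = <STDIN>;
if ( !defined $message || $message !~ /\S/ ) {
    die "scanalert: no log entry on standard input\n";
}
( my $entry = $message ) =~ s/\s+\z//;

my ( $time, $source, $destination, $sport, $service ) = parse_log_message($entry);
if ( !defined $source || $source eq '' ) {
    die "scanalert: cannot find the ' src ' field in log entry: $entry\n";
}
for ( $destination, $sport, $service ) {
    $_ = '' if !defined $_;
}

# The source address is reused as a regex, as a log line and as an argument
# of the block command, so accept only the characters an address or host
# name can contain.
if ( $source !~ /\A[A-Za-z0-9._-]+\z/ ) {
    die "scanalert: refusing to handle unexpected source field '$source'\n";
}

# Check Point won't pass the date information, so take it from the clock.
# Format is DD-MM-YYYY (no zero padding).
my ( $mday, $mon, $year ) = (localtime)[ 3, 4, 5 ];
my $date = join '-', $mday, $mon + 1, $year + 1900;

# Record the log information into the alert.log file.
open my $alert_fh, '>>', $AlertLog or die "scanalert: open $AlertLog: $!\n";
print {$alert_fh} "$date, $time, $source, $destination, $sport, $service\n";
close $alert_fh or die "scanalert: close $AlertLog: $!\n";

# Count the number of times the source has scanned us (the entry just
# written is included). The address is matched as a whole field so that
# 10.1.1.1 is not counted for 10.1.1.10 or 110.1.1.1.
my $scan_count = count_matching_lines( $AlertLog, qr/, \Q$source\E, / );

# Record the source in the attacker.log file the first time it is seen.
my $attack_count = count_matching_lines( $AttackerLog, qr/\A\Q$source\E\z/ );
if ( $attack_count == 0 ) {
    open my $attacker_fh, '>>', $AttackerLog
        or die "scanalert: open $AttackerLog: $!\n";
    print {$attacker_fh} "$source\n";
    close $attacker_fh or die "scanalert: close $AttackerLog: $!\n";
}

# Block the attacker when the number of scans reaches a multiple of the
# limit and tell the administrator about it.
if ( $ScanLimit > 0 && $scan_count % $ScanLimit == 0 ) {
    my $rc = system( @BlockCommand, $source );
    warn "scanalert: block command returned $rc\n" if $rc != 0;

    send_alert_mail(
        $MailServer, $FromAddress, $ToAddress,
        '***** Block Notice ***** ',
        "The IP address $source is blocked for 60 minutes because it has ",
        "exceeded the threshold ($ScanLimit) in scanning your network.\n",
    );
}

# Send an e-mail to acknowledge the administrator while the number of scans
# does not exceed the mail limit.
if ( $scan_count <= $MailLimit ) {
    send_alert_mail(
        $MailServer, $FromAddress, $ToAddress,
        '***** Port Scan Alert ***** ',
        "Someone at IP address $source is probably performing a port scanning to your network. ",
        "At most $MailLimit e-mails regarding this IP address will be sent to you. ",
        "The following is the detailed information of this scan:\n\n",
        "-------- Critical Information --------\n",
        "Date: $date\n",
        "Time: $time \n",
        "Source IP: $source\n",
        "Source Port: $sport\n",
        "Destination IP: $destination\n",
        "Service: $service\n\n",
        "----- Actual FW-1 Log Entry -----\n",
        "$message \n",
    );
}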