#!/usr/bin/perl -w
##########################################################################
# $Id: kernel,v 1.5 1999/02/23 00:39:54 kirk Exp $
##########################################################################
# $Log: kernel,v $
# Revision 1.5  1999/02/23 00:39:54  kirk
# Added code written by Fabrizio Zeno Cornelli <zeno@filibusta.crema.unimi.it>.
#
# Revision 1.4  1998/04/08 18:32:03  kirk
# Applied changes submitted by Luuk de Boer <luuk_de_boer@pi.net>. Thanks!
#
# Revision 1.3  1998/02/23 01:16:57  kirk
# Getting ready for a first distribution
#
# Revision 1.2  1998/02/22 22:36:28  kirk
# Created named...
#
# Revision 1.1  1998/02/22 21:45:41  kirk
# Added kernel message processing
#
##########################################################################

########################################################
# This was written and is maintained by:
#    Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
#    etc, to kirk@kaybee.org.
#
########################################################

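# Report verbosity: logwatch hands its detail level over in LOGWATCH_DEBUG.
# Default to 0 when the variable is unset so the "$Detail >= 5" checks
# further down do not emit "uninitialized value" warnings under -w.
$Detail = defined $ENV{'LOGWATCH_DEBUG'} ? $ENV{'LOGWATCH_DEBUG'} : 0;
#$MaxFlood = $ENV{'MAXFLOOD'};
# Per-source "fw-in deny" count that must be exceeded before any ipfwadm
# scan output is shown.
$MaxFlood = 10;
# Largest per-source deny count seen while reading the log; updated in
# the input loop and compared against $MaxFlood by the report.
$MaxNum = 0;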

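# Reverse-resolve a dotted-quad IPv4 address for display in the report.
#
# Argument: one string lifted from a log line (expected "a.b.c.d").
# Returns "hostname (a.b.c.d)" when a PTR record exists, otherwise the
# address exactly as given (undef in, undef out).
#
# Anything that is not four octets in 0..255 is returned untouched: the
# previous pack('C4') on a malformed string warned under -w and then
# queried an address the log never mentioned.  The resolved name comes
# from DNS operated by whoever controls the reverse zone, so control
# characters are stripped before it is embedded in the report text.
sub LookupIP {
   my ($Addr) = @_;
   return $Addr unless defined $Addr;
   my @octets = ($Addr =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/);
   return $Addr unless @octets == 4;
   foreach my $octet (@octets) {
      return $Addr if $octet > 255;
   }
   my $PackedAddr = pack('C4', @octets);
   # 2 is AF_INET; kept numeric so the script needs no extra modules.
   my $name = gethostbyaddr($PackedAddr, 2);
   return $Addr unless $name;
   # Keep each report line on one line and free of terminal escapes.
   $name =~ s/[\x00-\x1f\x7f]//g;
   return "$name ($Addr)";
}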


# Classify every kernel log line read from STDIN.  Three kinds of line
# are recognised:
#   - SYN-cookie warnings, tallied in %SYNflood by target, then source
#     (both already reverse-resolved here);
#   - ipfwadm "fw-in deny" lines, tallied in %TCPscan by protocol, then
#     source address, with $MaxNum tracking the largest per-source count;
#   - everything else, tallied verbatim in %Kernel.
# The hashes and $MaxNum are consumed by the report that follows.
LINE: while (defined($ThisLine = <STDIN>)) {
    chomp $ThisLine;
    next LINE unless length $ThisLine;

    my @syn = ($ThisLine =~ /^Warning: possible SYN flood from ([^ ]+) on ([^ ]+):.+ Sending cookies/);
    if (@syn) {
        ($from, $on) = @syn;
        $Fullfrom = LookupIP($from);
        $Fullon   = LookupIP($on);
        $SYNflood{$Fullon}{$Fullfrom}++;
        next LINE;
    }

    my @deny = ($ThisLine =~ /IP fw-in deny \w+ (\w+) ([^:]+):\d+ ([^:]+):(\d+) /);
    if (@deny) {
        ($TU, $from, $port, $on) = @deny;
        # Resolution of $from is deferred to the report so that only
        # sources over the threshold cost a DNS query.
        my $count = ++$TCPscan{$TU}{$from};
        $MaxNum = $count if $count > $MaxNum;
        $port = 0;   # captured but never used; cleared as before
        next LINE;
    }

    $Kernel{$ThisLine}++;
}
    
# Emit the "Kernel" section of the logwatch report.  Nothing is printed
# unless there is something to say: a SYN-flood tally, an ipfwadm deny
# count above $MaxFlood, or (at detail 5 and up) leftover kernel lines.
# Banner text and spacing are kept exactly as the rest of logwatch expects.
my $show_syn    = keys %SYNflood;
my $show_scan   = ($MaxNum > $MaxFlood) && (keys %TCPscan);
my $show_kernel = ($Detail >= 5) && (keys %Kernel);

if ($show_syn || $show_scan || $show_kernel) {
    print "\n\n ---------------------- Kernel Begin ------------------------- \n\n";

    if ($show_syn) {
        print "\nWarning: SYN flood on:\n";
        foreach my $target (sort keys %SYNflood) {
            print "   $target from:\n";
            foreach my $source (sort keys %{ $SYNflood{$target} }) {
                print "      $source: $SYNflood{$target}{$source} Time(s)\n";
            }
        }
    }

    if ($show_scan) {
        print "\nWarning: ipfwadm scan detected on:\n";
        foreach my $proto (sort keys %TCPscan) {
            print "   $proto from:\n";
            foreach my $source (sort keys %{ $TCPscan{$proto} }) {
                # Only sources above the threshold are listed (and resolved).
                next unless $TCPscan{$proto}{$source} > $MaxFlood;
                print "      " . LookupIP($source) . ": $TCPscan{$proto}{$source} Time(s)\n";
            }
        }
    }

    if ($show_kernel) {
        print "\n";
        # These are the raw, unrecognised log lines, printed as read.
        foreach my $line (sort keys %Kernel) {
            print "$Kernel{$line} Time(s): $line\n";
        }
    }

    print "\n\n ---------------------- Kernel End ------------------------- \n\n";
}


# Normal termination; nothing in this script signals an error through
# its exit status.
exit(0);


