advertisement

Print

Cooking with Cisco, Part 1
Pages: 1, 2

Author's note: You can use the logging feature with Cisco Access Lists to keep track of how often certain types of packets pass through your network. This is often a good way to detect patterns of abuse or attempts to violate network security. The only problem is that the sheer volume of log messages generated this way can make analysis very difficult. This recipe provides a script to scan and analyze the log files automatically for you.



Recipe 19.10: Analyzing ACL Log Entries

Problem

You want to analyze the log entries created by logging ACLs.

Solution

The Perl script in Example 19-1 parses a router syslog file and builds a detailed report of packets that were denied by logging ACLs. By default, the script will parse every ACL log message that it finds in the syslog file on a server. You can also look for messages associated with a particular ACL by specifying the ACL number or name as a command-line argument.

Example 19-1. logscan.pl

#!/usr/local/bin/perl
#
#       logscan.pl -- a script to extract ACL logs from a syslog file. 
#
# Set behaviour
$log="/var/log/cisco.log";
$ntop=10;
#
chomp ($acl=$ARGV[0]);
if ($acl =  = "") { $acl=".*"};
   
open(LOG , "<$log") or die;
while (<LOG>) {
 if (/IPACCESSLOGP: list $acl denied ([tcpud]+) ([0-9.]+)\(([0-9]+)\) ->
  ([0-9.]+)\(([0-9]+\), ([0-9]+) /) {
   $x=$6;
   $srca{$2}+=$x;
   $foo=sprintf("%16s  -> %16s  %3s port %-6s",$2,$4,$1,$5);
   $moo=sprintf("%3s port %-6s",$1,$5);
   $quad{$foo}+=$x;
   $port{$moo}+=$x;
 }
}
$n=0;
printf ("Connection Summary:\n");
foreach $i (sort { $quad{$b} <=> $quad{$a} } keys %quad) {
   if ($n++ >= $ntop) { last };
   printf ("%6s:%s\n", $quad{$i},$i);
}
$n=0;
printf ("\nDestination Port Summary:\n");
foreach $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
   if ($n++ >= $ntop) { last };
   printf ("%6s: %s\n", $port{$i},$i);
}
$n=0;
printf ("\nSource Address Summary:\n");
foreach $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
   if ($n++ >= $ntop) { last };
   printf ("%6s: %s\n", $srca{$i},$i);
}

Note that we have had to split the line that begins "if (/IPACCESSLOGP: list" across two lines so that it will fit on the page. If you decide to use this script, please type this as a single line.

Discussion

It's a good idea configure your access lists so that they log all of the packets that they deny. This is particularly true for security-related ACLs. You can then use these log messages for security or audit purposes. Unfortunately, this level of logging can create a large number of messages, which makes analysis difficult. This Perl script automates the most difficult part of this analysis by parsing a large file of ACL log messages and building a report that can help to identify potential problems.

The report produced by the script has three sections that summarize connections, destination ports, and source IP addresses. The connection report displays the top 10 most common connection denied attempts including the source address, destination source, and destination port number. The destination port summary displays the top 10 most frequently denied destination ports. Finally, the source address summary displays the 10 hosts whose connection attempts were most frequently denied. In each case, the script looks at both TCP and UDP ports.

The following is a sample report:

Freebsd%./logscan.pl
Connection Summary:
   195:      172.25.1.1  ->     172.20.100.1  tcp port 23    
    13:      172.25.1.1  ->     172.20.100.1  tcp port 22    
     8:      172.20.1.2  ->       172.25.1.3  udp port 53    
     6:      172.20.1.2  ->       172.25.1.1  udp port 123   
     6:      172.25.1.1  ->         10.2.2.2  tcp port 23    
     4:      172.20.1.2  ->       172.25.1.1  udp port 162   
     4:      172.25.1.1  ->     172.20.100.1  tcp port 21    
     4:      172.20.1.2  ->       172.25.1.1  udp port 53    
     3:      172.25.1.1  ->     172.20.100.1  tcp port 80    
     2:      172.20.1.2  ->       172.25.1.3  udp port 123   
   
Destination Port Summary:
   206: tcp port 23    
    14: tcp port 22    
    12: udp port 53    
     8: udp port 123   
     4: tcp port 80    
     4: udp port 162   
     4: tcp port 21    
     2: tcp port 443   
     1: tcp port 6000  
     1: tcp port 79    
   
Source Address Summary:
   222: 172.25.1.1
    24: 172.20.1.2
     3: 172.25.1.6
     1: 192.168.4.217
     1: 172.25.1.9
     1: 10.2.3.134
     1: 172.25.1.4
     1: 172.22.1.9
     1: 10.23.55.121
     1: 172.25.1.3
Freebsd%

This report can help identify troubling behavior that warrants further investigation. For instance, address 172.25.1.1 has attempted to telnet to 172.20.100.1 195 times. This may not have been evident by scanning the log file by hand.

The script can also build a report based on the messages received from a particular ACL number or name:

Freebsd%./logscan.pl 122
Connection Summary:
     2:      172.25.1.6  ->         10.2.2.2  tcp port 443   
     1:   192.168.4.217  ->         10.2.2.2  tcp port 23    
     1:      172.22.1.9  ->         10.2.2.2  tcp port 6000  
     1:      10.2.3.134  ->         10.2.2.2  tcp port 23    
     1:      172.25.1.9  ->         10.2.2.2  tcp port 23    
     1:    10.23.55.121  ->         10.2.2.2  tcp port 79    
     1:      172.25.1.1  ->         10.2.2.2  tcp port 22    
     1:      172.25.1.6  ->         10.2.2.2  tcp port 23    
   
Destination Port Summary:
     4: tcp port 23    
     2: tcp port 443   
     1: tcp port 22    
     1: tcp port 6000  
     1: tcp port 79    
   
Source Address Summary:
     3: 172.25.1.6
     1: 10.2.3.134
     1: 172.22.1.9
     1: 192.168.4.217
     1: 172.25.1.1
     1: 172.25.1.9
     1: 10.23.55.121
Freebsd%

Before you can use this script you must modify the variable $log. This variable must contain the full directory and filename of the syslog file that you wish to scan. The script is then ready to launch. The only other variable you may want to modify is the $ntop variable. This variable defines how long each section of the report will be. By default, the script is set to display the top 10 matches in each category. However, you can set this number to any number you prefer. Note also that, as in the previous example, if there are fewer than $ntop matches in any category, the script will show only the matches that it actually finds.

For more information on logging and remote logging to a syslog server, please see Chapter 18 of Cisco Cookbook.

See Also

Chapter 19's Recipe 19.8; Recipe 19.9; Chapter 18

Editor's note: Check back to this space next Tuesday for recipes on a little-known IOS feature called IP Multicast Helper, and on a simple way to ensure that the routers never send unimportant messages.

Kevin Dooley is an independent networking consultant who has been designing and implementing networks for more than ten years.


Return to the O'Reilly Network.