
Example of a Manson Script

2018-11-26 by: Mike
This comes from a five-minute talk at a DC423 meeting. It is a cut-down example of one piece of a larger system, which also includes a NOC display.
#!/usr/bin/perl
#EXAMPLE VERSION FOR DC423
#Manson the Mass Murderer. Kills (iptables blocks) errant IPs.
#This version is tuned for Asterisk systems sitting behind a firewall that port-forwards SIP to them.

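  #$stalk = "/tmp/modem.log" ; 
  # Log file that is scanned for authentication failures (the Asterisk "full" log).
  $stalk = "/var/log/asterisk/full" ; 
  # Addresses that are never blocked. They are compared against the address text
  # parsed out of the log lines, so a hostname entry such as 'sippy.foo.com' can
  # never match an IP -- list the resolved address(es) instead, or resolve the
  # name in manson.cnf.
  @whitelist = ('19.7.11.1','sippy.foo.com','74.1.1.1','127.0.0.1','2600:3a02::f13c:91ff:fa0b:6cb') ; 
#Not the real or full list
  # Site configuration; it is expected to set $network, $ip and $cidr (and $mac),
  # see the commented examples below. require() dies if the file is missing,
  # which is what we want: without $network nothing would be treated as local.
  require('/ring-u/manson.cnf') ; 

#$mac='b1:31:92:4e:e9:0b' ; 
#$ip='192.168.1.22' ;
#$network='192.168.1.0' ;
#$cidr='24' ;

  print "Network: $network IP: $ip  CIDR: $cidr\n" ; 
  # Only the network address feeds the "is this local" test below; $cidr is
  # printed but not otherwise consulted anywhere in this script.
  @local = ("$network") ; 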

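# Snapshot the sources that are already DROPped so they are not re-added on
# every run. The rule list is read through a pipe rather than via /tmp/iptables:
# a fixed, predictable file in /tmp written by a root-run script is a symlink /
# pre-creation target for any local user, and the list-form open never goes
# through a shell. As before, any line containing "all" is taken as a rule line
# and its 4th whitespace-separated field as the source address; rules from every
# chain are collected, not just INPUT.
# NOTE(review): the old version left /tmp/iptables behind; if something else
# (the NOC display?) consumed that file, it now needs its own safe source.
open(my $rules, '-|', '/sbin/iptables', '-L', '-n')
    or die "cannot run /sbin/iptables -L -n: $!";
while (my $rule = <$rules>) {
    next unless $rule =~ /all/;
    my @field = split(/\s+/, $rule);
    push(@blocked, $field[3]);
}
# A failed iptables (e.g. not running as root) used to leave @blocked silently
# empty; now it is at least reported.
close($rules) or warn "iptables -L -n exited with status " . ($? >> 8) . "\n";

print "Whitelist: @whitelist\n" ; 
print "Blocked: @blocked\n" ; 
print "Local: @local\n" ; 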

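open(my $log, '<', $stalk) or die "cannot open $stalk: $!";

# The address to block is parsed positionally out of log lines whose other
# fields (the SIP From / Contact header text) are supplied by the remote peer,
# and it ends up on an iptables command line that runs as root. Therefore:
#  - only a plain dotted-quad IPv4 literal is accepted as a block target;
#  - list membership is an exact string comparison, not an unanchored and
#    unescaped regex (where '4.1.1.1' would be "whitelisted" by '74.1.1.1' and
#    '.' matches any character);
#  - iptables is invoked through the list form of system(), so no shell ever
#    sees the address.
# /sbin/iptables is IPv4-only; an IPv6 source would need ip6tables, so such
# addresses are reported and skipped instead of producing an iptables error.
my $ipv4_re = qr/\A\d{1,3}(?:\.\d{1,3}){3}\z/;

while (<$log>) { 
#Contact: sip:100@185.44.76.133:56385
    $ip = '' ; 

    if (/^XContact/) { #rules for t38modem log with tttt  
        print "$_" ; 
        # NOTE(review): the original substitution pattern was lost when this
        # page was extracted (an angle-bracketed pattern was most likely
        # stripped). As written, an empty pattern re-uses the last successful
        # match, i.e. /^XContact/.
        s///g ; 
        @line = split(/[:@><]/) ; 
        $ip = defined $line[3] ? $line[3] : '' ; 
        $ip =~ s/\n//g ; #removes CR's. 
        if ( $ip !~ $ipv4_re ) {
            print "IP '$ip' is not an IPv4 literal, ignored\n" ;
        } elsif ( grep { $_ eq $ip } @whitelist ) {
            print "IP $ip whitelisted\n";
        } elsif ( grep { $_ eq $ip } @blocked ) { 
        #  print "IP $ip already blocked\n";
        } else { 
            # This branch only reports; it never runs iptables (as before).
            $knife = "/sbin/iptables -A INPUT -s $ip -j DROP" ; 
            print "I should kill1: $ip     $knife\n" ; 
        } 
    } 

    if (/No matching endpoint/ or /Failed to authenticate/) { 
#    print "$_" ; 
        # NOTE(review): pattern lost in extraction, see the note above; an
        # empty pattern re-uses whichever of the two alternatives just matched.
        s///g ; 
        s/'//g ; 
        @line = split(/[:@><]/) ; 
        # Same positional parse as before: the 6th [:@<>]-delimited field, then
        # its 4th whitespace-separated word. If a peer-supplied header shifted
        # the fields, or the line simply has another shape, the result is not an
        # IPv4 literal and the line is skipped rather than handed to iptables.
        my @word = split(/\s/, defined $line[5] ? $line[5] : '') ; 
        $ip = defined $word[3] ? $word[3] : '' ; 
        $ip =~ s/\n//g ; #removes CR's. 
        if ( $ip !~ $ipv4_re ) {
            print "IP '$ip' is not an IPv4 literal, ignored\n" ;
            next ;
        }
        @chunk = split(/\./, $ip) ; 
        $shortip = $chunk[0] . '.' . $chunk[1] ;   # first two octets 
#    print "Short: $shortip    @local\n";  
        if ( grep { $_ eq $ip } @whitelist ) {
            print "IP $ip whitelisted\n";
        } elsif ( grep { $_ eq $ip } @blocked ) { 
            print "IP $ip already blocked\n";
        } elsif ( grep { index($_, "$shortip.") == 0 } @local ) { 
            # "Local" means the first two octets match $network -- a /16
            # heuristic that ignores $cidr, exactly as the original did.
        } else { 
            my @knife = ('/sbin/iptables', '-A', 'INPUT', '-s', $ip, '-j', 'DROP') ; 
            $knife = "@knife" ; 
            push (@blocked, $ip) ; 
            print "I should kill2: $ip     $knife\n" ; 
            system(@knife) == 0
                or warn "iptables failed for $ip (exit status " . ($? >> 8) . ")\n" ; 
        } 
    } 
} 
close($log) ; 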

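# Zero the logs so the next run only sees new events. Two caveats: anything
# Asterisk appends between the end of the read loop above and this truncate is
# lost without ever being examined, and the raw evidence of each attack is
# destroyed -- if you ever need to look back at what was blocked and why, copy
# or rotate the file (e.g. logrotate with copytruncate) instead of zeroing it
# here. A failed truncate used to be silent; it is now reported (the script
# must run as a user that can write these files).
for my $logfile ('/var/log/asterisk/full', '/var/log/asterisk/security') {
    truncate($logfile, 0) or warn "truncate $logfile: $!\n";
}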