Example of a Manson Script
2018-11-26 by: Mike
This is part of a 5-minute talk at a DC423 meeting,
and a subset/example of a larger system that also includes the NOC Display.
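#!/usr/bin/perl
#EXAMPLE VERSION FOR DC423
#Manson the Mass Murderer. Kills (iptables blocks) errant IP's
#This version is tuned up for Asterisk Systems with port forwarding at the firewall.
#
# Review notes (security):
#  * Every address pulled out of the log is validated as an anchored dotted-quad
#    IPv4 literal before it is used anywhere.  The log is attacker-controlled
#    (SIP headers are written to it verbatim) and the address ends up in an
#    iptables command executed as root, so the old "$knife" string passed to
#    system() was a shell-injection path from the network.  Anything that does
#    not look like an IPv4 address is skipped, never blocked.
#  * iptables is always invoked in list form, so no shell is involved.
#  * The current rule set is read over a pipe instead of through a predictable
#    /tmp/iptables file (a root-owned script writing to a fixed /tmp path is a
#    classic symlink target).  /tmp/iptables is no longer created.
#  * Whitelist / blocked / local checks are exact string (or anchored prefix)
#    comparisons.  The previous unanchored grep(/$ip/, ...) treated '.' as a
#    wildcard and matched substrings, so e.g. whitelisting 74.1.1.1 also
#    protected 174.1.1.10, and an empty $ip became the "last match" pattern.
use strict;
use warnings;

#my $stalk = "/tmp/modem.log" ;
my $stalk = "/var/log/asterisk/full" ;

# Compared as exact strings: hostnames (and IPv6 literals, which this script
# never extracts from the log) in this list never match a log IP.
my @whitelist = ('19.7.11.1','sippy.foo.com','74.1.1.1','127.0.0.1','2600:3a02::f13c:91ff:fa0b:6cb') ; #Not the real or full list

# The config file is expected to set these package globals.
our ($mac, $ip, $network, $cidr);
require('/ring-u/manson.cnf') ;
#$mac='b1:31:92:4e:e9:0b' ;
#$ip='192.168.1.22' ;
#$network='192.168.1.0' ;
#$cidr='24' ;
print "Network: $network IP: $ip CIDR: $cidr\n" ;
my @local = ("$network") ;

# Returns the address if it is a well-formed dotted-quad IPv4 literal, else
# nothing.  This is the only gate between attacker-controlled log text and
# the iptables command line, so keep it strict and anchored.
sub validate_ip {
    my ($cand) = @_;
    return unless defined $cand;
    $cand =~ s/\s+\z//;    # drop trailing newline/CR (the old code stripped "\n")
    my $octet = qr/(?:25[0-5]|2[0-4]\d|1?\d?\d)/;
    return unless $cand =~ /\A($octet(?:\.$octet){3})\z/;
    return $1;             # reassigned from the capture, so the value is clean
}

# True when $addr is literally present in @$list (no regex, no substrings).
sub is_listed {
    my ($addr, $list) = @_;
    return scalar grep { $_ eq $addr } @$list;
}

# True when the first two octets of $addr match the start of a local network
# entry (the original intent of the "shortip" prefix check, now anchored).
sub is_local {
    my ($addr) = @_;
    my ($a, $b) = split(/\./, $addr);
    my $shortip = "$a.$b";
    return scalar grep { /\A\Q$shortip\E\./ } @local;
}

# Append a DROP rule for one validated address, bypassing the shell.
# Returns nothing; a failed iptables call is reported on STDERR, not hidden.
sub block_ip {
    my ($bad) = @_;
    my @knife = ('/sbin/iptables', '-A', 'INPUT', '-s', $bad, '-j', 'DROP');
    print "I should kill2: $bad @knife\n";
    system(@knife) == 0
        or warn "iptables failed for $bad (exit $?)\n";
    return;
}

# Collect the source column of every existing "all" rule so we do not append
# duplicates.  Read over a pipe; nothing is written to /tmp.
my @blocked;
open(my $ipt, '-|', '/sbin/iptables', '-L', '-n')
    or die "cannot run /sbin/iptables: $!";
while (my $rule = <$ipt>) {
    next unless $rule =~ /all/;
    my @col = split(/\s+/, $rule);
    push(@blocked, $col[3]) if defined $col[3];
}
close($ipt);

print "Whitelist: @whitelist\n" ;
print "Blocked: @blocked\n" ;
print "Local: @local\n" ;

open(my $log, '<', $stalk) or die "cannot open $stalk: $!";
while (my $line = <$log>) {
    #Contact: sip:100@185.44.76.133:56385
    if ($line =~ /^XContact/) {
        #rules for t38modem log with leading tabs.  Kept exactly as found: the
        #leading 'X' looks like a deliberate disable, and this branch only
        #reports - it never calls iptables.
        print "$line" ;
        (my $clean = $line) =~ s/[<>]//g;
        my @field = split(/[:@><]/, $clean);
        my $cand = validate_ip($field[3]);
        if (defined $cand) {
            if (is_listed($cand, \@whitelist)) {
                print "IP $cand whitelisted\n";
            }
            elsif (is_listed($cand, \@blocked)) {
                # print "IP $cand already blocked\n";
            }
            else {
                my @knife = ('/sbin/iptables', '-A', 'INPUT', '-s', $cand, '-j', 'DROP');
                print "I should kill1: $cand @knife\n";
            }
        }
    }
    if ($line =~ /No matching endpoint/ or $line =~ /Failed to authenticate/) {
        # print "$line" ;
        # Same field walk as the original: strip <>', split on [:@<>], take the
        # 6th field, split on single whitespace, take the 4th word.  Whether
        # that word is really an address is decided by validate_ip, not assumed.
        (my $clean = $line) =~ s/[<>']//g;
        my @field = split(/[:@><]/, $clean);
        my @word  = split(/\s/, defined $field[5] ? $field[5] : '');
        my $cand  = validate_ip($word[3]);
        next unless defined $cand;    # not an IPv4 literal: log garbage or injection attempt
        # print "Short: " . join('.', (split /\./, $cand)[0,1]) . " @local\n";
        if (is_listed($cand, \@whitelist)) {
            print "IP $cand whitelisted\n";
        }
        elsif (is_listed($cand, \@blocked)) {
            print "IP $cand already blocked\n";
        }
        elsif (is_local($cand)) {
            # print "IP $cand is local\n";
        }
        else {
            push(@blocked, $cand);
            block_ip($cand);
        }
    }
}
close($log);

# NOTE(review): truncating the logs after every run destroys the evidence of
# who was blocked and why (and of anything that was NOT an IP and got skipped).
# Behaviour kept as in the original; rotating instead of truncating would be
# the safer choice for incident response.
truncate('/var/log/asterisk/full', 0)     or warn "truncate full: $!\n";
truncate('/var/log/asterisk/security', 0) or warn "truncate security: $!\n";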