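#!/bin/sh
#spambotchk.sh
#Used to alert on outbound SMTP connections for non-mailservers above a threshold
#for a full discussion on its use, see the paper http://www.altsec.info/fwlogproj/Stingley-GIAC-GOLD-2009.pdf
# Copyright (C) 2008 Mark Stingley
# mark AT altsec.info
# http://www.altsec.info
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# See http://www.gnu.org/licenses/licenses.html#GPL or write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307 USA
#
# Changelog:
#Version 20090903.01
#
# Usage: spambotchk.sh   (no arguments; meant to be run from cron every 5 minutes)
#
# Environment (optional overrides of the detection thresholds):
#   CONN_THRESHOLD    alert when accepted SMTP connections in the window exceed this (default 100)
#   TARGET_THRESHOLD  ... and distinct destinations exceed this (default 10)
#
# Side effects: appends reported source addresses to /var/run/botchk.list and
# sends mail to the two alert recipients below.

set -eu

# Thresholds used by the awk filter on the query result (previously hard-coded
# as $2>100 && $3>10). Overridable from the environment; defaults unchanged.
CONN_THRESHOLD=${CONN_THRESHOLD:-100}
TARGET_THRESHOLD=${TARGET_THRESHOLD:-10}

#botchk.list is a daily list of reported spambots, a simple way
#of avoiding self-spam and noise
BOTCHK_LIST=/var/run/botchk.list
ALERT_MAIL=somebody@example.com
ALERT_SMS=phone-number@mms.example.com

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf 'spambotchk: %s\n' "$*" >&2
  exit 1
}

# Remove temporary files on every exit path (normal end, die(), signal).
cleanup() {
  rm -f -- "$TMPFILE" "$TMPQRY" "$MAILTMP" "$TMPRAW"
}

#create some secure temporary files (mktemp: unpredictable names, mode 0600)
TMPFILE=$(mktemp) || die "mktemp failed"
TMPQRY=$(mktemp) || die "mktemp failed"
MAILTMP=$(mktemp) || die "mktemp failed"
TMPRAW=$(mktemp) || die "mktemp failed"
trap cleanup EXIT

#store the times NOW and 5 minutes ago in MySQL date time format
#(date -d is GNU date; these values are generated locally, not user input)
TNOW=$(date "+%Y-%m-%d %H:%M")
TTHEN=$(date -d "5 minutes ago" "+%Y-%m-%d %H:%M")

#if the daily list doesn't exist, create it
if [ ! -f "$BOTCHK_LIST" ]; then
  touch -- "$BOTCHK_LIST"
fi

#build the query with the following criteria
#1. for the past five minutes
#2. for valid connections (not dropped)
#3. on internet firewall interfaces 192.168.15.1 and 192.168.15.2
#4. originating from internal systems (networks 192.168. and 172.16.)
#5. excluding internal destinations (NOT networks 192.168. and 172.16.)
#6. excluding known mailservers (subnets 192.106.101 and 192.168.8)
#7. looking at only SMTP traffic (destination port 25)
#8. examine only the top 40 talkers
#ISQL needs a blank line after the query statement, hence the empty line
#before EOF
cat > "$TMPQRY" <<EOF
select distinct count(*) as count, count(distinct fw1dst) as targets,fw1src,fw1service,fw1proto from fw1logs.fw1logs where fw1time between "$TTHEN" and "$TNOW" and fw1action = "accept" and (fw1orig = "192.168.15.1" or fw1orig = "192.168.15.2") and (mid(fw1src,1,8) = "192.168." or mid(fw1src,1,7) = "172.16.") and mid(fw1dst,1,8) != "192.168." and mid(fw1dst,1,7) != "172.16." and mid(fw1src,1,11) != "192.168.101" and mid(fw1src,1,10) != "192.168.8." and fw1service = "25" group by fw1src, fw1service, fw1proto order by count desc limit 40;

EOF

#run the query with the 32 bit version of isql (renamed isql32)
#A failing query must not be mistaken for "no spambots found", so the
#exit status is checked instead of being lost in a pipeline.
#NOTE(review): the password is passed on the command line and is therefore
#visible to other local users via ps; if the ODBC driver supports it, move
#the credential into a DSN definition with restricted file permissions.
isql32 -b FWLogs32 logger somepassword < "$TMPQRY" > "$TMPRAW" \
  || die "isql32 query failed; spambot check not performed"

#keep only result rows (they contain a dotted address) and apply the
#thresholds: $2 is total connections, $3 is number of distinct destinations.
#Fields are padded with blanks, so "$2 $3 $4" yields "count targets ip".
grep '\.' "$TMPRAW" \
  | awk -F'|' -v cmin="$CONN_THRESHOLD" -v tmin="$TARGET_THRESHOLD" \
      '{ if ($2 + 0 > cmin + 0 && $3 + 0 > tmin + 0) print $2 $3 $4 }' > "$TMPFILE"

#example output for a confirmed spambot
#+-------+---------+----------------+------------+----------+
#| count | targets | fw1src         | fw1service | fw1proto |
#+-------+---------+----------------+------------+----------+
#|   809 |     564 | 192.168.124.38 | 25         | tcp      |
#|     4 |       2 | 192.168.139.1  | 25         | tcp      |
#|     3 |       1 | 172.16.104.26  | 25         | tcp      |
#|     1 |       1 | 172.16.103.91  | 25         | tcp      |
#+-------+---------+----------------+------------+----------+
#stored text in $TMPFILE after the above grep/awk
#   809       564   192.168.124.38

#read the resulting file; the loop simply does nothing if no spambots were found
#each line holds the total count, number of targets, and source ip address
while read -r cnt tgt ip _; do
  #skip blank lines
  [ -n "${ip:-}" ] || continue
  #rows are expected to be IPv4 dotted quads (the SQL restricts sources to
  #192.168./172.16.); anything else is not a result row, so skip it
  case "$ip" in
    *[!0-9.]*|'') continue ;;
  esac

  #see if the spambot has already been reported today.
  #Exact, fixed-string line match: a plain substring grep would let
  #192.168.1.1 in the list suppress an alert for 192.168.1.10.
  if grep -qxF -- "$ip" "$BOTCHK_LIST"; then
    continue
  fi

  #add the spambot's ip address to the daily list
  printf '%s\n' "$ip" >> "$BOTCHK_LIST"

  #build the text file to be emailed and sent to cell phones
  {
    printf '%s\n' "SPAMBOT detected"
    date "+%Y-%m-%d %H:%M"
    printf '\n\n'
    printf '%s\n' "$ip, $cnt connections, $tgt targets"
  } > "$MAILTMP"

  #a failed mail must not abort the run: other detections should still be
  #reported, so only warn on stderr
  mail -s "$ip: SPAMBOT" "$ALERT_MAIL" < "$MAILTMP" \
    || printf 'spambotchk: mail to %s failed for %s\n' "$ALERT_MAIL" "$ip" >&2
  mail -s "$ip: SPAMBOT" "$ALERT_SMS" < "$MAILTMP" \
    || printf 'spambotchk: mail to %s failed for %s\n' "$ALERT_SMS" "$ip" >&2

  #pause 15 seconds to let the mailer do its thing
  sleep 15
done < "$TMPFILE"

#temporary files are deleted by the EXIT trap (cleanup)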