Found at
http://www.samag.com/documents/s=1146/sam0109m/0109m_l1.htm#!/usr/bin/awk -f
#
# looks for basic syslog items: failed logins, block connects (via tcpd)
# and bad su's (confirmed in sulog)
#
# copyright(c) 2001 jose nazario
#
BEGIN {
print "\n\tChecking the syslog"
print "\t-------------------"
failed=0
blocked=0
badsu=0
notmine=0
shellcode=0
binsh=0
}
{
if ($5 ~ /login*/) {
# useful for IRIX
if ($6 ~ /failed*/) {
print "failed login: "$9"\tat "$1" "$2" "$3" from\t"$7
failed=failed+1
}
# useful for Linux
if ($0 ~ /LOGIN.FAILURE/) {
print "failed login: "$11"\tat "$1" "$2" "$3" from\t"$10
failed=failed+1
}
# also useful for Linux
if ($0 ~ /FAILED.LOGIN/) {
print "failed login: "$10"\tat "$1" "$2" "$3" from\t"$12
failed=failed+1
}
} # end if $5 == login...
#looking for failed sshd1 logins, openssh2 format
if ($5~ /sshd*/) {
if ($6 == "Failed"){
print "failed login: "$9"\tat "$1" "$2" "$3" from\t"$11
failed=failed+1
}
}
# tcp wrappers check
if ($6 ~ /refused/) {
source=$9
printf("blocked %-32s\tto "$5" at\t"$1" "$2" "$3"\n", source)
blocked=blocked+1
}
# syslog su checking (backed up in sulog on IRIX, Solaris)
# IRIX, Solaris, Linux
if (($5 ~ /su\[*/) && ($6 ~ /failed*/)) {
badsu=badsu+1
printf("failed su from "$10" to "$12" at \t"$1" "$2" "$3"\n")
}
# Linux using PAM (ie RedHat)
if (($12 ~ /su/) && ($7 ~ /failure*/)) {
badsu=badsu+1
print "failed su from "$8" to "$10" at \t"$1" "$2" "$3
}
# HPUX 10.20
if (($6 == "su") && ($7 == "-")) {
badsu=badsu+1
print "failed su: "$9" at \t"$1" "$2" "$3
}
# looking for not local syslog messages
if ($4 != "$HOSTNAME") {
notmine=notmine+1
print "nonlocal syslog entry:"
print $0
}
# looking for possible exloit signatures
# \x90 is x86 only!
if ($0 ~ /\x90/) {
shellcode=shellcode+1
print "----------------- Possible buffer overflow at line "NR
print "time: "$1" "$2" "$3" process was "$5
}
if ($0 ~ /bin.sh/) {
binsh=binsh+1
print "------------- Possible call to /bin/sh at line "NR
print "time: "$1" "$2" "$3" process was "$5
}
}
END {
print "\t----------------------------------------"
printf("\trecords processed:\t%15d\n", NR)
printf("\tnumber of failed logins:%15d\n", failed)
printf("\tblocked connections:\t%15d\n", blocked)
printf("\tnumber of failed su's:\t%15d\n", badsu)
printf("\tlines not from localhost:%15d\n", notmine)
printf("\tpossible shellcode found:%15d\n", shellcode)
printf("\tpossible /bin/sh calls:%15d\n\n", binsh)
}
