#!/usr/bin/perl
#
# PIX Logging Architecture
# [ Kristof Philipsen ]
#
# This file is part of PIX Logging Architecture
#
# PIX Logging Architecture is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# PIX Logging Architecture is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Foobar; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA


use DBI;
use POSIX qw(strftime);

#
# Variables
#
$mysql_db_host = "<mysql_logging_host>";	# MySQL Host
$mysql_db_port = "<mysql_logging_port>";	# MySQL Port
$mysql_db_user = "<mysql_logging_user>";	# MySQL User
$mysql_db_pass = "<mysql_logging_pass>";	# MySQL Pass
$pix_log_file  = "<mysql_logging_file>";	# PIX Log File

&db_connect;

%months =   (
             "Jan","01",
             "Feb","02",
             "Mar","03",
             "Apr","04",
             "May","05",
             "Jun","06",
             "Jul","07",
             "Aug","08",
             "Sep","09",
             "Oct","10",
             "Nov","11",
             "Dec","12"
             );

$date=`date +%Y%m%d`;
$date=~s/\n//g;
$title=`date +%b' '%d' '%Y`;
$title=~s/\n//g;

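# Build the global $realdate ("YYYY-MM-DD HH:MM:SS") from the date tokens the
# main loop split out of the current syslog line: $pixyear, $pixmonth (three
# letter abbreviation looked up in %months), $pixdate and $pixtime. Also
# updates the globals $pxtime and $pixdate as before, and returns $realdate.
sub calculatedate {
    # The PIX time token carries a trailing colon ("12:34:56:"); the greedy
    # match keeps everything before the LAST colon. A token without any
    # colon is now used unchanged -- previously $pxtime silently kept the
    # value from the previous line, timestamping this event wrongly.
    my $time = $pixtime;
    if ($pixtime =~ /(.*):/) {
        $time = $1;
    }
    $pxtime = $time;

    # Zero-pad a single-digit day so the result parses as a DATETIME.
    if (length($pixdate) == 1) {
        $pixdate = "0$pixdate";
    }

    # NOTE(review): an unknown month token yields an empty month field;
    # callers do not currently validate $realdate before inserting it.
    $realdate = "$pixyear-$months{$pixmonth}-$pixdate $pxtime";
    return $realdate;
}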

# Open the logging database connection into the global $dbh using the
# $mysql_db_* settings declared at the top of the script. Dies with the
# DBI error text when the connection cannot be established; otherwise
# returns the handle.
sub db_connect {
    my $dsn = "DBI:mysql:database=pix;host=$mysql_db_host;port=$mysql_db_port";
    $dbh = DBI->connect($dsn, $mysql_db_user, $mysql_db_pass)
        or die "Couldn't connect to database: $DBI::errstr\n";
    return $dbh;
}

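# Shared INSERT into traffic_log. $action is the literal 'DROP' or 'ACCEPT'
# tag; every other column comes from the globals filled by the main loop
# ($realdate, $pixhost, $pixmsg, $proto, $srcip, $srcpt, $dstip, $dstpt,
# $flag). The first column is left as '' exactly as the original statement
# wrote it. Field values are bound as placeholders instead of being
# interpolated into the SQL text: they are lifted straight out of syslog
# lines, so a message containing a quote must not be able to change the
# statement. Returns execute()'s status (undef on failure).
sub _write_traffic_row {
    my ($action) = @_;
    my $sth = $dbh->prepare(
        "insert into traffic_log values('', ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
    ) or die "Couldn't prepare traffic_log insert: $DBI::errstr\n";
    my $rc = $sth->execute($realdate, $pixhost, $pixmsg, $action, $proto,
                           $srcip, $srcpt, $dstip, $dstpt, $flag);
    #print "$realdate\t$pixhost\t$action\t$proto\t$srcip\t$srcpt\t$dstip\t$dstpt\t$flag\n";
    return $rc;
}

# Record the current line's fields as a DROP row in traffic_log.
sub write_traffic_drop_db {
    return _write_traffic_row('DROP');
}

# Record the current line's fields as an ACCEPT row in traffic_log.
sub write_traffic_accept_db {
    return _write_traffic_row('ACCEPT');
}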

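# Record the current IDS line as a row in ids_log from the globals the main
# loop filled ($realdate, $pixhost, $proto, $srcip, $dstip, $signature). The
# first column is left as '' as before and the signature is stored with its
# "IDS:" prefix. Values are bound as placeholders rather than interpolated:
# the signature text in particular is copied from the syslog message, so a
# quote inside it must not reach the SQL parser. Returns execute()'s status.
sub write_ids_db {
    my $sth = $dbh->prepare(
        "insert into ids_log values('', ?, ?, ?, ?, ?, ?)"
    ) or die "Couldn't prepare ids_log insert: $DBI::errstr\n";
    my $rc = $sth->execute($realdate, $pixhost, $proto, $srcip, $dstip,
                           "IDS:$signature");
    return $rc;
}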

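# Reduce the syslog tag token ("%PIX-3-313001:") to the bare message ID
# ("PIX-3-313001") in the global $pixmsg. A token without the '%...:' shape
# is left untouched, which is what every branch below used to do inline.
sub _strip_pixmsg_tag {
    if ($pixmsg =~ /%(.*):/) {
        $pixmsg = $1;
    }
    return;
}

# Fill the globals $srcip/$srcpt/$dstip/$dstpt from the "iface:ip/port"
# tokens of a connection-built message. For outbound connections the two
# endpoints are swapped. A $direction that is neither "inbound" nor
# "outbound" leaves all four globals untouched (i.e. still holding the
# previous line's values) -- unchanged from the original; NOTE(review): a
# parse error would be the safer outcome.
sub _assign_connection_endpoints {
    my ($direction, $src, $dst) = @_;
    my (undef, $src_elig) = split(":", $src);
    my (undef, $dst_elig) = split(":", $dst);
    if ($direction eq "outbound") {
        ($srcip, $srcpt) = split("/", $dst_elig);
        ($dstip, $dstpt) = split("/", $src_elig);
    }
    if ($direction eq "inbound") {
        ($srcip, $srcpt) = split("/", $src_elig);
        ($dstip, $dstpt) = split("/", $dst_elig);
    }
    return;
}

# Three-arg open with a lexical handle: the two-arg form re-parses the path,
# so a configured value starting with '>' or '|' would change the open mode.
# An unreadable file is fatal on purpose -- the original carried on to delete
# the file and restart syslog even when nothing had been loaded.
open(my $log_fh, '<', $pix_log_file)
    or die "Couldn't open PIX log file $pix_log_file: $!\n";

# Each message type is tested independently (not elsif), as before. The
# branches pick their fields positionally out of the whitespace-split line,
# so any change in the PIX message wording shifts every later column.
while (my $line = <$log_fh>) {
    if ($line =~ /(.*)IDS:(.*)/) {
        if ($line =~ /IDS:(.*) from (.*) to (.*) on interface(.*)/) {
            $signature = $1;
            $srcip     = $2;
            $dstip     = $3;
        }
        ($tmp,$tmp,$tmp,$pixhost,$pixmonth,$pixdate,$pixyear,$pixtime,$pixmsg,$idsmsg,$proto,$end) = split(" ", $line);
        calculatedate();
        write_ids_db();
    }
    if ($line =~ /(.*)PIX-3-313001(.*)/) {
        ($tmp,$tmp,$tmp,$pixhost,$pixmonth,$pixdate,$pixyear,$pixtime,$pixmsg,$tmp,$proto,$icmptype,$icmpcode,$tmp,$srcip,$tmp) = split(" ", $line);
        $proto = "ICMP";
        $flag  = "$icmptype $icmpcode";
        calculatedate();
        $srcpt = "n/a";
        $dstpt = "n/a";
        _strip_pixmsg_tag();
        write_traffic_drop_db();
    }
    if ($line =~ /(.*)PIX-4-106023(.*)/) {
        ($tmp,$tmp,$tmp,$pixhost,$pixmonth,$pixdate,$pixyear,$pixtime,$pixmsg,$tmp,$proto,$tmp,$src,$tmp,$dst,$tmp,$icmptype,$tmp,$icmpcode,$tmp) = split(" ", $line);
        # Fix: the original assigned the source address to a typo'd $srip,
        # so $srcip silently kept whatever the previous line had set.
        (undef, $srcip) = split(":", $src);
        (undef, $dstip) = split(":", $dst);
        $proto = "ICMP";
        # The leading "(" has no closing partner; kept byte-for-byte because
        # it is what the existing traffic_log rows contain.
        $flag = "(type $icmptype code $icmpcode";
        calculatedate();
        $srcpt = "n/a";
        $dstpt = "n/a";
        _strip_pixmsg_tag();
        write_traffic_drop_db();
    }
    if ($line =~ /(.*)PIX-6-106015(.*)/) {
        ($tmp,$tmp,$tmp,$pixhost,$pixmonth,$pixdate,$pixyear,$pixtime,$pixmsg,$tmp,$proto,$tmp,$tmp,$tmp,$src,$tmp,$dst,$tmp,$flag,$end) = split(" ", $line);
        ($srcip, $srcpt) = split("/", $src);
        ($dstip, $dstpt) = split("/", $dst);
        if ($end =~ /(.*) on interface (.*)/) {
            $flag = $1;
        }
        $proto = "TCP";
        calculatedate();
        _strip_pixmsg_tag();
        write_traffic_drop_db();
    }
    if ($line =~ /(.*)PIX-6-302015(.*)/) {
        ($tmp,$tmp,$tmp,$pixhost,$pixmonth,$pixdate,$pixyear,$pixtime,$pixmsg,$tmp,$direction,$proto,$tmp,$tmp,$tmp,$src,$tmp,$tmp,$dst,$end) = split(" ", $line);
        _assign_connection_endpoints($direction, $src, $dst);
        $proto = "UDP";
        $flag  = "n/a";
        calculatedate();
        _strip_pixmsg_tag();
        write_traffic_accept_db();
    }
    if ($line =~ /(.*)PIX-6-302013(.*)/) {
        ($tmp,$tmp,$tmp,$pixhost,$pixmonth,$pixdate,$pixyear,$pixtime,$pixmsg,$tmp,$direction,$proto,$tmp,$tmp,$tmp,$src,$tmp,$tmp,$dst,$end) = split(" ", $line);
        _assign_connection_endpoints($direction, $src, $dst);
        $proto = "TCP";
        $flag  = "n/a";
        calculatedate();
        _strip_pixmsg_tag();
        write_traffic_accept_db();
    }
}
close($log_fh);

# Rotate the file just loaded and restart syslog so it reopens it. List-form
# system() runs each command without a shell, so the configured path is one
# argument and cannot be split or re-interpreted; the restart still runs
# when the removal fails, matching the old "cmd1;cmd2" string.
system('rm', '-rf', $pix_log_file);
system('/etc/init.d/syslog', 'restart');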
