#!/bin/sh
# sh_denied_packets.sh

# this takes a log file and pulls out just the DENYed packets that
# aren't local

# use the file to check as an argument
# like find_denied_remote /var/log/messages

# the local network
LOCAL_LAN="192.168.1"

# path to the program to resolve the ip addys
LOG_RESOLVE="/home/marc/bin/logresolve"

# path to script to pull out extra info
LOG_STRIP="/home/marc/bin/strip_log.pl"

# if the first argument is not a readable file, use /var/log/messages
if [ ! -r "$1" ]
    then LOG_TO_CHECK="/var/log/messages";
    else LOG_TO_CHECK=$1;
fi

# grep for DENY, but not for my lan, remove the data up to the ip addy
# , resolve the first ip addy, sort it, and remove the dupes

grep DENY $LOG_TO_CHECK | grep -v 127.0.0 | grep -v $LOCAL_LAN \
    | $LOG_STRIP | $LOG_RESOLVE | sort | uniq

