From f0003a7f5af5edb41bab2e248371b812c5d2dfd6 Mon Sep 17 00:00:00 2001
From: Sefinek
Date: Wed, 25 Dec 2024 00:32:52 +0100
Subject: [PATCH] Update logData

---
 default.config.js | 30 ++++++++++++++++++++++++++++--
 index.js | 31 ++++++++++++++++++++-----------
 2 files changed, 48 insertions(+), 13 deletions(-)

diff --git a/default.config.js b/default.config.js
index 068e774..843fb80 100644
--- a/default.config.js
+++ b/default.config.js
@@ -12,14 +12,40 @@ exports.MAIN = {
 GITHUB_REPO: 'https://github.com/sefinek/UFW-AbuseIPDB-Reporter', // If you are using a fork, provide the link to the forked repository here.
 };
-exports.REPORT_COMMENT = (timestamp, srcIp, dstIp, proto, spt, dpt, ttl, len, tos, serverName) => {
+/**
+ * Generates a report submission to AbuseIPDB.
+ * @param {Object} logData
+ * @param {string|null} logData.timestamp
+ * @param {string|null} logData.In
+ * @param {string|null} logData.Out
+ * @param {string|null} logData.srcIp
+ * @param {string|null} logData.dstIp
+ * @param {string|null} logData.res
+ * @param {string|null} logData.tos
+ * @param {string|null} logData.prec
+ * @param {string|null} logData.ttl
+ * @param {string|null} logData.id
+ * @param {string|null} logData.proto
+ * @param {string|null} logData.spt
+ * @param {string|null} logData.dpt
+ * @param {string|null} logData.len
+ * @param {string|null} logData.urgp
+ * @param {string|null} logData.mac
+ * @param {string|null} logData.window
+ * @param {boolean} logData.syn
+ * @param {string|null} fullLog
+ * @param {string|null} serverName
+ *
+ * @returns {string} A formatted string report.
+ */
+exports.REPORT_COMMENT = ({ timestamp, In, Out, srcIp, dstIp, res, tos, prec, ttl, id, proto, spt, dpt, len, urgp, mac, window, syn }, fullLog, serverName) => {
 return `Blocked by UFW ${serverName ? `on ${serverName} ` : ''}[${dpt}/${proto?.toLowerCase()}]
 Source port: ${spt || 'N/A'}
 TTL: ${ttl || 'N/A'}
 Packet length: ${len || 'N/A'}
 TOS: ${tos || 'N/A'}
-This report (for ${srcIp}) was generated by:
+This report was generated by:
 https://github.com/sefinek/UFW-AbuseIPDB-Reporter`; // Please do not remove this URL; I would be very grateful! Thank you. 💙
 };
diff --git a/index.js b/index.js
index 9a5fe63..55eb07c 100644
--- a/index.js
+++ b/index.js
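Review bot: The JSDoc added above REPORT_COMMENT lists `fullLog`, `logData.mac`, `logData.dstIp`, `logData.In` and `logData.Out` as available inputs but never says that the returned string is published with the AbuseIPDB report, so someone customizing this template gets no hint that those fields describe the reporting host (its own address, interface and link-layer addresses, and the raw line) rather than the attacker. The hunk itself drops `${srcIp}` from the comment body, which suggests the author is already thinking about what ends up public; stating it in the doc would make that explicit. Suggest adding to the description: ` * The returned string is published with the report; avoid interpolating dstIp, mac, In/Out or fullLog, which identify the reporting host.` The summary line also oversells the function, which only builds the comment text rather than a submission, and `fullLog` is accepted but unused in the body, so `@param {string|null} fullLog - raw log line (unused by the default template)` would be more accurate.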
@@ -28,19 +28,28 @@ const reportToAbuseIPDb = async (ip, categories, comment) => {
 const processLogLine = async line => {
 if (!line.includes('[UFW BLOCK]')) return log(1, `Ignoring line: ${line}`);
- const match = {
+ const logData = {
 timestamp: line.match(/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:[+-]\d{2}:\d{2})?/)?.[0] || null,
- srcIp: line.match(/SRC=([\d.]+)/)?.[1] || null,
- dstIp: line.match(/DST=([\d.]+)/)?.[1] || null,
- proto: line.match(/PROTO=(\S+)/)?.[1] || null,
- spt: line.match(/SPT=(\d+)/)?.[1] || null,
- dpt: line.match(/DPT=(\d+)/)?.[1] || null,
- ttl: line.match(/TTL=(\d+)/)?.[1] || null,
- len: line.match(/LEN=(\d+)/)?.[1] || null,
- tos: line.match(/TOS=(\S+)/)?.[1] || null,
+ In: line.match(/IN=([\d.]+)/)?.[1] || null,
+ Out: line.match(/OUT=([\d.]+)/)?.[1] || null,
+ srcIp: line.match(/SRC=([\d.]+)/)?.[1] || null,
+ dstIp: line.match(/DST=([\d.]+)/)?.[1] || null,
+ res: line.match(/RES=(\S+)/)?.[1] || null,
+ tos: line.match(/TOS=(\S+)/)?.[1] || null,
+ prec: line.match(/PREC=(\S+)/)?.[1] || null,
+ ttl: line.match(/TTL=(\d+)/)?.[1] || null,
+ id: line.match(/ID=(\d+)/)?.[1] || null,
+ proto: line.match(/PROTO=(\S+)/)?.[1] || null,
+ spt: line.match(/SPT=(\d+)/)?.[1] || null,
+ dpt: line.match(/DPT=(\d+)/)?.[1] || null,
+ len: line.match(/LEN=(\d+)/)?.[1] || null,
+ urgp: line.match(/URGP=(\d+)/)?.[1] || null,
+ mac: line.match(/MAC=([\w:]+)/)?.[1] || null,
+ window: line.match(/WINDOW=(\d+)/)?.[1] || null,
+ syn: !!line.includes('SYN'),
 };
- const { srcIp, proto, dpt } = match;
+ const { srcIp, proto, dpt } = logData;
 if (!srcIp) {
 log(1, `Missing SRC in log line: ${line}`);
 return;
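Review bot: The new `In` and `Out` extractors reuse the `[\d.]+` character class from the SRC/DST patterns, but in a UFW kernel log line IN= and OUT= hold interface names such as eth0, so the match fails on the first letter and both fields come back null for almost every line (only an interface name beginning with a digit would match). Changing them to `In: line.match(/IN=(\S+)/)?.[1] || null,` and `Out: line.match(/OUT=(\S+)/)?.[1] || null,` captures the name and still yields null for the empty OUT= of an inbound block, since `\S+` needs at least one character. On the `syn` line the `!!` is redundant because `includes` already returns a boolean, and a bare `'SYN'` substring also matches that text anywhere in the line, for example inside an uppercase host name; `/\bSYN\b/.test(line)` would be narrower, though whether that matters depends on the host names in use. processLogLine continues past the end of the hunk.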
@@ -85,7 +94,7 @@ const processLogLine = async line => {
 }
 const categories = config.DETERMINE_CATEGORIES(proto, dpt);
- const comment = config.REPORT_COMMENT(match.timestamp, srcIp, match.dstIp, proto, match.spt, dpt, match.ttl, match.len, match.tos, SERVER_ID);
+ const comment = config.REPORT_COMMENT(logData, line, SERVER_ID);
 log(0, `Reporting IP ${srcIp} (${proto} ${dpt}) with categories: ${categories}`);