#!/usr/bin/perl
# 6/1/2004 Author: Joe Barbish, I bequeath this perl script to public domain.
# It can be copied and distributed for free by anyone to anyone by any manner.
use strict;
use warnings;

my $line;

print ("
Welcome to the Proactive Abuse Reporting System.

In an effort to be proactive in doing my part to stop the massive quantities of
internet traffic probing for open ports, or more specifically the probing for
known ports that ms/windows spyware, Trojans, and whatever other ms/windows
ports are commonly probed, which result in increasing my bandwidth usage
charges, I wrote this perl application for reporting that abuse to the sender's
ISP, with the hope they will monitor the abuser and terminate the abuser's
internet account.

This group of scripts is based on the log records created by the IPFILTER
firewall. www.dshield.org has perl scripts that use the IPFW log file as
source. The logic code for converting ipfw log records to the DShield record
file format could be lifted from one of the www.dshield.org downloadable
scripts and inserted in these scripts, replacing the ipfilter log record
conversion to DShield record format, if a person wanted to do so.

Enter to continue\n");
$line = <STDIN>;
if (defined $line && $line eq "\n") {
print ("
This proactive abuse reporting system is comprised of 4 major processes, all of
which are based on ipfilter firewall log records.

1. abuse.ipflog.rotate.pl :: This script is executed from within the cron
scheduling system. It checks to see if the ipfilter log file was rotated by the
newsyslog command. If the ipfilter log file was rotated it launches the
following scripts to process the log file, creating abuse email reports
containing the firewall log records.

/etc/crontab has these lines added

# rotate ipfilter security log files every 10 min, if necessary
*/10 * * * * root /root/bin/abuse.ipflog.rotate.pl

/etc/newsyslog.ipflog.conf has this in it.

#
# This is a special-purpose conf file for ipfilter log data which is written
# to /var/log/security. The /etc/crontab file runs the
# /root/bin/abuse.ipflog.rotate.pl script every 10 minutes. This script issues the
# newsyslog -v -f /etc/newsyslog.ipflog.conf /var/log/security command. If the
# security file size is greater than 50k as defined in this file, then
# the log will be rotated and the abuse scripts get run.
#
# logfilename [owner:group] mode count size when flags [/pid_file]
/var/log/security 600 10 50 * B /var/run/syslog.pid

Enter to continue\n");
}
$line = <STDIN>;
if (defined $line && $line eq "\n") {
print ("
2. abuse.dshield.pl :: This script reads the ipf log, drops log records based
on the exclusion file, and creates an email containing all the remaining ipf
log records, which is sent to the global reporting site for abuse at
www.dshield.com. The exclusion file contains only the IP address ranges used
on your private LAN, if you have any.

3. abuse.myisp.pl :: This script reads the ipf log, drops all log records not
contained in the exclusion file, and creates an email containing all the ipf
log records from source IP addresses belonging to your ISP, which is then
emailed to your ISP's abuse department. The exclusion file contains only the
IP address ranges owned by your ISP.

Enter to continue\n");
}
$line = <STDIN>;
if (defined $line && $line eq "\n") {
print ("
4. abuse.public.ISP0.pl :: This script first executes the abuse.public.ISP1.pl
script. It reads the ipf log, drops log records based on the exclusion file,
and writes a file. Then this script sorts the source IP addresses into
sequence, performs a whois command to harvest the abuse reporting email
address of the ISP who owns the IP address range, and then creates an email
containing all the ipf log records for that offending source IP address, which
is then sent to the owning ISP reporting the probing abuse. The exclusion file
contains only the IP address ranges used on your private LAN, if you have any,
and the IP address range owned by your ISP.
\n");
}
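The three steps the scripts above share (read the ipfilter log, drop records whose source falls inside an exclusion file of IP ranges, then group what remains by offending source IP so each group becomes one abuse email) are shown here as an added example. This is not code from Joe Barbish's scripts or from DShield; it assumes the text format that ipmon writes for ipfilter (`@rule:group action src,port -> dst,port PR proto ...`), keeps only blocked (`b`) records as probe evidence, and uses constructed sample log lines and exclusion ranges. The whois lookup of the owning ISP's abuse address, which step 4 performs, is left out because it needs network access.

```perl
#!/usr/bin/perl
# Added example: parse ipmon-style ipfilter log records, drop sources inside
# excluded CIDR ranges, and group the remaining blocked records per source IP.
# The ipmon line layout and the sample data below are assumptions/constructed.
use strict;
use warnings;

# Exclusion list, as the scripts' exclusion file would hold: private LAN ranges.
my @exclude = ('192.168.1.0/24', '10.0.0.0/8');

# Constructed sample log lines in ipmon text format (not real log data).
my @log = (
    'Jun  1 10:00:01 fw ipmon[123]: 10:00:00.123456 xl0 @0:3 b 203.0.113.7,4021 -> 198.51.100.2,135 PR tcp len 20 48 -S IN',
    'Jun  1 10:00:02 fw ipmon[123]: 10:00:01.223456 xl0 @0:3 b 203.0.113.7,4022 -> 198.51.100.2,445 PR tcp len 20 48 -S IN',
    'Jun  1 10:00:03 fw ipmon[123]: 10:00:02.323456 xl1 @0:3 b 192.168.1.20,1025 -> 198.51.100.2,137 PR udp len 20 78 IN',
    'Jun  1 10:00:04 fw ipmon[123]: 10:00:03.423456 xl0 @0:3 b 198.51.100.99,3333 -> 198.51.100.2,1434 PR udp len 20 404 IN',
    'Jun  1 10:00:05 fw ipmon[123]: 10:00:04.523456 xl0 @0:1 p 198.51.100.2,53 -> 203.0.113.53,53 PR udp len 20 60 OUT',
);

# Dotted-quad IPv4 address to a 32-bit integer.
sub ip2int {
    my @o = split /\./, shift;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True when $ip lies inside any of the given CIDR ranges (a bare IP means /32).
sub excluded {
    my ($ip, @ranges) = @_;
    my $n = ip2int($ip);
    for my $r (@ranges) {
        my ($net, $bits) = split m{/}, $r;
        $bits = 32 unless defined $bits;
        my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        return 1 if (($n & $mask) == (ip2int($net) & $mask));
    }
    return 0;
}

# Pull the fields an abuse report needs out of one ipmon log line.
# Returns a hash ref, or undef for lines that are not ipmon records.
sub parse_ipmon {
    my ($line) = @_;
    return undef unless $line =~ m{
        ^(\w+\s+\d+\s+[\d:]+)\s+(\S+)\s+ipmon\[\d+\]:\s+\S+\s+(\S+)\s+
        \@(\S+)\s+([bp])\s+
        (\d+\.\d+\.\d+\.\d+),(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+),(\d+)\s+
        PR\s+(\w+).*?(IN|OUT)\s*$
    }x;
    return {
        when => $1, host => $2, iface => $3, rule => $4, action => $5,
        src => $6, sport => $7, dst => $8, dport => $9,
        proto => $10, dir => $11,
    };
}

# Apply the exclusion file and group blocked records by source IP.
sub group_probes {
    my ($lines, $ranges) = @_;
    my %by_src;
    for my $line (@$lines) {
        my $rec = parse_ipmon($line) or next;
        next unless $rec->{action} eq 'b';        # only blocked packets count as probes
        next if excluded($rec->{src}, @$ranges);  # drop our own LAN / ISP ranges
        push @{ $by_src{ $rec->{src} } }, $line;
    }
    return \%by_src;
}

# Body text of the abuse email for one offending source address.
sub build_report {
    my ($src, $lines) = @_;
    my $n = scalar @$lines;
    return "Abuse report: $n blocked packet(s) logged from $src\n"
         . "Firewall log records (ipfilter/ipmon):\n"
         . join('', map { "  $_\n" } @$lines);
}

# Sorted by address, as step 4 sorts the source IPs into sequence.
my $groups = group_probes(\@log, \@exclude);
for my $src (sort { ip2int($a) <=> ip2int($b) } keys %$groups) {
    print build_report($src, $groups->{$src}), "\n";
}
```

With the sample data this yields two reports: one for 198.51.100.99 (one UDP record) and one for 203.0.113.7 (two TCP records); the 192.168.1.20 record is dropped by the exclusion list and the passed outbound DNS record is dropped because it was not blocked. For abuse.myisp.pl the same grouping applies with the test inverted: keep only records whose source is inside the ISP's ranges.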