<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security &#8211; Johnny Morano&#039;s Tech Articles</title>
	<atom:link href="https://jmorano.moretrix.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>https://jmorano.moretrix.com</link>
	<description>Ramblings of an old-fashioned space cowboy</description>
	<lastBuildDate>Wed, 20 Apr 2022 07:09:43 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.2</generator>

<image>
	<url>https://jmorano.moretrix.com/wp-content/uploads/2022/04/cropped-jmorano_emblem-32x32.png</url>
	<title>Security &#8211; Johnny Morano&#039;s Tech Articles</title>
	<link>https://jmorano.moretrix.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Time based network access control on OpenBSD</title>
		<link>https://jmorano.moretrix.com/2022/03/time-based-network-access-control-on-openbsd/</link>
					<comments>https://jmorano.moretrix.com/2022/03/time-based-network-access-control-on-openbsd/#respond</comments>
		
		<dc:creator><![CDATA[Johnny Morano]]></dc:creator>
		<pubDate>Tue, 01 Mar 2022 13:14:17 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[PF]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[UNIX]]></category>
		<guid isPermaLink="false">https://jmorano.moretrix.com/?p=1293</guid>

					<description><![CDATA[Time based ACL (access control lists) features do not exist in BSD&#8217;s packet filter (PF). Having your network&#8230;]]></description>
										<content:encoded><![CDATA[
<p>Time based ACL (access control list) features do not exist in BSD&#8217;s packet filter (<code>PF</code>). Having your network &#8220;shut down&#8221; at certain times (for instance, allowing certain network ranges or specific IP addresses only during &#8220;business hours&#8221; or another specific time range) can be achieved with a simple <code>PF</code> table and a <code>cronjob</code>.</p>



<p>First, let&#8217;s set up the <code>PF</code> table which will control the traffic. Add the following to your <code>/etc/pf.conf</code> :</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""># add time block table
table &lt;time_block> { } persist
</pre>



<p>Next, create a <code>PF</code> rule which blocks traffic for all entries in the <code>time_block</code> table:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""># block all CIDR addresses in the time block table
block in quick log from &lt;time_block> to any
</pre>



<p>Since the <code>time_block</code> table is still empty, no traffic is actually blocked.</p>



<p>The last thing to implement is periodically manipulating the <code>time_block</code> table. This can be done with two <code>cronjobs</code>:</p>



<ol class="wp-block-list"><li>allow traffic at the beginning of &#8220;business hours&#8221;</li><li>block traffic at the end of &#8220;business hours&#8221;</li></ol>



<pre class="EnlighterJSRAW" data-enlighter-language="shell" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">crontab -e
# Allow traffic
0 7 * * * /usr/local/scripts/allow_employees.sh > /dev/null 2>&amp;1
# Block traffic
0 17 * * * /usr/local/scripts/block_employees.sh > /dev/null 2>&amp;1
</pre>



<p>The <code>allow_employees.sh</code> script will allow certain network ranges by ensuring those are removed from the <code>time_block</code> table:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="shell" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#!/bin/sh

/sbin/pfctl -Td -t time_block 10.1.0.0/24
/sbin/pfctl -Td -t time_block 10.2.0.0/24
</pre>



<p>The <code>block_employees.sh</code> script will do the exact opposite: it will add ranges to the <code>time_block</code> table so that their network access will be blocked by the firewall:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="shell" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#!/bin/sh

/sbin/pfctl -Ta -t time_block 10.1.0.0/24
/sbin/pfctl -Ta -t time_block 10.2.0.0/24
</pre>



<p>Finally, deploy your new PF rules (test them first!):</p>



<pre class="EnlighterJSRAW" data-enlighter-language="shell" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">pfctl -nf /etc/pf.conf
pfctl -f /etc/pf.conf</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2022/03/time-based-network-access-control-on-openbsd/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Block countries on OpenBSD using pf</title>
		<link>https://jmorano.moretrix.com/2022/03/block-countries-on-openbsd-using-pf/</link>
					<comments>https://jmorano.moretrix.com/2022/03/block-countries-on-openbsd-using-pf/#respond</comments>
		
		<dc:creator><![CDATA[Johnny Morano]]></dc:creator>
		<pubDate>Tue, 01 Mar 2022 12:28:09 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[PF]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[UNIX]]></category>
		<guid isPermaLink="false">https://jmorano.moretrix.com/?p=1291</guid>

					<description><![CDATA[Same as in the previous article, full countries can be easily blocked on OpenBSD firewall using the pf&#8230;]]></description>
										<content:encoded><![CDATA[
<p>As in the <a href="https://jmorano.moretrix.com/2022/03/block-countries-using-iptables/" data-type="post" data-id="1285">previous article</a>, entire countries can easily be blocked on an OpenBSD firewall using <code>pf</code> and <a rel="noreferrer noopener" href="https://ipdeny.com/" target="_blank">https://ipdeny.com/</a>.</p>



<p>The zone files provided by <a rel="noreferrer noopener" href="https://ipdeny.com/" target="_blank">https://ipdeny.com/</a> need to be stored locally. A simple way to achieve this is by having a <code>cronjob</code> downloading those periodically (for instance once per day):</p>



<pre class="EnlighterJSRAW" data-enlighter-language="shell" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#!/bin/sh

# download the latest country zone files; -f makes curl fail on an HTTP
# error and the file is only moved into place on success, so a failed
# download never leaves an empty zone file behind
for zone in ru cn; do
    curl -sf "https://www.ipdeny.com/ipblocks/data/countries/${zone}.zone" > "/etc/${zone}.zone.tmp" &&
        mv "/etc/${zone}.zone.tmp" "/etc/${zone}.zone"
done
# pf reads the zone files only when the ruleset is loaded, so reload it
pfctl -f /etc/pf.conf
</pre>



<p>We store them directly in <code>/etc</code> in the above example.</p>



<p>In <code>/etc/pf.conf</code>, first add a table based on the files downloaded by the above script:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""># add a bad hosts table based on local disk text files
# one CIDR per line
table &lt;badhosts> persist file "/etc/ru.zone" file "/etc/cn.zone"
</pre>



<p>In the above example, we have created a table called <code>badhosts</code> based on two local files.</p>



<p>Finally, we need some rules which actually block traffic from and to these network ranges; an example <code>PF</code> block rule could be:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""># block bad IP addresses
block from &lt;badhosts> to any
block from any to &lt;badhosts>
</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2022/03/block-countries-on-openbsd-using-pf/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Block countries using IPtables and IPDeny.com</title>
		<link>https://jmorano.moretrix.com/2022/03/block-countries-using-iptables/</link>
					<comments>https://jmorano.moretrix.com/2022/03/block-countries-using-iptables/#comments</comments>
		
		<dc:creator><![CDATA[Johnny Morano]]></dc:creator>
		<pubDate>Tue, 01 Mar 2022 07:12:28 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[IPTables]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<guid isPermaLink="false">https://jmorano.moretrix.com/?p=1285</guid>

					<description><![CDATA[Certain server setups do not require access for all countries or just want to block certain countries since&#8230;]]></description>
										<content:encoded><![CDATA[
<p>Certain server setups do not require access from all countries, or simply want to block certain countries since they are known for their malicious activity.</p>



<p>One simple (not fully bullet-proof) way of doing this is by setting up block rules at the firewall level, which can be achieved on Linux servers with <code>iptables</code> and the zone files of <a rel="noreferrer noopener" href="https://www.ipdeny.com/" target="_blank">https://www.ipdeny.com/</a>. These zone files contain the network ranges assigned to a specific country.</p>



<p>The network ranges are fed to a tool called <code>ipset</code>, which builds a hash-based set that can easily be matched from within <code>iptables</code> rules.</p>



<p>On Debian/Ubuntu systems, <code>ipset</code> can be installed with the <code>apt</code> command:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="shell" data-enlighter-theme="monokai" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">apt install ipset</pre>



<p>Next, create an iptables chain called &#8220;<code>blocked_countries</code>&#8221;, to which we will add rules afterwards. Add this chain to the beginning of the <code>INPUT</code> and <code>FORWARD</code> chains, to have early blocking in your ruleset.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="shell" data-enlighter-theme="monokai" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">iptables -N blocked_countries
iptables -I INPUT -j blocked_countries -m comment --comment "Blocked countries"
iptables -I FORWARD -j blocked_countries -m comment --comment "Blocked countries"</pre>



<p>Finally, create a shell script which downloads the required zone files from <a rel="noreferrer noopener" href="https://ipdeny.com/" target="_blank">https://ipdeny.com/</a> and feeds them to <code>ipset</code>. The example script will try to block the countries China, Russia and Belarus:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="shell" data-enlighter-theme="monokai" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#!/bin/bash

COUNTRIES=('cn' 'ru' 'by')

# create one hash:net set per country; -exist makes this safe to re-run
for COUNTRY in "${COUNTRIES[@]}"; do
    ipset -exist create "countries_${COUNTRY}" hash:net
done

# remove the old rules from the chain before re-adding them
iptables -v -F blocked_countries

for i in "${COUNTRIES[@]}"; do
    echo "Ban IP of country ${i}"
    ipset flush "countries_${i}"

    # the zone file contains one CIDR range per line
    for IP in $(wget -q -O - "https://www.ipdeny.com/ipblocks/data/countries/${i}.zone"); do
        ipset add "countries_${i}" "${IP}"
    done
    # LOGDROP is a user-defined chain (log, then drop) that must already exist;
    # use DROP instead if you have no such chain
    iptables -I blocked_countries -m set --match-set "countries_${i}" src -j LOGDROP -m comment --comment "Block .${i}"
done
</pre>



<p>You can check the <code>blocked_countries</code> chain to see whether packets are being blocked by your new rules:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="shell" data-enlighter-theme="monokai" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">iptables -v -n -L blocked_countries
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain blocked_countries (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   104 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set countries_by src /* Block .by */
 2182  155K LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set countries_ru src /* Block .ru */
  344 21370 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set countries_cn src /* Block .cn */
</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2022/03/block-countries-using-iptables/feed/</wfw:commentRss>
			<slash:comments>4</slash:comments>
		
		
			</item>
		<item>
		<title>OSSEC: building an OpenBSD package</title>
		<link>https://jmorano.moretrix.com/2016/03/ossec-building-an-openbsd-package/</link>
					<comments>https://jmorano.moretrix.com/2016/03/ossec-building-an-openbsd-package/#comments</comments>
		
		<dc:creator><![CDATA[Johnny Morano]]></dc:creator>
		<pubDate>Tue, 15 Mar 2016 07:28:29 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[HIDS]]></category>
		<category><![CDATA[OSSEC]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<guid isPermaLink="false">http://jmorano.moretrix.com/?p=1101</guid>

					<description><![CDATA[OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring,&#8230;]]></description>
										<content:encoded><![CDATA[
<p><a title="OSSEC Website" href="http://www.ossec.net/" target="_blank" rel="noopener">OSSEC</a> is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.</p>



<p>It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and OpenBSD.</p>



<p>There is no OSSEC package available on the OSSEC website or in OpenBSD&#8217;s ports repository, so I&#8217;ve decided to create an OpenBSD package on my own.<br />OpenBSD packages are pretty easy to create and are very useful when installing, upgrading or deleting software on a server.</p>



<p>One of the disadvantages of creating an OpenBSD package is that you will need to have X11 installed on your OpenBSD system.<br />In the following example I have used <a href="http://openbsd.org" target="_blank" rel="noopener">OpenBSD 5.8</a> to create a package for <a href="http://ossec.github.io/" target="_blank" rel="noopener">OSSEC 2.8.2</a> (OSSEC 2.8.3 doesn&#8217;t compile on OpenBSD 5.8).</p>



<h2 class="wp-block-heading">Step 1: Prerequisites</h2>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cd /tmp
# the X11 and compiler sets are fetched over plain HTTP, so verify them with
# signify against the signed SHA256 list of the same directory before
# extracting them into /
wget http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/xbase58.tgz
wget http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/xshare58.tgz
wget http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/comp58.tgz
wget -O sets.SHA256.sig http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/SHA256.sig
signify -Cp /etc/signify/openbsd-58-base.pub -x sets.SHA256.sig xbase58.tgz xshare58.tgz comp58.tgz
tar -C / -xzvphf xbase58.tgz
tar -C / -xzvphf xshare58.tgz
tar -C / -xzvphf comp58.tgz

# the ports tree is verified the same way
cd /tmp
ftp http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/ports.tar.gz
ftp http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/SHA256.sig
signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig ports.tar.gz

cd /usr
tar xzf /tmp/ports.tar.gz</pre>



<p>You will also need a compiler:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">pkg_add gcc</pre>



<h2 class="wp-block-heading">Step 2: Download and repack the source</h2>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ossec_version="2.8.2"
cd /usr/src
wget https://github.com/ossec/ossec-hids/archive/${ossec_version}.tar.gz 
mv ${ossec_version}.tar.gz ossec-hids-${ossec_version}.tar.gz 
tar xfz ossec-hids-${ossec_version}.tar.gz
cd ossec-hids-${ossec_version}
</pre>



<p>Since the Makefile for OSSEC is in the <em>src/</em> subdirectory, we will create a proxy Makefile in <em>/usr/src/ossec-hids-2.8.2</em>:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cd ossec-hids-2.8.2
vim Makefile</pre>



<p>I have actually taken the original Makefile from <em>src/</em> and narrowed it down to the following:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""># Makefile
# http://www.ossec.net/hids/
# (recipe lines must be indented with a tab)

none:
	@echo "Nothing selected ..."
	@echo "\"make all\" to compile everything."
	@echo "\"make server\" to build the server."
	@echo "\"make local\" to build the local."
	@echo "\"make agent\" to build the agent."
	@echo "\"make clean\" to clean anything built."

clean:
	cd src/ ; $(MAKE) clean

all:
	cd src/ ; $(MAKE) all

test:
	cd src/ ; $(MAKE) test

server:
	cd src/ ; $(MAKE) server

local:
	cd src/ ; $(MAKE) local

agent:
	cd src/ ; $(MAKE) agent

</pre>



<p>We will also edit the &#8216;<em>ossec-client.sh</em>&#8217; script, because we will use it as a start/stop script. We will have to set the path name in this script:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">vim src/init/ossec-client.sh
# LOCAL=/var/ossec
# cd ${LOCAL}
# PWD=`pwd`
DIR=/var/ossec
cd ${DIR}
</pre>



<p>And that&#8217;s the only thing we will need to change in the sources; we can now repackage it:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cd ..
tar czf /usr/ports/distfiles/ossec-hids-2.8.2.tar.gz ossec-hids-2.8.2/
</pre>



<h2 class="wp-block-heading">Step 3: Prepare the ports directory</h2>



<p>The following steps explain how to set up a ports directory in <em>/usr/ports</em> for OSSEC, in order to build the package.<br />Custom made packages are built in <em>/usr/ports/mystuff</em>. In there, we need one subdirectory for the package category (we will use security) and, inside that, one for the package name, which in our case will be ossec-hids.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cd /usr/ports/mystuff
mkdir -p security/ossec-hids
</pre>



<p>The configuration file for building an OpenBSD package is a Makefile. There is a template file in <em>/usr/ports/infrastructure/templates/Makefile.template</em> which can be used.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cd security/ossec-hids
cp /usr/ports/infrastructure/templates/Makefile.template Makefile
</pre>



<p>This file, of course, needs editing. Not everything in it is required, so I have narrowed the Makefile down to what I need:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""># $OpenBSD: Makefile.template,v 1.68 2013/10/02 07:34:45 ajacoutot Exp $
# $FreeBSD/NetBSD: credit FreeBSD/NetBSD if thats where the port came from $
# Original from: credit the original author here
COMMENT =               OSSEC is an Open Source HIDS
DISTNAME =              ossec-hids-2.8.2
CATEGORIES =            security
HOMEPAGE =              http://www.ossec.net/
MAINTAINER =            Johnny Morano &lt;jmorano@moretrix.com&gt;
MASTER_SITES =          https://github.com/ossec/ossec-hids/

PERMIT_PACKAGE_CDROM =  Yes
PERMIT_PACKAGE_FTP =    Yes
PERMIT_DISTFILES_FTP =  Yes

PKG_ARCH =              *
PREFIX =                /var/ossec

# agent-only install; recipe lines are indented with a tab
do-install:
	mkdir -p ${PREFIX}/bin
	mkdir -p ${PREFIX}/logs
	mkdir -p ${PREFIX}/var/run
	mkdir -p ${PREFIX}/queue
	mkdir -p ${PREFIX}/active-response/bin
	mkdir -p ${PREFIX}/agentless
	mkdir -p ${PREFIX}/etc/orig/shared
	mkdir -p ${PREFIX}/doc
	${INSTALL_SCRIPT} ${WRKSRC}/active-response/firewalls/pf.sh ${PREFIX}/active-response/bin/
	${INSTALL_SCRIPT} ${WRKSRC}/src/agentlessd/scripts/* ${PREFIX}/agentless
	${INSTALL_SCRIPT} ${WRKSRC}/src/os_execd/ossec-execd ${PREFIX}/bin/
	${INSTALL_SCRIPT} ${WRKSRC}/src/logcollector/ossec-logcollector ${PREFIX}/bin/
	${INSTALL_SCRIPT} ${WRKSRC}/src/client-agent/ossec-agentd ${PREFIX}/bin/
	${INSTALL_SCRIPT} ${WRKSRC}/src/addagent/manage_agents ${PREFIX}/bin/
	${INSTALL_SCRIPT} ${WRKSRC}/src/syscheckd/ossec-syscheckd ${PREFIX}/bin/
	${INSTALL_SCRIPT} ${WRKSRC}/src/os_auth/agent-auth ${PREFIX}/bin/
	${INSTALL_SCRIPT} ${WRKSRC}/src/init/ossec-client.sh ${PREFIX}/bin/
	${INSTALL_SCRIPT} ${WRKSRC}/doc/*.txt ${PREFIX}/doc/
	${INSTALL_SCRIPT} ${WRKSRC}/doc/README.config ${PREFIX}/doc/
	${INSTALL_SCRIPT} ${WRKSRC}/etc/*.conf ${PREFIX}/etc/orig/
	${INSTALL_SCRIPT} ${WRKSRC}/etc/*.xml ${PREFIX}/etc/orig/
	${INSTALL_SCRIPT} ${WRKSRC}/src/rootcheck/db/* ${PREFIX}/etc/orig/shared/

.include &lt;bsd.port.mk&gt;
</pre>



<p>The above Makefile will install OSSEC in<em> /var/ossec</em> and will only install the agent files. It does not install the server files.</p>



<h2 class="wp-block-heading">Step 4: Test the settings</h2>



<p>First we will generate the distfile checksum, and then we will start a <code>make fake</code> run, which compiles the sources and installs them into a fake root, to see if everything compiles nicely.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">make makesum
===&gt;  Checking files for ossec-hids-2.8.2
`/usr/ports/distfiles/ossec-hids-2.8.2.tar.gz' is up to date.

make fake
===&gt;  Checking files for ossec-hids-2.8.2
`/usr/ports/distfiles/ossec-hids-2.8.2.tar.gz' is up to date.
&gt;&gt; (SHA256) ossec-hids-2.8.2.tar.gz: OK
===&gt;  Extracting for ossec-hids-2.8.2
===&gt;  Patching for ossec-hids-2.8.2
===&gt;  Configuring for ossec-hids-2.8.2
===&gt;  Building for ossec-hids-2.8.2
***snip***</pre>



<p>If there were no errors, then we are ready to create the actual package.</p>



<h2 class="wp-block-heading">Step 5: Create the OpenBSD package</h2>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">mkdir pkg
echo "OSSEC is an Open Source HIDS" &gt; pkg/DESCR
make plist
vim pkg/PLIST
</pre>



<p>Normally we do not need to edit the PLIST file, but I wanted to create an ossec user upon installation and chown the <em>/var/ossec</em> directory to that user.<br />So I have added the following lines to the top of <em>pkg/PLIST</em>:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">@comment $OpenBSD$
@newgroup ossec:1002
@newuser ossec:1005:ossec:daemon:OSSEC User:/var/ossec:/bin/sh</pre>



<p>And these to the bottom:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">@exec-add mkdir -p /var/ossec
@exec-add chown -R ossec.ossec /var/ossec
@exec-add cp %D/bin/ossec-client.sh /etc/rc.d/ossec</pre>



<p>Afterwards you will need to run:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">make plist</pre>



<p>Now we are ready to build the package:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">make package
`/usr/ports/pobj/ossec-hids-2.8.2/fake-amd64/.fake_done' is up to date.
===&gt;  Building package for ossec-hids-2.8.2
Create /usr/ports/packages/amd64/no-arch/ossec-hids-2.8.2.tgz
Link to /usr/ports/packages/amd64/all/ossec-hids-2.8.2.tgz
Link to /usr/ports/packages/amd64/ftp/ossec-hids-2.8.2.tgz
Link to /usr/ports/packages/amd64/cdrom/ossec-hids-2.8.2.tgz</pre>



<p>That&#8217;s it! This package can now be installed with the <code>pkg_add</code> command.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">pkg_add ./ossec-hids-2.8.2.tgz 
quirks-2.114 signed on 2015-08-09T11:57:52Z
UNSIGNED PACKAGE file:./ossec-hids-2.8.2.tgz: install anyway ? [y/N/a] y
ossec-hids-2.8.2: ok
UNSIGNED PACKAGES: ossec-hids-2.8.2</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2016/03/ossec-building-an-openbsd-package/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
		<item>
		<title>OpenSSH 6.2.x and LDAP authentication</title>
		<link>https://jmorano.moretrix.com/2013/09/openssh-6-2-x-ldap-authentication/</link>
					<comments>https://jmorano.moretrix.com/2013/09/openssh-6-2-x-ldap-authentication/#comments</comments>
		
		<dc:creator><![CDATA[Johnny Morano]]></dc:creator>
		<pubDate>Tue, 17 Sep 2013 11:42:56 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Bash]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<guid isPermaLink="false">http://jmorano.moretrix.com/?p=993</guid>

					<description><![CDATA[Since the release of OpenSSH 6.2, two new configuration parameters have been added: AuthorizedKeysCommand AuthorizedKeysCommandUser These parameters allow&#8230;]]></description>
										<content:encoded><![CDATA[<p>Since the release of OpenSSH 6.2, two new configuration parameters have been added:</p>
<ul>
<li>AuthorizedKeysCommand</li>
<li>AuthorizedKeysCommandUser</li>
</ul>
<p>These parameters allow you to create any kind of authentication method for OpenSSH, including LDAP authentication, so patches like the LPK patch for OpenSSH are no longer required.<br />
The only thing the script needs to do is return either an empty string or the public key of the user.</p>
<p>In our example below, we have added an extra check which verifies whether the user is a member of a certain group.<br />
The script is a very simple Bash script and can be rewritten as any kind of script or program; what matters is what it returns on STDOUT.</p>
<pre class="brush:bash">
#!/bin/bash
# $Id: ldap_ssh_key.sh 138 2013-09-14 08:24:39Z jmorano $
#
# Check if the user is in the right group
#  and afterwards retrieve the SSH public key from LDAP
# Logs directly in Syslog
#
#
# sshd_config for OpenSSH 6.2 or higher:
#
#  AuthorizedKeysCommand /usr/local/bin/ldap_keys.sh
#  AuthorizedKeysCommandUser nobody
#

LDAP_SERVER="ldap-server"
BASE_DN="ou=users,dc=company,dc=example,dc=com"
ALLOWED_GROUP="6667"

# load local configuration if available
if [ -f /etc/example/ldap.cfg ]; then
    . /etc/example/ldap.cfg
fi

# sshd passes the login name as the only argument
SSH_USER=$1

# compare the numeric group IDs one per line and match whole lines only,
# so that a GID such as 16667 does not accidentally match 6667
if id -G "${SSH_USER}" 2>/dev/null | tr ' ' '\n' | grep -qx "${ALLOWED_GROUP}";
then
	logger -t sshd -p info "User ${SSH_USER} is a member of the group"
else
	logger -t sshd -p warn "User ${SSH_USER} is not allowed to log in, access denied"
	# an empty answer tells sshd there are no authorized keys
	echo
	exit 0
fi


# ldif-wrap=no keeps long key values on one line; sed prints only the
# sshPublicKey attribute values with the attribute prefix stripped
KEY=$(ldapsearch -o ldif-wrap=no -S sshPublicKey -c -h "${LDAP_SERVER}" -b "${BASE_DN}" -x -LLL "uid=${SSH_USER}" sshPublicKey | sed -n 's/^sshPublicKey: //p')

logger -t sshd -p info "Sent LDAP SSH public key for user ${SSH_USER}"
echo "${KEY}"

</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2013/09/openssh-6-2-x-ldap-authentication/feed/</wfw:commentRss>
			<slash:comments>11</slash:comments>
		
		
			</item>
		<item>
		<title>Secure Password Generator in Perl</title>
		<link>https://jmorano.moretrix.com/2013/08/secure-password-generator-perl/</link>
					<comments>https://jmorano.moretrix.com/2013/08/secure-password-generator-perl/#comments</comments>
		
		<dc:creator><![CDATA[Johnny Morano]]></dc:creator>
		<pubDate>Tue, 13 Aug 2013 13:27:18 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Perl]]></category>
		<category><![CDATA[Crypto]]></category>
		<category><![CDATA[Dev]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://jmorano.moretrix.com/?p=953</guid>

					<description><![CDATA[A secure and very random password generator module written in Perl.It can be used to generate passwords or&#8230;]]></description>
										<content:encoded><![CDATA[
<p>A secure and very random password generator module written in Perl.<br />It can be used to generate passwords or unique strings for all sorts of operations.</p>



<p>The default character set is alpha-numerical based, but can be set to any kind of character list.</p>



<p>The complete handling and generation is implemented in a module which exports one function: &#8216;<code>generate_password</code>&#8217;.<br />This function takes the following optional arguments:</p>



<ul class="wp-block-list"><li>a length (default: 12)</li><li>a character list (default: the alphanumerics plus the punctuation in <code>$CHARLIST</code>)</li></ul>



<p>The entropy comes from <code>Bytes::Random::Secure</code> (reading the non-blocking OS source) and is stretched with SHA-512 in a counter construction to pick the characters; <code>Math::Random::ISAAC</code> supplies the random numbers that decide how many candidate passwords are built and which one is returned.</p>



<pre class="EnlighterJSRAW" data-enlighter-language="perl" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">package MORETRIX::Password;
#===============================================================================
#  DESCRIPTION: A password generator module
#     REVISION: $Id: Password.pm 71 2013-07-02 12:28:42Z jmorano $
#===============================================================================

use strict;
use warnings;
use Digest;
use Exporter qw/import/;
use Time::HiRes qw/time/;
use Bytes::Random::Secure;
use Math::Random::ISAAC;

our @EXPORT    = qw/generate_password/;
our @EXPORT_OK = qw/generate_password/;

my $random_state;   # SHA-512 counter-mode state used by myrand()
my $isaac;          # ISAAC generator, seeded once from the OS entropy source
my $CHARLIST = q{abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!"$%&amp;/\()=?{}[]*+#;:.,-_&lt;>|^~'};

# Generate a cryptographically safe random password
# default length: 12
#
sub generate_password {
    my ($length, $charlist) = @_;
    $length   //= 12;
    $charlist //= $CHARLIST;

    # Build a random number (1..100) of candidate passwords, each character
    # picked with myrand(), and return one of the candidates at random.
    my @temp_passwords;
    foreach my $loop ( 0 .. int(random_number(100)) ){
        my $password = '';
        while (length($password) &lt; $length) {
            $password .= substr($charlist, int(myrand(length($charlist))), 1);
        }
        push @temp_passwords, $password;
    }

    # index 0 .. $#temp_passwords: scale by the number of candidates, not by
    # the string length of that number
    return $temp_passwords[int(random_number(scalar @temp_passwords))];
}

# Random float in [0, $range) from ISAAC. The generator is created once and
# seeded with eight 32-bit words from Bytes::Random::Secure; a new generator
# with a fixed seed on every call would return the same value every time.
sub random_number {
    my ($range) = @_;
    $range //= 1.0;

    $isaac //= do {
        my $seeder = Bytes::Random::Secure->new( NonBlocking => 1, Bits => 256 );
        Math::Random::ISAAC->new( map { $seeder->irand } 1 .. 8 );
    };
    return $range * $isaac->rand();
}

# Initial state for myrand(). The seed is only the first 'prev' value; every
# block of output mixes in fresh OS entropy as well.
sub mysrand{
    my $seed = shift || (time ^ $$ ^ int(random_number(time)) ^ int(random_number(2048 ^ 128)));
    $random_state = {
        digest  => Digest->new("SHA-512"),
        counter => 0,
        waiting => [],
        prev    => $seed
    };
}

# Random float in [0, $range). Each refill hashes 4096 random characters, a
# counter and the previous digest with SHA-512; the 64-byte digest is split
# into sixteen 32-bit integers that are handed out one per call.
sub myrand{
    my $range = shift || 1.0;
    mysrand() unless defined $random_state;

    if (! @{$random_state->{waiting}}){
        $random_state->{digest}->reset();
        $random_state->{digest}->add( generate_entropy(4096) .
                                     $random_state->{counter}++ .
                                     $random_state->{prev});
        $random_state->{prev} = $random_state->{digest}->digest();
        my @ints = unpack("L*", $random_state->{prev}); # 32 bit unsigned integers
        $random_state->{waiting} = \@ints;
    }
    my $int = shift @{$random_state->{waiting}};
    return $range * $int / 2**32;
}

# $length random characters out of $CHARLIST, drawn from the non-blocking OS
# source (/dev/urandom) through Bytes::Random::Secure.
sub generate_entropy {
    my ($length) = @_;

    $length //= 1024;

    my $random = Bytes::Random::Secure->new( NonBlocking => 1, Bits => 4096 );
    return $random->string_from($CHARLIST, $length);
}

1;</pre>



<p>Example script:</p>



<pre class="EnlighterJSRAW" data-enlighter-language="perl" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#!/usr/bin/env perl

use strict;
use warnings;
use FindBin;
use lib $FindBin::Bin;      # MORETRIX/Password.pm next to this script; adjust to taste
use MORETRIX::Password;

# password length from the command line, default 32
my $length = shift @ARGV;
$length //= 32;

print generate_password($length), "\n" for 1 .. 5;</pre>
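<p>As an added example, not part of the original post, here is the same idea in Python rather than Perl: characters drawn uniformly from the post&#8217;s default character set, but straight from the OS CSPRNG through the <code>secrets</code> module (with a non-blocking kernel source there is no need for a SHA-512 or ISAAC layer on top). It adds the two things a reviewer asks about a generator like this: how many bits of entropy a password of a given length actually carries (12 characters from this 92-character set are about 78 bits; 20 are needed to reach 128), and why taking an index as <code>int(myrand(length($charlist)))</code> from a 32-bit value is slightly non-uniform (<code>2**32</code> is not a multiple of the alphabet size, so a few characters come up one time in <code>2**32</code> more often), with rejection sampling as the exact alternative. The only thing it assumes is that <code>CHARSET</code> is a faithful copy of the module&#8217;s <code>$CHARLIST</code>.</p>

```python
"""Added example in Python (the post's module is Perl): a uniform password
generator on the OS CSPRNG via the secrets module, plus the checks a reviewer
asks for: how much entropy a given length carries, and why scaling a 32-bit
draw by the alphabet size, int(u / 2**32 * n), is slightly non-uniform while
rejection sampling is exact. CHARSET reproduces the post's default list."""
import math
import secrets
import string

CHARSET = (string.ascii_lowercase + string.digits + string.ascii_uppercase
           + "!\"$%&/\\()=?{}[]*+#;:.,-_<>|^~'")


def generate_password(length=12, charset=CHARSET):
    """Password of `length` characters drawn uniformly from `charset`."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(charset)) != len(charset):
        raise ValueError("charset repeats characters, which skews the distribution")
    # secrets.choice rejection-samples internally, so there is no modulo bias
    return "".join(secrets.choice(charset) for _ in range(length))


def entropy_bits(length, charset=CHARSET):
    """Entropy of a uniformly drawn password: length * log2(alphabet size)."""
    return length * math.log2(len(charset))


def length_for_entropy(target_bits, charset=CHARSET):
    """Shortest length whose entropy reaches target_bits (128 for key-like secrets)."""
    return math.ceil(target_bits / math.log2(len(charset)))


def floor_scaling_bias(n, bits=32):
    """Distribution of int(u * n / 2**bits) for uniform u: returns (base, extra),
    meaning `extra` of the n symbols occur base+1 times and the others base times."""
    space = 1 << bits
    return space // n, space % n


def unbiased_index(n, draw32=lambda: secrets.randbits(32)):
    """Index in [0, n) from 32-bit draws by rejection: discard draws from the
    incomplete top block so each index corresponds to exactly 2**32 // n values."""
    limit = (1 << 32) - ((1 << 32) % n)    # largest multiple of n that fits
    while True:
        u = draw32()
        if u < limit:
            return u % n


if __name__ == "__main__":
    for _ in range(5):
        print(generate_password(32))
    print("entropy of 12 chars: %.1f bits" % entropy_bits(12))
    print("chars needed for 128 bits: %d" % length_for_entropy(128))
```

The bias is of no practical concern at 32 bits (the over-represented characters win by one part in about four billion), but the rejection loop costs nothing and makes the argument unnecessary; it also matters far more when the raw draw is small, for example a single byte modulo the alphabet size.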



<p>References:</p>



<ul class="wp-block-list"><li>http://wellington.pm.org/archive/200704/randomness/#slide0</li></ul>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2013/08/secure-password-generator-perl/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
		<item>
		<title>Syslog event generator with Net::RawIP (perl)</title>
		<link>https://jmorano.moretrix.com/2011/06/syslog-event-generator-with-netrawip-perl/</link>
					<comments>https://jmorano.moretrix.com/2011/06/syslog-event-generator-with-netrawip-perl/#comments</comments>
		
		<dc:creator><![CDATA[insaniac]]></dc:creator>
		<pubDate>Wed, 29 Jun 2011 09:34:25 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Perl]]></category>
		<category><![CDATA[Dev]]></category>
		<category><![CDATA[Hack]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spoof]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<guid isPermaLink="false">http://jmorano.moretrix.com/?p=632</guid>

					<description><![CDATA[Recently I have been asked to write a Syslog event generator, but not just a normal syslog generator,&#8230;]]></description>
										<content:encoded><![CDATA[<p>Recently I have been asked to write a Syslog event generator, but not just a normal syslog generator, it had to be able to generate events coming from different hosts.</p>
<p>The normal &#8216;logger&#8217; command sends Syslog messages from the machine&#8217;s own IP address, so logger wasn&#8217;t very useful. The only useful option seemed to be to generate my own Syslog packets with a spoofed source address. After writing this handy little script, I realized that I&#8217;d actually created a monster. A very evil, scary, mean-looking monster! I will show an example of a Syslog event generator (and later on one for SNMP events), but the code can be used for much more. Please keep in mind that I post this code for educational and debugging purposes only. If you want to use it for other reasons&#8230; well, that&#8217;s up to you! 🙂<br />
<span id="more-632"></span><br />
The example shown here is worked out a bit further and put into an object-oriented structure. It could also have been a simple quick and dirty script.</p>
<p>The module we will use is called <a href="https://jmorano.moretrix.com/go/RawIPGenerator/">Net::RawIP</a>; it lets us build our own TCP or UDP packets, so we only need to figure out how a packet has to look for the Syslog daemon to accept it: a UDP datagram to port 514 whose payload starts with the PRI field.</p>
<p>First I created a Packet.pm class. This is the base class, which provides the constructor and defines the class interface.</p>
<pre class="brush:perl">
package Packet;
# $Id: Packet.pm 828 2011-06-28 13:05:03Z insaniac $
use strict; use warnings;
use Net::RawIP;

# $opts is handed straight to Net::RawIP->new (the ip/udp/tcp field hashes)
sub new {
    my($class, $opts) = @_;

    my $self = bless {}, ref $class || $class;
    $self->{rawip} = Net::RawIP->new($opts);

    return $self;
}

# interface implemented by the protocol subclasses
sub pkt_payload {
}

sub pkt_size {
}

sub pkt_debug {
}

# send the packet $amount times, $delay seconds apart
sub pkt_send {
    my($self, $delay, $amount) = @_;

    $self->pkt_debug();
    $self->{rawip}->send($delay, $amount);
}

1;
</pre>
<p>Second, I need a UDP base class from which the Syslog module will inherit.</p>
<pre class="brush:perl">
package Packet::UDP;
# $Id: UDP.pm 837 2011-06-28 15:05:10Z insaniac $
use strict; use warnings;
use base qw/Packet/;

#
# src => IP:PORT
# dst => IP:PORT
#
sub new {
    my($class, $src, $dst) = @_;
    my($saddr, $sport) = split /:/, $src;
    my($daddr, $dport) = split /:/, $dst;

    my $self = $class->SUPER::new({
            ip => {
                saddr    => $saddr,
                daddr    => $daddr,
                frag_off => 0,
                tos      => 0,
                # the IP identification field is only 16 bits wide
                id       => ($$ + time) & 0xFFFF,
            },
            udp => {
                source => $sport,
                dest   => $dport,
            },
            });

    return $self;
}

sub pkt_size {
    my($self)= @_;

    my($data) = $self->{rawip}->get( {
                udp => [qw/data/]
            },
    );
    # UDP length field: the 8 byte UDP header plus the payload
    my $size = 8 + length($data);

    # set 'check' to 0 to recalculate the UDP checksum
    $self->{rawip}->set( {
            udp => {
                len   => $size,
                check => 0,
            }
    });

    return $size;
}

sub pkt_payload {
}

sub pkt_debug {
    my($self) = @_;

    my(@udp_fields) = qw/source dest len data/;
    my(@ip_fields)  = qw/version ihl tos id frag_off ttl protocol saddr daddr/;
    my(@udp_data)   = $self->{rawip}->get({ udp => \@udp_fields });
    my(@ip_data)    = $self->{rawip}->get({ ip  => \@ip_fields });

    print "IP FIELDS\n";
    print "=========\n";
    print "- $ip_fields[$_]: $ip_data[$_]\n" foreach 0 ..  $#ip_data;
    print "UDP FIELDS\n";
    print "==========\n";
    print "- $udp_fields[$_]: $udp_data[$_]\n" foreach 0 ..  $#udp_data;

}

1;
</pre>
<p>With the base classes in place, we can finally focus on the Syslog class: a module that sends Syslog messages from whatever source IP address we choose.</p>
<pre class="brush:perl">
package Packet::UDP::Syslog;
# $Id: Syslog.pm 838 2011-06-28 15:08:07Z insaniac $
use strict; use warnings;
use base qw/Packet::UDP/;

# source port 1666, destination port 514 (syslog/udp)
sub new {
    my ($class, $src, $dst) = @_;
    my $self = $class->SUPER::new("$src:1666", "$dst:514");
    return $self;
}

# TAG               CODE    DESCRIPTION
# =====================================
# kernel            0       kernel messages
# user              1       user-level messages
# mail              2       mail system
# system            3       system daemons
# security          4       security/authorization messages (note 1)
# internal          5       messages generated internally by syslogd
# print             6       line printer subsystem
# news              7       network news subsystem
# uucp              8       UUCP subsystem
# clock             9       clock daemon (note 2)
# security2        10       security/authorization messages (note 1)
# ftp              11       FTP daemon
# ntp              12       NTP subsystem
# logaudit         13       log audit (note 1)
# logalert         14       log alert (note 1)
# clock2           15       clock daemon (note 2)
# local0           16       local use 0  (local0)
# local1           17       local use 1  (local1)
# local2           18       local use 2  (local2)
# local3           19       local use 3  (local3)
# local4           20       local use 4  (local4)
# local5           21       local use 5  (local5)
# local6           22       local use 6  (local6)
# local7           23       local use 7  (local7)
my $i = 0;
my %fac_map = map {$_ => $i++ } qw/kernel user mail system security internal print news uucp clock security2 ftp ntp logaudit logalert clock2 local0 local1 local2 local3 local4 local5 local6 local7/;

# TAG             CODE    DESCRIPTION
# =====================================
# emerg           0       Emergency: system is unusable
# alert           1       Alert: action must be taken immediately
# crit            2       Critical: critical conditions
# err             3       Error: error conditions
# warn            4       Warning: warning conditions
# notice          5       Notice: normal but significant condition
# info            6       Informational: informational messages
# debug           7       Debug: debug-level messages
$i = 0;
my %sev_map = map {$_ => $i++} qw/emerg alert crit err warn notice info debug/;

# Payload: the PRI field (facility * 8 + severity) in angle brackets, the
# message text and a terminating NUL, e.g. "<190>Jun 28 17:12:13 host: text"
sub pkt_payload {
    my($self, $facility, $severity, $msg) = @_;

    die "unknown facility '$facility'" unless exists $fac_map{$facility};
    die "unknown severity '$severity'" unless exists $sev_map{$severity};

    my ($fac_sev) = ($fac_map{$facility} << 3) + $sev_map{$severity};
    $self->{rawip}->set({
            udp => {
                data => "<$fac_sev>$msg\0"
                }
            }
    );

    # call and set the size
    $self->pkt_size();
}

1;
</pre>
<p>Our OO structure is now ready; all we need is a script that exercises it. It sends five messages from each of five spoofed source addresses to the collector at 192.168.1.3, one per second:</p>
<pre class="brush:perl">
#!/usr/bin/perl
use strict; use warnings;
use lib './';
use Packet::UDP::Syslog;
use POSIX qw/strftime/;

# source addresses to spoof
my @sources = qw{
    166.59.83.200 166.59.83.1 166.59.83.206 192.168.0.99
    192.168.1.99
};

my @messages = (
        {severity => 'info',  payload => 'the planet is going down'},
        {severity => 'err',   payload => 'BOOM BOOM BOOM'},
        {severity => 'emerg', payload => 'The house is on fire!'},
        {severity => 'alert', payload => "Do NOT forget to feed the monkeys\nAnd the bears\nand the cows!"},
        {severity => 'debug', payload => 'We should have a look into this'},
);

# one message per second from every source, to the collector at 192.168.1.3
foreach my $src (@sources){
    my $syslog = Packet::UDP::Syslog->new($src, "192.168.1.3");
    foreach my $msg (@messages) {
        # traditional syslog timestamp, followed by the (spoofed) hostname
        my $datetime = strftime("%b %d %H:%M:%S", localtime());
        $syslog->pkt_payload('local7', $msg->{severity}, $datetime." $src: ".$msg->{payload});
        $syslog->pkt_send(1,1);
    }
}

</pre>
<p>Running the script:</p>
<pre class="brush:bash">
root@yamamoto:/home/insaniac/dev/Net# perl raw_pkt.pl
IP FIELDS
=========
- version: 4
- ihl: 5
- tos: 0
- id: 1309286460 
- frag_off: 0
- ttl: 64
- protocolsaddr: 3232235779
UDP FIELDS
=========
- source: 1666   
- dest: 514
- len: 68
- data: <190>Jun 28 17:12:13 166.59.83.200: the planet is going down
IP FIELDS
=========
- version: 4
- ihl: 5
- tos: 0
- id: 1309286460 
- frag_off: 0
- ttl: 64
- protocolsaddr: 3232235779
UDP FIELDS
=========
- source: 1666   
- dest: 514
- len: 58
- data: <187>Jun 28 17:12:14 166.59.83.200: BOOM BOOM BOOM
*** snip output ***
</pre>
<p>And that&#8217;s it! Checking the receiving network interface (IP address 192.168.1.3) with tcpdump, we see our packets arriving, each with its spoofed source address:</p>
<pre class="brush:bash">
17:13:24.218196 IP (tos 0x0, ttl 64, id 8359, offset 0, flags [none], proto UDP (17), length 96)
    166.59.83.206.1666 > musashi_vpn.syslog: [udp sum ok] SYSLOG, length: 68
        Facility local7 (23), Severity debug (7)
        Msg: Jun 28 17:13:24 166.59.83.206: We should have a look into this\x00
        0x0000:  3c31 3931 3e4a 756e 2032 3820 3137 3a31
        0x0010:  333a 3234 2031 3636 2e35 392e 3833 2e32
        0x0020:  3036 3a20 5765 2073 686f 756c 6420 6861
        0x0030:  7665 2061 206c 6f6f 6b20 696e 746f 2074
        0x0040:  6869 7300
        0x0000:  4500 0060 20a7 0000 4011 9e31 a63b 53ce
        0x0010:  c0a8 0103 0682 0202 004b cc9e 3c31 3931
        0x0020:  3e4a 756e 2032 3820 3137 3a31 333a 3234
        0x0030:  2031 3636 2e35 392e 3833 2e32 3036 3a20
        0x0040:  5765 2073 686f 756c 6420 6861 7665 2061
        0x0050:  206c 6f6f 6b20 696e 746f 2074 6869 7300
17:13:25.219101 IP (tos 0x0, ttl 64, id 8364, offset 0, flags [none], proto UDP (17), length 88)
    192.168.0.99.1666 > musashi_vpn.syslog: [udp sum ok] SYSLOG, length: 60
        Facility local7 (23), Severity info (6)
        Msg: Jun 28 17:13:25 192.168.0.99: the planet is going down\x00
        0x0000:  3c31 3930 3e4a 756e 2032 3820 3137 3a31
        0x0010:  333a 3235 2031 3932 2e31 3638 2e30 2e39
        0x0020:  393a 2074 6865 2070 6c61 6e65 7420 6973
        0x0030:  2067 6f69 6e67 2064 6f77 6e00
        0x0000:  4500 0058 20ac 0000 4011 d732 c0a8 0063
        0x0010:  c0a8 0103 0682 0202 0043 70bf 3c31 3930
        0x0020:  3e4a 756e 2032 3820 3137 3a31 333a 3235
        0x0030:  2031 3932 2e31 3638 2e30 2e39 393a 2074
        0x0040:  6865 2070 6c61 6e65 7420 6973 2067 6f69
        0x0050:  6e67 2064 6f77 6e00
</pre>
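<p>As an added example (Python, not part of the original post and not Net::RawIP code), here is the same packet built from scratch and checked against the capture above. The PRI field is encoded the way <code>pkt_payload</code> does it (facility &lt;&lt; 3 | severity), the IPv4 and UDP checksums are calculated explicitly, and the second captured packet (192.168.0.99 to 192.168.1.3) is transcribed from the hexdump so the receiver-side checks can be run offline: they reproduce the IP checksum <code>d732</code> and confirm tcpdump&#8217;s <code>[udp sum ok]</code>. They also show what a receiver can and cannot verify: nothing in the datagram authenticates the source address, and the hostname in the text is whatever the sender wrote, so a syslog collector must not treat either as trustworthy. The one visible oddity in the capture is a UDP length field of 67 for a 68 byte segment, a slip in the run that produced it; the checksum was computed over the real length, which is why tcpdump accepts the packet, and the rebuilt packet differs from the capture only in that field (and, by one, in the checksum).</p>

```python
"""Syslog-over-UDP packet builder and checker. Added example in Python; the
post's own code is Perl on top of Net::RawIP. Facility and severity names are
the ones from the tables in the post; CAPTURED is transcribed from the tcpdump
hexdump in the post (the packet from 192.168.0.99 to 192.168.1.3)."""
import socket
import struct

FACILITIES = ("kernel user mail system security internal print news uucp clock "
              "security2 ftp ntp logaudit logalert clock2 "
              "local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warn notice info debug".split()


def pri(facility, severity):
    """PRI value of a syslog message: facility * 8 + severity (local7/info = 190)."""
    return (FACILITIES.index(facility) << 3) | SEVERITIES.index(severity)


def parse_syslog(payload):
    """Split '<PRI>text' (optionally NUL terminated) into (facility, severity, text)."""
    text = payload.decode("ascii").rstrip("\x00")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI header")
    value, _, rest = text[1:].partition(">")
    value = int(value)
    if value > 191:
        raise ValueError("PRI out of range")
    return FACILITIES[value >> 3], SEVERITIES[value & 7], rest


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src, dst, segment):
    """UDP checksum: pseudo header (addresses, zero, protocol 17, length) + segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, len(segment))
    return inet_checksum(pseudo + segment)


def udp_checksum_ok(src, dst, segment):
    """A segment whose checksum field is correct sums to zero; 0 means 'not set'."""
    if segment[6:8] == b"\x00\x00":
        return True
    return udp_checksum(src, dst, segment) == 0


def build_udp(src, dst, sport, dport, payload):
    length = 8 + len(payload)               # 8 byte header + payload
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src, dst, header + payload) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_ipv4(src, dst, payload_len, ident, ttl=64, proto=17):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident & 0xFFFF,
                      0, ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_syslog_packet(src, dst, facility, severity, message, ident, sport=1666):
    """IPv4 + UDP + '<PRI>message' + NUL, the layout the post's generator sends."""
    payload = ("<%d>%s" % (pri(facility, severity), message)).encode("ascii") + b"\x00"
    udp = build_udp(src, dst, sport, 514, payload)
    return build_ipv4(src, dst, len(udp), ident) + udp


def inspect_capture(packet):
    """What a receiver can verify about a raw IPv4/UDP syslog packet; the source
    address and the hostname inside the text are both chosen by the sender."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    segment = packet[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", segment[:6])
    facility, severity, text = parse_syslog(segment[8:])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
            "udp_checksum_ok": udp_checksum_ok(src, dst, segment),
            "udp_len_field": ulen, "udp_len_actual": len(segment),
            "facility": facility, "severity": severity, "message": text}


# Transcribed from the tcpdump hexdump in the post: 88 bytes, 192.168.0.99 -> 192.168.1.3.
CAPTURED = bytes.fromhex(
    "4500 0058 20ac 0000 4011 d732 c0a8 0063"
    "c0a8 0103 0682 0202 0043 70bf 3c31 3930"
    "3e4a 756e 2032 3820 3137 3a31 333a 3235"
    "2031 3932 2e31 3638 2e30 2e39 393a 2074"
    "6865 2070 6c61 6e65 7420 6973 2067 6f69"
    "6e67 2064 6f77 6e00")

if __name__ == "__main__":
    for key, value in inspect_capture(CAPTURED).items():
        print("%-16s %s" % (key, value))
```

Sending the result needs a raw socket with <code>IP_HDRINCL</code> and root, exactly as the Perl version does; the receiver-side functions need nothing but the bytes, which makes them the useful half for a collector that wants to sanity-check lengths and checksums before it trusts the rest of the line.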
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2011/06/syslog-event-generator-with-netrawip-perl/feed/</wfw:commentRss>
			<slash:comments>10</slash:comments>
		
		
			</item>
	</channel>
</rss>
