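#!/bin/bash
#
# http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11370.html?sr=9518045
#
# Lists destination IPs that were hit by more than `threshold` distinct
# blocked source IPs in the last `windowMinutes`, and mails a per-source
# breakdown for any destination whose count also exceeds `multiplier` times
# the count recorded by the previous run. The per-site previous count is kept
# in `stateDir/oldcount.<short hostname>.<site name>`.
#
##############################################################################
#
# Variables: You may edit these items
#
threshold=5
windowMinutes=60
multiplier=3
emailRecipient=security@mycompany.com
# Directory for the per-site "previous count" files. /tmp keeps the file
# locations of earlier versions; because the names are predictable, a
# directory writable only by the account running this script is preferable.
stateDir=/tmp
#############################################################################
#
# Don't edit anything below this line
#
set -euo pipefail

windowSeconds=$(( windowMinutes * 60 ))
readonly windowSeconds

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Scratch files go into a private mktemp directory (0700, unpredictable name)
# that is removed on every exit path instead of `/tmp/$$.*.tmp`.
tmpdir=$(mktemp -d) || die "mktemp failed"
readonly tmpdir
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

# The password is fetched once; the trailing newline the original appended is
# stripped by the command substitution anyway.
mysql_password=$(perl -I/ts/packages -MF5::GenUtils -e 'print get_mysql_password()') \
  || die "could not obtain the mysql password"
readonly mysql_password

#######################################
# Run the SQL read from stdin through the mysql client.
# The password is passed in the environment (MYSQL_PWD) instead of as
# `-p<password>` on the command line, where it is exposed to other local
# users through ps / the process command line.
# Globals:   mysql_password (read)
# Arguments: none; SQL is read from stdin
# Outputs:   tab-separated result rows without the column-name header row
#######################################
run_mysql() {
  MYSQL_PWD="$mysql_password" mysql -uroot --batch --skip-column-names
}

#######################################
# Map an IP address to a display name via reverse DNS.
# Field 5 of the first `host` output line is the PTR target (or "3(NXDOMAIN)"
# when there is no reverse record), which is what this script has always
# keyed on. The name becomes part of a file name, so anything that is not a
# plain host name (empty, NXDOMAIN, contains '/' or whitespace, ...) falls
# back to the IP literal itself.
# Arguments: $1 - IP address
# Outputs:   the name, or the IP when no usable name is available
#######################################
resolve_sitename() {
  local ip=$1 out first name=
  out=$(host "$ip" 2>/dev/null) || true
  first=${out%%$'\n'*}
  read -r _ _ _ _ name _ <<<"$first" || true
  if [[ -z "$name" || "$name" == "3(NXDOMAIN)" || ! "$name" =~ ^[A-Za-z0-9._-]+$ ]]; then
    name=$ip
  fi
  printf '%s\n' "$name"
}

#######################################
# Read the count stored by the previous run for a site.
# Arguments: $1 - path of the count file
# Outputs:   the stored non-negative integer, or 0 if the file is missing,
#            empty or does not hold a plain integer
#######################################
read_old_count() {
  local file=$1 value=
  if [[ -f "$file" ]]; then
    # `read` returns non-zero on a file without a trailing newline but still
    # fills `value`, so its status is ignored.
    IFS= read -r value < "$file" || true
  fi
  [[ "$value" =~ ^[0-9]+$ ]] || value=0
  printf '%s\n' "$value"
}

#######################################
# Mail the per-source breakdown for one destination IP.
# Globals:   windowSeconds, emailRecipient, tmpdir (read)
# Arguments: $1 - destination IP; the caller has already restricted it to
#                 IP-address characters, which is the only reason it is safe
#                 to splice into the SQL text (the mysql client offers no
#                 bound parameters)
#            $2 - mail subject
#            $3 - introductory body text
# Outputs:   a warning on stderr if `mail` fails; the run continues
#######################################
send_report() {
  local dest_ip=$1 subject=$2 intro=$3
  local report=$tmpdir/report.txt
  local query srcip geo count
  query="select src_ip, geo_location_country_code as geo, count(*) as srcnum from PRX.PROXY_LOG where (unix_timestamp(now()) - $windowSeconds ) <= log_time and dest_ip = '$dest_ip' group by src_ip order by srcnum desc;"
  printf 'Blocks\tGeo\tBlocked Source IP\n========================\n' > "$report"
  # --batch output is tab-separated; splitting on tabs only keeps the columns
  # aligned even when a field is empty.
  printf '%s\n' "$query" | run_mysql | while IFS=$'\t' read -r srcip geo count; do
    printf '%s\t%s\t%s\n' "$count" "$geo" "$srcip" >> "$report"
  done
  { printf '%s\n\n' "$intro"; cat -- "$report"; } | mail -s "$subject" "$emailRecipient" \
    || printf 'warning: mail to %s about %s failed\n' "$emailRecipient" "$dest_ip" >&2
}

#######################################
# Main: query the blocked-source counts per destination and alert.
# Globals:   threshold, multiplier, stateDir, windowSeconds (read)
#######################################
main() {
  local hostname_short query count dest_ip sitename oldcountfile oldvalue testvalue
  hostname_short=$(/bin/hostname)
  hostname_short=${hostname_short%%.*}
  query="select count(DISTINCT src_ip) as num_blocked, dest_ip from PRX.PROXY_LOG where (unix_timestamp(now()) - $windowSeconds ) <= log_time group by dest_ip order by num_blocked desc;"
  printf '%s\n' "$query" | run_mysql | while IFS=$'\t' read -r count dest_ip; do
    # Only accept a plain integer paired with an IP literal: dest_ip is later
    # spliced into SQL text, passed to `host`, and used in a file name.
    [[ "$count" =~ ^[0-9]+$ ]] || continue
    [[ "$dest_ip" =~ ^[0-9A-Fa-f.:]+$ ]] || continue
    (( count > threshold )) || continue

    sitename=$(resolve_sitename "$dest_ip")
    oldcountfile=$stateDir/oldcount.$hostname_short.$sitename
    # Never read from or write through a symlink planted at the predictable
    # path (stateDir defaults to the world-writable /tmp).
    if [[ -L "$oldcountfile" ]]; then
      printf 'warning: %s is a symlink, skipping %s\n' "$oldcountfile" "$sitename" >&2
      continue
    fi
    oldvalue=$(read_old_count "$oldcountfile")
    testvalue=$(( oldvalue * multiplier ))

    if (( count > testvalue )); then
      send_report "$dest_ip" \
        "F5 ASM alert $count blocked requesters on $sitename" \
        "F5 ASM blocked $count different requesters this past hour (up from $oldvalue blocks the previous hour)."
    fi
    # Recorded whenever the fixed threshold was exceeded, mailed or not.
    printf '%s\n' "$count" > "$oldcountfile"
  done
}

main "$@"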