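'========================================================================================================
'========================================================================================================
' ### Script: outbound.vbs
' ### ScriptVersion: 0
' ### Created: 04/07/02
' ### Group: corpsec
' ### Contact: Tim Chovanak, timc@blackpondfarm.com
' ### Description: Fast, Cheap, and Good
' ### Description: Shows total outbound traffic volume where a single client has sent more than 100 megs
' ###              through a single ISA server, and shows first log file entry where the byte count > 1048576
' ###              Thoroughly tested on Windows 2003 Advanced Server
'
' Usage:   outbound.vbs [<date> [<server>]]
'          <date>   month and day (MMDD) of the log to scan; defaults to today's date in GMT
'          <server> machine whose \\<server>\d$\logfiles share holds the log; defaults to this machine
' Output:  console, plus c:\temp\<server>-<date>-outbound.txt
'
' NOTE(review): the "Capture" column holds the first line seen for a client, replaced by every later
' line for that client whose cs-bytes exceeds 1048576 -- i.e. the LAST large entry, not the first as
' the description above says. Behaviour is kept as it was; confirm which one is wanted.
'========================================================================================================
'========================================================================================================
Option Explicit
On Error Resume Next

Const BYTES_PER_MEG = 1048576       ' 1 meg
Const REPORT_THRESHOLD = 104857600  ' 100 megs, or 100 times 1 meg at 1048576 bytes
Const OUTPUT_DIR = "c:\temp\"
Const SVC_ANCHOR = "fwsrv"          ' s-svcname value used to locate the columns in a log line
Const CS_BYTES_OFFSET = 7           ' cs-bytes is the 7th field after s-svcname

Dim wshShell, wshFile
Dim objDictionary, objDictionary2, arrayItems, i
Dim objArgs
Dim LogFile
Dim strServer, strHost, strDate
Dim strOutputFile
Dim objFolder
Dim strPath
Dim reDigits, reUnsafeName
Dim varTotal

Set wshShell = WScript.CreateObject("WScript.Shell")
Set wshFile = WScript.CreateObject("Scripting.FileSystemObject")

'Make sure the host is cscript, IF not THEN set default to cscript
If InStr(1, WScript.FullName, "cscript.exe", 1) = 0 Then VerifyCscript()

'objDictionary:  client IP -> running total of cs-bytes
'objDictionary2: client IP -> captured log line for that client
Set objDictionary = CreateObject("Scripting.Dictionary")
Set objDictionary2 = CreateObject("Scripting.Dictionary")

'Validators for values that end up inside file-system paths
Set reDigits = New RegExp
reDigits.Pattern = "^[0-9]+$"
Set reUnsafeName = New RegExp
reUnsafeName.Pattern = "[\\/:*?""<>|\x00-\x1F]"

'Get date in GMT
UTC()

'Un-comment the following line and set the correct date to have the script grab a different day
'strDate = "20020427"

strHost = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")

Set objArgs = WScript.Arguments
If objArgs.Count > 2 Then Usage ""

If objArgs.Count >= 1 Then
    'The date argument becomes part of the log and report file names, so accept exactly four digits.
    If Not IsMonthDay(objArgs(0)) Then Usage "Invalid date: expected month and day as four digits."
    'Keep strDate in step with the log being scanned so the report is named after that day
    'instead of overwriting today's report.
    strDate = Year(Now) & objArgs(0)
End If

If objArgs.Count = 2 Then
    'The server argument becomes part of a UNC path and of the report file name; refuse anything
    'containing path separators or other characters that are not valid in a file name.
    If Not IsSafeServerName(objArgs(1)) Then Usage "Invalid server name."
    strHost = objArgs(1)
End If

LogFile = "FWSEXTD" & strDate & ".Log"
strServer = "\\" & strHost

'Point to the logfiles directory
Err.Clear
Set objFolder = wshFile.GetFolder(strServer & "\d$\logfiles\")
If Err.Number <> 0 Then
    'Fail loudly instead of carrying on with an empty folder object.
    WScript.Echo strHost & "," & Err.Description & "," & strServer & "\d$\logfiles\"
    WScript.Quit
End If

'Set path to servername\logfiles directory
strPath = objFolder.Path & "\" & LogFile

'Clear out any existing output file. This is done before the log is read so that an error
'reported by FilterFile also lands in the report file.
If Not wshFile.FolderExists(OUTPUT_DIR) Then
    WScript.Echo "Warning: " & OUTPUT_DIR & " does not exist; results will only be shown on screen."
End If
strOutputFile = OUTPUT_DIR & strHost & "-" & strDate & "-outbound.txt"
If wshFile.FileExists(strOutputFile) Then wshFile.DeleteFile strOutputFile

FilterFile strPath

WScript.Echo "==================================="

'Print final results
arrayItems = objDictionary.Keys
screenout "Source Client Bytes Megabytes Notes Capture c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2 sessionid connectionid"
For i = 0 To objDictionary.Count - 1
    varTotal = objDictionary.Item(arrayItems(i))
    'Guard the numeric test: under On Error Resume Next a failing IF condition would
    'fall INTO the block and print a bogus row.
    If IsNumeric(varTotal) Then
        If CDbl(varTotal) > REPORT_THRESHOLD Then
            'CLng rather than CInt: CInt overflows above 32767 megs and the row would be lost.
            screenout Mid(strPath, 3) & " " & arrayItems(i) & " " & varTotal & " " & CLng(CDbl(varTotal) / BYTES_PER_MEG) & " x x " & objDictionary2.Item(arrayItems(i))
        End If
    End If
Next
screenout strServer & " Finished."

'========================================================================================================
'========================================================================================================
' Prints the command-line help (preceded by strReason when one is given) and ends the script.
Sub Usage(strReason)
    If Len(strReason) > 0 Then
        WScript.Echo strReason
        WScript.Echo ""
    End If
    WScript.Echo "Usage: outbound.vbs"
    WScript.Echo "or"
    WScript.Echo "outbound.vbs <date>"
    WScript.Echo "or"
    WScript.Echo "outbound.vbs <date> <server>"
    WScript.Echo "Where date is the month and day i.e. 0403"
    WScript.Echo ""
    WScript.Echo "When run without any parameters will use localmachine"
    WScript.Echo "and today's date."
    WScript.Echo ""
    WScript.Echo "Scan's the current (GMT) Firewall log and reports all"
    WScript.Echo "clients with more than 100 megs of outbound traffic"
    WScript.Echo ""
    WScript.Quit
End Sub

'========================================================================================================
'========================================================================================================
' True when strValue is exactly four decimal digits (MMDD).
Function IsMonthDay(strValue)
    IsMonthDay = False
    If Len(strValue) = 4 Then
        If reDigits.Test(strValue) Then IsMonthDay = True
    End If
End Function

'========================================================================================================
'========================================================================================================
' True when strValue is non-empty and holds none of \ / : * ? " < > | or control characters,
' so it can be used as the host part of a UNC path and inside a file name.
Function IsSafeServerName(strValue)
    IsSafeServerName = False
    If Len(strValue) > 0 Then
        If Not reUnsafeName.Test(strValue) Then IsSafeServerName = True
    End If
End Function

'========================================================================================================
'========================================================================================================
' Reads the tab-separated firewall log at strPath and accumulates, per client IP (first column),
' the sum of cs-bytes in objDictionary and a captured log line in objDictionary2.
' Quits the script when the log cannot be opened.
Function FilterFile(strPath)
    On Error Resume Next
    Dim logStream
    Dim FullLine, fields, idx, anchor
    Dim strIP, strcsBytes, dblBytes

    'c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2 sessionid connectionid"
    '65.53.173.93 SYSTEM Dfssvc.exe:3:5.0 N 2002-01-21 00:00:33 fwsrv MIAMIPROXY01 - mlapo.DLAPO.COM - - 2422 - - - - GHBN - - - 11001 - All IP Traffic - 4924 0

    WScript.Echo ""
    WScript.Echo strPath

    Set logStream = wshFile.OpenTextFile(strPath, 1)
    If Err.Number <> 0 Then
        screenout Mid(strServer, 3) & "," & Err.Description & "," & strPath
        WScript.Quit
    End If

    Do While Not logStream.AtEndOfStream
        Err.Clear
        FullLine = logStream.ReadLine
        If Err.Number <> 0 Then
            'A read failure (e.g. the share going away) must end the loop; otherwise
            'Resume Next would keep spinning on the same error.
            screenout Mid(strServer, 3) & "," & Err.Description & "," & strPath
            Exit Do
        End If

        fields = Split(FullLine, vbTab)

        'Locate the s-svcname column. It is never the first field, because the original
        'match required a tab in front of it.
        anchor = -1
        For idx = 1 To UBound(fields)
            If StrComp(fields(idx), SVC_ANCHOR, vbTextCompare) = 0 Then
                anchor = idx
                Exit For
            End If
        Next

        'Lines without the anchor or with too few columns (headers, truncated records) are
        'skipped, so they can no longer be charged to the previous line's client.
        If anchor > 0 Then
            If anchor + CS_BYTES_OFFSET <= UBound(fields) Then
                strIP = fields(0)
                strcsBytes = fields(anchor + CS_BYTES_OFFSET)

                '"-" means no byte count was logged; anything else must be a plain digit string.
                If reDigits.Test(strcsBytes) Then
                    dblBytes = CDbl(strcsBytes)
                    If objDictionary.Exists(strIP) Then
                        objDictionary.Item(strIP) = objDictionary.Item(strIP) + dblBytes
                        If strIP <> "-" Then
                            If dblBytes > BYTES_PER_MEG Then objDictionary2.Item(strIP) = FullLine
                        End If
                    Else
                        objDictionary.Add strIP, dblBytes
                        objDictionary2.Add strIP, FullLine
                    End If
                End If
            End If
        End If
    Loop

    logStream.Close
    Set logStream = Nothing
End Function

'========================================================================================================
'========================================================================================================
' Sets the global strDate to the current GMT date as YYYYMMDD.
Function UTC()
    'Get time in GMT or UTC
    On Error Resume Next
    Dim dateTime, utcNow
    Dim objZones, inst, biasMinutes

    Set dateTime = CreateObject("WbemScripting.SWbemDateTime")
    If Err.Number <> 0 Then
        'Pre-.NET server, use a cludgy conversion
        Err.Clear
        biasMinutes = 0
        'Now is this machine's clock, so the time zone is read from this machine ("."); strServer
        'is not assigned yet when UTC() runs.
        Set objZones = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").InstancesOf("Win32_TimeZone")
        If Err.Number = 0 Then
            For Each inst In objZones
                'NOTE(review): DaylightBias is applied unconditionally, as in the original;
                'confirm the result outside daylight-saving time.
                biasMinutes = inst.Bias - inst.DaylightBias
            Next
        End If
        Err.Clear
        'Shift the whole timestamp so day, month and year all roll over together.
        utcNow = DateAdd("n", -biasMinutes, Now)
    Else
        dateTime.SetVarDate CDate(Now)
        utcNow = dateTime.GetVarDate(False)
    End If

    strDate = Year(utcNow) & Right("0" & Month(utcNow), 2) & Right("0" & Day(utcNow), 2)
End Function

'========================================================================================================
'========================================================================================================
' Echoes text to the console and appends it to strOutputFile, creating the file when needed.
' File errors are ignored so a missing output directory does not stop the scan.
Function screenout(text)
    Dim outStream
    On Error Resume Next

    WScript.Echo text

    'Nothing to append to until the report path has been chosen.
    If Len(strOutputFile) = 0 Then Exit Function

    '8 = ForAppending, True = create the file when it does not exist yet
    Set outStream = wshFile.OpenTextFile(strOutputFile, 8, True)
    If Err.Number = 0 Then
        outStream.WriteLine text
        outStream.Close
    End If
    Set outStream = Nothing
    Err.Clear
End Function

'========================================================================================================
'========================================================================================================
' Called when the script was not started under cscript.exe. Tells the user what is about to happen,
' runs "wscript //h:cscript //nologo //s" and quits; the user has to run the script again.
' NOTE(review): //h:cscript together with //s is a saved setting, not a per-run one, so other
' scripts started afterwards by the same user are affected too.
Function VerifyCscript()
    Dim temp
    REM ###### Sets up Vbscript to always run in command window ######
    temp = MsgBox ("The script is changing your default output of Windows Scripting Host to the command prompt." &_
        vbCrLf & "This is pop up is normal, just re-run the script after the third pop-up.", 0, "WSH default changed to cscript.")
    temp = wshShell.Run("cmd /c ""wscript //h:cscript //nologo //s 1>nul 2>nul""", 0, True)
    WScript.Quit
End Function
'========================================================================================================
'========================================================================================================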