--- fwanalog.sh.orig	Sun Dec  5 14:27:25 2004
+++ fwanalog.sh	Sun Dec  5 14:24:28 2004
@@ -885,6 +886,87 @@
 	# $outdir/fwanalog.current.log now contains the data in the Analog URL format.
 }
 
+freebsd_pf () 
+{
+	# Parse Freebsd 5.x pf logfiles into an analog-compatible "URL log"
+
+	(for log in $inputfiles ; do
+		if [ "$( expr "$log" : '.*\(bz2\)' )" = "bz2" ]; then
+			bzcat $log \
+			| $tcpdump -n -e -tttt -q -r -
+		else
+			$tcpdump -n -e -tttt -q -r $log 
+		fi
+	done) \
+		| $egrep -h "rule .+: block .+ on .+ [0-9.]{7}" \
+		> $outdir/fwanalog.current
+
+	mkmonthconvscript-slash
+	# Create script to convert lines with a numeric month and dashes 
+	# to the alphanumeric month with slashes (Jan...Dec)
+
+	$sed -f $outdir/convdate.sed $outdir/fwanalog.current \
+		> $outdir/fwanalog.current.withmonth
+	# Use the script on the current logfile
+
+	# Example of converted log line:
+	#  TCP:
+	#	2004-12-04 14:09:20.562164 rule 0/0(match): block in on ng0: 
+	#		IP 213.229.55.195.1054 > 213.229.63.234.445: tcp 0
+	#
+	#	2004-12-04 14:09:52.027033 rule 43/0(match): block out on ste2: 
+	#		IP 192.168.169.33.22 > 192.168.170.36.49772: tcp 0
+	#
+	#  UDP:
+	#	2004-09-06 20:49:34.022988 rule 0/0(match): block in on ng0: 
+	#		IP 213.150.1.6.53 > 213.229.63.234.49152: UDP, length: 50
+	#
+	#  ICMP:
+	#	2004-09-17 05:47:05.746445 rule 32/0(match): block out on ste1:
+	#		 IP 192.168.169.33 > 192.168.169.46: icmp 28: echo request seq 0
+	#
+	# Example of desired output:
+	# 192.168.49.2 - - [5/Apr/2001:16:55:54 +0200] "GET /192.168.49.3/tcp/22 HTTP/1.0" 
+	#	200 20 "2081" "" 0 ae0
+	#
+	# Which means:
+	# ip - - [date] "GET Desthost/Protocol/Port" 200 PcktLen "http://Sourceport/" "Macadr" 0 interface
+	# Sourceport is in the referrer field, macadr in the user-agent, interface
+	# in the VirtualHost. There is no macadr in the BSD log.
+	
+	# Decide if the source or the destination host is included in the 
+	# Blocked Packet Report (option "onehost" in fwanalog.opts)
+	# altreqhost is needed for unknown protocols (e.g. esp, ah)
+	if [ $onehost = true ]; then
+		reqhost="\$6"				# The analog "request" contains the source ip
+		altreqhost="\$7"
+	elif [ $onehost =  dynip ]; then
+		reqhost="firewall"			# The analog "request" contains this string
+		altreqhost="firewall"
+	else
+		reqhost="\$8"				# The analog "request" contains the destination ip
+		altreqhost="\$9"
+	fi
+
+	#first TCP, then UDP, then ICMP, then others (hopefully this works)
+	#               1      2    3        4                               5          6         7           8       9
+	$perl -pwe "s!^(\d+)/(\w+)/(\d+) +([0-9:]+)\.\d+ rule.+block \w+ on (\w+): IP ([0-9.]+)\.(\d+) \> ([0-9.]+)\.(\d+): tcp (\d+)(.*)\$!\$6 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /$reqhost/tcp/\$9/ HTTP/1.0\" 200 \$10 \"http://\$8/\" \"\" 0 \$5!" \
+		$outdir/fwanalog.current.withmonth \
+ 	|$perl -pwe "s!^(\d+)/(\w+)/(\d+) +([0-9:]+)\.\d+ rule.+block \w+ on (\w+): IP ([0-9.]+)\.(\d+) \> ([0-9.]+)\.(\d+): +UDP, length: (\d+).*\$!\$6 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /$reqhost/udp/\$7/ HTTP/1.0\" 200 \$10 \"http://\$8/\" \"\" 0 \$5!" \
+	|$perl -pwe "s!echo re(quest|ply)!echo_re\$1!" \
+	|$perl -pwe "s!host(.+)unreachable!host_unreachable!" \
+	|$perl -pwe "s!^(\d+)/(\w+)/(\d+) +([0-9:]+)\.\d+ rule.+block \w+ on (\w+): IP ([0-9.]+) \> ([0-9.]+): icmp (\d+): ([a-z][a-z_]+).*\$!\$6 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /\$6/icmp/\$9/ HTTP/1.0\" 200 0 \"http://\$7/\" \"\" 0 \$5!" \
+	|$perl -pwe "s!^(\d+)/(\w+)/(\d+) +([0-9:]+)\.\d+ rule.+block \w+ on (\w+): IP ([0-9.]+) \> ([0-9.]+): icmp \d+: ([0-9.]+) protocol \d+ port (\d+) unreachable.*\$!\$6 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /\$6/icmp_port_unreachable/\$9/ HTTP/1.0\" 200 0 \"http://\$7/\" \"\" 0 \$5!" \
+        > $outdir/fwanalog.current.log
+
+# 	|$perl -pwe "s!^(\d+) +(\w+) +(\d+) +([0-9:]+)\.\d+ rule.+block \w+ on (\w+): ([0-9.]+)(X?) \\> ([0-9.]+): icmp: ([a-z][a-z_]+).*\$!\$6 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /$reqhost/icmp/\$9/ HTTP/1.0\" 200 0 \"http://\$7/\" \"\" 0 \$5!" \
+# 	|$perl -pwe "s!^(\d+) +(\w+) +(\d+) +([0-9:]+)\.\d+ rule.+block \w+ on (\w+): ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.?(\d*) \\> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.?(\d*): (\S*) ?(\d*).*\$!\$6 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /$reqhost/\$10/\$9/ HTTP/1.0\" 200 0\$11 \"http://\$7/\" \"\" 0 \$5!" \
+# 	|$perl -pwe "s!^(\d+) +(\w+) +(\d+) +([0-9:]+)\.\d+ rule.+block \w+ on (\w+): (\w+) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.?(\d*) \\> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.?(\d*).*len (\d+).*\$!\$7 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /$altreqhost/\$6\$10/ HTTP/1.0\" 200 \$11 \"http://\$8\" \"\" 0 \$5!" \
+#		> $outdir/fwanalog.current.log
+
+	# $outdir/fwanalog.current.log now contains the data in the Analog URL format.
+}
+
 ipchains () 
 {
 	# Parse ipchains logfiles into an analog-compatible "URL log"
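Review bot: The two ICMP substitutions (the fifth and sixth perl stages) hardcode `\$6`, the source address, as the request host, so the `onehost` choice computed just above (`$reqhost` = source, destination or `firewall`) is silently ignored for ICMP while the TCP and UDP stages honor it. The commented-out block below already shows the fix: insert a dummy group `(X?)` after the source address so the destination lands in group 8 as in the TCP/UDP patterns, then write `/$reqhost/icmp/` in both replacements and shift the remaining back-references up by one (`\$7` to `\$8`, `\$9` to `\$10`). `$altreqhost` is assigned but only referenced in the commented-out lines, so it is dead code in this function. Separately, `[ $onehost = true ]`, `bzcat $log` and `-r $log` are unquoted: an empty `onehost` turns the test into a syntax error that falls through to the else branch, and a log path containing whitespace is word-split, so `"$onehost"` and `"$log"` should be used.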
@@ -1428,6 +1510,28 @@
 	) > $outdir/convdate.sed
 }
 
+mkmonthconvscript-slash ()
+{
+	# Creates a sed script in the output dir which converts the firewall logs
+	# containg dashes (2004-12-04) and the month specified numerically to
+	# the month's abbreviation with slashes (2004/Jan/04)
+
+	(
+	echo "s!-01-!/Jan/!"
+	echo "s!-02-!/Feb/!"
+	echo "s!-03-!/Mar/!"
+	echo "s!-04-!/Apr/!"
+	echo "s!-05-!/May/!"
+	echo "s!-06-!/Jun/!"
+	echo "s!-07-!/Jul/!"
+	echo "s!-08-!/Aug/!"
+	echo "s!-09-!/Sep/!"
+	echo "s!-10-!/Oct/!"
+	echo "s!-11-!/Nov/!"
+	echo "s!-12-!/Dec/!"
+	) > $outdir/convdate.sed
+}
+
 rotate_cache ()
 {
 	# Greps all entries not from the current month from $outdir/fwanalog.all.log
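Review bot: `mkmonthconvscript-slash` is not a valid function name under POSIX sh (hyphens are accepted by bash but not by dash and other strict shells), so if this script is run via `/bin/sh` on such a system both this definition and its caller in `freebsd_pf` fail to parse; `mkmonthconvscript_slash` keeps the existing naming scheme and is portable. The generated sed expressions are unanchored, so `s!-01-!/Jan/!` rewrites the first `-01-` anywhere in the line rather than only the leading timestamp; anchoring them, e.g. `s!^\([0-9]\{4\}\)-01-!\1/Jan/!`, limits the rewrite to the date field. The twelve `echo` lines could also be a single quoted here-document, which is easier to read and keeps the `!` delimiters from ever being interpreted by the shell.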
