fwlog - extract connection data from firewall logs
use fwlog;
$result = fwlog::Auto(...one line of firewall logs...);
$result = fwlog::Protocol(protocol number);
$result = fwlog::Service(port number/protocol number);
fwlog::Auto extracts the following data from firewall logs.
- Action
- Source
- Destination
- Protocol
- Port
Data is returned separated by vertical bars "|". For example "drop|10.1.1.1|192.168.1.1|tcp|25".
fwlog::Protocol resolves IP protocol numbers to names using your /etc/protocols file.
fwlog::Service resolves service numbers to names using your /etc/services file and the IP protocol number.
Note: to use fwlog::Service for ICMP types and codes as per RFC-792, add the following to your /etc/services:
# fwlog services
ping-request            (type-8,code-0)/icmp
ping-reply              (type-0,code-0)/icmp
network-unreachable     (type-3,code-0)/icmp
host-unreachable        (type-3,code-1)/icmp
protocol-unreachable    (type-3,code-2)/icmp
port-unreachable        (type-3,code-3)/icmp
frag-needed-but-DF-set  (type-3,code-4)/icmp
src-route-failed        (type-3,code-5)/icmp
source-quench           (type-4,code-0)/icmp
parameter-problem       (type-12,code-0)/icmp
ttl-excd-in-tran        (type-11,code-0)/icmp
frag-reass-time-excd    (type-11,code-1)/icmp
redir-net               (type-5,code-0)/icmp
redir-host              (type-5,code-1)/icmp
redir-ToS-and-net       (type-5,code-2)/icmp
redir-ToS-and-host      (type-5,code-3)/icmp
timestamp-request       (type-13,code-0)/icmp
timestamp-reply         (type-14,code-0)/icmp
info-request            (type-15,code-0)/icmp
info-reply              (type-16,code-0)/icmp
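As an added example (not part of fwlog), the Perl script below shows how entries of the form above are used once they are in /etc/services: it parses a constructed fragment in /etc/services format and resolves "port/protocol" keys, including the ICMP "(type-N,code-M)/icmp" pseudo-ports, to service names. The embedded services text and the load_services and service_name functions are assumptions of this example and are not fwlog's API.

```perl
#!/usr/bin/perl
# Added example (not fwlog's own code): resolve "port/protocol" keys,
# including the ICMP "(type-N,code-M)/icmp" pseudo-ports, against text
# in /etc/services format.
use strict;
use warnings;

# Constructed fragment in /etc/services format (a stand-in for the real file).
my $services_text = <<'END';
# Network services, Internet style
smtp            25/tcp          mail
domain          53/tcp
domain          53/udp
# fwlog services
ping-request    (type-8,code-0)/icmp
ping-reply      (type-0,code-0)/icmp
port-unreachable (type-3,code-3)/icmp
END

# Build a map from "port/proto" to service name. Comments and aliases are
# dropped; the first entry for a key wins.
sub load_services {
    my ($text) = @_;
    my %by_key;
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;                 # strip comments
        next if $line =~ /^\s*$/;         # skip blank lines
        my ($name, $key) = split ' ', $line;   # name, "port/proto", aliases...
        next unless defined $key && $key =~ m{^[^/\s]+/[a-z0-9]+$}i;
        $by_key{ lc $key } //= $name;
    }
    return \%by_key;
}

# Resolve a key such as "25/tcp" or "(type-8,code-0)/icmp"; the key itself
# is returned when it is not listed, so output stays readable.
sub service_name {
    my ($map, $key) = @_;
    return $map->{ lc $key } // $key;
}

my $map = load_services($services_text);
for my $key ('25/tcp', '53/udp', '(type-8,code-0)/icmp',
             '(type-3,code-3)/icmp', '4444/tcp') {
    printf "%-24s %s\n", $key, service_name($map, $key);
}
```

Because the ICMP lines use a non-numeric "port" field, the standard getservbyport() lookup cannot use them; a text parse like this one is what makes the convention work.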
fwlog::Auto recognises log lines from the following firewalls and entry types:
- Checkpoint Firewall-1
  - accept
  - drop
  - reject
- NetScreen
  - Permit
  - Deny
- CISCO Pix (IOS v6.1 and v6.2 and maybe others)
  - PIX-6-302013
  - PIX-5-304001
  - PIX-6-106015
  - PIX-3-305005
  - PIX-3-106011
- Smoothwall (v0.9)
  - the only chain logged by Smoothwall is a hyphen "-".
- IPCHAINS
  - drops
  - rejects
  - redirects
  - custom chains
- IPTABLES (using fwbuilder)
  - drops
  - accepts
- ipf
  - pass
  - block
- pfSense
  - pass
  - block
use strict;
use warnings;
use fwlog;

my (%events, %unknownLines);
while (<>) {
    chomp;
    my $data = fwlog::Auto($_);
    # fwlog::Auto returns undef for lines it does not recognise as connection data
    if (!defined $data) {
        $unknownLines{$_}++;
        next;
    }
    $events{$data}++;
}

print "\n\nConnections:\n";
foreach my $event (sort { $events{$b} <=> $events{$a} } keys %events) {
    print "\t$events{$event}: $event\n";
}

print "\n\nLines not processed as connection data:\n";
foreach my $unknown (sort { $unknownLines{$b} <=> $unknownLines{$a} } keys %unknownLines) {
    print "\t$unknownLines{$unknown}: $unknown\n";
}
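Building on the example above, here is an added script (not part of fwlog) that consumes records in fwlog::Auto's "action|source|destination|protocol|port" output format and reports which destination ports are most often denied and how many distinct destinations each denied source touched, which is the view a defender wants when checking a log for port sweeps. The record list is constructed sample data in the documented format; in practice each entry would come from fwlog::Auto($_) over a real log line. The parse_record and summarise functions and the %denied action set are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not fwlog's own code): summarise records in fwlog::Auto's
# "action|source|destination|protocol|port" output format.
use strict;
use warnings;

# Constructed sample records in the format fwlog::Auto returns.
# In practice each comes from fwlog::Auto($line) for a real log line.
my @records = (
    'drop|10.1.1.1|192.168.1.1|tcp|25',
    'drop|10.1.1.1|192.168.1.1|tcp|23',
    'drop|10.1.1.1|192.168.1.2|tcp|23',
    'drop|10.1.1.1|192.168.1.3|tcp|23',
    'accept|10.1.1.7|192.168.1.1|tcp|25',
);

# Actions meaning the firewall refused the connection; names vary by product
# (drop/reject for Firewall-1 and IPCHAINS, deny for NetScreen, block for ipf/pfSense).
my %denied = map { $_ => 1 } qw(drop reject deny block);

# Parse one record into a hash reference; returns undef for malformed input.
sub parse_record {
    my ($rec) = @_;
    my @f = split /\|/, $rec, -1;
    return unless @f == 5;
    my %r;
    @r{qw(action src dst proto port)} = @f;
    return \%r;
}

# Count denied connections per "port/proto" and, per source, the number of
# distinct destinations it was denied to (many hosts on one port suggests a sweep).
sub summarise {
    my (@recs) = @_;
    my (%by_port, %dsts_by_src);
    for my $rec (@recs) {
        my $r = parse_record($rec) or next;
        next unless $denied{ lc $r->{action} };
        $by_port{"$r->{port}/$r->{proto}"}++;
        $dsts_by_src{ $r->{src} }{ $r->{dst} }++;
    }
    my %hosts_per_src =
        map { $_ => scalar keys %{ $dsts_by_src{$_} } } keys %dsts_by_src;
    return (\%by_port, \%hosts_per_src);
}

my ($by_port, $hosts_per_src) = summarise(@records);

print "Denied connections per destination port:\n";
for my $k (sort { $by_port->{$b} <=> $by_port->{$a} } keys %$by_port) {
    printf "\t%d: %s\n", $by_port->{$k}, $k;
}

print "Distinct destinations contacted per denied source:\n";
for my $s (sort { $hosts_per_src->{$b} <=> $hosts_per_src->{$a} } keys %$hosts_per_src) {
    printf "\t%d: %s\n", $hosts_per_src->{$s}, $s;
}
```

The "port/proto" keys are in the form fwlog::Service accepts (see the "25/$protocol" example below), so each line of the port report can be labelled with a service name by passing the key to fwlog::Service before printing.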
use strict;
use warnings;
use fwlog;

my $protocol = fwlog::Protocol("6");   # resolved via /etc/protocols
print "$protocol\n";
use strict;
use warnings;
use fwlog;

my $protocol = fwlog::Protocol("6");            # resolved via /etc/protocols
my $service  = fwlog::Service("25/$protocol");  # resolved via /etc/services
print "$protocol, $service\n";

# ICMP types and codes resolve only if the entries listed above are in /etc/services
$protocol = fwlog::Protocol("1");
$service  = fwlog::Service("(type-13,code-0)/$protocol");
print "$protocol, $service\n";
Ed Blanchfield <Ed@E-Things.Org>
This program is free software; you can redistribute it and/or modify it under the terms of the Perl Artistic License or the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
If you do not have a copy of the GNU General Public License write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.