fwlog - extract connection data from firewall logs
    use fwlog;

    $result = fwlog::Auto(...one line of firewall logs...);
    $result = fwlog::Protocol(protocol number);
    $result = fwlog::Service(port number/protocol number);
fwlog::Auto extracts the following data from firewall logs.
- Action
- Source
- Destination
- Protocol
- Port

Data is returned separated by vertical bars "|", for example "drop|10.1.1.1|192.168.1.1|tcp|25".
fwlog::Protocol resolves IP protocol numbers to names using your /etc/protocols file.

fwlog::Service resolves service numbers to names using your /etc/services file and the IP protocol number.
Note: to use fwlog::Service for ICMP types and codes as per RFC-792, add the following to your /etc/services:

    # fwlog services
    ping-request            (type-8,code-0)/icmp
    ping-reply              (type-0,code-0)/icmp
    network-unreachable     (type-3,code-0)/icmp
    host-unreachable        (type-3,code-1)/icmp
    protocol-unreachable    (type-3,code-2)/icmp
    port-unreachable        (type-3,code-3)/icmp
    frag-needed-but-DF-set  (type-3,code-4)/icmp
    src-route-failed        (type-3,code-5)/icmp
    source-quench           (type-4,code-0)/icmp
    parameter-problem       (type-12,code-0)/icmp
    ttl-excd-in-tran        (type-11,code-0)/icmp
    frag-reass-time-excd    (type-11,code-1)/icmp
    redir-net               (type-5,code-0)/icmp
    redir-host              (type-5,code-1)/icmp
    redir-ToS-and-net       (type-5,code-2)/icmp
    redir-ToS-and-host      (type-5,code-3)/icmp
    timestamp-request       (type-13,code-0)/icmp
    timestamp-reply         (type-14,code-0)/icmp
    info-request            (type-15,code-0)/icmp
    info-reply              (type-16,code-0)/icmp
- Checkpoint Firewall-1
  - accept
  - drop
  - reject
- NetScreen
  - Permit
  - Deny
- CISCO Pix (IOS v6.1 and v6.2 and maybe others)
  - PIX-6-302013
  - PIX-5-304001
  - PIX-6-106015
  - PIX-3-305005
  - PIX-3-106011
- Smoothwall (v0.9)
  - the only chain logged by Smoothwall is a hyphen "-".
- IPCHAINS
  - drops
  - rejects
  - redirects
  - custom chains
- IPTABLES (using fwbuilder)
  - drops
  - accepts
- ipf
  - pass
  - block
- pfSense
  - pass
  - block
    use strict;
    use warnings;
    use fwlog;

    my (%events, %unknownLines);

    while (<>) {
        chomp;
        my $data = &fwlog::Auto($_);
        # Lines that Auto does not recognise as connection data come back
        # undefined (or empty); count them separately instead of as events.
        if (!defined $data || $data eq '') {
            $unknownLines{$_}++;
            next;
        }
        $events{$data}++;
    }

    print "\n\nConnections:\n";
    foreach my $event (sort { $events{$b} <=> $events{$a} } keys %events) {
        print "\t$events{$event}: $event\n";
    }

    print "\n\nLines not processed as connection data:\n";
    foreach my $unknown (sort { $unknownLines{$b} <=> $unknownLines{$a} } keys %unknownLines) {
        print "\t$unknownLines{$unknown}: $unknown\n";
    }
    use fwlog;

    my $protocol = &fwlog::Protocol("6");
    print "$protocol\n";
    use fwlog;

    # TCP (protocol 6), port 25
    my $protocol = &fwlog::Protocol("6");
    my $service  = &fwlog::Service("25/$protocol");
    print "$protocol, $service\n";

    # ICMP (protocol 1), timestamp request; reuse the variables rather than
    # redeclaring them with "my" in the same scope
    $protocol = &fwlog::Protocol("1");
    $service  = &fwlog::Service("(type-13,code-0)/$protocol");
    print "$protocol, $service\n";
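The following stand-alone script is an added example, not part of the fwlog distribution: it reproduces the lookups that fwlog::Protocol and fwlog::Service perform against constructed /etc/protocols and /etc/services text embedded inline (including ICMP entries in the convention shown above), then annotates records in the fwlog::Auto "action|src|dst|proto|port" layout with a service name. The helper names load_map, protocol_name and service_name are assumptions of this example, not fwlog's API.

```perl
use strict;
use warnings;
# Constructed stand-ins for /etc/protocols and /etc/services (same column
# layout as the real files; the ICMP lines follow the fwlog convention above).
my $protocols_text = <<'END';
# name  number  aliases
icmp    1       ICMP
tcp     6       TCP
udp     17      UDP
END

my $services_text = <<'END';
smtp              25/tcp    mail
# fwlog services
ping-request      (type-8,code-0)/icmp
port-unreachable  (type-3,code-3)/icmp
timestamp-request (type-13,code-0)/icmp
END

# Map the second column (number or port/proto) to the first (name),
# skipping blank and comment lines as the system files allow.
sub load_map {
    my %map;
    for (split /\n/, shift) {
        next if /^\s*(#|$)/;
        my ($name, $key) = split ' ';
        $map{$key} = $name;
    }
    return %map;
}
my %proto_name   = load_map($protocols_text);
my %service_name = load_map($services_text);

# Hypothetical equivalents of fwlog::Protocol("6") and fwlog::Service("25/tcp");
# unknown values are passed through unchanged so nothing is silently dropped.
sub protocol_name { my $n = shift; return $proto_name{$n} // $n }
sub service_name  { my $k = shift; return $service_name{$k} // $k }

# Constructed records in the fwlog::Auto "action|src|dst|proto|port" layout.
my @records = (
    'drop|10.1.1.1|192.168.1.1|tcp|25',
    'accept|10.1.1.2|192.168.1.1|6|25',
    'drop|10.1.1.3|192.168.1.1|1|(type-13,code-0)',
);
for my $rec (@records) {
    my ($action, $src, $dst, $proto, $port) = split /\|/, $rec;
    $proto = protocol_name($proto);
    printf "%-7s %s -> %s %s/%s\n", $action, $src, $dst, $proto, service_name("$port/$proto");
}
```

Swapping the embedded text for the contents of the real /etc/protocols and /etc/services files gives the same behaviour the module describes.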
Ed Blanchfield <Ed@E-Things.Org>
This program is Copyright 2000 by Ed Blanchfield.
This program is free software; you can redistribute it and/or modify it under the terms of the Perl Artistic License or the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
If you do not have a copy of the GNU General Public License write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
To install fwlog, copy and paste the appropriate command into your terminal.

cpanm:

    cpanm fwlog

CPAN shell:

    perl -MCPAN -e shell
    install fwlog