Below (behind the "read more" button) is my pre-parser for DShield pf logging: it rewrites our pflog output into the format the stock DShield pf.pl client expects.

#!/usr/bin/perl
###############################################################################
# $Id: parse.pl,v 1.8 2005/05/28 22:11:40 remko Exp $
###############################################################################
# Copyright (C) 2005, Remko Lodder . All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS “AS IS” AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
###############################################################################
# This script parses our current pflog format and rewrites it so that the
# stock pf.pl client from dshield can parse the result.
# We wrote it because the format pf.pl expects differs from what our logger
# actually produces, so the lines have to be massaged a bit first. Hence, this script.
###############################################################################

use strict;
use warnings;

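# Input: raw pflog lines (tcpdump-style text) from our pf logger.
# Output: one line per matched packet in the "Mon DD HH:MM:SS.uuuuuu ..."
# shape that dshield's stock pf.pl parser understands. The print formats
# below ARE that contract: change them only together with pf.pl.
my $LOGFILE = "/home/pflogger/pf-dshield.log";
my $OUTFILE = "/home/pflogger/pf-parsed.log";

# Three-argument open on lexical handles, and fail loudly. The previous
# two-argument, unchecked opens had a nasty failure mode: if $LOGFILE was
# unreadable, $OUTFILE was still truncated to zero bytes and the script
# exited 0, so the downstream dshield submission looked like "nothing seen"
# instead of like an error. The output file is only created once the input
# has been opened successfully.
open(my $in, '<', $LOGFILE)
        or die "Cannot open $LOGFILE for reading: $!\n";
open(my $out, '>', $OUTFILE)
        or die "Cannot open $OUTFILE for writing: $!\n";

# Every line describes a packet sent by some arbitrary remote host, so
# nothing in it is trusted. Each branch only echoes captured groups of an
# anchored pattern; lines that fit no pattern are reported on stdout and
# deliberately NOT forwarded. Branches are tried in order, so a line that
# matches an earlier one never reaches a later one. $year is captured but
# unused because the pf.pl format carries no year.
LINE: while (my $line = <$in>) {
        chomp $line;

        # TCP output: "... <src> > <dst>: <flag> [tcp ..."
        # Only a single flag character ([A-Z*]) is accepted here; a line
        # with several flag letters does not match this branch.
        if (
          (my ($year,$month,$day,$time,$extra,$src,$dst,$flags,$protocol)) =
          ($line =~ m/^(\d{4})\-(\d{2})\-(\d{2}) (\d{2}:\d{2}:\d{2}\.\d+) (.*) (\d+\.\d+\.\d+\.\d+\.\d+) \> (\d+\.\d+\.\d+\.\d+\.\d+): ([A-Z*]) \[(tcp)/)
          ) {
                my $Month = ParseMonth($month);
                print {$out} "$Month $day $time $extra: $src > $dst: $flags [$protocol\n";
        }
        # TCP special output: the PSH ("P") form has no "[tcp" marker, e.g.
        # --> 2005-05-28 11:37:19.310092 rule 65/0(match): block in on em0: IP (tos 0x10, ttl  57, id 65225, offset 0, flags [DF], length: 100) 195.64.94.120.51320 > 217.148.169.57.22: P 1031327946:1031327994(48) ack 1475109561 win 65535 <nop,nop,timestamp 1856875172 135036302>
        # The protocol is therefore hard-coded to "tcp" on output.
        elsif (
          (my ($year,$month,$day,$time,$extra,$src,$dst,$flags)) =
          ($line =~ m/^(\d{4})\-(\d{2})\-(\d{2}) (\d{2}:\d{2}:\d{2}\.\d+) (.*) (\d+\.\d+\.\d+\.\d+\.\d+) \> (\d+\.\d+\.\d+\.\d+\.\d+): (P)/)
          ) {
                my $Month = ParseMonth($month);
                print {$out} "$Month $day $time $extra: $src > $dst: $flags [tcp\n";
        }
        # UDP output: "... <src> > <dst>: UDP, ..." -- flags are always "N".
        elsif (
          (my ($year,$month,$day,$time,$extra,$src,$dst,$textra)) =
          ($line =~ m/^(\d{4})\-(\d{2})\-(\d{2}) (\d{2}:\d{2}:\d{2}\.\d+) (.*) (\d+\.\d+\.\d+\.\d+\.\d+) \> (\d+\.\d+\.\d+\.\d+\.\d+): UDP\, (.*)$/)
          ) {
                my $Month = ParseMonth($month);
                print {$out} "$Month $day $time $extra: $src > $dst: N [udp\n";
        }
        # UDP special output: same as above but with extra text between the
        # destination and the "UDP," marker.
        elsif (
          (my ($year,$month,$day,$time,$extra,$src,$dst,$textra)) =
          ($line =~ m/^(\d{4})\-(\d{2})\-(\d{2}) (\d{2}:\d{2}:\d{2}\.\d+) (.*) (\d+\.\d+\.\d+\.\d+\.\d+) \> (\d+\.\d+\.\d+\.\d+\.\d+): .* UDP\, (.*)$/)
          ) {
                my $Month = ParseMonth($month);
                print {$out} "$Month $day $time $extra: $src > $dst: N [udp\n";
        }
        # ICMP output: addresses carry no port here, and the two words after
        # "icmp <n>:" (e.g. the type/code description) are passed through.
        elsif (
          (my ($year,$month,$day,$time,$extra,$src,$dst,$textra)) =
          ($line =~ m/^(\d{4})\-(\d{2})\-(\d{2}) (\d{2}:\d{2}:\d{2}\.\d+) (.*) (\d+\.\d+\.\d+\.\d+) \> (\d+\.\d+\.\d+\.\d+): icmp \d+: +(\w+\s+\w+)/)
          ) {
                my $Month = ParseMonth($month);
                print {$out} "$Month $day $time $extra: $src > $dst: icmp: $textra\n";
        }
        else {
                # Unknown line shape: report it so the patterns above can be
                # extended, but never forward unparsed data to dshield.
                print "we did not match at all\n";
                print "--> $line\n";
        }
}

# Buffered write errors (e.g. a full disk) only surface at close time;
# a partial $OUTFILE must not be submitted silently.
close($out) or die "Cannot close $OUTFILE: $!\n";
close($in);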

# Map a zero-padded two-digit month number ("01".."12") to the three-letter
# English abbreviation that dshield's pf.pl parser expects in its date field.
#
# Any other value -- including unpadded ("1"), out-of-range ("13") or empty
# input -- is mapped to "Jan" rather than rejected. Callers that need the
# month to be accurate must therefore validate it before calling this.
sub ParseMonth {
        my ($month) = @_;

        my %abbrev_of = (
                '01' => 'Jan',
                '02' => 'Feb',
                '03' => 'Mar',
                '04' => 'Apr',
                '05' => 'May',
                '06' => 'Jun',
                '07' => 'Jul',
                '08' => 'Aug',
                '09' => 'Sep',
                '10' => 'Oct',
                '11' => 'Nov',
                '12' => 'Dec',
        );

        # String comparison, exactly as the original "eq" chain: only the
        # literal two-character keys above are recognised.
        return 'Jan' unless defined $month and exists $abbrev_of{$month};
        return $abbrev_of{$month};
}
