On Sun, 20 Oct 2002, Franck MAHE wrote:
David, Achim,
Around a month ago I posted a similar message to this list and got some answers: - Achim Hoffmann sent me a Perl-script for making a readable file out of [ .. ] I'm interested in getting this script. Could you post it on this list or send it to me by mail?
kernel.info in /etc/syslog.conf
ok, I'll post my basic script. Use it as is, or improve it as you like (you need to adapt some variables first). If somebody improves it in a valuable way (meaning it may be useful for others), please send me the changes. <comment to other suggestion to this thread> this redirects all kernel messages of facility info to the specified file, not only those of iptables
.. snort .. does not make any sense for the questioner's purpose (filtering iptables messages)
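# Script follows, Achim.
# -------------------------------------------
#! /usr/bin/perl
#?
#? NAME
#?      $0 - extract and format log messages of iptables
#?
#? SYNOPSIS
#?      $0 [-h] [logfile]
#?
#? DESCRIPTION
#?      Reads a syslog file (the $file variable below, or the file given on
#?      the command line), selects the lines carrying the iptables log prefix
#?      ($ident below) and prints one line per packet: the IP header fields
#?      in fixed columns, then every remaining token of the message after
#?      "--" (TCP flags, window size, ICMP id/seq, ...).
#?
#?      -h   print this text and exit
#?
#? AUTHOR
#?      12-dec-01 ah@secure-net.de
#?
# -----------------------------------------------------------------------------
use strict;
use warnings;
use Data::Dumper;   # only needed for the commented-out "#dbx" line below

our $SID = '@(#) extract_iptables_logs.pl 1.1 01/12/12 21:04:02';

my $file  = '/var/log/messages';   # <-- change as you need
#my $file = '/var/log/yy';
my $ident = 'fw-scan:';            # <-- change as you need (your --log-prefix)

# Keys taken into the header hash.  Any other token of the message, and a
# repeated key (the ICMP "ID=" that follows the IP "ID="), is kept as payload
# instead of being dropped or overwriting the header value, which is what the
# old fixed-count splice did.
my @IPHEAD_KEYS = qw(CODE DF DPT DST ID IN LEN MAC OUT PREC PROTO SPT SRC TOS TTL TYPE);

# Column layout of one packet line; the "-- payload" part holds the rest.
my $HEAD_FMT = "%8s %15s %-5s > %15s %-5s %4s %3s %5s %4s %4s %5s -- %s\n";

# Print the "#?" lines of this script itself, with "$0" replaced by $me.
# Only warns (and prints nothing) when the script cannot be re-read.
sub print_usage {
    my ($me) = @_;
    open my $fh, '<', $0 or do {
        warn "$0: WARNING: cannot read myself.\n";
        return;
    };
    while (my $text = <$fh>) {
        $text =~ s/\$0/$me/g;
        print "$1\n" if $text =~ /^#\?(.*)$/;
    }
    close $fh;
    return;
}

# Return a fresh header hash with every known key set to the placeholder '.',
# so that columns a message lacks (e.g. SPT/DPT for ICMP) still print.
sub iphead_init {
    return map { $_ => '.' } @IPHEAD_KEYS;
}

# Split one syslog line into the time stamp and the tokens that follow the
# iptables prefix.  Returns an empty list when the line does not carry
# $prefix or is too short to hold "Mon dd hh:mm:ss".  The prefix is located
# by text, so extra tokens between "kernel:" and the prefix do not shift the
# fields.  The prefix is matched literally (\Q...\E), not as a regex.
sub split_log_line {
    my ($line, $prefix) = @_;
    my ($stamp, $rest) = $line =~ /\A(.*?)\Q$prefix\E(.*)\z/s;
    return if !defined $rest;
    my @stamp = split ' ', $stamp;     # "Mon dd hh:mm:ss host kernel: ..."
    return if @stamp < 3;
    my @tok = split ' ', $rest;        # awk-style split: no empty tokens
    return ($stamp[2], \@tok);
}

# Parse "KEY=VALUE" tokens into the header hash and return it together with
# the left-over tokens (printed as payload).  The first occurrence of a known
# key wins; a bare flag such as "DF" is stored under its own name; "OUT="
# yields an empty string rather than undef.
sub parse_iphead {
    my ($tokens) = @_;
    my %iphead = iphead_init();
    my %seen;
    my @rest;
    for my $tok (@{$tokens}) {
        my ($key, $val) = split /=/, $tok, 2;
        if (exists $iphead{$key} and !$seen{$key}++) {
            $iphead{$key} = defined $val ? $val : $key;
        }
        else {
            push @rest, $tok;
        }
    }
    #dbx print Dumper(\%iphead);
    return (\%iphead, \@rest);
}

# Format one packet line and return it.  ICMP messages carry TYPE/CODE
# instead of ports, so those fill the port columns prefixed with T and C
# (the old version printed the never-set SPT/DPT there).  Every other
# protocol uses the port columns as they are; UDP and others are no longer
# silently skipped.
sub format_iphead {
    my ($t, $p, @f) = @_;
    my @ports = $p->{PROTO} eq 'ICMP'
              ? ("T$p->{TYPE}", "C$p->{CODE}")
              : ($p->{SPT}, $p->{DPT});
    return sprintf $HEAD_FMT,
        $t, $p->{SRC}, $ports[0], $p->{DST}, $ports[1],
        @{$p}{qw(PROTO TTL ID TOS PREC LEN)}, join(' ', @f);
}

# Print one packet line (kept under its old name; see format_iphead).
sub p_iphead {
    print format_iphead(@_);
    return;
}

# Entry point: prints the column header, then one line per message that
# carries the prefix.  Returns the exit status; dies when the log file
# cannot be opened.
sub main {
    my $me = $0;
    $me =~ s{.*[/\\]([^/\\]+)}{$1};   # basename, either path separator
    if (defined $ARGV[0] and $ARGV[0] eq '-h') {
        print_usage($me);
        return 0;
    }
    my $log = @ARGV ? $ARGV[0] : $file;
    print "Time src-IP :port > dst-IP :port proto ttl id tos prec len -- payload\n";
    print "--------+----------------------+----------------------+----+---+-----+----+----+-----+----------\n";
    open my $fh, '<', $log or die "*** $me cannot open '$log': $!";
    while (my $line = <$fh>) {
        my ($time, $tokens) = split_log_line($line, $ident);
        next if !defined $time;
        my ($iphead, $rest) = parse_iphead($tokens);
        p_iphead($time, $iphead, @{$rest});
    }
    close $fh;
    return 0;
}

# Modulino: run when executed, only define the subs when required by a test.
exit main() unless caller;
1;

# TCP example
# Dec 12 17:38:11 dent kernel: fw-scan: IN=eth0 OUT=eth1 SRC=212.43.239.134 DST=192.168.18.149 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=5595 PROTO=TCP SPT=22 DPT=22 WINDOW=64858 RES=0x00 SYN URGP=0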