Old 9th February 2014
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Simplification nr 1

Code:
#   date(1)    time(2)       ty  source(4)      destination(5)    header info (6)
# 2014-01-31 16:14:38.108331 IP 80.34.103.251 > 1.2.22.222: ICMP echo request [snip]
                                                          ^
With the split function I separate the long line on the colon followed by the space into two parts.
A second split on a space or blank then separates the first part into the fields that I am interested in.

Code:
use strict;
use warnings;

sub read_simple {
    my ($leading, $info);
    my ($date, $time, $type, $source, $direction, $dest);
    while (<DATA>) {
        chomp;                                  # drop the newline so $info stays on one line
        # Stage 1: cut on the first ": " only; the info part may itself contain ": "
        ($leading, $info) = split(/: /, $_, 2);
        print "Leading: ", $leading, "\n";
        print "Info   : ", $info,    "\n";
        # Stage 2: the leading part is blank-separated; $direction receives the '>'
        ($date, $time, $type, $source, $direction, $dest) = split(/ /, $leading);
        # show_raw() and export() are defined elsewhere in this thread
        show_raw($date, $time, $type, $source, $dest, $info);
        export( $date, $time, $type, $source, $dest, $info);
    }
}
The following output demonstrates this two-stage approach:
  1. Stage 1
    Code:
    Leading: 2014-01-31 16:14:30.938665 IP 80.25.124.114 > 1.2.22.222
    Info   : ICMP echo request, id 0, seq 0, length 64
  2. Stage 2
    Code:
    Date             : 2014-01-31
    Time             : 16:14:30.938665
    Type             : IP
    Source IP        : 80.25.124.114
    Destination IP   : 1.2.22.222
    Info             : ICMP echo request, id 0, seq 0, length 64
    
    =============================
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 9th February 2014 at 05:58 PM.
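As an added example (not the code from the post above), the following Perl script applies the same two-stage split to a constructed set of tcpdump lines and then tallies ICMP echo requests per source address, which is the kind of summary you want when checking what is knocking on a pf firewall. The sub names parse_line and count_echo_requests and the sample lines in __DATA__ are my own; lines without the "src > dst: info" shape (the ARP line) are skipped rather than mis-split.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stage 1: split on the first ": " only (limit 2), so an info part that
# itself contains ": " is not truncated.
# Stage 2: split the leading part on blanks into date, time, type, src, '>', dst.
# Returns a hash ref, or nothing when the line does not have that shape.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my ($leading, $info) = split(/: /, $line, 2);
    return unless defined $info;                       # e.g. ARP lines: no ": " at all
    my ($date, $time, $type, $src, $arrow, $dst) = split(/ /, $leading);
    return unless defined $dst && $arrow eq '>';       # leading part not "src > dst"
    return {
        date => $date, time => $time, type => $type,
        source => $src, dest => $dst, info => $info,
    };
}

# Count ICMP echo requests per source address over a list of tcpdump lines.
# Many requests from one source, or one source probing many hosts, is what
# stands out in a capture taken on the firewall.
sub count_echo_requests {
    my (@lines) = @_;
    my %per_source;
    for my $line (@lines) {
        my $pkt = parse_line($line) or next;
        next unless $pkt->{info} =~ /^ICMP echo request/;
        $per_source{ $pkt->{source} }++;
    }
    return \%per_source;
}

# Constructed sample input in the format of the post (not a real capture).
my @sample = <DATA>;
my $counts = count_echo_requests(@sample);
printf "%-16s %d\n", $_, $counts->{$_} for sort keys %$counts;
# prints:
# 80.25.124.114    2
# 80.34.103.251    1

__DATA__
2014-01-31 16:14:30.938665 IP 80.25.124.114 > 1.2.22.222: ICMP echo request, id 0, seq 0, length 64
2014-01-31 16:14:31.101202 IP 80.25.124.114 > 1.2.22.222: ICMP echo request, id 0, seq 1, length 64
2014-01-31 16:14:38.108331 IP 80.34.103.251 > 1.2.22.222: ICMP echo request, id 1, seq 0, length 64
2014-01-31 16:14:38.200118 IP 1.2.22.222 > 80.34.103.251: ICMP echo reply, id 1, seq 0, length 64
2014-01-31 16:14:40.000001 IP 10.0.0.5.40123 > 1.2.22.222.22: Flags [S], seq 1, win 65535, length 0
2014-01-31 16:14:41.000000 ARP, Request who-has 1.2.22.1 tell 1.2.22.222, length 28
```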