[Dshield] OpenBSD 3.2 pf.pl parser (correction)

millerbn millerbn at chiba.dhs.org
Tue Mar 11 03:07:29 GMT 2003

My mistake on the udp log line; there were a couple that were parsed and I compared them. The ones that are parsed 
have "[udp sum ok]" preceding the udp. I didn't have much luck with the pf.pl and regex expression so I cheated and 
used sed 's/  udp/  [udp sum ok] udp /' before writing the ASCII file. ;) Likely it was something simple that I was missing in 
the script.

>The default file when run will not process these two types of lines. I'm sure it is due to 
>the extra "white space" prior to UDP and the "." for a flag. I edited the regex expressions 
>a couple different ways but must have missed something since it still wouldn't parse the line. 
>Any ideas?
>------------------------------Processing line 383------------------------------
>PARSING: Mar 10 12:52:22.628017 rule 59/0(match): block in on we0: > . [tcp sum ok] ack 1131429386 win 4096 (ttl 28, id 15628)
>SKIPPING: Can't parse this line. 
>------------------------------Processing line 391------------------------------
>PARSING: Mar 10 13:28:54.244467 rule 58/0(match): block in on we0: >  udp 376 (ttl 117, id 40464)
>SKIPPING: Can't parse this line. 
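As an added example (not the pf.pl script from the thread, and not code posted by anyone above), here is a small Python parser for the two line shapes quoted in this message. It compiles two patterns: STRICT_RE is an assumption that models the two causes the thread points to (a mandatory "[... sum ok]" note before udp, and a TCP flag class that does not accept "."), not the regex actually in pf.pl; TOLERANT_RE makes the checksum note optional in both of its positions, lets `\s+` absorb the double space before "udp", and treats "." as the no-flags marker. The sample lines are constructed: the quoted lines have their addresses removed, so the addresses below are made up from the RFC 5737 documentation ranges, and the remaining fields are copied from the post.

```python
"""Parse OpenBSD 3.2 pf log lines (tcpdump -v style) the way a DShield submitter would.

Added example for the thread above; not pf.pl. Shows why a strict pattern skips
the quoted TCP ("." flag) and UDP (no "[udp sum ok]") lines and a tolerant one does not.
"""
import re

# Constructed sample lines: addresses are made up (RFC 5737 ranges), other fields
# are copied from the lines quoted in the post.
SAMPLE_LINES = [
    # TCP ACK with no flag bits set: tcpdump prints "." for the flag field.
    "Mar 10 12:52:22.628017 rule 59/0(match): block in on we0: "
    "198.51.100.7.4321 > 192.0.2.10.80: . [tcp sum ok] ack 1131429386 win 4096 (ttl 28, id 15628)",
    # UDP as logged: two spaces before "udp" and no "[udp sum ok]" note.
    "Mar 10 13:28:54.244467 rule 58/0(match): block in on we0: "
    "198.51.100.9.1027 > 192.0.2.10.1434:  udp 376 (ttl 117, id 40464)",
    # The same UDP line after the sed workaround from the post (note the added spaces).
    "Mar 10 13:28:54.244467 rule 58/0(match): block in on we0: "
    "198.51.100.9.1027 > 192.0.2.10.1434:  [udp sum ok] udp  376 (ttl 117, id 40464)",
    # TCP SYN with a real flag letter, for contrast (constructed).
    "Mar 10 13:30:01.000001 rule 58/0(match): block in on we0: "
    "198.51.100.9.1028 > 192.0.2.10.22: S [tcp sum ok] 2345678:2345678(0) win 5840 (ttl 64, id 1)",
]

# Prefix shared by both patterns: timestamp, rule, action, direction, interface, endpoints.
COMMON = r"""^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+)\s+
    rule\s+(?P<rule>\d+)/\d+\(match\):\s+
    (?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\S+):\s+
    (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+
    (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"""
TAIL = r"""\s*\(ttl\s+(?P<ttl>\d+),\s+id\s+(?P<id>\d+)\)\s*$"""

# Assumed strict pattern (illustration, not pf.pl's regex): the "[udp sum ok]" note is
# mandatory and "." is not an accepted flag character.
STRICT_RE = re.compile(
    COMMON
    + r"""\s+
    (?:\[udp\s+sum\s+ok\]\s+udp\s+(?P<len>\d+)
      |(?P<flags>[SFRPAUEW]+)\s+\[tcp\s+sum\s+ok\](?P<rest>.*?))
    """
    + TAIL,
    re.VERBOSE,
)

# Tolerant pattern: optional checksum note (before "udp", or after the TCP flags),
# any run of whitespace after the destination, and "." allowed as the flag field.
TOLERANT_RE = re.compile(
    COMMON
    + r"""\s+
    (?:\[udp\s+sum\s+ok\]\s+)?
    (?:(?P<udp>udp)\s+(?P<len>\d+)
      |(?P<flags>[SFRPAUEWC.]+)(?:\s+\[tcp\s+sum\s+ok\])?(?P<rest>.*?))
    """
    + TAIL,
    re.VERBOSE,
)


def parse_pf_line(line, pattern=TOLERANT_RE):
    """Return the DShield-relevant fields of one pf log line, or None if it does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "ts": g["ts"], "rule": int(g["rule"]),
        "action": g["action"], "dir": g["dir"], "iface": g["iface"],
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        # Only the TCP alternative sets "flags"; the UDP alternative leaves it None.
        "proto": "udp" if g.get("flags") is None else "tcp",
        # tcpdump's "." means no flag bits set; normalise it to an empty string.
        "flags": "" if g.get("flags") in (None, ".") else g["flags"],
        "ttl": int(g["ttl"]), "id": int(g["id"]),
    }


def parse_lines(lines, pattern=TOLERANT_RE):
    """Parse every line; return (parsed records, indexes of lines that were skipped)."""
    parsed, skipped = [], []
    for i, line in enumerate(lines):
        rec = parse_pf_line(line, pattern)
        if rec is None:
            skipped.append(i)
        else:
            parsed.append(rec)
    return parsed, skipped


if __name__ == "__main__":
    for name, pat in (("strict", STRICT_RE), ("tolerant", TOLERANT_RE)):
        recs, skipped = parse_lines(SAMPLE_LINES, pat)
        print(f"{name}: parsed {len(recs)}, skipped line indexes {skipped}")
        for r in recs:
            print(f"  {r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
                  f"flags={r['flags'] or '-'} ttl={r['ttl']} id={r['id']}")
```

Run stand-alone, the strict pattern skips the first two sample lines (the "." flag and the bracket-less udp line) while the tolerant one parses all four, including the sed-rewritten line with its extra spaces. The one behavioural choice worth noting is that `\s+` rather than a single literal space is used at every field boundary, so the double space tcpdump emits before "udp" never matters.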

