[Dshield] OpenBSD 3.2 pf.pl parser (correction)

Wayne Larmon wlarmon at dshield.org
Tue Mar 11 13:53:26 GMT 2003



> My mistake on the udp log line; there were a couple that were
> parsed and I compared them. The ones that are parsed
> have "[udp sum ok]" preceding the udp. I didn't have much luck
> with the pf.pl and regex expression so I cheated and
> used sed 's/  udp/  [udp sum ok] udp /' before writing the ascii
> file. ;) Likely it was something simple that I was missing in
> the script.

Yeah, the log lines that weren't converting were enough different that the
regex in pf.pl didn't match them.  I just added a new regex that will get
them.  I also added logic to detect flags.  Flags processing wasn't correct
before.

http://www.dshield.org/framework.php

Wayne Larmon
DShield.org

> >The default file when run will not process these two types of lines. I'm sure it is due to
> >the extra "white space" prior to UDP and the "." for a flag. I edited the regex expressions
> >a couple different ways but must have missed something since it still wouldn't parse the line.
> >Any ideas?
> >
> >
> >------------------------------Processing line 383------------------------------
> >PARSING: Mar 10 12:52:22.628017 rule 59/0(match): block in on we0: 68.62.111.200.44124 > 66.93.187.127.80: . [tcp sum ok] ack 1131429386 win 4096 (ttl 28, id 15628)
> >SKIPPING: Can't parse this line.
> >--
> >------------------------------Processing line 391------------------------------
> >PARSING: Mar 10 13:28:54.244467 rule 58/0(match): block in on we0: 65.214.186.194.1097 > 66.93.187.127.1434:  udp 376 (ttl 117, id 40464)
> >SKIPPING: Can't parse this line.
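The two failing cases above (a lone "." TCP flag, and a UDP line with a double space and no "[udp sum ok]" tag) come down to a regex that was written for one exact spacing. The parser below is an added example in Python, not the DShield pf.pl script, showing how to match both variants in one pass so that the sed rewrite is unnecessary: `\s*` after the destination port absorbs the extra whitespace, the checksum tag is optional for both protocols, and "." is accepted as a flag field and recorded as an empty flag string (tcpdump prints "." when none of S/F/R/P are set). The first two sample lines are the ones quoted in this thread; the third and fourth are constructed here to cover the "[udp sum ok]" form and a SYN.

```python
import re

# Sample input. Lines 1-2 are the log lines quoted in the thread; lines 3-4 are
# constructed for this example (192.0.2.0/24 is documentation space); line 5 is junk.
SAMPLE_LINES = [
    "Mar 10 12:52:22.628017 rule 59/0(match): block in on we0: 68.62.111.200.44124 > "
    "66.93.187.127.80: . [tcp sum ok] ack 1131429386 win 4096 (ttl 28, id 15628)",
    "Mar 10 13:28:54.244467 rule 58/0(match): block in on we0: 65.214.186.194.1097 > "
    "66.93.187.127.1434:  udp 376 (ttl 117, id 40464)",
    "Mar 10 13:30:01.000000 rule 58/0(match): block in on we0: 192.0.2.10.1097 > "
    "66.93.187.127.1434: [udp sum ok] udp 376 (ttl 117, id 40465)",
    "Mar 10 13:31:15.000000 rule 57/0(match): block in on we0: 192.0.2.11.4321 > "
    "66.93.187.127.22: S [tcp sum ok] 123456:123456(0) win 65535 <mss 1460> (DF) (ttl 64, id 1)",
    "this is not a pflog line at all",
]

# Everything up to and including the destination port. The trailing \s* is the
# important part: it swallows the double space that precedes "udp".
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"rule\s+(?P<rule>\d+)/\d+\((?P<reason>[a-z]+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+):\s*"
    r"(?P<payload>.*)$"
)
# TCP: a flag field ("." included) followed by an optional checksum tag.
TCP_RE = re.compile(r"^(?P<flags>[SFRPUWE.]+)\s+(?:\[tcp sum (?:ok|bad)\]\s+)?")
# UDP: optional checksum tag, then "udp <length>".
UDP_RE = re.compile(r"^(?:\[udp sum (?:ok|bad)\]\s+)?udp\s+(?P<length>\d+)")
TAIL_RE = re.compile(r"\(ttl\s+(?P<ttl>\d+),\s+id\s+(?P<id>\d+)\)")


def parse_pflog_line(line):
    """Return a dict for one OpenBSD pf/tcpdump log line, or None if it cannot be parsed."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    payload = m["payload"]
    udp = UDP_RE.match(payload)
    if udp is not None:
        proto, flags = "udp", ""
    else:
        tcp = TCP_RE.match(payload)
        if tcp is None:
            return None
        # "." means no SYN/FIN/RST/PSH bit set; strip it so only real flag letters remain.
        proto, flags = "tcp", tcp["flags"].replace(".", "")
    tail = TAIL_RE.search(payload)
    return {
        "timestamp": f"{m['month']} {m['day']} {m['time']}",
        "rule": int(m["rule"]),
        "action": m["action"],
        "direction": m["direction"],
        "iface": m["iface"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "proto": proto,
        "flags": flags,
        "ttl": int(tail["ttl"]) if tail else None,
        "ip_id": int(tail["id"]) if tail else None,
    }


def parse_pflog(lines):
    """Parse many lines; return (records, skipped), mirroring pf.pl's PARSING/SKIPPING split."""
    records, skipped = [], []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            skipped.append(line)
        else:
            records.append(rec)
    return records, skipped


if __name__ == "__main__":
    parsed, unparsed = parse_pflog(SAMPLE_LINES)
    for rec in parsed:
        print(rec["timestamp"], rec["proto"], rec["src"], rec["sport"], "->",
              rec["dst"], rec["dport"], "flags=" + (rec["flags"] or "-"))
    for line in unparsed:
        print("SKIPPING:", line)
```

Keeping the header match separate from the per-protocol match is what makes the spacing problem go away: the header regex stops at the destination port and hands whatever follows to a protocol-specific pattern, so a stray space or a missing checksum tag only ever has to be handled in one small regex rather than in one long line-wide expression.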