[Dshield] OpenBSD 3.2 pf.pl parser (correction)

millerbn millerbn at chiba.dhs.org
Tue Mar 11 17:48:56 GMT 2003


Thanks. Tried the new parser and while I didn't try the old logs, I did try today's and here is some of the output.
I started with a new dshield.cnt so nothing should be too early. Yet, line 219 is parsed fine while 220 is considered 
too early. I noticed the 00 for the month. The lines with a source port of 80 should have been excluded and some were 
but a few weren't. I also included a few others that caught my eye. I didn't include everything; I can reply off list if it's 
needed or if there's interest in the original log file.

Thanks again

------------------------------Processing line 198------------------------------
PARSING: Mar 11 11:01:15.976859 rule 45/0(match): block in on we0: 203.117.112.203.1046 > 66.93.187.127.1434:  udp 376 (ttl 113, id 53647)
PARSE RESULT:2003-00-11 11:01:15 -05:00|12203927|1|203.117.112.203|1046|66.93.187.127|1434|UDP|
SKIPPING: 2003-00-11 11:01:15 -05:00 is too early
------------------------------Processing line 208------------------------------
PARSING: Mar 11 11:36:59.348297 rule 45/0(match): block in on we0: 66.82.208.169.1026 > 66.93.187.127.137:  [no cksum] udp 50 (ttl 116, id 43841)
SKIPPING: This converter doesn't support NO
------------------------------Processing line 219------------------------------
PARSING: Mar 11 11:59:32.906159 rule 46/0(match): block in on we0: 66.93.128.233.3189 > 66.93.187.127.139: S [tcp sum ok] 3987171096:3987171096(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 53291)
PARSE RESULT:2003-03-11 11:59:32 -05:00|12203927|1|66.93.128.233|3189|66.93.187.127|139|TCP|
WRITTEN: 2003-03-11 11:59:32 -05:00     12203927        1       66.93.128.233   3189    66.93.187.127   139     TCP     
------------------------------Processing line 220------------------------------
PARSING: Mar 11 11:59:57.119593 rule 45/0(match): block in on we0: 61.221.28.63.1026 > 66.93.187.127.137:  udp 50 (ttl 112, id 13966)
PARSE RESULT:2003-00-11 11:59:57 -05:00|12203927|1|61.221.28.63|1026|66.93.187.127|137|UDP|
SKIPPING: 2003-00-11 11:59:57 -05:00 is too early
------------------------------Processing line 221------------------------------
PARSING: Mar 11 12:00:12.524198 rule 46/0(match): block in on we0: 204.71.191.157.80 > 66.93.187.127.39061: P 2537118085:2537118589(504) ack 3084020388 win 17520 (DF) (ttl 55, id 15112)
SKIPPING: Can't parse this line. 

------------------------------Processing line 233------------------------------
PARSING: Mar 11 12:07:58.075303 rule 46/0(match): block in on we0: 204.71.191.157.80 > 66.93.187.127.39061: P 0:504(504) ack 1 win 17520 (DF) (ttl 55, id 580)
SKIPPING: Can't parse this line. 
------------------------------Processing line 234------------------------------
PARSING: Mar 11 12:09:02.712077 rule 46/0(match): block in on we0: 204.71.191.157.80 > 66.93.187.127.39061: R [tcp sum ok] 505:505(0) ack 1 win 17520 (DF) (ttl 55, id 4969)
DEBUG: 80 excluded because it is between 80 and 80
PARSE RESULT:2003-03-11 12:09:02 -05:00|12203927|1|204.71.191.157|80|66.93.187.127|39061|TCP|A
SOURCE PORT EXCLUDED: 80




On Tue, 11 Mar 2003 08:53:26 -0500, you wrote:

>
>
>> My mistake on the udp log line; there were a couple that were
>> parsed and I compared them. The ones that are parsed
>> have "[udp sum ok]" preceding the udp. I didn't have much luck
>> with the pf.pl and regex expression so I cheated and
>> used sed 's/  udp/  [udp sum ok] udp /' before writing the ascii
>> file. ;) Likely it was something simple that I was missing in
>> the script.
>
>Yeah, the log lines that weren't converting were enough different that the
>regex in pf.pl didn't match them.  I just added a new regex that will get
>them.  I also added logic to detect flags.  Flags processing wasn't correct
>before.
>
>http://www.dshield.org/framework.php
>
>Wayne Larmon
>DShield.org
>
>> >The default file when run will not process these two types of
>> lines. I'm sure it is due to
>> >the extra "white space" prior to UDP and the "." for a flag. I
>> edited the regex expressions
>> >a couple different ways but must have missed something since it
>> still wouldn't parse the line.
>> >Any ideas?
>> >
>> >
>> >------------------------------Processing line
>> 383------------------------------
>> >PARSING: Mar 10 12:52:22.628017 rule 59/0(match): block in on
>> we0: 68.62.111.200.44124 > 66.93.187.127.80: . [tcp sum ok] ack
>> 1131429386 win 4096 (ttl 28, id 15628)
>> >SKIPPING: Can't parse this line.
>> >--
>> >------------------------------Processing line
>> 391------------------------------
>> >PARSING: Mar 10 13:28:54.244467 rule 58/0(match): block in on
>> we0: 65.214.186.194.1097 > 66.93.187.127.1434:  udp 376 (ttl 117,
>> id 40464)
>> >SKIPPING: Can't parse this line.
>
>
>
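Every failure in the output above comes from the part of the line after the socket pair: an optional bracketed checksum note ("[udp sum ok]", "[no cksum]"), then either "udp" or a tcpdump TCP flag token ("S", "P", "R", or "." for no flags). The following is an added example, not pf.pl and not code from anyone in this thread, that parses those shapes in Python, refuses a line outright instead of emitting a "00" month that a later stage then rejects as too early, and applies the same source-port range exclusion the DEBUG line describes. The year (pflog lines carry none), the -05:00 offset shown in the poster's output, and the flag lettering in the result (tcpdump letters plus "A" when an ack is present) are my assumptions, not DShield's field encoding; the sample input is the nine log lines quoted in this thread.

```python
import re

# Added example for this thread: the line shapes are the pflog-via-tcpdump
# lines quoted above, not pf.pl's own regexes. Assumed: the log year, the
# -05:00 offset, and my own flag lettering (tcpdump letters plus 'A').

MONTHS = {name: num for num, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Everything up to and including the socket pair; the remainder of the
# line (checksum note, protocol, flags, lengths) is captured as "rest".
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d)\.\d+ "
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): +(?P<rest>.*)$")

# UDP: an optional bracketed note ("[udp sum ok]", "[no cksum]") then "udp".
UDP_RE = re.compile(r"^(?:\[[^\]]*\] +)?udp\b")
# TCP: tcpdump flag letters ('.' means none), then the optional note.
TCP_RE = re.compile(r"^(?P<flags>[SFRPWE.]+)(?: +\[[^\]]*\])?(?P<tail>.*)$")


class ParseError(ValueError):
    """Raised for any line this converter does not understand."""


def parse_pflog_line(line, year=2003, tz="-05:00"):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ParseError("unrecognised line shape")
    mon = MONTHS.get(m["mon"])
    if mon is None:
        # Fail loudly rather than write a "00" month into the record.
        raise ParseError("unknown month %r" % m["mon"])
    rest = m["rest"]
    if UDP_RE.match(rest):
        proto, flags = "UDP", ""
    else:
        t = TCP_RE.match(rest)
        if not t:
            raise ParseError("unrecognised protocol section %r" % rest)
        proto = "TCP"
        flags = t["flags"].replace(".", "")
        if re.search(r"\back\b", t["tail"]):   # does not match "sackOK"
            flags += "A"
    ts = "%04d-%02d-%02d %s %s" % (year, mon, int(m["day"]), m["hms"], tz)
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "proto": proto,
            "flags": flags, "action": m["action"], "dir": m["dir"]}


def source_port_excluded(sport, ranges=((80, 80),)):
    """Same check as the DEBUG line: excluded if inside any [lo, hi] range."""
    return any(lo <= sport <= hi for lo, hi in ranges)


def convert(lines, year=2003, excluded=((80, 80),)):
    """Return (records, skipped); skipped pairs each dropped line with a reason."""
    records, skipped = [], []
    for line in lines:
        try:
            rec = parse_pflog_line(line, year=year)
        except ParseError as err:
            skipped.append((line, str(err)))
            continue
        if source_port_excluded(rec["sport"], excluded):
            skipped.append((line, "source port %d excluded" % rec["sport"]))
            continue
        records.append(rec)
    return records, skipped


# The nine log lines quoted in this thread, in the order they appear.
SAMPLE_LINES = [
    "Mar 11 11:01:15.976859 rule 45/0(match): block in on we0: 203.117.112.203.1046 > 66.93.187.127.1434:  udp 376 (ttl 113, id 53647)",
    "Mar 11 11:36:59.348297 rule 45/0(match): block in on we0: 66.82.208.169.1026 > 66.93.187.127.137:  [no cksum] udp 50 (ttl 116, id 43841)",
    "Mar 11 11:59:32.906159 rule 46/0(match): block in on we0: 66.93.128.233.3189 > 66.93.187.127.139: S [tcp sum ok] 3987171096:3987171096(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 53291)",
    "Mar 11 11:59:57.119593 rule 45/0(match): block in on we0: 61.221.28.63.1026 > 66.93.187.127.137:  udp 50 (ttl 112, id 13966)",
    "Mar 11 12:00:12.524198 rule 46/0(match): block in on we0: 204.71.191.157.80 > 66.93.187.127.39061: P 2537118085:2537118589(504) ack 3084020388 win 17520 (DF) (ttl 55, id 15112)",
    "Mar 11 12:07:58.075303 rule 46/0(match): block in on we0: 204.71.191.157.80 > 66.93.187.127.39061: P 0:504(504) ack 1 win 17520 (DF) (ttl 55, id 580)",
    "Mar 11 12:09:02.712077 rule 46/0(match): block in on we0: 204.71.191.157.80 > 66.93.187.127.39061: R [tcp sum ok] 505:505(0) ack 1 win 17520 (DF) (ttl 55, id 4969)",
    "Mar 10 12:52:22.628017 rule 59/0(match): block in on we0: 68.62.111.200.44124 > 66.93.187.127.80: . [tcp sum ok] ack 1131429386 win 4096 (ttl 28, id 15628)",
    "Mar 10 13:28:54.244467 rule 58/0(match): block in on we0: 65.214.186.194.1097 > 66.93.187.127.1434:  udp 376 (ttl 117, id 40464)",
]

if __name__ == "__main__":
    recs, skips = convert(SAMPLE_LINES)
    for r in recs:
        print("WRITTEN: %(ts)s %(src)s:%(sport)d > %(dst)s:%(dport)d %(proto)s %(flags)s" % r)
    for line, why in skips:
        print("SKIPPING: %s (%s)" % (why, line[:40]))
```

Run over the nine quoted lines this yields six records and three skips; the skips are exactly the three 204.71.191.157 lines, which now fail on the source-port exclusion rather than on the regex, and the two-space "udp", "[no cksum]" and "."-flag lines all parse. The month comes from the abbreviation table on every path, so the mixed results the poster saw (219 written, 220 "too early") cannot arise from a capture that succeeds for one protocol and not the other.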