[Dshield] OpenBSD 3.2 pf.pl parser (correction)

Wayne Larmon wlarmon at dshield.org
Tue Mar 11 19:22:13 GMT 2003


> Thanks. Tried the new parser and while I didn't try the old logs,
> I did try today's and here is some of the output.
> I started with a new dshield.cnt so nothing should be too early.
> Yet, line 219 is parsed fine while 220 is considered
> too early. I noticed that 00 for month. The lines with a source
> port of 80 should have been excluded and some were
> but a few weren't. I also included a few others that caught my
> eye. I didn't include everything, I can reply off list if it's
> needed or if there's interest in the original log file.

Yes, send me a copy of your log file off-list.

Wayne Larmon
wlarmon at dshield.org

>
> Thanks again
>
> ------------------------------Processing line
> 198------------------------------
> PARSING: Mar 11 11:01:15.976859 rule 45/0(match): block in on
> we0: 203.117.112.203.1046 > 66.93.187.127.1434:  udp 376 (ttl
> 113, id 53647)
> PARSE RESULT:2003-00-11 11:01:15
> -05:00|12203927|1|203.117.112.203|1046|66.93.187.127|1434|UDP|
> SKIPPING: 2003-00-11 11:01:15 -05:00 is too early
> ------------------------------Processing line
> 208------------------------------
> PARSING: Mar 11 11:36:59.348297 rule 45/0(match): block in on
> we0: 66.82.208.169.1026 > 66.93.187.127.137:  [no cksum] udp 50
> (ttl 116, id 43841)
> SKIPPING: This converter doesn't support NO
> ------------------------------Processing line
> 219------------------------------
> PARSING: Mar 11 11:59:32.906159 rule 46/0(match): block in on
> we0: 66.93.128.233.3189 > 66.93.187.127.139: S [tcp sum ok]
> 3987171096:3987171096(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> (ttl 116, id 53291)
> PARSE RESULT:2003-03-11 11:59:32
> -05:00|12203927|1|66.93.128.233|3189|66.93.187.127|139|TCP|
> WRITTEN: 2003-03-11 11:59:32 -05:00     12203927        1
> 66.93.128.233   3189    66.93.187.127   139     TCP
> ------------------------------Processing line
> 220------------------------------
> PARSING: Mar 11 11:59:57.119593 rule 45/0(match): block in on
> we0: 61.221.28.63.1026 > 66.93.187.127.137:  udp 50 (ttl 112, id 13966)
> PARSE RESULT:2003-00-11 11:59:57
> -05:00|12203927|1|61.221.28.63|1026|66.93.187.127|137|UDP|
> SKIPPING: 2003-00-11 11:59:57 -05:00 is too early
> ------------------------------Processing line
> 221------------------------------
> PARSING: Mar 11 12:00:12.524198 rule 46/0(match): block in on
> we0: 204.71.191.157.80 > 66.93.187.127.39061: P
> 2537118085:2537118589(504) ack 3084020388 win 17520 (DF) (ttl 55,
> id 15112)
> SKIPPING: Can't parse this line.
>
> ------------------------------Processing line
> 233------------------------------
> PARSING: Mar 11 12:07:58.075303 rule 46/0(match): block in on
> we0: 204.71.191.157.80 > 66.93.187.127.39061: P 0:504(504) ack 1
> win 17520 (DF) (ttl 55, id 580)
> SKIPPING: Can't parse this line.
> ------------------------------Processing line
> 234------------------------------
> PARSING: Mar 11 12:09:02.712077 rule 46/0(match): block in on
> we0: 204.71.191.157.80 > 66.93.187.127.39061: R [tcp sum ok]
> 505:505(0) ack 1 win 17520 (DF) (ttl 55, id 4969)
> DEBUG: 80 excluded because it is between 80 and 80
> PARSE RESULT:2003-03-11 12:09:02
> -05:00|12203927|1|204.71.191.157|80|66.93.187.127|39061|TCP|A
> SOURCE PORT EXCLUDED: 80
>
>
>
>
> On Tue, 11 Mar 2003 08:53:26 -0500, you wrote:
>
> >
> >
> >> My mistake on the udp log line; there were a couple that were
> >> parsed and I compared them. The ones that are parsed
> >> have "[udp sum ok]" preceding the udp. I didn't have much luck
> >> with the pf.pl and regex expression so I cheated and
> >> used sed 's/  udp/  [udp sum ok] udp /' before writing the ascii
> >> file. ;) Likely it was something simple that I was missing in
> >> the script.
> >
> >Yeah, the log lines that weren't converting were enough
> different that the
> >regex in pf.pl didn't match them.  I just added a new regex that will get
> >them.  I also added logic to detect flags.  Flags processing
> wasn't correct
> >before.
> >
> >http://www.dshield.org/framework.php
> >
> >Wayne Larmon
> >DShield.org
> >
> >> >The default file when run will not process these two types of
> >> lines. I'm sure it is due to
> >> >the extra "white space" prior to UDP and the "." for a flag. I
> >> edited the regex expressions
> >> >a couple different ways but must have missed something since it
> >> still wouldn't parse the line.
> >> >Any ideas?
> >> >
> >> >
> >> >------------------------------Processing line
> >> 383------------------------------
> >> >PARSING: Mar 10 12:52:22.628017 rule 59/0(match): block in on
> >> we0: 68.62.111.200.44124 > 66.93.187.127.80: . [tcp sum ok] ack
> >> 1131429386 win 4096 (ttl 28, id 15628)
> >> >SKIPPING: Can't parse this line.
> >> >--
> >> >------------------------------Processing line
> >> 391------------------------------
> >> >PARSING: Mar 10 13:28:54.244467 rule 58/0(match): block in on
> >> we0: 65.214.186.194.1097 > 66.93.187.127.1434:  udp 376 (ttl 117,
> >> id 40464)
> >> >SKIPPING: Can't parse this line.
> >
> >
> >
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
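As an added example (not the pf.pl from the thread and not DShield's code), here is a small Python parser that accepts the line variants quoted above: "udp" with or without a preceding "[udp sum ok]" / "[no cksum]" note, and TCP lines whose flag field is a letter or a lone ".". The year, timezone, user id, count, the excluded source port and the flag-letter convention are assumptions; the sample lines are constructed from the PARSING lines quoted above.

```python
import re

# Constructed sample, built from the PARSING lines quoted in the thread (not a real log file).
SAMPLE = """\
Mar 11 11:01:15.976859 rule 45/0(match): block in on we0: 203.117.112.203.1046 > 66.93.187.127.1434:  udp 376 (ttl 113, id 53647)
Mar 11 11:36:59.348297 rule 45/0(match): block in on we0: 66.82.208.169.1026 > 66.93.187.127.137:  [no cksum] udp 50 (ttl 116, id 43841)
Mar 11 11:59:32.906159 rule 46/0(match): block in on we0: 66.93.128.233.3189 > 66.93.187.127.139: S [tcp sum ok] 3987171096:3987171096(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 53291)
Mar 10 12:52:22.628017 rule 59/0(match): block in on we0: 68.62.111.200.44124 > 66.93.187.127.80: . [tcp sum ok] ack 1131429386 win 4096 (ttl 28, id 15628)
Mar 11 12:09:02.712077 rule 46/0(match): block in on we0: 204.71.191.157.80 > 66.93.187.127.39061: R [tcp sum ok] 505:505(0) ack 1 win 17520 (DF) (ttl 55, id 4969)
"""

MONTHS = {m: i + 1 for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}
IP = r"(?:\d{1,3}\.){3}\d{1,3}"
# Header shared by every pf line; the trailing ":\s+" absorbs the double space before "udp".
HEAD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\.\d+ rule \d+/\d+\(match\): "
    r"(?:block|pass) (?:in|out) on \w+: (?P<src>" + IP + r")\.(?P<sport>\d+) > "
    r"(?P<dst>" + IP + r")\.(?P<dport>\d+):\s+(?P<rest>.*)$")
# UDP: optional "[udp sum ok]" or "[no cksum]" note, then the keyword and length.
UDP_RE = re.compile(r"^(?:\[[^\]]*\] +)?udp \d+")
# TCP: tcpdump flag letters ("." alone means ACK only), then an optional checksum note.
TCP_RE = re.compile(r"^(?P<flags>[SFRPUWEC.]+)(?: +\[[^\]]*\])? +(?P<body>.*)$")

def parse_line(line, year=2003, tz="-05:00", exclude_sports=(80,)):
    """Return (skip_reason, record); record is None whenever the line is skipped."""
    m = HEAD_RE.match(line.rstrip())
    if not m:
        return ("Can't parse this line.", None)
    # The date is built once, before the protocol branch, so UDP and TCP lines cannot
    # diverge the way the "2003-00-11" results in the thread did.
    stamp = "%d-%02d-%02d %s %s" % (year, MONTHS[m["mon"]], int(m["day"]), m["time"], tz)
    if UDP_RE.match(m["rest"]):
        proto, flags = "UDP", ""
    else:
        t = TCP_RE.match(m["rest"])
        if not t:
            return ("Can't parse this line.", None)
        # Assumed flag convention: keep S/F/R/P letters and append "A" when an ack is present.
        proto = "TCP"
        flags = t["flags"].replace(".", "") + ("A" if " ack " in " %s " % t["body"] else "")
    if int(m["sport"]) in exclude_sports:
        return ("SOURCE PORT EXCLUDED: %s" % m["sport"], None)
    return (None, dict(stamp=stamp, src=m["src"], sport=int(m["sport"]), dst=m["dst"],
                       dport=int(m["dport"]), proto=proto, flags=flags))

def to_dshield(rec, userid="12203927", count=1):
    """Pipe-delimited layout taken from the PARSE RESULT lines in the thread."""
    fields = (rec["stamp"], userid, count, rec["src"], rec["sport"], rec["dst"], rec["dport"],
              rec["proto"], rec["flags"])
    return "|".join(str(f) for f in fields)
```

Run `parse_line` over each line of `SAMPLE` and pass the returned record to `to_dshield`; the fifth sample line is dropped with a source-port-excluded reason, as in the thread's DEBUG output.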



