[Dshield] PF parser issues

Phinizy William phinizyw at bandai.com
Fri Mar 12 17:22:04 GMT 2004


When I run the PF Perl script on a log that I convert to ASCII (tcpdump
-n -e -ttt -r /var/log/pflog.0 > /home/admin/pf.log) I get "cannot parse
this line" numerous times. I can understand if the log entry does not
contain a 'block in' so it does not parse... But the others should be
parsed? I remove the files from /tmp before I run the script. I am
running OpenBSD 3.4 and PF, obviously. Has anyone experienced issues
like this before?

-------------------------------Processing line 1-------------------------------

PARSING: Mar 11 00:00:03.498608 rule 1/0(match): block in on fxp0: 172.171.179.96.220 > 172.16.28.20.21: S 16644:16644(0) win 16384

SKIPPING: Can't parse this line.

-------------------------------Processing line 2-------------------------------

PARSING: Mar 11 00:00:14.906594 rule 48/0(match): pass in on fxp0: 69.42.77.53.37646 > 172.16.28.33.25: S 1304702558:1304702558(0) wi

SKIPPING: Does not contain ' block in '

-------------------------------Processing line 3-------------------------------

PARSING: n 5840 <mss 1460,sackOK,timestamp 974015 0,nop,wscale 0> (DF)

SKIPPING: Does not contain ' block in '

-------------------------------Processing line 4-------------------------------

PARSING: Mar 11 00:00:16.109325 rule 1/0(match): block in on fxp0: 172.171.179.96.220 > 172.16.28.24.21: S 16644:16644(0) win 16384

SKIPPING: Can't parse this line.

-------------------------------Processing line 5-------------------------------

PARSING: Mar 11 00:00:19.268294 rule 1/0(match): block in on fxp0: 172.171.179.96.220 > 172.16.28.25.21: S 16644:16644(0) win 16384

SKIPPING: Can't parse this line.

-------------------------------Processing line 6-------------------------------

PARSING: Mar 11 00:00:22.438096 rule 1/0(match): block in on fxp0: 172.171.179.96.220 > 172.16.28.26.21: S 16644:16644(0) win 16384

SKIPPING: Can't parse this line.

-------------------------------Processing line 7-------------------------------

PARSING: Mar 11 00:00:25.604125 rule 1/0(match): block in on fxp0: 172.171.179.96.220 > 172.16.28.27.21: S 16644:16644(0) win 16384

SKIPPING: Can't parse this line.

-------------------------------Processing line 8-------------------------------

PARSING: Mar 11 00:00:29.297737 rule 1/0(match): block in on fxp0: 172.171.179.96.220 > 172.16.28.28.21: S 16644:16644(0) win 16384

SKIPPING: Can't parse this line.

<truncated>

DEBUG: updating timestamp file /tmp/dshield.cnt (2004-03-11 23:59:33)

WARNING: /tmp/dshield.18261.tmp is empty.  Not sending any mail.

DEBUG: deleting /tmp/dshield.18261.tmp
====================================Totals=====================================

Wrote 0 valid log lines

Excluded 47 invalid (unparsable for some reason) lines

Excluded 0 lines that were too early

Excluded 0 source IP filtered lines

Excluded 0 target IP filtered lines

Excluded 0 source Port filtered lines

Excluded 0 target Port filtered lines

===================================All Done====================================
W. Harison Phinizy
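As an added illustration (not part of the original post and not the DShield client's own Perl code), the following Python parser reads pflog lines in the `tcpdump -n -e -ttt` form shown above, glues a wrapped continuation line (line 3 in the output, which is the tail of line 2) back onto the record it belongs to, and tallies inbound blocks per destination port. The regular expression, the field names and the wrapping assumption (a hard line break with no added whitespace) are my own assumptions about the format, not taken from the DShield script; the sample lines are copied from the debug output in this post.

```python
import re
from collections import Counter

# Constructed sample input, copied from the pflog excerpt in the post above
# (tcpdump -n -e -ttt output on OpenBSD). The third physical line is the
# wrapped tail of the second one, exactly as the script saw it.
SAMPLE_LOG = """\
Mar 11 00:00:03.498608 rule 1/0(match): block in on fxp0: 172.171.179.96.220 > 172.16.28.20.21: S 16644:16644(0) win 16384
Mar 11 00:00:14.906594 rule 48/0(match): pass in on fxp0: 69.42.77.53.37646 > 172.16.28.33.25: S 1304702558:1304702558(0) wi
n 5840 <mss 1460,sackOK,timestamp 974015 0,nop,wscale 0> (DF)
Mar 11 00:00:16.109325 rule 1/0(match): block in on fxp0: 172.171.179.96.220 > 172.16.28.24.21: S 16644:16644(0) win 16384
"""

# A logical record starts with "Mon DD HH:MM:SS.usec " (assumed format).
TS_RE = re.compile(r'^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}\.\d+ ')

# Full record layout (assumption, based only on the lines in the post):
#   <ts> rule N/M(reason): <action> <dir> on <iface>: src.sport > dst.dport: <rest>
LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) '
    r'rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): '
    r'(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): ?(?P<rest>.*)$'
)


def join_wrapped(text):
    """Yield logical log lines, re-attaching wrapped continuation lines.

    Assumption: a physical line that does not begin with a timestamp is the
    tail of the previous record, split by a hard line break with no added
    whitespace (so "wi" + "n 5840" becomes "win 5840").
    """
    current = None
    for raw in text.splitlines():
        line = raw.rstrip('\r')
        if not line.strip():
            continue
        if TS_RE.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += line
        else:
            yield line  # orphan fragment; the parser will report it as skipped
    if current is not None:
        yield current


def parse_line(line):
    """Return a dict of fields for one logical pflog line, or None if it
    does not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ('rule', 'sub', 'sport', 'dport'):
        rec[key] = int(rec[key])
    return rec


def parse_pflog(text):
    """Parse a whole ASCII pflog; return (records, skipped_lines)."""
    records, skipped = [], []
    for line in join_wrapped(text):
        rec = parse_line(line)
        (records if rec is not None else skipped).append(rec if rec is not None else line)
    return records, skipped


def blocked_inbound_by_port(records):
    """Count 'block in' records per destination port (defender's summary)."""
    return Counter(r['dport'] for r in records
                   if r['action'] == 'block' and r['dir'] == 'in')


if __name__ == '__main__':
    recs, bad = parse_pflog(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {len(bad)}")
    for port, n in sorted(blocked_inbound_by_port(recs).items()):
        print(f"  block in -> port {port}: {n}")
    for line in bad:
        print("SKIPPING:", line)
```

Running it on the sample prints three parsed records and no skipped lines; the joined second record keeps its full TCP options string, and the two `block in` records are both counted against destination port 21. Any line that still fails `LINE_RE` is returned in the skipped list rather than silently dropped, which is what you want when deciding whether a parse failure is a wrapping problem or a genuinely different log format.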