[Dshield] PF parser issues

Wayne Larmon wlarmon at dshield.org
Sat Mar 13 22:24:30 GMT 2004


It looks like the reason it isn't parsing is because your logs are different
than what the parser expects.  The parser expects to see the protocol, with
logs like:

Apr 28 11:27:57.262651 rule 5/0(match): block in on tun0: 201.1.2.3.110 >
192.5.6.7.80: R [tcp sum ok]  180649940:180649940(0) ack 2761221649 win 0
(ttl 59, id 51314)

or

Apr 29 03:27:17.466144 rule 8/0(match): block in on tun0: 201.1.2.3 >
192.5.6.7: icmp: echo request (id:3 seq:51426) (ttl 124, id 39118)

The protocols are 'tcp' and 'icmp'.  The non-ICMP parser requires that
either 'tcp' or 'udp' exist in the log line.  The ICMP parser requires that
'icmp' exist in the log.  If neither parser is satisfied, then it returns
'SKIPPING: Can't parse this line'.

Presumably something changed somewhere since this parser was written.  I'm
not an OpenBSD user, so this parser was written using a sample log that
another OpenBSD user sent in.

Is there any way that you can get your log to be like the sample lines,
above?  If not, is the protocol encoded some way in your log line so I can
write another regex to determine it?

If you want, you can contact me off list so that we can get this figured
out.

Wayne Larmon
DShield.org
wlarmon at dshield.org
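The two formats discussed above, handled by one parser. This is an added example, not the DShield pf script; it assumes that when the '[tcp sum ok]' tag is absent the protocol can still be inferred from tcpdump's TCP segment syntax (flags followed by seq:seq(len)), and its sample lines are constructed from the ones quoted in this thread. A wrapped continuation line is rejected rather than re-joined, which is the same outcome the script reports.

```python
import re

# Constructed sample lines modelled on the formats quoted in this thread.
SAMPLE_LINES = [
    "Apr 28 11:27:57.262651 rule 5/0(match): block in on tun0: 201.1.2.3.110 > "
    "192.5.6.7.80: R [tcp sum ok] 180649940:180649940(0) ack 2761221649 win 0 (ttl 59, id 51314)",
    "Apr 29 03:27:17.466144 rule 8/0(match): block in on tun0: 201.1.2.3 > "
    "192.5.6.7: icmp: echo request (id:3 seq:51426) (ttl 124, id 39118)",
    "Mar 11 00:00:03.498608 rule 1/0(match): block in on fxp0: 172.171.179.96.220 > "
    "172.16.28.20.21: S 16644:16644(0) win 16384",
    "Mar 11 00:00:14.906594 rule 48/0(match): pass in on fxp0: 69.42.77.53.37646 > "
    "172.16.28.33.25: S 1304702558:1304702558(0) win 5840",
    "n 5840 <mss 1460,sackOK,timestamp 974015 0,nop,wscale 0> (DF)",  # wrapped tail
]

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} [\d:.]+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$")
# TCP flags then seq:seq(len): how tcpdump prints a TCP segment even without "[tcp sum ok]".
TCP_SEGMENT_RE = re.compile(r"^[SFRPUW.]+ \d+:\d+\(\d+\)")

def split_endpoint(addr):
    """'1.2.3.4.80' -> ('1.2.3.4', 80); a bare address (ICMP) has no port."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return addr, None

def detect_protocol(rest):
    # Explicit token first ("icmp: ...", "udp ..."), then infer TCP from the segment syntax.
    for token in ("icmp", "udp"):
        if rest.startswith(token):
            return token
    return "tcp" if "[tcp" in rest or TCP_SEGMENT_RE.match(rest) else None

def parse_line(line):
    """Return a record for one pflog line, or None when it cannot be parsed."""
    m = HEADER_RE.match(line)
    proto = detect_protocol(m["rest"]) if m else None
    if proto is None:
        return None
    src, dst = split_endpoint(m["src"]), split_endpoint(m["dst"])
    return {"ts": m["ts"], "rule": int(m["rule"]), "action": m["action"],
            "iface": m["iface"], "proto": proto, "src": src, "dst": dst}

def blocked_records(lines):
    """Only 'block' lines are reported; anything else is skipped, as the script does."""
    return [r for r in map(parse_line, lines) if r and r["action"] == "block"]
```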

> When I run the pf perl script on a log that I convert to ascii (tcpdump
> -n -e -ttt -r /var/log/pflog.0 > /home/admin/pf.log) I get "cannot parse
> this line" numerous times.  I can understand if the log entry does not
> contain a 'block in' so it does not parse... But the others should be
> parsed?  I remove the files from /tmp before I run the script.  I am
> running OpenBSD 3.4 and PF obviously.  Has anyone experienced issues
> like this before?
>
> -------------------------------Processing line 1-------------------------------
>
> PARSING: Mar 11 00:00:03.498608 rule 1/0(match): block in on fxp0:
> 172.171.179.96.220 > 172.16.28.20.21: S 16644:16644(0) win 16384
>
> SKIPPING: Can't parse this line.
>
> -------------------------------Processing line 2-------------------------------
>
> PARSING: Mar 11 00:00:14.906594 rule 48/0(match): pass in on fxp0:
> 69.42.77.53.37646 > 172.16.28.33.25: S 1304702558:1304702558(0) wi
>
> SKIPPING: Does not contain ' block in '
>
> -------------------------------Processing line 3-------------------------------
>
> PARSING: n 5840 <mss 1460,sackOK,timestamp 974015 0,nop,wscale 0> (DF)
>
> SKIPPING: Does not contain ' block in '
>
> -------------------------------Processing line 4-------------------------------
>
> PARSING: Mar 11 00:00:16.109325 rule 1/0(match): block in on fxp0:
> 172.171.179.96.220 > 172.16.28.24.21: S 16644:16644(0) win 16384
>
> SKIPPING: Can't parse this line.
>
> -------------------------------Processing line 5-------------------------------
>
> PARSING: Mar 11 00:00:19.268294 rule 1/0(match): block in on fxp0:
> 172.171.179.96.220 > 172.16.28.25.21: S 16644:16644(0) win 16384
>
> SKIPPING: Can't parse this line.
>
> -------------------------------Processing line 6-------------------------------
>
> PARSING: Mar 11 00:00:22.438096 rule 1/0(match): block in on fxp0:
> 172.171.179.96.220 > 172.16.28.26.21: S 16644:16644(0) win 16384
>
> SKIPPING: Can't parse this line.
>
> -------------------------------Processing line 7-------------------------------
>
> PARSING: Mar 11 00:00:25.604125 rule 1/0(match): block in on fxp0:
> 172.171.179.96.220 > 172.16.28.27.21: S 16644:16644(0) win 16384
>
> SKIPPING: Can't parse this line.
>
> -------------------------------Processing line 8-------------------------------
>
> PARSING: Mar 11 00:00:29.297737 rule 1/0(match): block in on fxp0:
> 172.171.179.96.220 > 172.16.28.28.21: S 16644:16644(0) win 16384
>
> SKIPPING: Can't parse this line.
>
> <truncated>
>
> DEBUG: updating timestamp file /tmp/dshield.cnt (2004-03-11 23:59:33)
>
> WARNING: /tmp/dshield.18261.tmp is empty.  Not sending any mail.
>
> DEBUG: deleting /tmp/dshield.18261.tmp
> ====================================Totals=====================================
>
> Wrote 0 valid log lines
>
> Excluded 47 invalid (unparsable for some reason) lines
>
> Excluded 0 lines that were too early
>
> Excluded 0 source IP filtered lines
>
> Excluded 0 target IP filtered lines
>
> Excluded 0 source Port filtered lines
>
> Excluded 0 target Port filtered lines
>
> ===================================All Done====================================
>
> W. Harison Phinizy