parse iptables logs

toovato · 10-29-2003, 10:44 PM

Hello all - Perl question:

I would love to see the output of this if statement:

if (/^(\w+)\s+([0-9]+) ([0-9]+):([0-9]+):([0-9]+) (\w+) kernel: INPUT packet died: IN=(\w+[0-9]+) OUT= MAC=(\w+) SRC=([0-9\.]+) DST=([0-9\.]+) LEN=([0-9]+) TOS=(\w+) PREC=(\w+) TTL=([0-9]+) ID=([0-9]+) DF PROTO=(\w+) SPT=([0-9]+) DPT=([0-9]+) WINDOW=([0-9]+) RES=(\w+) ([\w+\s]+)URGP=([1-9]+)/) {
#If we audited an incoming TCP packet
print"I have been trying to get this to work for 10 hours";
send to mysql
}

my syslog entry looks like:

Oct 29 23:31:34 noc kernel: INPUT packet died: IN=eth0 OUT= MAC=00:20:78:1c:fe:b3:00:60:0f:4f:d3:e2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=56152 DF PROTO=TCP SPT=3119 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

Anybody know whats wrong with my parse?

Nightblade_oz · 10-30-2003, 06:04 AM

1. You've got: URGP=([1-9]+)
But the snippet of syslog you provide has: URGP=0

2. You've got: MAC=(\w+)
But that doesn't match a ":", so you need: MAC=([\w:]+)

Incidentally, that has got to be one of the ugliest bits of code I've ever seen. There are dozens of better ways to do what you want. Give me three examples for homework :-)

Working code:

Code:

#!/usr/bin/perl

use warnings;
use diagnostics;

my $log = "Oct 29 23:31:34 noc kernel: INPUT packet died: IN=eth0 OUT= MAC=00:20:78:1c:fe:b3:00:60:0f:4f:d3:e2:08:00 SRC=000.000.000.000 DST=000.000.000.000 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=56152 DF PROTO=TCP SPT=3119 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0";

if ( $log =~ /^(\w+)\s+([0-9]+) ([0-9]+):([0-9]+):([0-9]+) (\w+) kernel: INPUT packet died: IN=(\w+[0-9]+) OUT= MAC=([\w:]+) SRC=([0-9\.]+) DST=([0-9\.]+) LEN=([0-9]+) TOS=(\w+) PREC=(\w+) TTL=([0-9]+) ID=([0-9]+) DF PROTO=(\w+) SPT=([0-9]+) DPT=([0-9]+) WINDOW=([0-9]+) RES=(\w+) ([\w+\s]+) URGP=([0-9]+)/ )
{
	print "Worked!\n";
}

toovato · 10-30-2003, 04:22 PM

Yea - the URGP was the culprit - Figured it out late last night crawling through perldoc-

Wasnt my code - there is a script given out with snort to parse iptables logs and drop them into the snort db - it did not parse for MAC or DF. My problem now is that some packets logged will not show DF? How do I make it so that "DF" might be there and might not.

there are six if statements like that - this is what I did for MAC, but I guess yours will work too

if (/^(\w+)\s+([0-9]+) ([0-9]+)

[0-9]+)

[0-9]+) ([^\s]+) kernel: INPUT packet died: IN=(\w+[0-9]+) OUT= MAC=([a-f,0-9,:]+) SRC=([0-9\.]+) DST=([0-9\.]+) LEN=([0-9]+) TOS=(\w+) PREC=(\w+) TTL=([0-9]+) ID=([0-9]+) DF PROTO=(\w+) SPT=([0-9]+) DPT=([0-9]+) WINDOW=([0-9]+) RES=(\w+) ([\w+\s]+)URGP=([0-9]+)/) {
print"this code is a load of ....";
$month=$1;
$day=$2;
$hour=$3;
$min=$4;
$sec=$5;
$linux=$6;
$ruleset=IN;
$auth=audit;
$interface=$7;
# MAC=$8;
$src_addr=$9;
$dst_addr=$10;
$ip_len=$11;
$ip_tos=$12;
# PREC=$13
$ip_ttl=$14;
$ip_id=$15;
$proto=$16;
$src_port=$17;
$dst_port=$18;
# WINDOW=$19;
# RES=$20;
# FLAGS=$21
# URGP=$22
$therest=$23;
# $frag_off=$;

drop into database;

print"how would you do it? thanks";

Nightblade_oz · 10-30-2003, 07:45 PM

"+" = one or more things
"*" = zero or more things

so you could use: ([\w+\s]*)

Code:

#!/usr/bin/perl

use warnings;
use strict;

my $log = 'Oct 29 23:31:34 noc kernel: INPUT packet died: IN=eth0 OUT= '
        . 'MAC=00:20:78:1c:fe:b3:00:60:0f:4f:d3:e2:08:00 SRC=000.000.000.000 ' 
        . 'DST=000.000.000.000 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=56152 DF ' 
        . 'PROTO=TCP SPT=3119 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0';

my $re	= '^(\w+)\s+([0-9]+) ([0-9]+):([0-9]+):([0-9]+) (\w+) kernel: INPUT '
        . 'packet died: IN=(\w+[0-9]+) OUT= MAC=([\w:]+) SRC=([0-9\.]+) '
        . 'DST=([0-9\.]+) LEN=([0-9]+) TOS=(\w+) PREC=(\w+) TTL=([0-9]+) '
        . 'ID=([0-9]+) ([\w+\s]*) PROTO=(\w+) SPT=([0-9]+) DPT=([0-9]+) '
        . 'WINDOW=([0-9]+) RES=(\w+) ([\w+\s]+) URGP=([0-9]+)';

if ( $log =~ /$re/o )
{
    print "Worked!\n";
}

toovato · 10-30-2003, 10:56 PM

I like that - thanks nightblade