LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-09-2013, 12:38 AM   #1
hattori.hanzo
Member
 
Registered: Aug 2006
Posts: 168

Rep: Reputation: 15
Cisco PIX log regex


I am trying to run a script called ciscofw2csv.pl from a GIAC paper (https://s54-www.giac.org/paper/gcia/...ecurity/109883). This script supposes to parse PIX logs to .csv for further processing.

Code:
#!/usr/bin/perl
########################################################################
# Title: CISCOFW2CSV
# File: ciscofw2csv.pl
# Version: 1.0
#
# Description: Takes specific cisco firewall (asa, fwsm, pix) messages (see below) and
# parses the events into comma separated values. Specific fields wanted in the output are
# provided at execution.
#
# %PIX|ASA-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service
# %PIX|ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type
#{string}, code {code}] by access_group #acl_ID
#
# Usage: cat /var/log/enterprise.log | ./ciscofw2csv.pl ["field list"]
#
# Possible fields:
# timestamp sip dip sport dport type level src_int dst_int access_group
# rest proto report_ip
########################################################################
#
#
use strict vars;
my $output=$ARGV[0];
our ($timestamp,$report_ip,$level,$type,$src_int,$sip,$sport,$dst_int,$dip,$dport,$access_group,$rest,$proto);

while (<STDIN>) {
        chomp;
        my $input = $_;
        if ($input =~ /106023/){
        ($timestamp, $report_ip, $type, $level, $proto, $src_int, $sip, $sport, $dst_int, $dip, $dport, $access_group,$rest) =
        $input =~ /^(.* \d{2}:\d{2}:\d{2}).*? (\d+\.\d+\.\d+\.\d+) \%(ASA|FWSM|PIX)\-(4)\-106023\: Deny (tcp|udp) src (\D+)\:(\d+\.\d+\.\d+\.\d+)\/(\d+) dst (\D+)\:(\d+\.\d+\.\d+\.\d+)\/(\d+) by access-group \"(\D+)\" (.*)/;
        }

        if ($input =~ /710003/){
        ($timestamp, $report_ip, $type, $level, $proto, $sip, $sport, $dst_int, $dip, $dport) =
        $input =~ /^(.* \d{2}:\d{2}:\d{2}).*? (\d+\.\d+\.\d+\.\d+) \%(ASA|FWSM|PIX)\-(3)\-710003\:(TCP|UDP) access denied by ACL from (\d+\.\d+\.\d+\.\d+)\/(\d+) to (\D+)\:(\d+\.\d+\.\d+\.\d+)\/(\d+)/;
        }

        $dport = $dport."-".$proto;
        my @tokens = split / /,$output;
        print ${shift(@tokens)};
        for my $token (@tokens) {
                print ','.$$token;
        }
        print "\n";
}
When I test the script I cannot get any meaningful output.

Code:
May  7 09:23:39 143.45.9.7 %PIX-4-106023: Deny icmp src outside:65.255.219.102 dst dmz1:34.160.128.101 (type 8, code 0) by access-group "inbound"
May  7 09:23:39 143.45.9.7 %PIX-4-106023: Deny tcp src inside:221.166.70.61/35848 dst outside:291.166.101.213/143 by access-group "inbound"
May  7 09:23:39 143.45.9.7 %PIX-4-106023: Deny tcp src inside:221.166.70.61/40669 dst outside:291.166.100.61/110 by access-group "outbound"
I got a feeling the regex maybe the problem (high lighted above in bold).

Could anyone confirm this?

Thanks.
 
Old 05-09-2013, 02:12 AM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,417

Rep: Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397
There seemed to be 1 or 2 problems with the regexes, plus a few other Perlisms that needed tidying up.
Its not quite how I would do it, but this seems to work
Code:
#!/usr/bin/perl -w
########################################################################
# Title: CISCOFW2CSV
# File: ciscofw2csv.pl
# Version: 1.0
#
# Description: Takes specific cisco firewall (asa, fwsm, pix) messages (see below) and
# parses the events into comma separated values. Specific fields wanted in the output are
# provided at execution.
#
# %PIX|ASA-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service
# %PIX|ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type
#{string}, code {code}] by access_group #acl_ID
#
# Usage: cat /var/log/enterprise.log | ./ciscofw2csv.pl ["field list"]
#
# Possible fields:
# timestamp sip dip sport dport type level src_int dst_int access_group
# rest proto report_ip
########################################################################
#
#
use strict "vars";

my @tokens = @ARGV;
our ($timestamp,$report_ip,$level,$type,$src_int,$sip,$sport,$dst_int,$dip,$dport,$access_group,$rest,$proto);

        # Print hdr csv
        my $cflag = 0;
        for my $token (@tokens)
        {
            if( $cflag == 0 )
            {
                print $token;
                $cflag = 1;
            }
            else
            {
                print ','.$token;
            }
        }
        print "\n";

while (<STDIN>) 
{
        chomp;
        my $input = $_;
		next if( $input =~ /icmp/ );
        if ($input =~ /106023/ )
		{
			($timestamp, $report_ip, $type, $level, $proto, $src_int, $sip, $sport, $dst_int, $dip, $dport, $access_group,$rest) =

     $input =~ /^([A-Za-z]+\s+[0-9]{1,2} \d{2}:\d{2}:\d{2}) (\d+\.\d+\.\d+\.\d+) \%(ASA|FWSM|PIX)\-(4)\-106023\: Deny (tcp|udp) src (\D+)\:(\d+\.\d+\.\d+\.\d+)\/(\d+) dst (\D+)\:(\d+\.\d+\.\d+\.\d+)\/(\d+) by access-group \"(\D+)\"/ ;

        }

        if ($input =~ /710003/)
		{
			($timestamp, $report_ip, $type, $level, $proto, $sip, $sport, $dst_int, $dip, $dport) =
        $input =~ /^([A-Za-z]+\s+[0-9]{1,2} \d{2}:\d{2}:\d{2}).*? (\d+\.\d+\.\d+\.\d+) \%(ASA|FWSM|PIX)\-(3)\-710003\:(TCP|UDP) access denied by ACL from (\d+\.\d+\.\d+\.\d+)\/(\d+) to (\D+)\:(\d+\.\d+\.\d+\.\d+)\/(\d+)/;
        }

        $dport = $dport."-".$proto;

		# Print data csv	
        $cflag = 0;
        for my $token (@tokens) 
		{
            if( $cflag == 0 )
			{
				print $$token;
                $cflag = 1;
            }
            else
            {
               print ','.$$token;
			}
        }
        print "\n";
}
Obviously I don't have a 710003 type rec to test.
Note that the original code didn't output icmp pkts, so I've told it to skip those; I'm sure you can handle that if reqd
 
2 members found this post helpful.
Old 05-17-2013, 01:30 AM   #3
hattori.hanzo
Member
 
Registered: Aug 2006
Posts: 168

Original Poster
Rep: Reputation: 15
G'Day,

Thank you very much for the response.

I will look into this further.

Cheers.
 
  


Reply

Tags
cisco pix, ciscofw2csv, ciscofw2csv.pl, giac


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
vpnc and Cisco PIX RomanC Linux - Software 1 09-18-2007 03:26 AM
Cisco PIX to SmoothWall cmt9000 Linux - Networking 1 09-08-2006 01:29 PM
Cisco PIX shipon_97 Linux - Networking 1 02-20-2006 02:57 AM
Cisco PIX 500 Series Secure Firewall (PIX-520) robertwolfe Linux - Networking 1 01-19-2006 05:37 AM
Mrtg+Cisco PIX pudhiyavan Linux - Networking 4 04-11-2005 03:58 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 12:20 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration