lire::firewall::ipfilterdlfconverter(3pm) [debian man page]

IpfilterDlfConverter(3pm)				  LogReport's Lire Documentation				 IpfilterDlfConverter(3pm)

NAME

       Lire::Firewall::IpfilterDlfConverter - convert ipf (ipmon) logs to firewall DLF

DESCRIPTION

       Lire::Firewall::IpfilterDlfConverter converts Ipfilter logs into firewall DLF format.  Input for this converter is the standard ipf syslog
       log file as produced by ipmon. IP Filter is shipped with FreeBSD, OpenBSD (up to 2.9) and some other OS's.

EXAMPLE

       A ipfilter logfile which looks like

	Oct 30 07:42:29 rolle ipmon[16747]: 07:42:28.585962	ie0 @0:9
	 b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
	Oct 30 07:40:24 rolle ipmon[16747]: 07:40:23.631307	ep1 @0:6
	 b 192.168.26.5,113 -> 192.168.26.1,3717 PR tcp len 20 40 -AR OUT
	Oct 30 07:42:29 rolle ipmon[16747]: 07:42:28.585962	ie0 @0:9
	 b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
	Oct 30 07:44:11 rolle ipmon[16747]: 07:44:10.605416 2x	   ep1 @0:15
	 b 192.168.26.1,138 -> 192.168.26.255,138 PR udp len 20 257  IN
	Oct 30 07:44:34 rolle ipmon[16747]: 07:44:33.891869	ie0 @0:10
	 b 192.168.48.1,23406 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
	Oct 30 07:49:13 rolle ipmon[16747]: 07:49:12.554420	ep1 @0:15
	 b 210.132.100.117 -> 192.168.26.5 PR icmp len 20 56 icmp 3/3 for
	 192.168.26.5,61915 - 210.132.100.117,53 PR udp len 20 23040 IN
	Oct 30 07:50:23 rolle ipmon[16747]: 07:50:22.908107	ep1 @0:15
	 b 210.132.100.117 -> 192.168.26.5 PR icmp len 20 56 icmp 3/3 for
	 192.168.26.5,4480 - 210.132.100.117,53 PR udp len 20 19712 IN
	Oct 30 07:56:11 rolle ipmon[16747]: 07:56:11.113029 2x	   ep1 @0:15
	 b 192.168.26.1,138 -> 192.168.26.255,138 PR udp len 20 257  IN

       (that's: .... 'PR' protocol 'len' length_of_ip_headers_saved packetlength direction) will get converted to something like

	994398737 denied igmp 100.187.115.1 - ep1 LIRE_NOTAVAIL 
	 224.0.0.2 - 56
	994398861 denied igmp 100.187.115.1 - ep1 LIRE_NOTAVAIL 
	 224.0.0.1 - 56
	994398862 denied igmp 100.187.115.1 - ep1 LIRE_NOTAVAIL 
	 224.0.0.2 - 56
	994406849 denied udp 192.168.26.4 137 ie0 LIRE_NOTAVAIL 
	 192.168.26.255 137 116
	994406850 denied udp 192.168.26.4 137 ie0 LIRE_NOTAVAIL 
	 192.168.26.255 137 116
	994406866 denied udp 192.168.26.4 137 ie0 LIRE_NOTAVAIL 
	 192.168.26.255 137 98

SEE ALSO

       ipl(4) for description of log structure.

       The ipmon.c source (e.g. on

	http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/ 
	 src/usr.sbin/ipmon/Attic/ipmon.c?rev=1.27& 
	 content-type=text/plain&hideattic=0

       ) for the specification of the log syntax.

       The IP Filter webpage on http://coombs.anu.edu.au/~avalon/ip-filter.html

AUTHOR

       Joost van Baal <joostvb@logreport.org>, Wessel Dankers <wsl@logreport.org>

VERSION

       $Id: IpfilterDlfConverter.pm,v 1.7 2009/03/15 08:10:55 vanbaal Exp $

COPYRIGHT

       Copyright (C) 2001-2003 Stichting LogReport Foundation LogReport@LogReport.org

       This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
       the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with
       http://www.gnu.org/copyleft/gpl.html.

Lire 2.1.1							    2009-03-15						 IpfilterDlfConverter(3pm)

Check Out this Related Man Page

WELF(3pm)						  LogReport's Lire Documentation						 WELF(3pm)

NAME

       Lire::WELF - Base implementation of a WebTrends(tm) Enhanced Log Format parser

SYNOPSIS

       use Lire::WELF;

       my $parser = new Lire::WELF;

       my $welf_rec = $parser->parse( $line );

DESCRIPTION

       This module defines an object able to parse WebTrends(tm) Enhanced Log Format. That log format was defined by WebTrends(tm) for its
       Firewall Suite. It defines an extensible format that is now used by several packet filter and/or proxy firewall.

       The document describing that format is available from http://www.webtrends.com/partners/welfOverview.htm

       A list of products/vendor that supports this format can be found at http://www.webtrends.com/partners/firewall.htm

       You create a WELF parser object using the new() method:

	   my $parser = new Lire::WELF();

       To parse a WELF record you invoke the parser() method with the line containing the record as parameter:

	   my $rec    = $parser->parse( $line );

       The $rec is an hash reference with the WELF field name used as keys and the value of the records as values.

       No value are interpreted or checked in any except for the following:

       time
	   The time field will be converted to epoch time

       quotation
	   The quotation marks used when the value contains spaces are removed.

   WELF EXTENSIONS
       The parser also supports "extensions" to the format found in the field.

       port
	   We will interpret correctly src and dst fields that have the port embededded in them:

	       src=192.168.1.1:1037

       interface
	   A possible :IFNAME will also be interpreted as the interface name:

	       dst=192.168.100.10:23:WAN

       timezone
	   The time field may contains a time zone identifier:

	       time="2001-12-02 12:34:12 UTC"

   Derived Fields
       The parser will generate a few 'derived' to complete the format.

       src_port
	   Will contain the src port portion of the dst field when SonicWall extensions are used.

       dst_port
	   Will contain the interface portion of the dst field when SonicWall extensions are used.

       src_if
	   Will contain the interface portion of the src field when SonicWall extensions are used.

       dst_if
	   Will contain the interface portion of the dst field when SonicWall extensions are used.

AUTHOR

	 Francis J. Lacoste <flacoste@logreport.org>

VERSION

       $Id: WELF.pm,v 1.11 2006/07/23 13:16:30 vanbaal Exp $

COPYRIGHT

       Copyright (C) 2001 Stichting LogReport Foundation LogReport@LogReport.org

       This file is part of Lire.

       Lire is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with
       http://www.gnu.org/copyleft/gpl.html.

Lire 2.1.1							    2006-07-23								 WELF(3pm)

Linux and UNIX Man Pages

lire::firewall::ipfilterdlfconverter(3pm) [debian man page]

Check Out this Related Man Page