S-096: Application Inspection Vulnerability in Cisco Firewall Services Module


 
12-24-2007

A vulnerability exists in the Cisco Firewall Services Module (FWSM), a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers, that may result in a reload of the FWSM. The risk is LOW. May result in a reload of the FWSM.


PIX2DLF.IN(1)                LogReport's Lire Documentation                PIX2DLF.IN(1)

NAME
       pix2dlf - convert PIX logs to the firewall DLF format

SYNOPSIS
       pix2dlf

DESCRIPTION
       This script expects syslog-type logs from a Cisco PIX firewall on stdin. Messages with severity level informational (6) and up should be logged. These look like e.g.:

        Jan 15 12:58:37 pix1 %PIX-4-106543: Deny tcp src outside:1.2.3.4/1234 dst inside:2.3.4.5/80 by access-group "foo"
        Jan 16 10:37:09 pix1 %PIX-4-106543: Deny udp src outside:3.4.5.6/137 dst inside:4.5.6.7/137 by access-group "foo"
        Jan 17 08:43:46 pix1 %PIX-4-106543: Deny icmp src outside:5.6.7.8 dst inside:6.7.8.9 (type 8, code 0) by access-group "foo"
        Jan 24 00:07:39 pix1 %PIX-6-302000: Teardown TCP connection 178359 faddr 7.8.9.10/102 gaddr 8.9.10.11/21652 laddr 9.10.11.12/4107 duration 0:00:01 bytes 755 (TCP FINs)
        Jan 24 00:07:45 pix1 %PIX-6-302000: Teardown UDP connection for faddr 10.11.12.13/711 gaddr 11.12.13.14/1259 laddr 12.13.14.15/1259

       That is

        syslog_time_stamp log_host %PIX-Level-Message_number: Message_text

       See also http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemint.htm#xtocid11 .

       It will output DLF records in the Lire firewall DLF format on STDOUT.

       For now, only messages

        %PIX-2-106001
        %PIX-2-106002
        %PIX-2-106006
        %PIX-2-106007
        %PIX-3-106010
        %PIX-3-106014
        %PIX-6-106015
        %PIX-1-106021
        %PIX-4-106023
        %PIX-6-302002
        %PIX-6-302006
        %PIX-6-302014
        %PIX-6-302016

       are used.

       Note that severity level 1 is `alert', 6 is `informational'. (0 is `emergency', 7 is `debugging'.)

EXAMPLES
       To process a log as produced by a Cisco PIX:

        $ pix2dlf < pix.log

       pix2dlf will be rarely used on its own, but is more likely called by lr_log2report:

        $ lr_log2report pix < /var/log/pix.log

BUGS
       This script hasn't yet been tested by a very wide range of log files, and therefore is not mature yet.

       Studying the Cisco documentation for any changes in the log file format, e.g. between PIX Firewall Version 4.0 and 6.2, has not been done yet. We probably do not support any of the PIX products really fully. We've found documentation for log files for PIX version 4.3, 4.4, 5.0, 5.1, 5.2, 5.3, 6.0, 6.1 and 6.2, but didn't implement all peculiarities found in these docs yet. This script strives to support PIX 6.2 in most common cases.

       When hacking on this script, beware that log syntax has changed during PIX development.

       Furthermore, note that some rudimentary state is represented in PIX logs. This state is not used yet in this script.

SEE ALSO
       "Cisco PIX Firewall System Log Messages" http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm

VERSION
       $Id: pix2dlf.in,v 1.26 2009/03/15 08:10:55 vanbaal Exp $

COPYRIGHT
       Copyright (C) 2002 Stichting LogReport Foundation <logreport@logreport.org>

       This file is part of Lire.

       Lire is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.

THANKS
       Roberto dal Zilio and Ketil Adolfsen, for supplying PIX logs for debugging. Anthony (acquant) for fixing bugs.

AUTHOR
       Initial version by Wessel Dankers <wsl@logreport.org>, based upon Lire's cisco_acl2dlf script. Lots of later changes by Joost van Baal <joostvb@logreport.org>.

Lire 2.1.1                              2009-03-15                              PIX2DLF.IN(1)
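
ADDED EXAMPLE
       The line layout given under DESCRIPTION (syslog_time_stamp log_host %PIX-Level-Message_number: Message_text), parsed in Python and tallied by denied source. This is an added example, not code from pix2dlf or Lire. The USED filter is this example's reading of the message list above, and the names parse_line, summarize and SAMPLE are made up for it. The sample lines are constructed from the man page's message shapes.

```python
import re
from collections import Counter

# Message tags the man page lists as the only ones pix2dlf uses.
USED = set("""%PIX-2-106001 %PIX-2-106002 %PIX-2-106006 %PIX-2-106007
%PIX-3-106010 %PIX-3-106014 %PIX-6-106015 %PIX-1-106021 %PIX-4-106023
%PIX-6-302002 %PIX-6-302006 %PIX-6-302014 %PIX-6-302016""".split())

# syslog_time_stamp log_host %PIX-Level-Message_number: Message_text
HEADER = re.compile(r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<tag>%PIX-(?P<level>[0-7])-(?P<msgno>\d{6})): (?P<text>.*)$")
# Deny text as in the samples; ICMP carries no port, so both ports are optional.
DENY = re.compile(r"^Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)"
                  r"(?:/(?P<src_port>\d+))? dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)"
                  r"(?:/(?P<dst_port>\d+))?")

def parse_line(line):
    """Split one PIX syslog line into its fields; None if the header is malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    rec["used"] = rec["tag"] in USED       # assumption: filter on the listed tags
    d = DENY.match(rec["text"])
    rec["deny"] = d.groupdict() if d else None
    return rec

def summarize(lines):
    """Return (line-class counts, denies per (src_ip, proto, dst_port))."""
    stats, denied = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["malformed"] += 1        # e.g. syslog "repeated" lines
        elif not rec["used"]:
            stats["unlisted"] += 1         # valid header, tag not in USED
        else:
            stats["used"] += 1
            if rec["deny"]:
                d = rec["deny"]
                denied[(d["src_ip"], d["proto"], d["dst_port"])] += 1
    return stats, denied

SAMPLE = [  # constructed; Deny lines renumbered to the listed tag %PIX-4-106023
    'Jan 15 12:58:37 pix1 %PIX-4-106023: Deny tcp src outside:1.2.3.4/1234 dst inside:2.3.4.5/80 by access-group "foo"',
    'Jan 15 12:58:39 pix1 %PIX-4-106023: Deny tcp src outside:1.2.3.4/1235 dst inside:2.3.4.5/80 by access-group "foo"',
    'Jan 17 08:43:46 pix1 %PIX-4-106023: Deny icmp src outside:5.6.7.8 dst inside:6.7.8.9 (type 8, code 0) by access-group "foo"',
    'Jan 24 00:07:39 pix1 %PIX-6-302000: Teardown TCP connection 178359 faddr 7.8.9.10/102 gaddr 8.9.10.11/21652 laddr 9.10.11.12/4107 duration 0:00:01 bytes 755 (TCP FINs)',
    'Jan 24 00:07:40 pix1 last message repeated 2 times',
]
```

       Tracking the "unlisted" and "malformed" counts shows how much of a log a tag-based filter silently drops, which matters given the format drift between PIX versions noted under BUGS.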