[fwAnalog] fwanalog workaround for FreeBSD 4.6.2 and ipfw

From: Hunkirchen (phunkirchen~AT~t-online.de)
Date: Sun Sep 15 2002 - 23:35:26 CEST



Hi!

After my problems with fwanalog under FreeBSD 4.6.2 and ipfw I did some customizing to solve it.
The following is the result. You can just add it to fwanalog (fwanalog.sh) and enable it via the entry logformat="ipfw" in fwanalog.opts.

ipfw ()
{

# fwanalog extension for freebsds ipfw
# 15/Sept/2002 Peter Hunkirchen <phunkirchen~AT~t-online.de>

# Parse ipfw logfiles into an analog-compatible "URL log"

        $zegrep -h "Deny" $inputfiles \
                > $outdir/fwanalog.current

# Create script to convert lines without year to fully specified date
        mkdateconvscript

# Use the script on the current logfile
        $sed -f $outdir/convdate.sed $outdir/fwanalog.current > $outdir/fwanalog.current.withyear

# Example of converted log line:
# 2002 Sep 15 07:47:04 yepp /kernel: ipfw: 65435 Deny UDP 80.133.123.52:1042 165.132.149.211:4665 out via tun0
# Example of desired output:
# 131....38 - - [31/Mar/2001:00:58:17 +0200] "GET /212....31/TCP/21 HTTP/1.0" 200 \
# 44 "61636" "00....:00" 10 eth1
#
# Which means:
# ip - - [date] "GET Desthost/Protocol/Port" 200 PcktLen "http://Sourceport/" "Macadr" 0 interface
# Sourceport is in the referrer field, macadr in the user-agent, interface
# in the VirtualHost.
# There is no MAC address in ipchains logs (nor in ipfw logs), and ipfw does
# not log the packet length, so those fields are emitted as "" and 1 below.

# Decide if the source or the destination host is included in the
# Blocked Packet Report (option "onehost" in fwanalog.opts)
# Group numbers refer to the perl regex below: $7 is the source ip, $9 the
# destination ip ($8 and $10 are the ports).
        if [ $onehost = true ]; then
                reqhost="\$7"           # The analog "request" contains the source ip
        elif [ $onehost = dynip ]; then
                reqhost="firewall"      # The analog "request" contains this string
        else
                reqhost="\$9"           # The analog "request" contains the destination ip
        fi

# Regex groups:  1 year, 2 month, 3 day, 4 time, 5 Deny|Reject, 6 protocol,
#                7 source ip, 8 source port, 9 destination ip, 10 destination port,
#                11 direction (in/out), 12 "via", 13 interface
        $perl -pwe "s!^(\d+) +(\w+) +(\d+) ([0-9:]+) .+(Deny|Reject) ([\w-]+) ([0-9.]+):(\d*) ([0-9.]+):(\d*) ([\w-]+) ([\w-]+) ([\w-]+)\$!\$7 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /$reqhost/\$6/\$10/ HTTP/1.0\" 200 1 \"http://\$8/\" \"\" 0 \$13 !" \
                $outdir/fwanalog.current.withyear > $outdir/fwanalog.current.log
# $outdir/fwanalog.current.log now contains the data in the Analog URL format.
}
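To make the field mapping above easy to check outside of fwanalog, here is a small stand-alone converter that does the same job as the perl one-liner: it takes ipfw syslog lines that already carry the year (the state after the convdate.sed step) and emits the analog "URL log" line, with the same onehost choices. This is an added example, not code from the post or from the fwanalog project; the sample log lines are constructed, the function names, the default timezone and the zero-padding of the day (so the date is a well-formed CLF date even for "Sep  5") are my choices.

```python
import re

# Constructed sample input in FreeBSD ipfw syslog format, year already
# prepended as fwanalog's convdate.sed step would do it. Not real traffic.
SAMPLE_LINES = [
    "2002 Sep 15 07:47:04 yepp /kernel: ipfw: 65435 Deny UDP "
    "80.133.123.52:1042 165.132.149.211:4665 out via tun0",
    "2002 Sep 5 07:48:10 yepp /kernel: ipfw: 65435 Deny TCP "
    "10.0.0.5:3133 192.0.2.7:21 in via tun0",
    # an Accept line: not a blocked packet, must be skipped
    "2002 Sep 15 07:49:00 yepp /kernel: ipfw: 100 Accept TCP "
    "10.0.0.5:1024 192.0.2.9:80 out via tun0",
]

# Same structure as the perl regex in the post, with named groups so the
# source/destination mix-up cannot happen silently.
IPFW_RE = re.compile(
    r"""^(?P<year>\d+)\s+(?P<mon>\w+)\s+(?P<day>\d+)\s+(?P<time>[0-9:]+)\s+
        .+?\s(?P<action>Deny|Reject)\s+(?P<proto>[\w-]+)\s+
        (?P<src>[0-9.]+):(?P<sport>\d*)\s+(?P<dst>[0-9.]+):(?P<dport>\d*)\s+
        (?P<dir>[\w-]+)\s+via\s+(?P<iface>[\w-]+)$""",
    re.VERBOSE,
)


def ipfw_to_analog(line, onehost="false", timezone="+0200"):
    """Convert one ipfw Deny/Reject line to the analog URL-log format.

    Returns None for lines that are not blocked packets (Accept, ICMP
    without ports, unrelated kernel messages), mirroring the perl filter.
    Output layout: ip - - [date] "GET Host/Proto/Port/ HTTP/1.0" 200 PktLen
    "http://Sourceport/" "Macadr" 0 interface
    """
    m = IPFW_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()

    # "onehost" from fwanalog.opts decides which host becomes the request path
    if onehost == "true":
        reqhost = f["src"]          # source ip
    elif onehost == "dynip":
        reqhost = "firewall"        # fixed string for a dynamic-IP firewall
    else:
        reqhost = f["dst"]          # destination ip (default)

    day = f["day"].zfill(2)         # CLF dates use a two-digit day
    # ipfw logs neither a packet length nor a MAC address: emit 1 and ""
    return (
        f'{f["src"]} - - [{day}/{f["mon"]}/{f["year"]}:{f["time"]} {timezone}] '
        f'"GET /{reqhost}/{f["proto"]}/{f["dport"]}/ HTTP/1.0" 200 1 '
        f'"http://{f["sport"]}/" "" 0 {f["iface"]}'
    )


def convert(lines, onehost="false", timezone="+0200"):
    """Convert a sequence of log lines, dropping everything that is not a
    blocked packet. This is the whole of what fwanalog.current.log holds."""
    out = []
    for line in lines:
        converted = ipfw_to_analog(line.rstrip("\n"), onehost, timezone)
        if converted is not None:
            out.append(converted)
    return out


if __name__ == "__main__":
    for entry in convert(SAMPLE_LINES):
        print(entry)
```

Feed it a real file with `convert(open("fwanalog.current.withyear"))`; the request path is what analog groups the Blocked Packet Report by, which is why getting the source/destination group right matters more than the other fields.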

This archive was generated by hypermail 2.1.4 : Sun Sep 15 2002 - 22:42:03 CEST