[fwAnalog] FreeBSD ipfw

From: Martin Schweizer <schweizer.martin~AT~gmail.com>
Date: Thu Apr 20 2006 - 07:20:22 CEST


(Sorry for my first post, which was too large. Now I snip a lot.)

Hello list

I want to generate reports from the files /var/log/security* written by ipfw. I also want only the "Accept" lines and not the "Deny" lines.

Here is an example:
Apr 19 11:00:00 saturn /kernel: ipfw: 2400 Accept TCP 206.165.150.204:80 192.168.10.124:1391 in via xl1

Attached you'll find fwanalog.opts and fwanalog. Under ipfw() I exchanged "Deny" with "Accept", but with no success. I always get the following error:

saturn# fwanalog
Can't open $outdir/fwanalog.current.withyear: No such file or directory
saturn#

fwanalog generates the html reports, but they are always empty. If I use the standard configuration with "Deny" the result is the same. I found out that the file fwanalog.current.withyear exists until the perl line is executed. Afterwards the file no longer exists.

I have no idea what is going wrong.

Kind regards,
Martin

fwanalog.opts
#!/bin/sh

###########################################################################
#
# User-changeable options for fwanalog.sh
#
# $Id: fwanalog.opts.freebsd,v 1.16 2005/02/24 15:59:34 bb Exp $
#
###########################################################################
outdir="/usr/home/martin/fwanalog"
# The directory where the output goes to, without / at the end. You need write
# permissions, of course, and should secure this directory with permissions,
# minefields, guard dogs etc. It will be created if you don't have it yet.

logformat="ipfw"
# What log format your firewall writes.
# Currently available options:
# iptables    Linux 2.4 iptables (probably in /var/log/messages)
# ipchains    Linux 2.2 ipchains (probably in /var/log/messages)
# ipf         BSD/Solaris ipfilter (probably in /var/log/ipflog)
# openbsd     this was the same as ipf until OpenBSD 2.9; this also
#             seems to work on NetBSD
# freebsd     FreeBSD's output format (probably in /var/log/ipflog)
# ipfw        FreeBSD's ipfw output format
# solarisipf  Solaris 8.0 Intel ipf 3.4.20 (using ipmon -sn &)
# pf_30       OpenBSD 3.0 pf binary log format
#             fwanalog *must* run on OpenBSD 3.0 for this to work
#             (because of the special tcpdump of OpenBSD)
# zynos       ZyNOS (ZyXEL, Netgear) logfile
# pix         Cisco Pix (tested with version 6.22/IOS)
# watchguard  Watchguard Firebox
# fw1         Checkpoint Firewall-One (not fw-1 NG!)
# sonicwall   SonicWall TZ-170 syslog logfile

# Feel free to program a parser for your firewall if it is not supported.
# See the comments in iptables() and ipf()
#
# The officially maintained formats are pf_30 and iptables.

inputfiles_mask="security*"     # The name of your logfiles, with a wildcard if you want

inputfiles_dir="/var/log"       # The directory where your logfiles are in, e.g. /var/log

inputfiles_mtime="1000"         # How old the logfiles can be
                                # You can change this to your log rotate interval + 1 day
                                # (so you never miss a logfile entry)

inputfiles=`find $inputfiles_dir -maxdepth 1 -name "$inputfiles_mask" -mtime -$inputfiles_mtime | sort -r`

echo $inputfiles

# This should find the names of the logfiles you want to parse
# It MUST return the names in reverse order (chronologically) or you
# will have LOTS of duplicate lines in your log.

onehost=false
# Available options: false true dynip

# Default: false

# Set to true if this firewall runs on one machine only and you want to see
# the source hosts (not the protected target hosts) in the Blocked Packet
# Report. This is suggested if you protect one server, but loses information
# if you protect a network.

# Set to "dynip" if your firewall has a dynamic IP address.

# After changing onehost, you must delete everything in $outdir!

sep_hosts=false
# Set to true if you want fwanalog to create a separate, additional report for
# each attacking host IP.
# WARNING: this can run for hours using 100 % CPU and consume lots of hard
# disk space (up to 25 kB per host) so you can easily fill up your server if
# too many packets from different hosts were blocked.
# Also, this makes only limited sense with onehost mode set to true.
# If you set this option after having used fwanalog, some hosts won't be
# linked in the report. You can create a report for a host with the
# "-a <IP-address>" command line option.

sep_packets=false
# Like sep_hosts, but for blocked packets.
# The corresponding command line option is "-p <packet>"

# Program invocations - add path if needed

analog="analog"         # Full pathname if you need, or "nice analog" if you want to de-priorize it

date="date"             # should be GNU date or one which can print the timezone,
                        # see "timezone" below
grep="grep"             # should be GNU grep
egrep="egrep"           # should be GNU egrep
zegrep="zegrep"         # this is just a shellscript on most systems. If you don't
                        # have it, copy it from another Unix-lookalike.
gzcat="gzcat"           # needed only on OpenBSD 3.x
sed="sed"
perl="perl"
tcpdump="tcpdump"       # needed only on OpenBSD 3.x

timezone=`$date +%z`
# Which timezone the server is in. Correct if the server fwanalog runs on
# is not in the timezone the firewall is in.
# The %z option of date is supported on GNU/Linux and OpenBSD,
# but apparently NOT on FreeBSD so you will have to insert your
# timezone difference (e.g. -0500) yourself or use GNU date.

fwanalog:

[snip]

ipfw ()
{
   # fwanalog extension for freebsds ipfw
   # 15/Sept/2002 Peter Hunkirchen <phunkirchen@t-online.de>

   # Parse ipfw logfiles into an analog-compatible "URL log"
   # (only the lines containing the chosen action word are kept)
   $zegrep -h "Accept" $inputfiles \
       > $outdir/fwanalog.current

   # Create script to convert lines without year to fully specified date
   mkdateconvscript

   # Use the script on the current logfile
   $sed -f $outdir/convdate.sed $outdir/fwanalog.current > $outdir/fwanalog.current.withyear

   # Example of converted log line:
   # 2002 Sep 15 07:47:04 yepp /kernel: ipfw: 65435 Deny UDP 80.133.123.52:1042 165.132.149.211:4665 out via tun0

   # Example of desired output:
   # 131....38 - - [31/Mar/2001:00:58:17 +0200] "GET /212....31/TCP/21 HTTP/1.0" 200 \
   #       44 "61636" "00....:00" 10 eth1
   #
   # Which means:
   # ip - - [date] "GET Desthost/Protocol/Port" 200 PcktLen "http://Sourceport/" "Macadr" 0 interface
   # Sourceport is in the referrer field, macadr in the user-agent, interface
   # in the VirtualHost.
   # There is no MAC address in ipchains logs.

   # Decide if the source or the destination host is included in the
   # Blocked Packet Report (option "onehost" in fwanalog.opts)
   if [ $onehost = true ]; then
       reqhost="\$8"                           # The analog "request" contains the source ip
   elif [ $onehost = dynip ]; then
       reqhost="firewall"                      # The analog "request" contains this string
   else
       reqhost="\$10"                          # The analog "request" contains the destination ip
   fi

   # Capture groups of the expression below:
   #               1      2      3     4           5             6        7         8     9         10    11       12       13
   # echo 1                                    # debugging output, disabled
   #
   # The input file name must stay on the shell's side of the quoting: written as
   # "\$outdir/..." on the same line as the closing quote, perl receives the
   # literal name '$outdir/fwanalog.current.withyear' and fails with "Can't open".
   $perl -pwe "s!^(\d+) +(\w+) +(\d+) ([0-9:]+) .+(Accept|Deny) ([\w-]+) ([0-9.]+):(\d*) ([0-9.]+):(\d*) ([\w-]+) ([\w-]+) ([\w-]+)\$!\$7 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /$reqhost/\$6/\$10/ HTTP/1.0\" 200 1 \"http://\$8/\" \"\" 0 \$13 !" \
       $outdir/fwanalog.current.withyear > $outdir/fwanalog.current.log

   # exit                                      # debugging stop, disabled: with it in
                                               # place the script ends here and no
                                               # report is ever built
   # Original expression, kept for reference (Deny|Reject instead of Accept|Deny):
   # $perl -pwe "s!^(\d+) +(\w+) +(\d+) ([0-9:]+) .+(Deny|Reject) ([\w-]+) ([0-9.]+):(\d*) ([0-9.]+):(\d*) ([\w-]+) ([\w-]+) ([\w-]+)\$!\$7 - - [\$3/\$2/\$1:\$4 $timezone] \"GET /$reqhost/\$6/\$10/ HTTP/1.0\" 200 1 \"http://\$8/\" \"\" 0 \$13 !" \
   #     $outdir/fwanalog.current.withyear > $outdir/fwanalog.current.log

   # $outdir/fwanalog.current.log now contains the data in the Analog URL format.
}

[snip]

--
Martin Schweizer
schweizer.martin@gmail.com
Fax: +1 619 3300587
Tel.: +1 619 3300597 (VoIP)
Received on Thu Apr 20 07:20:24 2006
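Added example, not code from Martin's post or from fwanalog itself: the ipfw() conversion rebuilt as a shell function with awk in place of perl, so the Accept/Deny filter, the onehost choice and the analog URL-log layout can be run and checked on constructed sample lines. It assumes the year has already been prepended (as convdate.sed does) and takes the timezone as an argument; the function names and the sample lines are mine.

```shell
#!/bin/sh
# Added example (not from the original post or fwanalog): the ipfw() step
# rebuilt with awk so every stage can be run and checked on sample lines.
# Assumptions: input lines already carry the year (as after convdate.sed)
# and the timezone is passed in, since FreeBSD date lacks %z.

# Constructed sample, not real traffic: one Accept and one Deny line.
SAMPLE_LOG='2006 Apr 19 11:00:00 saturn /kernel: ipfw: 2400 Accept TCP 206.165.150.204:80 192.168.10.124:1391 in via xl1
2006 Apr 19 11:00:05 saturn /kernel: ipfw: 65435 Deny UDP 80.133.123.52:1042 165.132.149.211:4665 out via tun0'

# ipfw_to_analog ACTION ONEHOST TIMEZONE   (log lines on stdin)
#   ACTION  : Accept or Deny, the word the zegrep step keeps
#   ONEHOST : true | dynip | false, which host becomes the analog "request"
ipfw_to_analog() {
    grep -e "$1" | awk -v action="$1" -v onehost="$2" -v tz="$3" '
    {
        # Find the action word so the fields before it (host, "/kernel:",
        # "ipfw:") may vary, like the .+(Accept|Deny) in the perl expression.
        a = 0
        for (i = 5; i <= NF; i++) if ($i == action) { a = i; break }
        if (a == 0 || NF < a + 6) next              # not a packet line: drop it
        proto = $(a + 1)
        split($(a + 2), src, ":")                   # src[1]=ip, src[2]=port
        split($(a + 3), dst, ":")                   # dst[1]=ip, dst[2]=port
        iface = $(a + 6)                            # the word after "via"
        if (onehost == "true")       req = src[1]
        else if (onehost == "dynip") req = "firewall"
        else                         req = dst[1]
        # analog URL log: srcip - - [dd/Mon/yyyy:hh:mm:ss tz]
        #   "GET /req/proto/dstport/ HTTP/1.0" 200 1 "http://srcport/" "" 0 iface
        printf "%s - - [%s/%s/%s:%s %s] \"GET /%s/%s/%s/ HTTP/1.0\" 200 1 \"http://%s/\" \"\" 0 %s\n",
            src[1], $3, $2, $1, $4, tz, req, proto, dst[2], src[2], iface
    }'
}

# Wrapper over the sample: report lines for ACTION, onehost defaults to false.
sample_report() { printf '%s\n' "$SAMPLE_LOG" | ipfw_to_analog "$1" "${2:-false}" +0200; }
```

Unlike `perl -p`, which prints a line unchanged into the analog log when the substitution does not match, the awk stage drops lines that do not look like packet records.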

This archive was generated by hypermail 2.1.8 : Thu Sep 14 2006 - 08:22:04 CEST