[fwAnalog] Fwd: fwanalog-0.6.9: FreeBSD & PF

From: Rudi Kramer <rudi.kramer~AT~gmail.com>
Date: Mon Sep 11 2006 - 21:17:41 CEST


Hey Everyone,

I'm trying to set up fwanalog 0.6.9 on FreeBSD 6.1 running PF.

I thought that since OpenBSD and FreeBSD both use tcpdump to read the pflog files, I might be able to use it without any modifications, but I was mistaken :)

[root@firestarter /]# fwanalog

tcpdump: bad dump file format
tcpdump: bad dump file format
tcpdump: bad dump file format
tcpdump: bad dump file format

reading from file -, link-type PFLOG (OpenBSD pflog file) tcpdump: bad dump file format
tcpdump: bad dump file format
Analog found 368 corrupt lines. Please consider sending /root/fwanalog.out/analog.err to
so the author is able to fix the problem.

Here is a bit of the analog.err file:

/]# less /root/fwanalog.out/analog.err
analog: analog version 6.0/Unix
C: 840038 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 717

C:                         *

C: 1. 683051 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 2. 713604 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 2. 166504 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 2. 620014 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 000007 rule 1/0(match): block out on rl0: 192.168.y.y.7130 > 192.168.x.x.28961: UDP, length 21
C:                         *

C: 000006 rule 1/0(match): block out on rl0: 192.168.y.y.7130 > 192.168.x.x.28970: UDP, length 21
C:                         *

C: 000005 rule 1/0(match): block out on rl0: 192.168.y.y.7130 > 192.168.x.x.28971: UDP, length 21
C:                         *

C: 000072 rule 1/0(match): block out on rl0: 192.168.y.y.7130 > 192.168.x.x.28961: UDP, length 5
C:                         *

C: 000220 rule 1/0(match): block out on rl0: 192.168.y.y.7130 > 192.168.x.x.28961: UDP, length 5
C:                         *

C: 170323 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 719
C:                         *

C: 3. 837820 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 000978 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20700: UDP, length 95
C:                         *

C: 1. 812360 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20700: UDP, length 95
C:                *

C: 091026 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20700: UDP, length 95
C:                         *

C: 2. 004020 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20700: UDP, length 95
C:                *

C: 2. 072190 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 037231 rule 0/0(match): block in on rl0: 192.168.x.x.54581 > 72.14.205.27.25: tcp 0
C:                         *

C: 035805 rule 0/0(match): block in on rl0: 192.168.x.x.56408 > 64.233.167.27.25: tcp 0
C:                         *

C: 000135 rule 0/0(match): block in on rl0: 192.168.x.x.65268 > 64.233.167.114.25: tcp 0
C:                         *

C: 034422 rule 0/0(match): block in on rl0: 192.168.x.x.51157 > 66.249.83.27.25: tcp 0
C:                         *

C: 000128 rule 0/0(match): block in on rl0: 192.168.x.x.53756 > 66.249.83.114.25: tcp 0
C:                         *

C: 033363 rule 0/0(match): block in on rl0: 192.168.x.x.63945 > 64.233.183.27.25: tcp 0
C:                         *

C: 033049 rule 0/0(match): block in on rl0: 192.168.x.x.59844 > 64.233.163.27.25: tcp 0
C:                         *

C: 3. 212966 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 3. 195765 rule 0/0(match): block in on tun0: 165.145.192.x.1130 > 165.145.242.86.139: tcp 0
C:                *

C: 514890 rule 0/0(match): block in on tun0: 165.145.192.x.1130 > 165.145.242.86.139: tcp 0
C:                         *

C: 548445 rule 0/0(match): block in on tun0: 165.145.192.x.1130 > 165.145.242.86.139: tcp 0
C:                         *

C: 111784 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                         *

C: 2. 110890 rule 0/0(match): block in on tun0: 165.145.192.x.3454 > 165.145.242.86.445: tcp 0
C:                *

C: 640534 rule 0/0(match): block in on tun0: 165.145.192.x.3454 > 165.145.242.86.445: tcp 0
C:                         *

C: 409399 rule 0/0(match): block in on tun0: 165.145.192.x.3454 > 165.145.242.86.445: tcp 0
C:                         *

C: 006543 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 719
C:                         *

C: 2. 773857 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 2. 155568 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 000056 rule 1/0(match): block out on rl0: 192.168.0.2.7130 > 192.168.x.x.28961: UDP, length 21
C:                         *

C: 000005 rule 1/0(match): block out on rl0: 192.168.0.2.7130 > 192.168.x.x.28970: UDP, length 21
C:                         *

C: 000006 rule 1/0(match): block out on rl0: 192.168.0.2.7130 > 192.168.x.x.28971: UDP, length 21
C:                         *

C: 000040 rule 1/0(match): block out on rl0: 192.168.0.2.7130 > 192.168.x.x.28961: UDP, length 5
C:                         *

C: 000105 rule 1/0(match): block out on rl0: 192.168.0.2.7130 > 192.168.x.x.28961: UDP, length 5
C:                         *

C: 2. 014795 rule 0/0(match): block in on tun0: 87.105.169.93.46954 > 165.145.242.86.47476: UDP, length 19
C:                *

C: 086234 rule 0/0(match): block in on tun0: 87.105.169.93.4069 > 165.145.242.86.47476: tcp 0
C:                         *

C: 907381 rule 0/0(match): block in on tun0: 87.105.169.93.4069 > 165.145.242.86.47476: tcp 0
C:                         *

C: 3. 046921 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                *

C: 126141 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 720
C:                         *

C: 850160 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                         *

C: 126141 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 720
C:                         *

C: 850160 rule 0/0(match): block in on rl0: 192.168.x.x.28960 > 63.146.124.40.20710: UDP, length 20
C:                         *

analog: Warning L: Large number of corrupt lines in logfile /root/fwanalog.out/fwanalog.all.log: turn debugging on or try different LOGFORMAT
  (For help on all errors and warnings, see docs/errors.html)
  Current logfile format:
      %S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%j" "%j" %t %v\n

It looks like the log file format is not correct, but I have no idea how to correct it.

Can someone shed some light on my quandary?

Thanks
RickJ

Received on Mon Sep 11 21:17:43 2006
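Added example, not part of the original thread and not fwanalog's or analog's own code: a small Python parser for the tcpdump-rendered pflog records quoted in the analog.err excerpt above. It separates genuine records ("rule N/M(match): block in on rl0: src.port > dst.port: ...") from lines that are not records at all, such as tcpdump's own "bad dump file format" diagnostics, which is the distinction analog's "corrupt lines" count reflects, and then builds the per-interface, per-port breakdown a firewall log report is made of. The sample lines are constructed to match the tail of the lines in the post; the "HH:MM:SS.ffffff" prefix ahead of "rule" is an assumption (the post shows only a fractional-second fragment), and the addresses are made up (RFC 5737 ranges plus 192.168.1.10), not the post's.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample input (not from the post): four records shaped like the
# tail of the lines quoted in analog.err, plus one of tcpdump's own error
# messages. The "HH:MM:SS.ffffff" prefix is an ASSUMPTION about what precedes
# "rule" on a full line; the post only shows the fractional-second fragment.
# Addresses are made up (RFC 5737 ranges and 192.168.1.10), not the post's.
SAMPLE_LOG = """\
21:05:03.840038 rule 0/0(match): block in on rl0: 192.168.1.10.28960 > 203.0.113.40.20710: UDP, length 717
21:05:04.000007 rule 1/0(match): block out on rl0: 192.168.0.2.7130 > 192.168.1.10.28961: UDP, length 21
21:05:05.037231 rule 0/0(match): block in on rl0: 192.168.1.10.54581 > 198.51.100.27.25: tcp 0
21:05:06.514890 rule 0/0(match): block in on tun0: 198.51.100.7.1130 > 203.0.113.86.139: tcp 0
tcpdump: bad dump file format
"""

# One pflog record as rendered by tcpdump. Everything before "rule" is kept
# verbatim as `prefix`, so the parser does not depend on the timestamp layout.
PFLOG_RE = re.compile(r"""
    ^(?P<prefix>.*?)\s*
    rule\s+(?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]*)\):\s+
    (?P<action>\S+)\s+(?P<direction>in|out)\s+on\s+(?P<iface>[^\s:]+):\s+
    (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+
    (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+
    (?P<rest>.*)$
""", re.VERBOSE)


class PflogEntry(NamedTuple):
    prefix: str
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: Optional[int]


def parse_line(line: str) -> Optional[PflogEntry]:
    """Return a PflogEntry for a tcpdump-rendered pflog record, or None if
    the line is not a record (tcpdump diagnostics, blank lines, ...)."""
    m = PFLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rest = m.group("rest")
    # tcpdump names the protocol first: "UDP, length 717", "tcp 0", ...
    pm = re.match(r"([A-Za-z]+)", rest)
    proto = pm.group(1).lower() if pm else "?"
    # Payload length: "length N" for UDP, bare "tcp N" for the TCP lines shown.
    lm = re.search(r"length\s+(\d+)", rest) or re.match(r"tcp\s+(\d+)", rest)
    length = int(lm.group(1)) if lm else None
    return PflogEntry(
        prefix=m.group("prefix").strip(), rule=int(m.group("rule")),
        action=m.group("action"), direction=m.group("direction"),
        iface=m.group("iface"), src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        proto=proto, length=length,
    )


def parse_log(text: str) -> Tuple[List[PflogEntry], List[str]]:
    """Split a log dump into parsed records and the lines that are not
    records; the second list is what a format-strict analyser would reject."""
    entries: List[PflogEntry] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            rejected.append(line)
        else:
            entries.append(entry)
    return entries, rejected


def summarize(entries: List[PflogEntry]) -> Counter:
    """Count records per (action, direction, interface, protocol, dst port),
    the breakdown a firewall log report is built from."""
    return Counter((e.action, e.direction, e.iface, e.proto, e.dport) for e in entries)


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for key, n in summarize(parsed).most_common():
        print(n, *key)
    print(f"{len(bad)} non-record line(s):", bad)
```

Run it as-is to see the summary for the constructed sample, or feed it the real tcpdump text with `parse_log(open("/root/fwanalog.out/fwanalog.all.log").read())`; the `rejected` list shows exactly which lines fail to parse as pflog records, which is the first thing to look at when an analyser reports corrupt lines.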

This archive was generated by hypermail 2.1.8 : Thu Sep 14 2006 - 08:22:04 CEST