Files (3 items, 105.6 kB total):

  Name                   Modified     Size      Downloads / Week
  README                 2009-09-21   3.8 kB    11
  pfl                    2009-09-21   30.1 kB   11
  pfl-full-mac.osx.tar   2009-09-21   71.7 kB   11
pfl - An open source IPFW/kernel firewall log processor

*****

pfl is a tool written in Perl so that it may be run on any operating system that has Perl installed. It is completely command-line driven, providing speed, flexibility and portability that are not as readily available in a GUI. The tool's main purpose is parsing firewall logs created by a *NIX system or a system running IPFW. It then pulls all of the data together into a single, consolidated report and applies various sorting options, as specified by the user. Because it is recommended that the firewall logs be chmoded to 600, pfl should generally be run only as an administrator.

*****

Example Runs:

Run pfl with default options (sort by Action) against two logs (one being bz2 compressed):

  sudo pfl /var/log/appfirewall.log /var/log/appfirewall.log.0.bz2

Run pfl against 5 logs (4 being bz2 compressed) and sort by Action (Deny/Permit), Firewall Rule, Interface (e.g. eth0, en0, lo0), and Sender's address, with verbosity set to 2:

  sudo pfl /var/log/appfirewall.log /var/log/appfirewall.log.0.bz2 /var/log/appfirewall.log.1.bz2 /var/log/appfirewall.log.2.bz2 /var/log/appfirewall.log.3.bz2 /var/log/appfirewall.log.4.bz2 -sa -sr -si --ssender -v -v

Get help:

  pfl --h

*****

Version 1.0.5 Change Log:

Version 1.0.5 (September 16, 2009)
- Added ability to write output to a file
- Added ability to look up the firewallrules file and extract the comments from the file for the particular rule
- Debug now provides more information to help troubleshoot
- Removed foreach against ARGV and replaced it with a while loop so that the write-to-file command and similar commands are better written and better used
- Fixed math error when checking the initial size of ARGV to ensure at least one thing was input... now it's $#ARGV+1<1 (meaning no arguments) pushes help

Version 1.0.4 (September 15, 2009)
- Added protocol information and lookup to replace things like P:112
- Fixed bug where some TCP/UDP log entries for fragmented packets may cause an uninitialized variable warning and get dropped from the report... they are now reported with :frag as the port

Version 1.0.3 (August 25, 2009)
- Combined some of the line parsing procedures into a single, faster, more streamlined procedure
- Fixed compatibility issue between script and perl 5.8.8 regarding some regexes

Version 1.0.2 (August 21, 2009)
- Added ability to sort by to/from IP address
- Added ability to sort by input file
- Added ability to sort by port (where applicable)
- Added debugging flag
- Added verbose/less-verbose output flag
- No longer display the sender's port UNLESS it is a LAND attack (reducing the data more) or the --v/--verbose command is applied
- Made the system more automated after ensuring it worked properly (e.g. the -i was removed from the rm command)
- Fixed a bug where only TCP and UDP packets would display (because some other IP types do not have port ranges, such as VRRP)
- Fixed a bug in the decompression of bzip2 compressed log files where the intended file may not be decompressed

Version 1.0.1 (June 19, 2009)
- Made it so that the script can parse bzip2 compressed log files (1-level)

Version 1.0.0 (June 16, 2009)
- Created the script

TODO:
- Match fragments with the original log entries to make the count better
- Clean up the extracting of data from log entries to use less code/variables
- Add more information when presented -v -v
- Allow printing any of the data that we can sort by instead of sorting by it (e.g. print that it's TCP/IP/UDP for each line instead of sorting by that)
- Check port ranges on more than just TCP and UDP packets, where applicable
- Make it so the tool parses iptables logs, too
- Allow pushing off the data to dshield.org
Source: README, updated 2009-09-21
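As an added illustration (not pfl's own code), here is a small Perl script that does the kind of consolidation the README describes: it parses a handful of constructed ipfw-style syslog lines, reports fragments with :frag as the port and port-less protocols without one, and counts entries by Action, Rule, Interface and Sender. The log layout and sample addresses are assumptions for this example, not taken from pfl.

```perl
#!/usr/bin/env perl
# Added illustration, not pfl's own code: consolidate IPFW syslog lines
# into per-key counts, the way the README describes sorting by Action,
# Rule, Interface and Sender. The layout below is assumed, not from pfl.
use strict;
use warnings;

# Constructed sample input (what a kernel firewall log might contain).
my @sample = (
  'Sep 16 10:01:02 host kernel: ipfw: 100 Deny TCP 203.0.113.5:40122 198.51.100.7:22 in via en0',
  'Sep 16 10:01:03 host kernel: ipfw: 100 Deny TCP 203.0.113.5:40123 198.51.100.7:22 in via en0',
  'Sep 16 10:01:09 host kernel: ipfw: 200 Accept UDP 198.51.100.7:53 203.0.113.9:53 out via en0',
  'Sep 16 10:02:11 host kernel: ipfw: 100 Deny P:112 203.0.113.20 198.51.100.7 in via en0',
  'Sep 16 10:02:12 host kernel: ipfw: 100 Deny TCP 203.0.113.5 198.51.100.7 in via en0 Fragment = 2',
);

# Parse one line into its fields; returns undef if it is not a firewall entry.
sub parse_line {
    my ($line) = @_;
    return undef unless $line =~ /ipfw:\s+(\d+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(in|out)\s+via\s+(\S+)(.*)$/;
    my ($rule, $action, $proto, $src, $dst, $dir, $iface, $rest) = ($1, $2, $3, $4, $5, $6, $7, $8);
    # Fragments carry no port; report them as :frag as pfl's changelog describes.
    my $frag = ($rest =~ /Fragment/) ? 1 : 0;
    my ($sip) = split /:/, $src;             # sender's port is not displayed by default
    my ($dip, $dport) = split /:/, $dst;
    $dport = 'frag' if $frag;
    $dport = '-' unless defined $dport;      # protocols without ports (e.g. VRRP)
    return { rule => $rule, action => $action, proto => $proto, sender => $sip,
             dest => $dip, dport => $dport, iface => $iface };
}

# Count entries by the requested keys (the equivalent of -sa -sr -si --ssender).
sub consolidate {
    my ($lines, @keys) = @_;
    my %count;
    for my $l (@$lines) {
        my $e = parse_line($l) or next;
        my $k = join ' ', map { $e->{$_} } @keys;
        $count{$k}++;
    }
    return \%count;
}

my $report = consolidate(\@sample, qw(action rule iface sender));
printf "%6d  %s\n", $report->{$_}, $_
    for sort { $report->{$b} <=> $report->{$a} || $a cmp $b } keys %$report;
```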