pfl - An open source IPFW/kernel firewall log processor
*****
pfl is written in Perl so that it runs on any operating system with Perl
installed. It is entirely command-line driven, which gives it speed, flexibility
and portability that a GUI tool does not readily offer.
The tool's main purpose is parsing firewall logs created by a *NIX system or a
system running IPFW. It then pulls all of the data together into a single,
consolidated report and applies various sorting options, as specified by the
user.
Because firewall logs are normally chmoded to 600 (readable only by their owner),
pfl will generally need to be run as an administrator.
*****
Example Runs:
Run pfl with default options (sort by Action) against two logs (one of them bz2
compressed).
sudo pfl /var/log/appfirewall.log /var/log/appfirewall.log.0.bz2
Run pfl against 5 logs (4 being bz2 compressed) and sort by Action (Deny/Permit),
Firewall Rule, Interface (e.g. eth0, en0, lo0), and Sender's address with verbosity
set to 2.
sudo pfl /var/log/appfirewall.log /var/log/appfirewall.log.0.bz2 /var/log/appfirewall.log.1.bz2 /var/log/appfirewall.log.2.bz2 /var/log/appfirewall.log.3.bz2 /var/log/appfirewall.log.4.bz2 -sa -sr -si --ssender -v -v
Get help...
pfl --h
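To make the consolidation step concrete, here is an added example (Python, not part of pfl itself) that parses ipfw-style syslog lines, resolves numeric protocols such as P:112 to a name as the 1.0.4 change describes, reports fragments with frag as the port as in 1.0.4, and counts entries by action, rule, interface and sender the way -sa -sr -si --ssender would. The log lines and the small protocol table are constructed for the example.

```python
import re
from collections import Counter
# Constructed sample lines in ipfw syslog format (not captured traffic).
SAMPLE_LOG = """\
Sep 16 10:23:45 host ipfw: 65000 Deny TCP 192.0.2.10:4455 198.51.100.5:22 in via em0
Sep 16 10:23:46 host ipfw: 65000 Deny TCP 192.0.2.10:4456 198.51.100.5:22 in via em0
Sep 16 10:23:47 host ipfw: 100 Accept UDP 198.51.100.5:53 192.0.2.10:51000 out via em0
Sep 16 10:23:48 host ipfw: 65000 Deny P:112 192.0.2.1 224.0.0.18 in via em0
Sep 16 10:23:49 host ipfw: 65000 Deny UDP 192.0.2.10 198.51.100.5 in via em0 (frag 12345:56@0+)
"""
# Minimal protocol-number table standing in for an /etc/protocols lookup.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 112: "VRRP"}

LINE_RE = re.compile(
    r"ipfw(?:\[\d+\])?:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)(?P<rest>.*)$")

def split_endpoint(endpoint, has_ports, is_frag):
    """Return (address, port); fragments and portless protocols get a marker port."""
    if is_frag:                      # ipfw logs fragments without ports
        return endpoint, "frag"
    if has_ports and ":" in endpoint:
        return tuple(endpoint.rsplit(":", 1))
    return endpoint, "-"

def parse_line(line):
    """Parse one ipfw syslog line into a dict; return None for non-ipfw lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = m.group("proto")
    if proto.startswith("P:"):       # numeric protocol, e.g. P:112 -> VRRP
        proto = PROTO_NAMES.get(int(proto[2:]), proto)
    elif ":" in proto:               # e.g. ICMP:8.0 -> ICMP
        proto = proto.split(":", 1)[0]
    is_frag = "(frag" in m.group("rest")
    has_ports = proto in ("TCP", "UDP")
    src, sport = split_endpoint(m.group("src"), has_ports, is_frag)
    dst, dport = split_endpoint(m.group("dst"), has_ports, is_frag)
    return {"rule": m.group("rule"), "action": m.group("action"), "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport, "iface": m.group("iface")}

def summarize(text, keys=("action", "rule", "iface", "src")):
    """Count entries grouped by sort keys, like pfl's -sa -sr -si --ssender."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[tuple(entry[k] for k in keys)] += 1
    return counts
```

Calling summarize(SAMPLE_LOG).most_common() gives the consolidated counts; pass a different keys tuple to group by protocol, destination or port instead.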
*****
Version 1.0.5
Change Log:
Version 1.0.5
(September 16, 2009)
Added ability to write output to a file
Added ability to look up the firewallrules file and extract the comments from
the file for the particular rule
Debug now provides more information to help troubleshoot
Replaced the foreach over ARGV with a while loop so that the write-to-file
option and similar options are implemented and handled more cleanly
Fixed a math error in the check on the initial size of ARGV that ensures at
least one argument was given... it is now $#ARGV+1<1 (meaning no arguments),
which prints the help
Version 1.0.4
(September 15, 2009)
Added protocol name lookup so that numeric protocol entries such as P:112 are
shown by name
Fixed bug where some TCP/UDP log entries for fragmented packets could cause an
uninitialized variable warning and be dropped from the report... they are
now reported with :frag as the port
Version 1.0.3
(August 25, 2009)
Combined some of the line parsing procedures into a single, faster, more
streamlined procedure
Fixed compatibility issue between the script and perl 5.8.8 regarding some regexes
Version 1.0.2
(August 21, 2009)
Added ability to sort by to/from IP address
Added ability to sort by input file
Added ability to sort by port (where applicable)
Added debugging flag
Added verbose/less-verbose output flag
The sender's port is no longer displayed unless the entry is a LAND attack or
the --v/--verbose option is given (reducing the output further)
Made the system more automated after ensuring it worked properly (e.g. the -i
was removed from the rm command)
Fixed a bug where only TCP and UDP packets would display (because some other
IP types do not have port ranges, such as VRRP)
Fixed a bug in the decompression of bzip2 compressed log files where the
intended file might not be decompressed
Version 1.0.1
(June 19, 2009)
The script can now parse bzip2 compressed log files (one level of compression)
Version 1.0.0
(June 16, 2009)
Created the script
TODO:
Match fragments with the original log entries to make the count better
Clean up the extracting of data from log entries to use less code/variables
Add more information when -v -v is given
Allow printing any of the data that we can sort by instead of sorting by it
(e.g. print that it's TCP/IP/UDP for each line instead of sorting by
that)
Check port ranges on more than just TCP and UDP packets, where applicable
Make it so the tool parses iptables logs, too
Allow pushing off the data to dshield.org