From owner-freebsd-security Tue Jul 25 18:35:38 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id SAA22078 for security-outgoing; Tue, 25 Jul 1995 18:35:38 -0700
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id SAA22072 for ; Tue, 25 Jul 1995 18:35:34 -0700
Received: from localhost (localhost [127.0.0.1]) by palmer.demon.co.uk (8.6.11/8.6.11) with SMTP id CAA00267 for ; Wed, 26 Jul 1995 02:34:26 +0100
X-Authentication-Warning: palmer.demon.co.uk: Host localhost didn't use HELO protocol
To: security@freebsd.org
Subject: Firewall log conversion utility....
Date: Wed, 26 Jul 1995 02:34:26 +0100
Message-ID: <265.806722466@palmer.demon.co.uk>
From: Gary Palmer
Sender: security-owner@freebsd.org
Precedence: bulk

Hi

I've written a short Perl script which will take the output of the FreeBSD kernel firewall software (which is pretty unreadable as it's all in dotted IP address format - being kernel level, doing DNS lookups is `interesting' :-) ) and turn it into something more readable. For example, it would take a line like:

Jul 26 02:24:35 firewall /kernel: Deny TCP 192.216.222.4:1405 192.216.223.172:23

(which appears in /var/log/messages if you use the logging version of the filter commands, or any other place you specify kernel messages to be sent to) and turn it into:

Jul 24 18:11:51 firewall TCP freefall.cdrom.com:1405 mother.cdrom.com:telnet

(it removes the kernel name deliberately - I didn't think it was important). It does a DNS lookup on both IP addresses, and also a getservbyport() on both ports, and prints out (or, the way I've got it set, mails to root) the results.

Anyone else want to see something like this? If so, I'll tidy up my version a bit and send it out... (it's kinda messy at the moment, being my first Perl script to touch on doing non-string operations, like getservbyport() :-) )

Gary
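The conversion Gary describes, written out as an added example in Python (this is not his Perl script and not part of the original message). It parses the kernel filter log format quoted above, does the reverse DNS lookup and the getservbyport() lookup, and caches both so each address is resolved once. Two things differ from the output in the post and are design choices here: the Deny/Accept word is kept, because a firewall log without the verdict is hard to use, and the resolved hostname is checked against a plain-hostname pattern before it is printed, because a PTR record is set by whoever controls the reverse zone for that address and can carry spaces or terminal escape sequences into a log that gets mailed to root. The optional ":port" handling for port-less protocols, the sample log lines, the canned FAKE_HOSTS and FAKE_SERVICES tables, and the fwlog.py filename are assumptions made so the example runs offline.

```python
"""Readable output from the FreeBSD kernel packet-filter log (added example, not the post's script)."""
import re
import socket
import sys

# Filter log format as quoted in the post. ":port" is optional so that lines for
# protocols without ports (an assumption; the post only shows TCP) still parse.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) /kernel: "
    r"(?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Whoever controls the reverse zone for an address chooses its PTR name, so a
# resolved name is attacker-influenced data. Accept plain hostname characters
# only, so control sequences or spaces cannot be smuggled into the converted log.
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def resolve_ip(ip):
    """Reverse DNS lookup; fall back to the dotted address when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip


def resolve_port(port, proto):
    """getservbyport() equivalent: ("23", "TCP") -> "telnet"; unknown ports stay numeric."""
    try:
        return socket.getservbyport(int(port), proto.lower())
    except (OSError, OverflowError):
        return port


class LogConverter:
    """Converts filter log lines, caching host lookups so each address is resolved once."""

    def __init__(self, lookup_host=resolve_ip, lookup_port=resolve_port):
        self.lookup_host = lookup_host
        self.lookup_port = lookup_port
        self._hosts = {}

    def host(self, ip):
        if ip not in self._hosts:
            name = self.lookup_host(ip)
            # Untrusted PTR data: keep the raw address if the name looks odd.
            self._hosts[ip] = name if SAFE_HOST_RE.match(name) else ip
        return self._hosts[ip]

    def endpoint(self, ip, port, proto):
        if port is None:
            return self.host(ip)
        return "%s:%s" % (self.host(ip), self.lookup_port(port, proto))

    def convert(self, line):
        """Readable form of one filter log line, or None for any other syslog line."""
        m = LOG_RE.match(line)
        if not m:
            return None
        g = m.groupdict()
        # "/kernel:" is dropped as in the post; the action (Deny/Accept) is kept.
        return "%s %s %s %s %s %s" % (
            g["ts"], g["host"], g["action"], g["proto"],
            self.endpoint(g["src"], g["sport"], g["proto"]),
            self.endpoint(g["dst"], g["dport"], g["proto"]),
        )


def convert_lines(lines, converter=None):
    conv = converter or LogConverter()
    return [out for out in (conv.convert(line) for line in lines) if out is not None]


# Constructed sample input and a canned resolver, so the demo runs offline.
SAMPLE_LINES = [
    "Jul 26 02:24:35 firewall /kernel: Deny TCP 192.216.222.4:1405 192.216.223.172:23",
    "Jul 26 02:24:40 firewall /kernel: Deny UDP 10.0.0.9:4000 192.216.223.172:53",
    "Jul 26 02:24:41 firewall sendmail[123]: unrelated syslog line",
]
FAKE_HOSTS = {"192.216.222.4": "freefall.cdrom.com",
              "192.216.223.172": "mother.cdrom.com",
              "10.0.0.9": "evil\x1b[2J.example"}   # hostile PTR carrying an escape sequence
FAKE_SERVICES = {("23", "tcp"): "telnet", ("53", "udp"): "domain"}


def offline_converter():
    return LogConverter(lookup_host=lambda ip: FAKE_HOSTS.get(ip, ip),
                        lookup_port=lambda p, proto: FAKE_SERVICES.get((p, proto.lower()), p))


def demo():
    return convert_lines(SAMPLE_LINES, offline_converter())


if __name__ == "__main__":
    # Real use: grep /kernel: /var/log/messages | python3 fwlog.py
    # With no piped input, the constructed samples are converted offline instead.
    if sys.stdin.isatty():
        lines, conv = SAMPLE_LINES, offline_converter()
    else:
        lines, conv = sys.stdin, LogConverter()
    for out in convert_lines(lines, conv):
        print(out)
```

Unrelated syslog lines are returned as None and skipped rather than mangled, so the script can be fed the whole of /var/log/messages. Note that resolving every logged address also sends a DNS query to the reverse zone of each source, which tells the operator of that zone that their packets were seen and logged; if that matters, run the conversion in batches from a host that is not the firewall itself.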