#! @PERL@ -w # vim:syntax=perl use strict; use lib '@LR_PERL5LIBDIR@'; use Lire::Syslog; use Lire::DlfSchema; use Lire::Program qw( :msg :dlf ); use Lire::Firewall qw/ firewall_number2names /; use Date::Manip qw(ParseDate UnixDate); # # Mapping of FW1-Actions to LIRE-Actions # my %action2firewall = ( drop => "denied", reject => "denied", accept => "permitted", ); init_dlf_converter( "firewall" ); my $schema = Lire::DlfSchema::load_schema( "firewall" ); my $dlf_maker = $schema->make_hashref2asciidlf_func( qw/time action protocol from_ip from_host from_port rcv_intf to_ip to_host to_port length rule count msg/); my $lines = 0; my $dlflines = 0; my $errorlines = 0; my %DLF; my $beginning = 1; # # process every line of stdin # while (my $line = <>) { my %dlf; my @fields; my %columns; $lines++; # # remove trailing whitespaces and leading pipe-symbols # $line =~ s/\s*$//g; $line =~ s/^\|//g; # # split log entry into fields seperated by "|" # @fields = split(/\|/, $line); # # process each field and store values in hash # foreach my $item (@fields) { (my $type, my $value) = split(/=/, $item); if ($type eq "time") { (my $date, my $time) = ($value =~ /^\s*(.+)\s+(.+)$/); $columns{"date"} = $date; $columns{"time"} = $time; } else { $columns{$type} = $value; } } # # skip invalid entries # next if ((exists($columns{loc})) && (! exists($columns{src}))); # # if the current logfile-entry is a new log entry, send the previous # logentry to stdout and process the current entry # if (exists($columns{loc})) { if ($beginning == 0) { eval { # send previous logentry to stdout if ($DLF{length} == 0) { $DLF{length} = 1; } if ($DLF{count} == 0) { $DLF{count} = 1; } my $dlf = $dlf_maker->( \%DLF ); print join ( " ", @$dlf), "\n"; $dlflines++; }; if ($@) { lr_warn ($@); lr_notice( qq{cannot convert line $. "$_" to firewall dlf, skipping} ); $errorlines++; } foreach my $DLFentry (keys %DLF) { delete($DLF{$DLFentry}); } } # # process current logentry # # # ignore ctl-entries # next if ($columns{action} eq "ctl"); # # convert log-timestamp to unixdate # my $dlfdate = ParseDate($columns{date} . " " . $columns{time}); if (!$dlfdate) { exit; } else { $dlf{time} = UnixDate($dlfdate, "%o"); } # # assign log fields to dlf-fields # $dlf{action} = $action2firewall{$columns{action}} || $columns{action}; $dlf{protocol} = $columns{proto}; $dlf{from_ip} = $columns{src}; $dlf{from_host} = $columns{src}; $dlf{from_port} = $columns{s_port}; $dlf{rcv_intf} = $columns{"i/f_name"}; $dlf{to_ip} = $columns{dst}; $dlf{to_host} = $columns{dst}; $dlf{to_port} = $columns{service}; $dlf{rule} = $columns{rule}; $dlf{length} = exists($columns{bytes}) ? $columns{bytes} : 0; $dlf{count} = exists($columns{packets}) ? $columns{packets} : 0; if (exists($columns{"Attack Info"})) { $dlf{rule} = "SmartDefense"; $dlf{msg} = $columns{"Attack Info"}; } foreach my $dlfentry (keys %dlf) { $DLF{$dlfentry} = $dlf{$dlfentry}; } $beginning = 0; } # # if the current logfile-entry contains additional infos of the # previous logentry, modify the previous entry # else { if (exists($columns{bytes})) { $DLF{length} += $columns{bytes}; } if (exists($columns{packets})) { $DLF{count} += $columns{packets}; } } } eval { # # send previous logentry to stdout # my $dlf = $dlf_maker->( \%DLF ); print join ( " ", @$dlf), "\n"; $dlflines++; }; if ($@) { lr_warn ($@); lr_notice( qq{cannot convert line $. "$_" to firewall dlf, skipping} ); $errorlines++; } end_dlf_converter( $lines, $dlflines, $errorlines ); __END__ =pod =head1 NAME fw1_lea2dlf - convert Check Point FireWall-1 NG logs to firewall DLF =head1 SYNOPSIS B I =head1 DESCRIPTION B converts Check Point FireWall-1 NG logs into firewall DLF format. Input for this converter is the output of fw1-loggrabber, a simple LEA (Log Export Api) client. =head1 ACTIVATION INSTRUCTIONS This DLF converter isn't activated by default in Lire. It requires the Date::Manip perl module and the fw1-loggrabber tool. Date::Manip can be installed from CPAN. fw1-loggrabber is available from http://sourceforge.net/projects/fw1-loggrabber . If both of these components are installed, you can activate the fw1_lea DLF conveter by uncommenting its line in the file @sysconfdir@/@PACKAGE@/address.cf =head1 OTHER NOTES Beware! In case you're getting a lot of warnings complaining about UTF-8 characters, looking like: all all UNSET fw1_lea2dlf warning Malformed UTF-8 character (unexpected non-continuation byte 0x7a, immediately after start byte 0xe3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 5931. , and your locale is UTF-8 enabled, there is a workaround: Set the LANG and LC_CTYPE environment variables to en_US instead of e.g. en_US.UTF-8. You can do this temporarily within the call of the converter: LANG=en_US LC_CTYPE=en_US ./fw12dlf < /your/log/file =head1 fw1-loggrabber fw1-loggrabber is build using OPSEC's Software Development Kit. OPSEC (Open Platform for Security, http://www.opsec.com/) is an open, multi-vendor security framework. Some notes about fw1-loggrabber quoted here. ******************************************************** FW1-LOGGRABBER Author: Torsten Fellhauer current Version: 1.0 ******************************************************** 1) Prerequisites 2) How to Build 3) How to Use 4) Change History ******************************************************** 1) Prerequisites a) for running FW1-LOGGRABBER FW1-LOGGRABBER is statically linked and can therefore be run on the following systems: * Linux (Tested distributions are Red Hat, SuSE and De- bian with Kernel Versions 2.2.x and 2.4.x) * Solaris SPARC (Tested versions are Solaris 8 and 9) * Windows NT/2000/XP (currently no W32 of FW1-LOGGRABBER is available yet and therefore not yet tested) b) for building FW1-LOGGRABBER FW1-LOGGRABBER uses API-functions from Checkpoints' OPSEC SDK. In order to be able to build applications which are using this SDK, a very special build environ- ment has to be used. Currently building FW1-LOGGRABBER is supported only for Solaris SPARC platform and the Linux platform. * Linux - Red Hat 6.2 - gcc 2.95.1 - Checkpoint OPSEC SDK NG-FP3 for Linux 2.2 * Solaris SPARC - Solaris 8 - gcc 2.95.2 - Checkpoint OPSEC SDK NG-FP3 for Solaris SPARC * Windows - EDITME 3) How to Use a) Configure FW1 to enable LEA-Protocol In order to be able to use this tool with a Checkpoint FW-1 installation, the following tasks have to be done: * modify $FWDIR/conf/fwopsec.conf and define the port for unauthenticated lea connections. # lea_server auth_port 18184 lea_server port 50001 * bounce FW1 (cpstop / cpstart) to activate changes * add rule to policy to enable connections on port 50001 to the FW-1 Management-Server b) Usage of FW1-LOGGRABBER FW1-LOGGRABBER is statically linked and therefore not dependent of OPSEC libraries. The binary can be run on any Linux or Solaris SPARC system. Command-Line Options: -s IP-Address of FW1-Management-Server -p unauthenticated LEA-Port of FW1-Server -f exact name of FW1-Logfile or pattern to be matched on FW1-Logfiles. --resolve Resolve IP-Addresses to Names --noresolve Do not resolve IP-Addresses to Names --showfiles Only show available FW1-Logfiles and exit. --debug Enable debug-mode of FW1-LOGGRABBER Examples: o fw1-loggrabber -s 192.168.2.254 -p 50001 --showfiles Show all logfiles that are available on the FW1-Manage- ment-Server with the IP-Address 192.168.2.254. The LEA- Port the Management-Server is listening for unauthenti- cated connections is 50001. o fw1-loggrabber -s 192.168.2.254 -p 50001 Show all logentries of the default FW1-Logfile (fw.log) on the FW1-Management-Server with the IP-Address 192.168.2.254 and the LEA-Port 50001. o fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03-27_213652.log Show all logentries of the specified logfile. If the Log- file doesn't exist on the specified FW1-Management-Server, no entries are returned. o fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03 Show all logentries of all logfiles on the FW1-Management- Server, that contain the pattern "2003-03", i.e. all Log- Files from March 2003 o fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.adtlog Show all logentries of audit logfile on FW1-Management-Server 4) Change History * 1.0 - Initial Version (2003/03/30) o get all available FW1-Logfiles o get data of one or more FW1-Logfiles 5) Features to be implemented * Implementation of authenticated connections * Win32 build =head1 EXAMPLES To process a log as produced by FW-1: $ fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.log | fw12dlf fw1_lea2dlf will be rarely used on its own, but is more likely called by lr_log2report: $ fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.log | \ lr_log2report fw1_lea =head1 BUGS / TO DO This convertor needs perl's Date::Manip library. It'd better use another module for this, used by more Lire code. The status and licensing of fw1-loggrabber is unknown. =head1 SEE ALSO Unfortunately, Check Point supplies no easily available documentation: http://www.checkpoint.com/support/technical/documents/index.html is password protected. Some notes about the FireWall-1 product are on http://www.checkpoint.com/products/protect/firewall-1.html . =head1 AUTHORS Torsten Fellhauer =head1 VERSION $Id: fw1_lea2dlf.in,v 1.9 2006/07/23 13:16:35 vanbaal Exp $ =head1 COPYRIGHT Copyright (C) 2003 Torsten Fellhauer This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html. =cut # Local Variables: # mode: cperl # End: