1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
10 #include "../plugin_decoders.h"
13 #include "eventinfo.h"
16 /* OpenBSD PF decoder init */
17 void *PF_Decoder_Init()
19 debug1("%s: Initializing PF decoder..", ARGV0);
21 /* There is nothing to do over here */
26 * Extracts the action, srcip, dstip, protocol, srcport and dstport fields from an OpenBSD PF log line.
 * Note for rule authors: the IP and port strings are copied verbatim from the log text (no format
 * validation is done here), and the protocol appears to be classified only by the first character of
 * the token after the destination port ('u' -> UDP, 'i' -> ICMP, anything else -> TCP).
29 * Mar 30 15:33:26 enigma pf: Mar 30 15:32:33.483712 rule 2/(match) pass in on xl0: 140.211.166.3.6667 > 192.168.2.10.16290: P 7408:7677(269) ack 1773 win 2520 <nop,nop,timestamp 3960674784 2860123562> (DF)
30 * Mar 30 15:47:05.522341 rule 4/(match) block in on lo0: 127.0.0.1.48784 > 127.0.0.1.23: S 1381529123:1381529123(0) win 16384 <mss 33184,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF) [tos 0x10]
31 * Mar 30 15:54:22.171929 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 73
32 * Mar 30 15:54:22.174412 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 89
33 * Mar 30 17:47:40.390143 rule 2/(match) pass in on lo0: 127.0.0.1 > 127.0.0.1: icmp: echo reply
34 * Mar 30 17:47:41.400075 rule 3/(match) pass out on lo0: 127.0.0.1 > 127.0.0.1: icmp: echo request
36 void *PF_Decoder_Exec(Eventinfo *lf)
42 /* tmp_str should be: Mar 30 15:54:22.171929 rule 3/(match) pass out .. */
43 tmp_str = strchr(lf->log, ')');
50 /* Go to the action entry */
52 if (*tmp_str != ' ') {
57 /* tmp_str should be: pass out on xl0: 192.168.2.10.1514 .. */
60 if (*tmp_str == 'p') {
61 os_strdup("pass", lf->action);
62 } else if (*tmp_str == 'b') {
63 os_strdup("block", lf->action);
69 /* Jump to the src ip */
70 tmp_str = strchr(tmp_str, ':');
75 if (*tmp_str != ' ') {
80 /* tmp_str should be: 192.168.2.10.1514 > .. */
81 aux_str = strchr(tmp_str, ' ');
86 /* Set aux_str to 0 for strdup */
89 os_strdup(tmp_str, lf->srcip);
91 /* Aux str has a valid pointer to lf->log now */
95 /* Set the source port if present */
97 while (*tmp_str != '\0') {
98 if (*tmp_str == '.') {
103 if (port_count == 4) {
106 os_strdup(tmp_str, lf->srcport);
113 /* Invalid rest of log */
114 if (*aux_str != '>') {
119 if (*aux_str != ' ') {
124 /* tmp_str should be: 192.168.2.10.1514: .. .. */
125 tmp_str = strchr(aux_str, ':');
130 /* Set aux_str to 0 for strdup */
133 os_strdup(aux_str, lf->dstip);
135 /* tmp str has a valid pointer to lf->log now */
139 /* Get destination port */
142 while (*aux_str != '\0') {
143 if (*aux_str == '.') {
148 if (port_count == 4) {
151 os_strdup(aux_str, lf->dstport);
159 while (*tmp_str != '\0') {
160 if (*tmp_str == ' ') {
163 } else if (*tmp_str == 'u') {
164 os_strdup("UDP", lf->protocol);
165 } else if (*tmp_str == 'i') {
166 os_strdup("ICMP", lf->protocol);
168 os_strdup("TCP", lf->protocol);