Provided by: lire-devel-doc_2.1.1-2.1_all

NAME

       Lire::Firewall::IpfilterDlfConverter - convert ipf (ipmon) logs to firewall DLF

DESCRIPTION

       Lire::Firewall::IpfilterDlfConverter converts IP Filter logs into firewall DLF format.
       Input for this converter is the standard ipf syslog log file as produced by ipmon. IP
       Filter is shipped with FreeBSD, OpenBSD (up to 2.9) and some other operating systems.

EXAMPLE

       An ipfilter logfile that looks like

        Oct 30 07:42:29 rolle ipmon[16747]: 07:42:28.585962     ie0 @0:9
         b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
        Oct 30 07:40:24 rolle ipmon[16747]: 07:40:23.631307     ep1 @0:6
         b 192.168.26.5,113 -> 192.168.26.1,3717 PR tcp len 20 40 -AR OUT
        Oct 30 07:42:29 rolle ipmon[16747]: 07:42:28.585962     ie0 @0:9
         b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
        Oct 30 07:44:11 rolle ipmon[16747]: 07:44:10.605416 2x     ep1 @0:15
         b 192.168.26.1,138 -> 192.168.26.255,138 PR udp len 20 257  IN
        Oct 30 07:44:34 rolle ipmon[16747]: 07:44:33.891869     ie0 @0:10
         b 192.168.48.1,23406 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
        Oct 30 07:49:13 rolle ipmon[16747]: 07:49:12.554420     ep1 @0:15
         b 210.132.100.117 -> 192.168.26.5 PR icmp len 20 56 icmp 3/3 for
         192.168.26.5,61915 - 210.132.100.117,53 PR udp len 20 23040 IN
        Oct 30 07:50:23 rolle ipmon[16747]: 07:50:22.908107     ep1 @0:15
         b 210.132.100.117 -> 192.168.26.5 PR icmp len 20 56 icmp 3/3 for
         192.168.26.5,4480 - 210.132.100.117,53 PR udp len 20 19712 IN
        Oct 30 07:56:11 rolle ipmon[16747]: 07:56:11.113029 2x     ep1 @0:15
         b 192.168.26.1,138 -> 192.168.26.255,138 PR udp len 20 257  IN

       (the trailing fields being: 'PR' protocol, 'len' length_of_ip_headers_saved packetlength,
       direction) will be converted to something like

        994398737 denied igmp 100.187.115.1 - ep1 LIRE_NOTAVAIL \
         224.0.0.2 - 56
        994398861 denied igmp 100.187.115.1 - ep1 LIRE_NOTAVAIL \
         224.0.0.1 - 56
        994398862 denied igmp 100.187.115.1 - ep1 LIRE_NOTAVAIL \
         224.0.0.2 - 56
        994406849 denied udp 192.168.26.4 137 ie0 LIRE_NOTAVAIL \
         192.168.26.255 137 116
        994406850 denied udp 192.168.26.4 137 ie0 LIRE_NOTAVAIL \
         192.168.26.255 137 116
        994406866 denied udp 192.168.26.4 137 ie0 LIRE_NOTAVAIL \
         192.168.26.255 137 98
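       As an added illustration, not part of this man page and not the Perl module's own code:
       a small Python converter for the ipmon line layout shown above. It assumes a DLF field
       order inferred from the sample output, that 'p' lines map to "accepted", that syslog
       times are UTC, and a caller-supplied year (syslog stamps carry none).

```python
import calendar
import re
# Constructed sample: two man-page ipmon lines (one per line, as syslog writes them) plus a non-ipmon line to skip.
SAMPLE_LOG = (
    "Oct 30 07:42:29 rolle ipmon[16747]: 07:42:28.585962     ie0 @0:9 "
    "b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT\n"
    "Oct 30 07:49:13 rolle ipmon[16747]: 07:49:12.554420     ep1 @0:15 "
    "b 210.132.100.117 -> 192.168.26.5 PR icmp len 20 56 icmp 3/3 for "
    "192.168.26.5,61915 - 210.132.100.117,53 PR udp len 20 23040 IN\n"
    "Oct 30 07:50:00 rolle sshd[123]: not an ipmon record\n")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
IPMON_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\s+\S+\s+ipmon\[\d+\]:\s+"
    r"\S+\s+(?:(?P<count>\d+)x\s+)?(?P<iface>\S+)\s+@(?P<rule>\d+:\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?P<extra>.*?)\s+(?P<dir>IN|OUT)\s*$")
# 'b' -> denied is what the page shows; 'p' -> accepted is an assumption.
ACTIONS = {"b": "denied", "p": "accepted"}

def parse_ipmon_line(line, year):
    """Fields of one ipmon syslog line as a dict, or None if it does not match."""
    m = IPMON_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    src_ip, _, src_port = f["src"].partition(",")  # ICMP has no port -> ''
    dst_ip, _, dst_port = f["dst"].partition(",")
    # syslog stamps have no year: the caller supplies it; time taken as UTC (assumption).
    ts = calendar.timegm((year, MONTHS[f["mon"]], int(f["day"]),
                          int(f["hh"]), int(f["mm"]), int(f["ss"]), 0, 0, 0))
    return {"time": ts, "action": ACTIONS[f["action"]], "proto": f["proto"],
            "src_ip": src_ip, "src_port": src_port or "-", "iface": f["iface"],
            "dst_ip": dst_ip, "dst_port": dst_port or "-", "len": int(f["plen"]),
            "dir": f["dir"], "count": int(f["count"] or 1),
            "extra": f["extra"].strip()}  # TCP flags or ICMP "type/code for ..."

def to_dlf(rec):
    """One DLF line in the field order of the page's sample output (inferred)."""
    return (f'{rec["time"]} {rec["action"]} {rec["proto"]} {rec["src_ip"]} '
            f'{rec["src_port"]} {rec["iface"]} LIRE_NOTAVAIL '
            f'{rec["dst_ip"]} {rec["dst_port"]} {rec["len"]}')

def convert(text, year):
    """Convert a whole log; returns (dlf_lines, number_of_lines_skipped)."""
    recs = [parse_ipmon_line(l, year) for l in text.splitlines()]
    return [to_dlf(r) for r in recs if r], sum(r is None for r in recs)
```

       The ICMP "for ..." tail (the headers of the packet that triggered the unreachable) is kept
       in the "extra" field rather than being mistaken for a second record.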

SEE ALSO

       ipl(4) for a description of the log structure.

       The ipmon.c source (e.g. on

        http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/ \
         src/usr.sbin/ipmon/Attic/ipmon.c?rev=1.27& \
         content-type=text/plain&hideattic=0

       ) for the specification of the log syntax.

       The IP Filter web page at http://coombs.anu.edu.au/~avalon/ip-filter.html

AUTHOR

       Joost van Baal <joostvb@logreport.org>, Wessel Dankers <wsl@logreport.org>

VERSION

       $Id: IpfilterDlfConverter.pm,v 1.7 2009/03/15 08:10:55 vanbaal Exp $

COPYRIGHT

       Copyright (C) 2001-2003 Stichting LogReport Foundation LogReport@LogReport.org

       This program is free software; you can redistribute it and/or modify it under the terms of
       the GNU General Public License as published by the Free Software Foundation; either
       version 2 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
       See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program
       (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.