Wednesday, July 29, 2009

Parsing Vista Firewall Logs: Part III

For speed, control, and simplicity, gawk is almost impossible to beat for parsing simple text logs like pfirewall.log. The log's #Fields: header fixes the column order, so in awk terms $3 is the action, $5 the source IP, $6 the destination IP, $7 the source port and $8 the destination port. The one-liner below prints the source IPs in pfirewall.log for allowed packets, one line per unique IP, with the number of occurrences in the first column and the most frequent IPs first. gawk makes quick work of these searches.

gawk '$3 == "ALLOW" {print $5}' pfirewall.log | sort -nr | uniq -c | sort -nr 

  6849 192.168.0.4
  4317 127.0.0.1
  3014 192.168.200.87
  1577 10.10.10.74
  725 192.168.168.246
  680 172.17.5.143
  595 fe80::9536:4516:f99:3705
  557 ::1
  350 fe80::645d:d71d:f845:ac71
  265 192.168.150.10
  261 169.254.172.113
  214 0.0.0.0
  122 10.10.10.82
  107 85.13.200.108
...

Now we add the source port ($7):

gawk '$3 == "ALLOW" {print $5" "$7}' pfirewall.log | sort -nr | uniq -c | sort -nr 

  1609 127.0.0.1 58915
  1341 127.0.0.1 58912
  214 0.0.0.0 68
  132 fe80::9536:4516:f99:3705 -
  128 192.168.0.4 137
  116 fe80::645d:d71d:f845:ac71 -
  107 85.13.200.108 20
  106 ::1 -
  106 127.0.0.1 -
  96 127.0.0.1 52845
  76 fe80::ffff:ffff:fffe -
  73 127.0.0.1 53249
  72 169.254.172.113 137  
....

Now we show source IP, destination IP and destination port ($5, $6, $8); the source port is left out because ephemeral ports just spread the counts across many lines:

gawk '$3 == "ALLOW" {print $5" "$6" "$8}' pfirewall.log | sort -nr | uniq -c | sort -nr

  1609 127.0.0.1 127.0.0.1 58915
  1364 192.168.0.4 192.168.0.1 53
  1341 127.0.0.1 127.0.0.1 58912
  720 192.168.0.4 208.113.141.123 80
  668 127.0.0.1 239.255.255.250 1900
  661 192.168.200.87 192.168.200.1 53
  461 fe80::9536:4516:f99:3705 ff02::1:3 5355
  389 10.10.10.74 10.10.10.1 53
  379 192.168.0.4 192.168.0.245 80
  235 192.168.0.4 69.63.176.175 80
  233 fe80::645d:d71d:f845:ac71 ff02::1:3 5355
  214 0.0.0.0 255.255.255.255 67
  172 192.168.0.4 224.0.0.252 5355
....

Now the same three fields, but ordered by address instead of by count. sort -k 1,3 puts identical source/destination/port triples next to each other, which is all uniq -c needs, and leaves the output grouped by source IP (sorted as text, so 10.0.0.4 comes before 10.10.10.10):

gawk '$3 == "ALLOW" {print $5" "$6" "$8}' pfirewall.log | sort -k 1,3 | uniq -c 

  214 0.0.0.0 255.255.255.255 67
  25 10.0.0.4 10.0.0.255 137
  7 10.0.0.4 224.0.0.22 -
  1 10.0.0.4 224.0.0.252 137
  63 10.0.0.4 224.0.0.252 5355
  1 10.0.0.4 239.255.255.250 3702
  1 10.10.10.10 224.0.0.1 -
  1 10.10.10.74 10.10.10.1 137
  13 10.10.10.74 10.10.10.1 2060
  389 10.10.10.74 10.10.10.1 53
  1 10.10.10.74 10.10.10.1 67
  19 10.10.10.74 10.10.10.255 137
  2 10.10.10.74 12.129.210.71 80
  2 10.10.10.74 12.129.210.76 80
...

As above, but with the counted triples sorted most frequent first:

gawk '$3 == "ALLOW" {print $5" "$6" "$8}' pfirewall.log | sort -k 1,3 | uniq -c | sort -nr

  1609 127.0.0.1 127.0.0.1 58915
  1364 192.168.0.4 192.168.0.1 53
  1341 127.0.0.1 127.0.0.1 58912
  720 192.168.0.4 208.113.141.123 80
  664 127.0.0.1 239.255.255.250 1900
  661 192.168.200.87 192.168.200.1 53
  461 fe80::9536:4516:f99:3705 ff02::1:3 5355
  389 10.10.10.74 10.10.10.1 53
  379 192.168.0.4 192.168.0.245 80
  235 192.168.0.4 69.63.176.175 80
  233 fe80::645d:d71d:f845:ac71 ff02::1:3 5355
  214 0.0.0.0 255.255.255.255 67
  172 192.168.0.4 224.0.0.252 5355
  167 169.254.172.113 224.0.0.252 5355
  154 172.17.5.143 172.17.5.1 53
  147 192.168.0.4 207.115.66.86 80
  140 192.168.150.10 192.168.150.1 53
  136 192.168.200.87 206.223.158.41 443
...
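The five pipelines above are one technique applied to different field lists, so here is one added example that generalizes them. It is not from the original post. It builds a small constructed pfirewall.log (the addresses and counts are made up for the example), reads the column positions from the log's own #Fields: header instead of hard-coding $3/$5/$6/$8, strips the CRLF line endings a log copied off a Windows box carries, and is written for any POSIX awk, gawk included. The function names top_talkers, make_sample_log and demo are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the "action -> fields -> sort |
# uniq -c | sort -rn" pipelines, with the fields chosen by name from the
# log's #Fields: header. Runs under gawk, mawk or BWK awk.

# Write a constructed pfirewall.log to the path given as $1. The layout is the
# Windows Firewall log format; the addresses and traffic are invented.
make_sample_log() {
    cat > "$1" <<'EOF'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-07-29 10:00:01 ALLOW UDP 192.168.0.4 192.168.0.1 51234 53 0 - - - - - - - SEND
2009-07-29 10:00:01 ALLOW UDP 192.168.0.4 192.168.0.1 51235 53 0 - - - - - - - SEND
2009-07-29 10:00:02 ALLOW TCP 192.168.0.4 208.113.141.123 51236 80 0 - 0 0 0 - - - SEND
2009-07-29 10:00:03 DROP TCP 85.13.200.108 192.168.0.4 20 1025 48 S 1234 0 8192 - - - RECEIVE
2009-07-29 10:00:04 ALLOW UDP 127.0.0.1 239.255.255.250 58915 1900 0 - - - - - - - SEND
2009-07-29 10:00:05 ALLOW UDP 0.0.0.0 255.255.255.255 68 67 0 - - - - - - - SEND
2009-07-29 10:00:06 ALLOW UDP fe80::9536:4516:f99:3705 ff02::1:3 - 5355 0 - - - - - - - SEND
2009-07-29 10:00:07 ALLOW TCP 192.168.0.245 192.168.0.4 49152 3389 0 - 0 0 0 - - - RECEIVE
EOF
}

# top_talkers LOGFILE ACTION FIELD...
# Prints "count field1 field2 ..." for every distinct combination of the named
# fields among records whose action matches, most frequent first.
top_talkers() {
    log=$1; action=$2; shift 2
    awk -v action="$action" -v want="$*" '
        { sub(/\r$/, "") }             # logs copied from Windows have CRLF endings
        /^#Fields:/ {                  # map field names to column numbers
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            act = col["action"]
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) {
                if (!(w[i] in col)) {
                    print "unknown field: " w[i] > "/dev/stderr"; exit 2
                }
                idx[i] = col[w[i]]
            }
            next
        }
        /^#/ || NF == 0 { next }       # other header lines and the blank line
        act == "" { print "no #Fields: header found" > "/dev/stderr"; exit 2 }
        $act == action {
            line = ""
            for (i = 1; i <= n; i++) { c = idx[i]; line = line (i > 1 ? " " : "") $c }
            print line
        }
    ' "$log" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone demo: build the sample log and run the cuts from the post.
demo() {
    sample=$(mktemp) || exit 1
    make_sample_log "$sample"
    echo "== ALLOW by source IP";                 top_talkers "$sample" ALLOW src-ip
    echo "== ALLOW by source IP and source port"; top_talkers "$sample" ALLOW src-ip src-port
    echo "== ALLOW by src IP, dst IP, dst port";  top_talkers "$sample" ALLOW src-ip dst-ip dst-port
    echo "== DROP by source IP";                  top_talkers "$sample" DROP src-ip
    rm -f "$sample"
}
demo
```

The first sort only has to put identical lines next to each other for uniq -c, so a plain sort does the job; the -nr on that first sort in the one-liners above is harmless but unnecessary. The header lines never match the action test, which is why the one-liners can ignore them. The CRLF strip only starts to matter once you select a field near the end of the record, such as path, where the stray \r would otherwise end up inside the value and make a test like $17 == "RECEIVE" fail on every line.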
