Class: PixParser

Inherits:
Parser
Defined in:
lib/gl_tail/parsers/pix-fwsm.rb

Overview

Parser which handles logs from Cisco PIX or FWSM firewalls; it should also handle ASA logs with minimal change… Leif Sawyer ([email protected])

Instance Attribute Summary

Attributes inherited from Parser

#source

Instance Method Summary

Methods inherited from Parser

#add_activity, #add_event, inherited, #initialize, registry, #server

Constructor Details

This class inherits a constructor from Parser

Instance Method Details

#parse(line) ⇒ Object

# File 'lib/gl_tail/parsers/pix-fwsm.rb', line 13

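# Connection-setup message ("Built inbound/outbound ... connection") from a
# PIX, FWSM or ASA. ASA syslog uses the same "%ASA-<sev>-<id>:" prefix shape as
# "%PIX-..."/"%FWSM-...", which is the minimal change the overview asks for.
# Interface names may contain '-' (see the "dmz-anc-csa" sample comment in
# #parse), so they are matched with [\w\-] rather than \w.
# Named captures: firewall, type, direction, srcif, src, srcport, dstif, dst, dstport.
BUILT_CONNECTION_RE = /^.* \d+ \d+:\d+:\d+ \[?(?<firewall>[a-zA-Z0-9\-]+)\/?\]?.* %(?<type>FWSM|PIX|ASA)-\d+-\d+: Built (?<direction>\w+)bound \w+ connection \d+ for (?<srcif>[\w\-]+):(?<src>[a-zA-Z0-9.]+)\/(?<srcport>[a-zA-Z0-9.]+) \(.*\) to (?<dstif>[\w\-]+):(?<dst>[a-zA-Z0-9.]+)\/(?<dstport>[a-zA-Z0-9.]+)/

# URL-access message ("<client> Accessed URL <server>:<url>").
# Named captures: firewall, type, client, server, url. The url capture is the
# greedy remainder of the line (the old trailing "[\?]?" could only ever match
# the empty string after it, so it has been dropped without changing behaviour).
ACCESSED_URL_RE = /^.* \d+ \d+:\d+:\d+ \[?(?<firewall>[a-zA-Z0-9\-]+)\/?\]?.* %(?<type>FWSM|PIX|ASA)-\d+-\d+: (?<client>[a-zA-Z0-9.]+) Accessed URL (?<server>[a-zA-Z0-9.]+):(?<url>.*)/

# Parse one firewall syslog line and record the activity it describes.
#
# Only "Built ... connection" and "Accessed URL" messages are handled; every
# other line is ignored. Recognised messages are reported through
# +add_activity+ (inherited from Parser) under the blocks 'firewall', 'hosts',
# 'sites' and 'urls'. The field values are taken verbatim from the log line,
# i.e. they are whatever the remote peer caused the firewall to log.
#
# @param line [String] a single syslog line (the patterns assume one line;
#   they are anchored with ^ rather than \A, as in the original)
# @return [nil]
def parse(line)
  if line.include?(': Built')
    parse_built_connection(line)
  elsif line.include?('Accessed URL')
    parse_accessed_url(line)
  end

  # Not handled yet -- kept as samples of the message shapes:
  #
  #    elsif line.include?(': Deny')
  #      # Deny udp src outside:_SRC_IP_/_SRC_PORT_ dst inside:_DST_IP_/_DST_PORT_ by access-group "_ACL_NAME"
  #      printf("ACL denied access ...\n") if $VRB > 0
  #
  #    elsif line.include?('static translation')
  #      # Teardown static translation from inside:_SRC_IP_ to dmz-anc-csa:_DST_IP_ duration 0:01:00
  #      printf("static translation ...\n") if $VRB > 0
  nil
end

# Handle a "Built ... connection" line.
#
# For an outbound connection the source is the local host and the destination
# the remote site; for anything else (i.e. inbound) the roles are swapped.
#
# @param line [String] syslog line containing ': Built'
# @return [nil]
def parse_built_connection(line)
  m = BUILT_CONNECTION_RE.match(line)
  return unless m

  add_activity(:block => 'firewall', :name => m[:firewall])
  local, remote = m[:direction] == 'out' ? [m[:src], m[:dst]] : [m[:dst], m[:src]]
  add_activity(:block => 'hosts', :name => local)
  add_activity(:block => 'sites', :name => remote)
  printf("%sbound from %s firewall '%s', srcif=%s, src=%s, srcport=%s, dstif=%s, dst=%s, dstport=%s...\n",
         m[:direction], m[:type], m[:firewall], m[:srcif], m[:src], m[:srcport], m[:dstif], m[:dst], m[:dstport]) if verbose?
  nil
end

# Handle an "Accessed URL" line.
#
# @param line [String] syslog line containing 'Accessed URL'
# @return [nil]
def parse_accessed_url(line)
  m = ACCESSED_URL_RE.match(line)
  return unless m

  add_activity(:block => 'firewall', :name => m[:firewall])
  add_activity(:block => 'hosts', :name => m[:client])
  add_activity(:block => 'sites', :name => m[:server])
  add_activity(:block => 'urls', :name => m[:url])
  printf("%s firewall '%s': client %s accessed url %s on host %s\n", m[:type], m[:firewall], m[:client], m[:url], m[:server]) if verbose?
  nil
end

# Whether debug output should be printed. $VRB is the application-wide
# verbosity level; treat an unset global as 0 instead of raising NoMethodError.
#
# @return [Boolean]
def verbose?
  ($VRB || 0) > 0
end

private :parse_built_connection, :parse_accessed_url, :verbose?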