#!/usr/bin/perl # # $Id: pfilter.pl,v 1.1 2002/11/15 20:27:57 raptor Exp $ # # pfilter.pl v1.0 - OpenBSD PF logs parser/colorizer # Copyright (c) 2002 Raptor # # PFilter filters OpenBSD PF log files parsed by # tcpdump(8) and prints colored messages. Both # /var/log/pflog and pflog0 (for real-time logging) # are supported. # # Tested on OpenBSD 3.2. # # Usage examples: # tcpdump -lnetttv -r /var/log/pflog | pfilter # tcpdump -lnetttv -i pflog0 | pfilter # tcpdump -lnetttv -i pflog0 2>/dev/null | pfilter > /dev/ttyC5 & # # Modules use Term::ANSIColor; use Getopt::Std; use strict; # ANSI Color options $Term::ANSIColor::AUTORESET++; # reset color after each print $SIG{INT} = sub { print "\n"; exit; }; # reset color after ^C # Global vars my ($date, $rule, $src, $dst, $rest); # Command line our ($opt_h); getopts("h"); die "Usage: tcpdump -lnetttv -r /var/log/pflog | pfilter\n tcpdump -lnetttv -i pflog0 | pfilter\n" if ($opt_h); ########### Parse the specified pflog file ########### # Color palette (protocols) my $icmp_color = "bold green"; my $tcp_color = "bold red"; my $udp_color = "bold cyan"; # Color palette (misc) my $normal_color = "white"; my $ip_color = "bold white"; my $rule_color = "bold blue"; # Main loop NEWLINE: while () { ($date, $rule, $src, undef, $dst, $rest) = /^(.+?\s.+?\s.+?\s)(.+?:\s.+?:\s)(.+?\s)(>\s)(.+?:\s)(.*)/; # Normalize variables $rule =~ s/://g; $dst =~ s/:\s/\ /; # Show only interesting things next NEWLINE if ! defined($rest) or (length($rest) < 1); # ICMP traffic if ($rest =~ /icmp/) { &out($icmp_color); } # TCP traffic elsif ($rest =~ /tcp/) { &out($tcp_color); } # UDP traffic elsif ($rest =~ /udp/) { &out($udp_color); } # Other traffic else { &out($normal_color); } } ########### Local functions ########### # Print formatted output sub out { my $color = $_[0]; # Print line print colored($date, $color); print colored($rule, $rule_color); print colored($src, $ip_color); print colored("> ", $color); print colored($dst, $ip_color); print colored($rest, $color); print "\n"; }