NAME
POE::Filter::Log::IPTables - filter for processing IPTables logs
SYNOPSIS
use POE::Filter::Log::IPTables;
$filter = POE::Filter::Log::IPTables->new(Syslog => 1);
$arrayref_of_hashrefs = $filter->get($arrayref_of_raw_chunks_from_driver);
DESCRIPTION
The Log::IPTables filter translates iptables log lines into hashrefs.
PUBLIC FILTER METHODS
- new
-
new() creates and initializes a new POE::Filter::Log::IPTables filter. You can pass it "Syslog => 1" if you would like it to attempt to remove syslog timestamps from the log lines. You can pass it "Debug => 1" to turn debugging on.
- get ARRAYREF
-
get() translates iptables log lines into hashrefs.
In the top level of the hashref:
- in_int
-
The interface a packet came in on.
- out_int
-
The interface a packet went out on.
- leftover
-
Any part of the iptables log line that couldn't be parsed.
- line
-
The entire (unmodified) iptables log line.
- ip
-
- src_addr
-
The source address of the IP packet.
- dst_addr
-
The destination address of the IP packet.
- len
-
The length of the IP packet.
- tos
-
The Type of Service of the IP packet.
- prec
-
The Precedence of the IP packet.
- ttl
-
The time to live of the IP packet.
- id
-
The id of the IP packet.
- fragment_flags
-
An arrayref. Can have "CE" (congestion), "DF" (don't fragment), or "MF" (more fragments are coming).
- type
-
The name/number of the protocol that the IP packet encapsulates. This will be 'tcp', 'udp', 'icmp', or a number corresponding to the protocol in /etc/protocols.
- tcp
-
- src_port
-
The source port of the tcp packet.
- dst_port
-
The destination port of the tcp packet.
- window
-
The length of the TCP window.
- res
-
The reserved bits.
- flags
-
An arrayref. Can be any combination of "CWR" (Congestion Window Reduced), "ECE" (Explicit Congestion Notification Echo), "URG" (Urgent), "ACK" (Acknowledgement), "PSH" (Push), "RST" (Reset), "SYN" (Synchronize), or "FIN" (Finished)
- urgp
-
The urgent pointer.
- udp
-
- src_port
-
The source port of the UDP packet.
- dst_port
-
The destination port of the UDP packet.
- len
-
The length of the UDP packet.
- icmp
-
- type
-
The numeric type of the ICMP packet.
- code
-
The numeric code of the ICMP packet.
- error_header
-
Some types of ICMP - 3 (destination unreachable), 4 (source quench), and 11 (time exceeded) - contain the IP and protocol headers that generated the ICMP packet. We parse this recursively, so if the type is one of those numbers, error_header is a hashref that starts again with the top level of the data structure. It may make more sense if you look at a YAML dump, which can be found below...
- id
-
The id of the ICMP echo packet.
- seq
-
The sequence number of the ICMP echo packet.
DATA STRUCTURE OVERVIEW
TCP packet
in_int: eth1
leftover: ~
line: >-
Nov 28 19:52:19 malloc kernel: in: IN=eth1 OUT= MAC= SRC=192.168.1.31 DST=192.168.0.54 LEN=100 TOS=0x00 PREC=0x00 TTL=63 ID=38565 DF PROTO=TCP SPT=25 DPT=1071 WINDOW=57352 RES=0x00 ACK PSH URGP=0
mac: ~
out_int: ~
ip:
dst_addr: 192.168.0.54
fragment_flags:
- DF
id: 38565
len: 100
prec: 0x00
src_addr: 192.168.1.31
tos: 0x00
ttl: 63
type: tcp
tcp:
dst_port: 1071
flags:
- ACK
- PSH
res: 0x00
src_port: 25
urgp: 0
window: 57352
UDP packet
in_int: eth1
leftover: ~
line: >-
Nov 29 10:52:11 malloc kernel: in: IN=eth1 OUT= MAC= SRC=10.9.8.46 DST=192.168.0.208 LEN=801 TOS=0x00 PREC=0x00 TTL=115 ID=3391 PROTO=UDP SPT=31466 DPT=1026 LEN=781
mac: ~
out_int: ~
ip:
dst_addr: 192.168.0.208
id: 3391
len: 801
prec: 0x00
src_addr: 10.9.8.46
tos: 0x00
ttl: 115
type: udp
udp:
dst_port: 1026
len: 781
src_port: 31466
ICMP echo packet
in_int: ppp0
leftover: ~
line: >-
Nov 30 09:54:51 malloc kernel: in: IN=ppp0 OUT= MAC= SRC=10.0.0.34 DST=192.168.143.41 LEN=37 TOS=0x00 PREC=0x00 TTL=115 ID=61772 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=8403
mac: ~
out_int: ~
ip:
dst_addr: 192.168.143.41
id: 61772
len: 37
prec: 0x00
src_addr: 10.0.0.34
tos: 0x00
ttl: 115
type: icmp
icmp:
code: 0
id: 256
seq: 8403
type: 8
ICMP error packet
in_int: ppp0
leftover: ~
line: >-
Nov 28 11:17:33 malloc kernel: in: IN=ppp0 OUT= MAC= SRC=192.168.2.113 DST=192.168.0.223 LEN=492 TOS=0x00 PREC=0x00 TTL=240 ID=39184 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.223 DST=192.168.2.113 LEN=464 TOS=0x00 PREC=0x00 TTL=52 ID=58665 DF PROTO=TCP SPT=34373 DPT=80 WINDOW=63712 RES=0x00 ACK PSH FIN URGP=0 ]
mac: ~
out_int: ~>
ip:
dst_addr: 192.168.0.223
id: 39184
len: 492
prec: 0x00
src_addr: 192.168.2.113
tos: 0x00
ttl: 240
type: icmp
icmp:
code: 3
type: 3
error_header:
leftover: ~
line: >-
SRC=192.168.0.223 DST=192.168.2.113 LEN=464 TOS=0x00 PREC=0x00 TTL=52 ID=58665 DF PROTO=TCP SPT=34373 DPT=80 WINDOW=63712 RES=0x00 ACK PSH FIN URGP=0
ip:
dst_addr: 192.168.2.113
fragment_flags:
- DF
id: 58665
len: 464
prec: 0x00
src_addr: 192.168.0.223
tos: 0x00
ttl: 52
type: tcp
tcp:
dst_port: 80
flags:
- ACK
- PSH
- FIN
res: 0x00
src_port: 34373
urgp: 0
window: 63712
SEE ALSO
POE::Filter.
BUGS
There are probably some corner cases that this module can't parse correctly. I haven't tested, in particular, AH, ESP, other non-tcp/udp/icmp protocols, ICMP packets of type 11 (parameter problem), 5 (redirect), and 4 (source quench). It also has some problems with logs from bridging firewalls. I haven't tested ebtables logs at all.
It doesn't even pretend to support IPv6. It shouldn't be too hard to do, but I don't have any IPv6 networks to test with. All the code is in /usr/src/linux/net/ipv6/netfilter/ip6t_LOG.c, though. Patches welcome.
Doesn't support --log-tcp-sequence, --log-tcp-options, or --log-ip-options. It won't throw the whole line out, though, it'll do the best it can and hand you the leftovers in the 'leftover' field of the hashref.
Doesn't support get_one(), get_one_start(), or get_pending(). This means switching from this filter to another filter probably won't work, but I haven't tried it.
Doesn't support put(), though it would be cool to be able to take iptables logs and write the iptables commands used to generate them.
AUTHOR
Paul Visscher, <paulv@cpan.org>
COPYRIGHT AND LICENSE
Copyright (C) 2004 by Paul Visscher
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.4 or, at your option, any later version of Perl 5 you may have available.