NAME

POE::Filter::Log::IPTables - filter for processing IPTables logs

SYNOPSIS

use POE::Filter::Log::IPTables;

$filter = POE::Filter::Log::IPTables->new(Syslog => 1);
$arrayref_of_hashrefs = $filter->get($arrayref_of_raw_chunks_from_driver);

DESCRIPTION

The Log::IPTables filter translates iptables log lines into hashrefs.

PUBLIC FILTER METHODS

new

new() creates and initializes a new POE::Filter::Log::IPTables filter. You can pass it "Syslog => 1" if you would like it to attempt to remove syslog timestamps from the log lines. You can pass it "Debug => 1" to turn debugging on.

get ARRAYREF

get() translates iptables log lines into hashrefs.

In the top level of the hashref:

in_int

The interface a packet came in on.

out_int

The interface a packet went out on.

leftover

Any part of the iptables log line that couldn't be parsed.

line

The entire (unmodified) iptables log line.

ip
src_addr

The source address of the IP packet.

dst_addr

The destination address of the IP packet.

len

The length of the IP packet.

tos

The Type of Service of the IP packet.

prec

The Precedence of the IP packet.

ttl

The time to live of the IP packet.

id

The id of the IP packet.

fragment_flags

An arrayref. Can have "CE" (congestion), "DF" (don't fragment), or "MF" (more fragments are coming).

type

The name/number of the protocol that the IP packet encapsulates. This will be 'tcp', 'udp', 'icmp', or a number corresponding to the protocol in /etc/protocols.

tcp
src_port

The source port of the tcp packet.

dst_port

The destination port of the tcp packet.

window

The length of the TCP window.

res

The reserved bits.

flags

An arrayref. Can be any combination of "CWR" (Congestion Window Reduced), "ECE" (Explicit Congestion Notification Echo), "URG" (Urgent), "ACK" (Acknowledgement), "PSH" (Push), "RST" (Reset), "SYN" (Synchronize), or "FIN" (Finished)

urgp

The urgent pointer.

udp
src_port

The source port of the UDP packet.

dst_port

The destination port of the UDP packet.

len

The length of the UDP packet.

icmp
type

The numeric type of the ICMP packet.

code

The numeric code of the ICMP packet.

error_header

Some types of ICMP - 3 (destination unreachable), 4 (source quench), and 11 (time exceeded) - contain the IP and protocol headers that generated the ICMP packet. We parse this recursively, so if the type is one of those numbers, error_header is a hashref that starts again with the top level of the data structure. It may make more sense if you look at a YAML dump, which can be found below...

id

The id of the ICMP echo packet.

seq

The sequence number of the ICMP echo packet.

DATA STRUCTURE OVERVIEW

TCP packet

in_int: eth1
leftover: ~
line: >-
  Nov 28 19:52:19 malloc kernel: in: IN=eth1 OUT= MAC= SRC=192.168.1.31 DST=192.168.0.54 LEN=100 TOS=0x00 PREC=0x00 TTL=63 ID=38565 DF PROTO=TCP SPT=25 DPT=1071 WINDOW=57352 RES=0x00 ACK PSH URGP=0 
mac: ~
out_int: ~
ip:
  dst_addr: 192.168.0.54
  fragment_flags:
    - DF
  id: 38565
  len: 100
  prec: 0x00
  src_addr: 192.168.1.31
  tos: 0x00
  ttl: 63
  type: tcp
  tcp:
    dst_port: 1071
    flags:
      - ACK
      - PSH
    res: 0x00
    src_port: 25
    urgp: 0
    window: 57352

UDP packet

in_int: eth1
leftover: ~
line: >-
  Nov 29 10:52:11 malloc kernel: in: IN=eth1 OUT= MAC= SRC=10.9.8.46 DST=192.168.0.208 LEN=801 TOS=0x00 PREC=0x00 TTL=115 ID=3391 PROTO=UDP SPT=31466 DPT=1026 LEN=781 
mac: ~
out_int: ~
ip:
  dst_addr: 192.168.0.208
  id: 3391
  len: 801
  prec: 0x00
  src_addr: 10.9.8.46
  tos: 0x00
  ttl: 115
  type: udp
  udp:
    dst_port: 1026
    len: 781
    src_port: 31466

ICMP echo packet

in_int: ppp0
leftover: ~
line: >-
  Nov 30 09:54:51 malloc kernel: in: IN=ppp0 OUT= MAC= SRC=10.0.0.34 DST=192.168.143.41 LEN=37 TOS=0x00 PREC=0x00 TTL=115 ID=61772 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=8403 
mac: ~
out_int: ~
ip:
  dst_addr: 192.168.143.41
  id: 61772
  len: 37
  prec: 0x00
  src_addr: 10.0.0.34
  tos: 0x00
  ttl: 115
  type: icmp
  icmp:
    code: 0
    id: 256
    seq: 8403
    type: 8

ICMP error packet

in_int: ppp0
leftover: ~
line: >-
  Nov 28 11:17:33 malloc kernel: in: IN=ppp0 OUT= MAC= SRC=192.168.2.113 DST=192.168.0.223 LEN=492 TOS=0x00 PREC=0x00 TTL=240 ID=39184 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.223 DST=192.168.2.113 LEN=464 TOS=0x00 PREC=0x00 TTL=52 ID=58665 DF PROTO=TCP SPT=34373 DPT=80 WINDOW=63712 RES=0x00 ACK PSH FIN URGP=0 ]
mac: ~
out_int: ~>
ip:
  dst_addr: 192.168.0.223
  id: 39184
  len: 492
  prec: 0x00
  src_addr: 192.168.2.113
  tos: 0x00
  ttl: 240
  type: icmp
  icmp:
    code: 3
    type: 3
    error_header:
      leftover: ~
      line: >-
        SRC=192.168.0.223 DST=192.168.2.113 LEN=464 TOS=0x00 PREC=0x00 TTL=52 ID=58665 DF PROTO=TCP SPT=34373 DPT=80 WINDOW=63712 RES=0x00 ACK PSH FIN URGP=0
      ip:
        dst_addr: 192.168.2.113
        fragment_flags:
          - DF
        id: 58665
        len: 464
        prec: 0x00
        src_addr: 192.168.0.223
        tos: 0x00
        ttl: 52
        type: tcp
        tcp:
          dst_port: 80
          flags:
            - ACK
            - PSH
            - FIN
          res: 0x00
          src_port: 34373
          urgp: 0
          window: 63712
    

SEE ALSO

POE::Filter.

BUGS

There are probably some corner cases that this module can't parse correctly. I haven't tested, in particular, AH, ESP, other non-tcp/udp/icmp protocols, ICMP packets of type 11 (parameter problem), 5 (redirect), and 4 (source quench). It also has some problems with logs from bridging firewalls. I haven't tested ebtables logs at all.

It doesn't even pretend to support IPv6. It shouldn't be too hard to do, but I don't have any IPv6 networks to test with. All the code is in /usr/src/linux/net/ipv6/netfilter/ip6t_LOG.c, though. Patches welcome.

Doesn't support --log-tcp-sequence, --log-tcp-options, or --log-ip-options. It won't throw the whole line out, though, it'll do the best it can and hand you the leftovers in the 'leftover' field of the hashref.

Doesn't support get_one(), get_one_start(), or get_pending(). This means switching from this filter to another filter probably won't work, but I haven't tried it.

Doesn't support put(), though it would be cool to be able to take iptables logs and write the iptables commands used to generate them.

AUTHOR

Paul Visscher, <paulv@cpan.org>

COPYRIGHT AND LICENSE

Copyright (C) 2004 by Paul Visscher

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.4 or, at your option, any later version of Perl 5 you may have available.