#==============================================================================
#
# Module:	icf.pm
#
# Author:	Peter Sundstrom (peter@ginini.com)
#
# Purpose:	Converts Microsoft ICF logs to FW1 logexport format.
#
# Version:	1.0.0
#
# Source:	http://www.ginini.com/software/fwlogsum/converters/
#
#==============================================================================

use strict;

sub Convert {
	my $input = shift;

	open INPUT,$input or die "Can not open $input $!\n";

	#
	# Output FW1 logexport header
	#
	print "num;date;time;orig;type;action;proto;src;dst;s_port;service;icmp-type;icmp-code;bytes\n";

	my (%field,@fields,$action);

	while (<INPUT>) {
		if (/#Fields:/) {
			s/#Fields://;
			@fields=split;
			last;
		}
	}

	die "No Fields header found in $input\n" unless @fields;

	my $count=0;

	while (<INPUT>) {
		next if (/^#/ or /^\S*$/);

		$count++;

		Linecount($count) if $verbose;

		#
		# Create a hash with the field names
		#
		my $position=0;
	
		foreach (split) {
			$_='' if ($_ eq '-');
			$field{$fields[$position]} = $_;
			$position++;
		}
	
		my ($yy,$mm,$dd) = $field{'date'} =~ /(\d+)-(\d+)-(\d+)/;

		print "$count;$dd$mon{$mm}$yy;$field{'time'};ICF;account;";

		#
		# ICF actions can be:
		#
		# OPEN,CLOSE,DROP and INFO-EVENTS-LOST
		#
		if ($field{'action'} eq 'DROP') {
			$action='drop';
		}
		elsif ($field{'action'} =~ /OPEN|CLOSE/) {
			$action='accept';
		}
		else {
			next;
		}

		print "$action;" .  lc($field{'protocol'}) . ';';
	
		print "$field{'src-ip'};$field{'dst-ip'};$field{'src-port'};$field{'dst-port'};$field{'icmptype'};$field{'icmpcode'};$field{'size'}\n";

	}

	close INPUT;
}

1;