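#==============================================================================
#
# Module:  netscreen.pm
#
# Author:  Peter Sundstrom (peter@ginini.com)
#
# Purpose: Converts native Netscreen logs (V3-V5) to FW1 log export format.
#
# Version: 1.0.0
#
# Source:  http://www.ginini.com/software/fwlogsum/converters/
#
#==============================================================================

use strict;
use warnings;

# Package globals shared with the calling fwlogsum script, which is expected to
# populate them before Convert() runs: $verbose switches on the Linecount()
# progress output; %mon is indexed by the two-digit month of the Netscreen
# start_time and its value is spliced into the FW1 date column (presumably the
# abbreviated month name, e.g. "01" => "Jan" -- confirm against the caller).
our ($verbose, %mon);

# Convert(INPUT_PATH)
#
# Reads a Netscreen syslog file and writes FW1 "logexport" (log account format)
# records to STDOUT: one header line, then one record per line carrying the
# system-notification-00257 traffic message.  Other lines are ignored; lines
# that carry the message id but do not match the expected field layout are
# reported on STDERR and skipped.  Dies if INPUT_PATH cannot be opened.
sub Convert {
    my $input = shift;

    # Three-argument open with a lexical handle.  The previous two-argument
    # form let the file name itself supply the mode, so a path such as "|cmd"
    # or ">file" taken from the command line would run a command or clobber a
    # file instead of being read.
    open my $in, '<', $input or die "Can not open $input $!\n";

    #
    # For converting protocol numbers to name
    #
    my %protocol = (
        0  => 'ip',
        1  => 'icmp',
        6  => 'tcp',
        17 => 'udp',
    );

    # Netscreen action keyword -> FW1 action keyword.  Unknown actions are
    # passed through unchanged.
    my %fw1_action_for = (
        Deny   => 'drop',
        Permit => 'accept',
    );

    #
    # Output FW1 logexport header (log account format)
    #
    print "num;date;time;orig;type;action;i/f_name;i/f_dir;proto;src;dst;rule;service;s_port;icmp-type;icmp-code;bytes;\n";

    my $count = 0;
    LINE: while (my $line = <$in>) {
        next LINE unless $line =~ /system-notification-00257/;
        chomp $line;
        $count++;
        Linecount($count) if $verbose;

        #
        # If the log has a "zone" entry, it must be a version 5.x format
        #
        my ($fwname, $start_time, $policy_id, $proto, $direction, $action,
            $sent, $rcvd, $src, $dst);
        if ($line =~ /src zone/) {
            ($fwname, $start_time, $policy_id, $proto, $action, $sent, $rcvd, $src, $dst)
                = $line =~ /device_id=(\w+).*start_time="(.*?)".*policy_id=(\d+).*proto=(\d+).*action=(\w+) sent=(\d+) rcvd=(\d+) src=(\S+) dst=(\S+)/;
            $direction = 'n/a';
        }
        else {
            ($fwname, $start_time, $policy_id, $proto, $direction, $action, $sent, $rcvd, $src, $dst)
                = $line =~ /device_id=(\w+).*start_time="(.*?)".*policy_id=(\d+).*proto=(\d+) direction=(\w+) action=(\w+) sent=(\d+) rcvd=(\d+) src=(\S+) dst=(\S+)/;
        }

        # A line with the message id but an unexpected field layout would
        # otherwise be emitted as a record of empty columns; report and skip.
        unless (defined $fwname) {
            warn "Skipping unparsable record $count: $line\n";
            next LINE;
        }

        my ($icmp_type, $src_port, $dst_port) = ('', '', '');
        my $is_icmp = $line =~ /icmp/;
        if ($is_icmp) {
            # List assignment is required here: a match in scalar context
            # yields only true/false, which is why the old code always wrote
            # icmp-type 1 instead of the captured value.
            ($icmp_type) = $line =~ /icmp type=(\d+)/;
            $icmp_type = '' unless defined $icmp_type;
        }
        else {
            ($src_port, $dst_port) = $line =~ /src_port=(\w+) dst_port=(\w+)/;
            $src_port = '' unless defined $src_port;
            $dst_port = '' unless defined $dst_port;
        }

        # Netscreen start_time is "YYYY-MM-DD HH:MM:SS"; FW1 wants DDMonYYYY.
        my ($yyyy, $mm, $dd, $time)
            = $start_time =~ /(\d+)-(\d+)-(\d+) (\d+:\d+:\d+)/;
        unless (defined $time) {
            warn "Skipping record $count with unparsable start_time \"$start_time\"\n";
            next LINE;
        }

        $action = $fw1_action_for{$action} if exists $fw1_action_for{$action};

        # Protocols outside the small name table are written as their IP
        # protocol number rather than an empty column.
        my $proto_name = exists $protocol{$proto} ? $protocol{$proto} : $proto;

        # Accounting column: total traffic in both directions.
        my $bytes = $sent + $rcvd;

        print "$count;$dd$mon{$mm}$yyyy;$time;$fwname;account;";
        print "$action;n/a;$direction;$proto_name;$src;$dst;$policy_id;";
        if ($is_icmp) {
            # service and s_port are empty for ICMP; icmp-code is not present
            # in the Netscreen record, so 0 is written.  bytes is filled in
            # the same way as for the TCP/UDP branch so the column set matches
            # the header.
            print ";;$icmp_type;0;$bytes\n";
        }
        else {
            print "$dst_port;$src_port;;;$bytes\n";
        }
    }

    close $in or warn "close $input: $!\n";
}

1;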