#==============================================================================
# Module: pix.pm
#
# Author: Peter Sundstrom (peter@ginini.com)
#
# Purpose: Converts ASA/PIX 5.x/6.x/7.x syslog output to the FW1 logexport
#          format (one ';'-separated record per recognised message).
#
# Version: 1.5.2
#
# Source: http://www.ginini.com/software/fwlogsum/converters/
#
#==============================================================================
use strict;
# Running record number: ParseDate() increments it once per emitted record
# and prints it as the leading "num" column of that record.
my $count=0;
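#------------------------------------------------------------------------------
# Convert($input)
#
# Reads the PIX/ASA syslog file named by $input and writes the column header
# followed by one FW1 logexport-style record per recognised message to STDOUT.
# ParseDate() prints the leading "num;date;time;orig;" columns of each record;
# the branches below print the remaining sixteen. Only lines containing "PIX"
# or "ASA" are considered; unrecognised message ids are skipped. Dies if
# $input cannot be opened.
#
# Changed from the original:
#  - three-argument open on a lexical handle, so $input is always taken as a
#    path (a name starting with '>' or '|', or ending in '|', is no longer a
#    redirect or a shell command);
#  - the read loop is spelled out as "while (<$in>)" (the old "while ()"
#    never read a line);
#  - a 106100 "permitted" line is skipped *before* the record prefix is
#    printed, so no half record is left dangling on the line;
#  - 313001 accepts an interface name, not only digits, and 106018 accepts
#    dotted addresses (the old "\w+" stopped at the first '.');
#  - Built/Teardown lines whose connection id or direction does not parse no
#    longer reuse captures left over from an earlier line.
#
# NOTE(review): %direction keeps one entry per Built connection until its
# Teardown is seen; a log with many orphaned Built lines grows it without
# bound. Left as is.
#------------------------------------------------------------------------------
sub Convert {
    my $input = shift;
    # Three-argument open: $input is a file name, never a mode or a pipe.
    open my $in, '<', $input or die "Can not open $input $!\n";
    my (%direction, $dir);
    my ($interface,$faddr,$faddr_port,$laddr,$laddr_port,$proto,$icmp_type,$icmp_code,$bytes);
    print "num;date;time;orig;type;action;i/f_name;i/f_dir;proto;src;dst;service;s_port;xlatesrc;xlatedst;xlatedport;xlatesport;icmp-type;icmp-code;bytes\n";
    # Every branch matches against $_ and ParseDate() is handed $_ too, so the
    # loop keeps the current line there.
    LINE: while (<$in>) {
        next LINE unless (/PIX|ASA/);
        # PIX/ASA Deny types handled below:
        #
        # 1-106021 = Deny tcp|udp|icmp reverse path check
        # 2-106001 = Deny inbound TCP connection
        # 2-106012 = Deny IP incorrect IP options
        # 2-106016 = Deny IP spoof from ($IP) to $IP on interface $IP
        # 2-106017 = Deny IP due to Land Attack
        # 2-106018 = Deny outbound ICMP
        # 3-106006 = Deny inbound UDP connection
        # 3-106010 = Deny inbound UDP (although PIX6.x manual states this is ICMP)
        # 3-106011 = Deny inbound TCP (not mentioned in PIX6.x manual)
        # 3-106014 = Deny inbound ICMP
        # 3-305005 = No translation group found for tcp|udp|icmp
        # 3-305006 = Dst IP is network/broadcast IP, translation creation failed
        # 3-307001 = Denied Telnet login session
        # 3-309001 = Denied manager connection
        # 3-313001 = ICMP against interface
        # 3-605001 = HTTP daemon interface $INTF: Connection denied from $IP
        # 3-610001 = NTP daemon interface $INTF: Packet denied from $IP
        # 4-106023 = Deny outbound TCP|UDP|ICMP connection
        # 4-400011 = IDS:2001 ICMP unreachable
        # 4-400014 = IDS:2004 ICMP echo request
        # 4-402101 = decaps: rec'd IPSEC packet has invalid spi
        # 4-402106 = Rec'd packet not an IPSEC packet.
        # 4-500004 = Invalid transport field
        # 5-106100 = access-list drop log messages
        # 6-106015 = Deny TCP packets not in PIX connection table
        #
        # Every capture below uses a restricted character class ([\w\-\.]+,
        # \d+, \w+), so a field taken from the log can never carry the ';'
        # column separator into the output record.
        if (/(PIX|ASA)-2-106016/) {
            ParseDate($_);
            ($faddr,$laddr,$interface) = /from \(([\w\-\.]+)\) to ([\w\-\.]+) on interface ([\w\-]+)/;
            print "log;drop;$interface;unknown;ip;$faddr;$laddr;;;$faddr;$laddr;;;;;;\n";
            next LINE;
        }
        # ICMP packet type $TYPE denied by outbound list $ACL src $IP dest $IP
        if (/(PIX|ASA)-2-106018/) {
            ParseDate($_);
            ($icmp_type,$faddr,$laddr) = /packet type (\w+).* src ([\w\-\.]+) dest ([\w\-\.]+)/;
            print "log;drop;pix;outbound;icmp;$faddr;$laddr;;;$faddr;$laddr;;;$icmp_type;;;\n";
            next LINE;
        }
        if (/(PIX|ASA)-2-106001/) {
            ParseDate($_);
            ($dir,$faddr,$faddr_port,$laddr,$laddr_port) = /(\w+) TCP.*from ([\d+\.]+)\/(\d+) to ([\d+\.]+)\/(\d+)/;
            $dir = lc($dir);
            print "log;drop;pix;$dir;tcp;$faddr;$laddr;$laddr_port;$faddr_port;$faddr;$laddr;$laddr_port;$faddr_port;;;\n";
            next LINE;
        }
        if (/(PIX|ASA)-3-106010/) {
            ParseDate($_);
            ($dir,$proto,$interface,$faddr,$faddr_port,$laddr,$laddr_port) = /Deny (\w+) (\w+) src ([\w\-]+):([\d+\.]+)\/(\d+) dst [\w\-]+:([\d+\.]+)\/(\d+)/;
            print "log;drop;$interface;$dir;$proto;$faddr;$laddr;$laddr_port;$faddr_port;$faddr;$laddr;$laddr_port;$faddr_port;;;\n";
            next LINE;
        }
        # PIX-3-106014, and PIX-3-106011 icmp:
        # Deny inbound (No xlate) icmp src $INTF:$IP dst $INTF:$IP
        # (type $TYPE, code $CODE)
        if (/(PIX|ASA)-3-106014/ or (/(PIX|ASA)-3-106011/ and /icmp/)) {
            ParseDate($_);
            ($interface,$faddr,$laddr,$icmp_type,$icmp_code) = /src ([\w\-]+):([\w\-\.]+) dst [\w\-]+:([\w\-\.]+) \(type (\d+), code (\d+)\)/;
            print "log;drop;$interface;inbound;icmp;$faddr;$laddr;;;$faddr;$laddr;;;$icmp_type;$icmp_code;\n";
            next LINE;
        }
        # PIX-3-106011 tcp|udp
        # Deny inbound (No xlate) tcp|udp src $INTF:$IP/$PORT dst $INTF:$IP/$PORT
        if (/(PIX|ASA)-3-106011/ and /tcp|udp/) {
            ParseDate($_);
            ($proto,$interface,$faddr,$faddr_port,$laddr,$laddr_port) = /(tcp|udp) src ([\w\-]+):([\w\-\.]+)\/(\d+) dst [\w\-]+:([\w\-\.]+)\/(\d+)/;
            print "log;drop;$interface;inbound;$proto;$faddr;$laddr;$laddr_port;$faddr_port;$faddr;$laddr;$laddr_port;$faddr_port;;;\n";
            next LINE;
        }
        # PIX-3-305005 tcp|udp
        # No translation group found for tcp|udp src $INTF/$IP/$PORT
        # dst $INTF/$IP/$PORT
        #
        # PIX-3-305006 tcp|udp
        # Dst IP is network/broadcast IP, translation creation failed
        # for tcp|udp src $INTF:$IP/$PORT dst $INTF:$IP/$PORT
        #
        # portmap translation creation failed for tcp|udp src
        # $INTF:$IP/$PORT dst $INTF:$IP/$PORT
        if ((/(PIX|ASA)-3-305005/ or /(PIX|ASA)-3-305006/) and /tcp|udp/) {
            ParseDate($_);
            ($proto,$interface,$faddr,$faddr_port,$laddr,$laddr_port) = /(tcp|udp) src ([\w\-]+):([\w\-\.]+)\/(\d+) dst [\w\-]+:([\w\-\.]+)\/(\d+)/;
            print "log;drop;$interface;inbound;$proto;$faddr;$laddr;$laddr_port;$faddr_port;$faddr;$laddr;$laddr_port;$faddr_port;;;\n";
            next LINE;
        }
        # PIX-3-305005 icmp
        # No translation group found for icmp src $INTF/$IP
        # dst $INTF/$IP (type $TYPE, code $CODE)
        #
        # PIX-3-305006 icmp
        # Dst IP is network/broadcast IP, translation creation failed
        # for icmp src $INTF:$IP dst $INTF:$IP (type $TYPE, code $CODE)
        #
        # portmap translation creation failed for icmp src
        # $INTF:$IP dst $INTF:$IP (type $TYPE, code $CODE)
        if ((/(PIX|ASA)-3-305005/ or /(PIX|ASA)-3-305006/) and /icmp/) {
            ParseDate($_);
            ($interface,$faddr,$laddr,$icmp_type,$icmp_code) = /src ([\w\-]+):([\w\-\.]+) dst [\w\-]+:([\w\-\.]+) \(type (\d+), code (\d+)\)/;
            print "log;drop;$interface;inbound;icmp;$faddr;$laddr;;;$faddr;$laddr;;;$icmp_type;$icmp_code;\n";
            next LINE;
        }
        # PIX-3-313001 ICMP against interface
        # Denied ICMP type=$TYPE, code=$CODE from $IP on interface $INTF
        if (/(PIX|ASA)-3-313001/) {
            ParseDate($_);
            ($icmp_type,$icmp_code,$faddr,$interface) = /Denied ICMP type=(\d+), code=(\d+) from ([\w\-\.]+) on interface ([\w\-]+)/;
            print "log;drop;$interface;inbound;icmp;$faddr;;;;$faddr;;;;$icmp_type;$icmp_code;\n";
            next LINE;
        }
        # PIX-3-610001: NTP daemon interface $INTF: Packet denied from $IP
        if (/(PIX|ASA)-3-610001/) {
            ParseDate($_);
            ($interface,$faddr) = /NTP daemon interface (\w+): Packet denied from ([\w\-\.]+)/;
            print "log;drop;$interface;inbound;ip;$faddr;;;;$faddr;;;;;;\n";
            next LINE;
        }
        # PIX-4-106023 tcp|udp
        # Deny tcp|udp src $INTF/$IP/$PORT dst $INTF/$IP/$PORT
        if (/(PIX|ASA)-4-106023/ and /tcp|udp/) {
            ParseDate($_);
            ($proto,$interface,$faddr,$faddr_port,$laddr,$laddr_port) = /Deny (tcp|udp) src ([\w\-]+):([\w\-\.]+)\/(\d+) dst [\w\-]+:([\w\-\.]+)\/(\d+)/;
            print "log;drop;$interface;outbound;$proto;$faddr;$laddr;$laddr_port;$faddr_port;$faddr;$laddr;$laddr_port;$faddr_port;;;\n";
            next LINE;
        }
        # PIX-4-106023 icmp
        # Deny icmp src $INTF:$IP dst $INTF:$IP (type $TYPE, code $CODE) by access-group "$ACCGRP"
        if (/(PIX|ASA)-4-106023/ and /icmp/) {
            ParseDate($_);
            ($interface,$faddr,$laddr,$icmp_type,$icmp_code) = /src ([\w\-]+):([\w\-\.]+) dst [\w\-]+:([\w\-\.]+) \(type (\d+), code (\d+)\)/;
            print "log;drop;$interface;inbound;icmp;$faddr;$laddr;;;$faddr;$laddr;;;$icmp_type;$icmp_code;\n";
            next LINE;
        }
        # PIX-4-400011: IDS:2001 ICMP unreachable from $IP to $IP on interface $INTF
        # PIX-4-400014: IDS:2004 ICMP echo request from $IP to $IP on interface $INTF
        if ((/(PIX|ASA)-4-400014/ and /ICMP/) or (/(PIX|ASA)-4-400011/ and /ICMP/)) {
            ParseDate($_);
            ($faddr,$laddr,$interface) = /from ([\w\-\.]+) to ([\w\-\.]+) on interface ([\w\-]+)/;
            print "log;drop;$interface;unknown;icmp;$faddr;$laddr;;;$faddr;$laddr;;;;;\n";
            next LINE;
        }
        # PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi
        # for destaddr=$IP, prot=$PROTO, spi=0x... (-...)
        if (/(PIX|ASA)-4-402101/) {
            ParseDate($_);
            ($faddr,$proto) = /destaddr=([\w\-\.]+), prot=(\w+),/;
            print "log;drop;unknown;inbound;$proto;$faddr;;;;;$faddr;;;;;;\n";
            next LINE;
        }
        # PIX-4-402106: Rec'd packet not an IPSEC packet. (ip)
        # dest_addr= $IP, src_addr= $IP, prot= tcp
        if (/(PIX|ASA)-4-402106/ and /prot= tcp/) {
            ParseDate($_);
            ($laddr,$faddr,$proto) = /dest_addr= ([\w\-\.]+), src_addr= ([\w\-\.]+), prot= (\w+)/;
            print "log;drop;unknown;inbound;$proto;$faddr;$laddr;;;;$faddr;$laddr;;;;;\n";
            next LINE;
        }
        # %PIX-4-500004: Invalid transport field for protocol=6,
        # from $IP/$PORT to $IP/$PORT
        if (/(PIX|ASA)-4-500004/ and /protocol=6/) {
            ParseDate($_);
            ($proto,$faddr,$faddr_port,$laddr,$laddr_port) = /protocol=(\d+), from ([\w\-\.]+)\/(\d+) to ([\w\-\.]+)\/(\d+)/;
            print "log;drop;unknown;unknown;$proto;$faddr;$laddr;$laddr_port;$faddr_port;$faddr;$laddr;$laddr_port;$faddr_port;;;\n";
            next LINE;
        }
        if (/(PIX|ASA)-6-106015/) {
            ParseDate($_);
            ($faddr,$faddr_port,$laddr,$laddr_port) = /.*from ([\w\-\.]+)\/(\d+) to ([\w\-\.]+)\/(\d+)/;
            print "log;drop;pix;unknown;tcp;$faddr;$laddr;$laddr_port;$faddr_port;$faddr;$laddr;$laddr_port;$faddr_port;;;\n";
            next LINE;
        }
        # PIX-2-106012
        # Deny IP from $IP to $IP, IP options:
        #
        # PIX-2-106017
        # Deny IP due to Land Attack from $IP to $IP
        if (/(PIX|ASA)-2-106012/ or /(PIX|ASA)-2-106017/) {
            ParseDate($_);
            ($faddr,$laddr) = /from ([\w\-\.]+) to ([\w\-\.]+)/;
            print "log;drop;pix;unknown;ip;$faddr;$laddr;;;$faddr;$laddr;;;;;\n";
            next LINE;
        }
        # PIX-1-106021
        # Deny icmp|tcp|udp reverse path check from $IP to $IP on interface $INTF
        if (/(PIX|ASA)-1-106021/ and /icmp|tcp|udp/) {
            ParseDate($_);
            ($proto,$faddr,$laddr,$interface) = /(icmp|tcp|udp) reverse path check from ([\w\-\.]+) to ([\w\-\.]+) on interface ([\w\-]+)/;
            print "log;drop;$interface;unknown;$proto;$faddr;$laddr;;;$faddr;$laddr;;;;;\n";
            next LINE;
        }
        # PIX-3-307001
        # Denied Telnet login session from $IP on interface $INTF
        # (the literal word "Telnet" is reported in the service column)
        if (/(PIX|ASA)-3-307001/) {
            ParseDate($_);
            ($laddr_port,$faddr,$interface) = /Denied (Telnet) login session from ([\w\-\.]+) on interface ([\w\-]+)/;
            print "log;drop;$interface;incoming;admin;$faddr;;$laddr_port;;$faddr;;$laddr_port;;;;\n";
            next LINE;
        }
        # PIX-3-309001: Denied manager connection from $IP
        if (/(PIX|ASA)-3-309001/) {
            ParseDate($_);
            ($faddr) = /from ([\w\-\.]+)/;
            print "log;drop;unknown;incoming;admin;$faddr;;;;$faddr;;;;;;\n";
            next LINE;
        }
        # %PIX-5-106100: access-list drop log messages
        if (/(PIX|ASA)-5-106100/) {
            # Permitted entries produce no record, so decide before
            # ParseDate() prints the record prefix.
            next LINE if /permitted/;
            ParseDate($_);
            ($proto,$interface,$faddr,$faddr_port,$laddr,$laddr_port) = /denied (tcp|udp) ([\w\-]+)\/([\w\-\.]+)\((\d+)\) \-> [\w\-]+\/([\w\-\.]+)\((\d+)\)/;
            print "log;drop;$interface;inbound;$proto;$faddr;$laddr;$laddr_port;$faddr_port;$faddr;$laddr;$laddr_port;$faddr_port;;;\n";
            next LINE;
        }
        # PIX-3-605001
        # HTTP daemon interface $INTF: Connection denied from $IP
        if (/(PIX|ASA)-3-605001/) {
            ParseDate($_);
            ($interface,$faddr) = /interface ([\w\-]+): Connection denied from ([\w\-\.]+)/;
            print "log;drop;$interface;incoming;admin;$faddr;;;;$faddr;;;;;;\n";
            next LINE;
        }
        #
        # Built connections: remember the direction per connection id so the
        # matching Teardown (which carries the byte count) can be attributed.
        #
        if (/Built.*TCP connection/) {
            _built_connection(\%direction, 'tcp');
            next LINE;
        }
        if (/Built.*UDP connection/) {
            _built_connection(\%direction, 'udp');
            next LINE;
        }
        #
        # Teardown entries contain the bytes info.
        #
        if (/Teardown/) {
            my ($conn_id) = /connection\s+(\d+)/;
            if (defined $conn_id and exists $direction{$conn_id}) {
                $dir = delete $direction{$conn_id};
            }
            else {
                $dir = 'unknown';   # no id, or no Built line seen for it
            }
            if (/(TCP|UDP) connection/) {
                my $teardown_proto = lc $1;
                ParseDate($_);
                ($faddr,$faddr_port,$laddr,$laddr_port,$bytes) = /for .+:([\d+\.]+)\/(\d+) to .+:([\d+\.]+)\/(\d+).*bytes (\d*)/;
                print "account;accept;pix;$dir;$teardown_proto;$laddr;$faddr;$laddr_port;$faddr_port;;$faddr;$faddr_port;;;;$bytes\n";
            }
            next LINE;
        }
    }
    close $in;
    return;
}

#------------------------------------------------------------------------------
# _built_connection(\%direction, $proto)
#
# Handles a "Built {inbound|outbound} TCP|UDP connection N for ..." line held
# in $_. $proto is 'tcp' or 'udp'. Stores the direction word under the
# connection id in %direction and prints one "accept" log record (prefix via
# ParseDate()). A line with neither "inbound" nor "outbound" prints nothing,
# so no half record is left behind.
#
# Both sides of the message read "intf:real/port (mapped/port)". For an
# outbound connection the first side is the destination and the second the
# source; for inbound it is the other way round, and the columns below are
# arranged accordingly.
# NOTE(review): for inbound the two mapped addresses are swapped relative to
# the mapped ports (xlatesrc gets the second side's address but xlatedport
# the second side's port). This reproduces the original layout; confirm
# against the FW1 field semantics before changing it.
#------------------------------------------------------------------------------
sub _built_connection {
    my ($direction, $proto) = @_;
    my $tag = uc $proto;
    my ($dir, $conn_id) = /(\w+) $tag connection (\d+)/;
    $dir = 'unknown' unless defined $dir;
    $direction->{$conn_id} = $dir if defined $conn_id;
    my ($addr1,$port1,$map1,$mport1,$addr2,$port2,$map2,$mport2) =
        /for .+:([\d+\.]+)\/(\d+) \(([\d+\.]+)\/(\d+)\) to .+:([\d+\.]+)\/(\d+) \(([\d+\.]+)\/(\d+)\)/;
    if (/outbound $tag/) {
        ParseDate($_);
        print "log;accept;pix;$dir;$proto;$addr2;$addr1;$port1;$port2;$map2;$map1;$mport1;$mport2;;;;\n";
    }
    elsif (/inbound $tag/) {
        ParseDate($_);
        print "log;accept;pix;$dir;$proto;$addr1;$addr2;$port2;$port1;$map2;$map1;$mport2;$mport1;;;;\n";
    }
    return;
}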
#----------------------------------------------------------------------------
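#----------------------------------------------------------------------------
# ParseDate($line)
#
# Prints the leading "num;date;time;orig;" columns of one output record for
# the syslog line $line (no trailing newline; the caller prints the rest).
# Increments the file-level record counter $count and reports it through
# Linecount() when $verbose is set; neither Linecount() nor $verbose is
# defined in this file, so both are presumably provided by the script that
# loads it.
#
# The date is taken from whichever syslog prefix the line carries:
#   YYYY-MM-DD HH:MM:SS                     (Kiwi syslog)
#   <PRI>Mon DD YYYY HH:MM:SS: %PIX|%ASA
#   [tag] Mon DD YYYY HH:MM:SS: %PIX|%ASA
#   Mon DD HH:MM:SS ...                     (Linux syslog; no year in the
#                                            prefix, the local clock's is used)
#   otherwise: word Mon DD YYYY HH:MM:SS: %PIX|%ASA
# A prefix that does not parse yields empty date and time columns. The month
# is printed as found (numeric for Kiwi, abbreviated name otherwise).
#
# Changed from the original: the origin lookup matches against $line instead
# of the caller's $_; its timestamp allows two-digit fields (the old
# "\d:\d:\d:" could never match HH:MM:SS, so the origin was always "pix");
# "%ASA" is accepted wherever "%PIX" was, consistent with Convert(); and the
# origin host may not contain ';', the column separator, so a syslog sender
# cannot inject extra columns into the record through its device id.
#----------------------------------------------------------------------------
sub ParseDate {
    my $line = shift;
    $count++;
    Linecount($count) if $verbose;
    #
    # Unfortunately there are many different syslog formats, so try to
    # determine which one is in use.
    #
    my ($day, $month, $year, $time);
    if ($line =~ /\d+-\d+-\d+ /) {                  # Kiwi syslog
        ($year, $month, $day, $time) = $line =~ /(\d+)-(\d+)-(\d+) (\d+:\d+:\d+)\s+/;
    }
    elsif ($line =~ /\<\d+\>/) {                    # <PRI> prefix
        ($month, $day, $year, $time) = $line =~ /\<\d+\>(\w+) (\d+) (\d+) (..:..:..): %(?:PIX|ASA)/;
    }
    elsif ($line =~ /\[\S+\]/) {                    # [tag] prefix
        ($month, $day, $year, $time) = $line =~ /\[\S+\] (\w+) (\d+) (\d+) (..:..:..): %(?:PIX|ASA)/;
    }
    elsif ($line =~ /^\w+\s+\d+/) {                 # Linux syslog
        ($month, $day, $time) = $line =~ /^(\w+)\s+(\d+)\s+(\d+:\d+:\d+).*/;
        $year = (localtime)[5] + 1900;              # prefix carries no year
    }
    else {
        ($month, $day, $year, $time) = $line =~ /\w+ (\w+) (\d+) (\d+) (..:..:..): %(?:PIX|ASA)/;
    }
    print "$count;$day$month$year;$time;";
    #
    # Attempt to determine the PIX origin. PIX 6.3 and later can aggregate
    # logs from multiple PIX's, tagging each message as
    # "HH:MM:SS: <host> : %PIX-..."; without a tag the origin is "pix".
    # The host may not contain ';' (the output column separator).
    #
    my $orig = 'pix';
    if ($line =~ /\d+:\d+:\d+: ([^\s;]+) : %(?:PIX|ASA)/) {
        $orig = $1;
    }
    print "$orig;";
    return;
}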
1;