Contributed by jose on from the integrated-security dept.
"I know there are quite a few XML tutorials on O'Reilly and excellent man pages for pf logging, but I am wondering if anyone has written some tool to convert (offline or as a separate process) PF logs to XML? Would such work be useful? If combined with Snort's XML then we can have a smarter look at security events. It shouldn't be too hard to write a pflog reader which outputs XML (possibly sending it to another system for alerting). Has anyone done this? Many companies are promising the definitive correlation engine/intrusion prevention, and I want to know if it is time for an open source initiative? In other words:
I need your tips on what to do after I finished analyzing snort's XML :)"
By Anonymous Coward () on
http://www.sigmasoft.com/~openbsd/archive/openbsd-tech/200211/msg00173.html
Be sure to read the follow-ups.
Comments
By Anonymous Coward () on
It is simply writing a tool/script/whatever to read PF logs and create an XML log that can be parsed and displayed.
Big difference. :)
By Anonymous Coward () on
Since we can use tcpdump on pflog0, this may be the more general task of piping tcpdump to a perl script and doing a while(){} loop. At least that's what I originally was thinking.
Comments
By Petr R. () on
By Anonymous Coward () on
Comments
By Anonymous Coward () on
1. CheckPoint is trying to push their SmartDefense technology.
2. Symantec with ManHunt.
I know there are a few others, google for it. It is mostly hype, and sending RST, and I am not sure how deep the analysis goes.
One very interesting project is the Emerald project; this is more of a correlation engine that tries to eliminate false positives and beyond.
It is developed by Stanford Research Institute: http://www.sdl.sri.com/projects/emerald/project.html
By paul weissmann () on
www is at http://logreport.org/lire/ .
I think it'd be better if someone with time and knowledge would write a pf-backend for this engine, so a lot of duplicate work could be saved.
Comments
By Anonymous Coward () on
what do you think?
Comments
By paul weissmann () on
But I think support for pf in lire would be worthwhile and a good start imho.
By Can Erkin Acar () on
Comments
By Anonymous Coward () on
Comments
By Can Erkin Acar () on
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Comments
By Anonymous Coward () on
I'll have to download it and see how much they got done.
By Anonymous Coward () on
Comments
By Anonymous Coward () on
http://www.faqs.org/rfcs/rfc3252.html
By djm () on
Comments
By Anonymous Coward () on
By jose () on http://monkey.org/~jose/
I wrote pf2xml for this ... this is more a PoC version at this point, but it's at http://monkey.org/~jose/software/pf2xml/pf2xml-0.1 ... a C version should be easy to whip up and remove the hackish dependencies on the right combination of tcpdump flags ... I hope you find it useful, feel free to provide patches and run xmllint on it ...
Comments
By jose () on http://monkey.org/~jose/
Now to code a version in C.
Comments
By Anonymous Coward () on
By djm () on
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
It will provide a standard format for logging from different devices/apps, so one will be able to correlate what actually happened between his IDS, FW, VPN and AV.
How do you currently analyze (if you even analyze it) your pf logs?
Sure, you could grep and awk for the things you want, but do you think making the data more accessible is worth anything to you?
If you have scripts in place that do this, then please share :)
Comments
By djm () on
> how do you currently analyze (if you even analyze it) your pf logs?
Like I said, using "tcpdump -r" and filters. Within seconds, I can determine how many packets are blocked from a specific host, or to a specific port.
How do you do that with XML? Just by changing formats, you have to reengineer your most basic tools.
> it will provide for a standard format for logging from different device/apps
No it won't. XML isn't some magical format that automatically provides interoperability. Applications need to be taught the schema like any other format. What standard packet format do you propose which retains pf's annotations? RFC3252? :)
> so one will be able to correlate what actually happened between his IDS, FW, VPN, AV
At the end of the day, you will still be correlating on common data (timestamps, packet headers), so the format makes no difference here.
Comments
By Anonymous Coward () on
Why do I need to teach PF the XML API?!
pf will continue to work the same way, or in any way Daniel thinks is best.
I don't propose to change PF's logging format. I am proposing offline, or separate, processing of the pflogs to XML.
Why? Because I wrote something to process snort's XML logs, and I want to combine it with pf and/or netfilter logs. The goal is a library that allows developers to do something like this:
    IDSXMLLOG sLog;
    sLog.open("MyXMLLog");
    Event* p = sLog.GetEvent(15);
    if (p->GetIP() == Something)
        call_func_x();
I am not saying this can't be done with awk or perl or sed or whatever. I am saying this is quite some work to be able to combine the data.
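An added example, not jose's pf2xml or any code from this thread: a reader for the tcpdump-style pflog lines that does the "pipe tcpdump into a loop" job proposed above, emitting one XML event per packet, and answering djm's "how many packets blocked from a host" question from the same parse. The sample lines and the exact line layout (`tcpdump -n -e -ttt -r /var/log/pflog`) are assumptions; the text tcpdump prints varies between OpenBSD releases, so adjust the regex to your version.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of `tcpdump -n -e -ttt -r /var/log/pflog`
# output (assumed layout; real output differs between OpenBSD releases).
SAMPLE_PFLOG = """\
Nov 12 10:11:42.123456 rule 3/(match) block in on fxp0: 203.0.113.7.40123 > 192.0.2.10.22: S 1:1(0) win 65535
Nov 12 10:11:43.001002 rule 3/(match) block in on fxp0: 203.0.113.7.40124 > 192.0.2.10.23: S 2:2(0) win 65535
Nov 12 10:11:44.500000 rule 7/(match) pass out on fxp0: 192.0.2.10.51000 > 198.51.100.5.53: udp 40
Nov 12 10:11:45.250000 rule 3/(match) block in on fxp0: 198.51.100.9 > 192.0.2.10: icmp: echo request
"""

# IPv4 addresses are matched as four octets so a trailing ".port" is not
# mistaken for part of the address (ICMP lines carry no port at all).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\S* "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifn>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict of pf annotations and packet header fields, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest")
    # tcpdump prints the protocol name for udp/icmp; tcp lines show flags.
    ev["proto"] = "udp" if rest.startswith("udp") else "icmp" if rest.startswith("icmp") else "tcp"
    return ev

def pflog_to_xml(text):
    """Convert pflog text to an XML document with one <event> per packet."""
    root = ET.Element("pflog")
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines in a layout this regex does not know
        ET.SubElement(root, "event", {k: v for k, v in ev.items() if v is not None})
    return ET.tostring(root, encoding="unicode")

def blocked_by_source(text):
    """The 'tcpdump -r plus filter' answer: blocked packets per source host."""
    counts = Counter(ev["src"] for ev in map(parse_line, text.splitlines())
                     if ev and ev["action"] == "block")
    return dict(counts)
```

Both functions share the parse, which is the point raised later in the thread: whatever the output format, correlation still keys on the timestamps and header fields the parser pulls out.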
By Anonymous Coward () on
PS. unfortunately my code is not available as it's proprietary, custom written, (and *(&^&^$% ugly, but functional) and I'm not at liberty to disclose it.
Comments
By Anonymous Coward () on
Why not use a DB? Because when I started, there was already ACID, which did a good job with Snort DB tables. There were none that I am aware of to parse pf and import the data into a DB, and because I want to minimize the number of apps involved. That is why what I wrote was standalone.
I am going to use jose's script and hopefully soon I'll release the PF XML logs parser and GUI viewer.
By Paul Hirsch () paul wants no spam at voltagenoir dot org on
That is the genius of using tcpdumps as logs: any old program that can process the format has full access to the entire capture, just like it was picked off the wire.