;===============================================================================
;
; Filtering script for the Windows firewall log file pfirewall.log
;
; The same technique shown here can also be used to process the data in a
; server log from Apache or IIS (Microsoft Internet Information Server);
; you will simply extract fields with different names. The similar style
; of the W3C log file format and pfirewall.log is hardly a coincidence!
;
; This script was designed for use with the Parse-O-Matic Power Tool
;
;===============================================================================
;
; Obviously this script can be greatly enhanced to allow for selective
; filtering of various kinds. You could make this capability convenient
; to use by setting up the option boxes in the Config section, but this
; technique is not shown in this basic demo script.
;
; During a test here at Pinnacle, using a 2.5 GHz computer, the
; unaltered script took about 45 seconds to churn through a 4-megabyte
; log file, outputting 2105 lines it considered "interesting".
;
;===============================================================================
; Main Step
;===============================================================================
; Ignore null lines and comments
;-------------------------------------------------------------------------------
If $Data = '' Done
If $Data[1] = '#' Done
;-------------------------------------------------------------------------------
; Parse out the fields (space-delimited, in the order given by the #Fields
; header of pfirewall.log; Path keeps whatever remains at the end of the line)
;-------------------------------------------------------------------------------
Date = Parse $Data '' ' ' 'Cut'
Time = Parse $Data '' ' ' 'Cut'
Action = Parse $Data '' ' ' 'Cut'
Protocol = Parse $Data '' ' ' 'Cut'
SrcIP = Parse $Data '' ' ' 'Cut'
DstIP = Parse $Data '' ' ' 'Cut'
SrcPort = Parse $Data '' ' ' 'Cut'
DstPort = Parse $Data '' ' ' 'Cut'
Size = Parse $Data '' ' ' 'Cut'
TCPFlags = Parse $Data '' ' ' 'Cut'
TCPSyn = Parse $Data '' ' ' 'Cut'
TCPAck = Parse $Data '' ' ' 'Cut'
TCPWin = Parse $Data '' ' ' 'Cut'
ICMPType = Parse $Data '' ' ' 'Cut'
ICMPCode = Parse $Data '' ' ' 'Cut'
Info = Parse $Data '' ' ' 'Cut'
Path = $Data
;-------------------------------------------------------------------------------
; Ignore anything on Port 80 (http)
;-------------------------------------------------------------------------------
If SrcPort = 80 Done
If DstPort = 80 Done
;-------------------------------------------------------------------------------
; Look for signs that something interesting is happening: concatenate the nine
; trailing fields, and if every one of them is '-' the line is routine, so skip it
;-------------------------------------------------------------------------------
Test = Size TCPFlags TCPSyn TCPAck TCPWin ICMPType ICMPCode Info Path
If Test = '---------' Done
;-------------------------------------------------------------------------------
; Output
;-------------------------------------------------------------------------------
OutCSV '' 'Init'
OutCSV Date
OutCSV Time
OutCSV Action
OutCSV Protocol
OutCSV SrcIP
OutCSV DstIP
OutCSV SrcPort
OutCSV DstPort
Call MaybeNull Size
Call MaybeNull TCPFlags
Call MaybeNull TCPSyn
Call MaybeNull TCPAck
Call MaybeNull TCPWin
Call MaybeNull ICMPType
Call MaybeNull ICMPCode
Call MaybeNull Info
Call MaybeNull Path
OutCSV '' 'Done'
Done
;===============================================================================
; Procedures
;===============================================================================
Procedure MaybeNull
If MaybeNull = '-' OutCSV ''
Otherwise OutCSV MaybeNull
End
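The same filter written in Python, as an added example that is not part of the original script or of Parse-O-Matic: it splits each record on the field order from the `#Fields` header, skips comments and port 80 traffic, drops lines whose nine trailing fields are all `-`, and writes CSV with `-` turned into an empty cell. The sample log lines are constructed, not real traffic, and the padding of short records with `-` is an assumption for logs that lack the trailing `path` field.

```python
import csv
import io

# Field order of pfirewall.log, as declared in its "#Fields:" header line.
FIELDS = ["date", "time", "action", "protocol", "src-ip", "dst-ip",
          "src-port", "dst-port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path"]
# The nine trailing fields that are all '-' on a routine line.
OPTIONAL = FIELDS[8:]

def parse_line(line):
    """Split one record into a dict; return None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ", len(FIELDS) - 1)   # 'path' keeps any remaining text
    # Assumption: a record with fewer fields (no 'path' column) is padded with '-'.
    parts += ["-"] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))

def is_interesting(rec):
    """Mirror the script: drop port 80 traffic and lines whose trailing fields are all '-'."""
    if rec["src-port"] == "80" or rec["dst-port"] == "80":
        return False
    return any(rec[f] != "-" for f in OPTIONAL)

def filter_log(text):
    """Return the interesting records as CSV text, emitting '-' as an empty cell."""
    out = io.StringIO()
    writer = csv.writer(out)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_interesting(rec):
            continue
        writer.writerow([rec[f] for f in FIELDS[:8]] +
                        ["" if rec[f] == "-" else rec[f] for f in OPTIONAL])
    return out.getvalue()

# Constructed sample log in pfirewall.log layout (addresses from documentation ranges).
SAMPLE = """#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-01 10:00:00 ALLOW TCP 192.0.2.10 198.51.100.5 51234 80 - - - - - - - - SEND
2024-01-01 10:00:01 DROP TCP 198.51.100.77 192.0.2.10 44321 3389 52 S 1234567 0 8192 - - - RECEIVE
2024-01-01 10:00:02 ALLOW UDP 192.0.2.10 192.0.2.1 53412 53 - - - - - - - - -
2024-01-01 10:00:03 DROP ICMP 198.51.100.77 192.0.2.10 - - 84 - - - - 8 0 - RECEIVE
"""

if __name__ == "__main__":
    print(filter_log(SAMPLE), end="")
```

Only the two DROP records survive: the port 80 line and the UDP line with nothing but `-` in its trailing fields are discarded exactly as the script does.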