  1. #!/usr/bin/perl
  2. #
  3. # Parse pflog (values will be inserted to PGSQL soon)
  4. #
  5. # TODO:
  6. #
  7. # 4) Get data in database table(s)
  8.  
  9.  
use strict;
use warnings;
use DBI;
use CGI ();
use HTML::Template ();
use Time::ParseDate;
use Time::Local qw( timelocal_nocheck );
  16.  
  17. our ($db_name, $db_host, $db_user, $db_pass, $log);
  18. require "/etc/pflog/pf.conf";
  19.  
  20. ##### WTF???????
  21. #my $dbh = DBI->connect("DBI:Pg:dbname=$db_name, host=localhost, user=$db_user, password=$db_pass", {'RaiseError' => 1});
  22.  
  23. $dbh->{AutoCommit} = 0;
  24. my $existing = check_existing();
  25.  
  26.  
  27. my $insert_stmt = "insert into log (date, rulenum, action, direction, interface, proto, src_host, src_port, dst_host, dst_port, id) values (?,?,?,?,?,?,?,?,?,?,NULL)";
  28. my $sth = $dbh->prepare($insert_stmt);
  29. my $rules = get_rules();
  30. my @new_regex;
  31. my $count;
  32.  
  33. unless (-f $log) { die "Can't open file: $!"; }
  34.  
  35. open (LOGFILE, "$log") || die "LOLWAT?";
  36. while(<LOGFILE>) {
  37. chomp;
  38. my $parseResult = $_;
  39. my ($date, $direction, $action, $interface, $src_host, $src_port, $dst_host, $dst_port, $proto, $rulenum);
  40. SWITCH: {
  41. if ($parseResult =~ /(\w+ * \d+ \d+:.\d:.\d+) \d+.\d+.\d+.\d+\/\d+.\d+.\d+.\d+ +.* rule (\d+)\/\d+\(match\): (\w+) (\w+) \w+ (\w+): +.* proto (TCP|UDP) +.* (\d+.\d+.\d+.\d+).(\d+) > (\d+.\d+.\d+.\d+).(\d+)+.* /){
  42. my ($date1) = ($1);
  43. my $time1 = parsedate($date1);
  44. ($date, $rulenum, $action, $direction, $interface, $proto, $src_host, $src_port, $dst_host, $dst_port) = ($time1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
  45. #print "$date, $rulenum, $action, $direction, $interface, $proto, $src_host, $src_port, $dst_host, $dst_port\n";
  46. $sth->execute($date, $rulenum, $action, $direction, $interface, $proto, $src_host, $src_port, $dst_host, $dst_port);
  47. last SWITCH;
  48. }
  49. if ($parseResult =~ /(\w+ * \d+ \d+:.\d:.\d+) \d+.\d+.\d+.\d+\/\d+.\d+.\d+.\d+ +.* rule (\d+)\/\d+\(match\): (\w+) (\w+) \w+ (\w+): +.* proto (\w+) +.* (\d+.\d+.\d+.\d+) > (\d+.\d+.\d+.\d+): /){
  50. my ($date1) = ($1);
  51. my $time1 = parsedate($date1);
  52. ($date, $rulenum, $action, $direction, $interface, $proto, $src_host, $src_port, $dst_host, $dst_port) = ($time1, $2, $3, $4, $5, $6, $7, "NULL", $8, "NULL");
  53. #print "$date $proto $src_host $src_port $dst_host $dst_port $rulenum $action $direction $interface\n";
  54. $sth->execute($date, $rulenum, $action, $direction, $interface, $proto, $src_host, $src_port, $dst_host, $dst_port);
  55. last SWITCH;
  56. }
  57. if ($parseResult =~ /(\w+ * \d+ \d+:.\d:.\d+) \d+.\d+.\d+.\d+\/\d+.\d+.\d+.\d+ +.* proto (TCP|UDP|ICMP) +.* (\d+.\d+.\d+.\d+).(\d+) > (\d+.\d+.\d+.\d+).(\d+)+.* /){
  58. my ($date1) = ($1);
  59. my $time1 = parsedate($date1);
  60. ($date, $proto, $src_host, $src_port, $dst_host, $dst_port, $rulenum, $action, $direction, $interface) = ($time1, $2, $3, $4, $5, $6, "NULL", "NULL", "NULL", "NULL");
  61.  
  62. $sth->execute($date, $rulenum, $action, $direction, $interface, $proto, $src_host, $src_port, $dst_host, $dst_port);
  63. last SWITCH;
  64. }
  65. else
  66. {
  67. last SWITCH;
  68. }
  69. }
  70. $dbh->commit;
  71. };
  72. close(LOGFILE);
  73.  
  74. sub check_existing {
  75. my $select = "select date, rulenum, src_host from log";
  76. my $sth = $dbh->prepare($select);
  77. $sth->execute || die $dbh->stderr;
  78. my %existing;
  79. while (my $result = ($sth->fetchrow_hashref)) {
  80. my $timestamp = $result->{'date'} . " " . $result->{'src_host'};
  81. $existing{$timestamp} = 1;
  82. }
  83. return \%existing;
  84. }
  85.  
  86. sub insert_table {
  87. my ($date, $direction, $action, $interface, $src_host, $src_port, $dst_host, $dst_port, $proto, $rulenum) = @_;
  88. my @timestamp = localtime(time);
  89. $date =~ /^(\w+) (\d+) (\d+)\:(\d+)\:(\d+)$/;
  90. my ($month, $mday, $hour, $min, $sec, $year) = ($1, $2, $3, $4, $5, $timestamp[5]);
  91. my %months = qw( Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug 7 Sep 8 Oct 9 Nov 10 Dec 11 );
  92. my $epoch = timelocal_nocheck($sec, $min, $hour, $mday, $months{$month}, $year);
  93. unless ($existing->{"$epoch"}) {
  94. $sth->execute($date, $direction, $action, $interface, $src_host, $src_port, $dst_host, $dst_port, $proto, $rules->{$rulenum});
  95. }
  96. return;
  97. }
  98. ########## Write a cron to pull or push the rules <--------- TODO!
  99. sub get_rules {
  100. my %rules;
  101. open(RULES, "/bin/cat /var/log/pflog/rules.txt | grep -E \"^@\" |");
  102. while (<RULES>) {
  103. chomp;
  104. /\@(\d+) (\w+.*)/;
  105. my ($index, $text) = ($1, $2);
  106. $text =~ s/\</\</g;
  107. $text =~ s/\>/\>/g;
  108. $rules{$index} = $text;
  109. }
  110. close(RULES);
  111. return \%rules;
  112. }