root/psad/tags/psad-2.0.2-pre4/nf2csv.1

Revision 1811, 4.7 kB (checked in by mbr, 2 years ago)

added low TTL value example

.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH NF2CSV 8 "Jun, 2006" Linux
.SH NAME
.B nf2csv
\- iptables to CSV data
.SH SYNOPSIS
.B nf2csv [options]
.SH DESCRIPTION
.B nf2csv
parses iptables log messages and generates comma-separated value (CSV) formatted data.
This is useful to provide input to the
.B AfterGlow
project (see http://afterglow.sourceforge.net) so iptables logs can be visualized
graphically.  An interesting application of
.B nf2csv
and
.B AfterGlow
is to parse and visualize the iptables logfiles made available by the Honeynet
project in their Scan of the Month challenges.  The Scan30 and Scan34 challenges
(see http://www.honeynet.org/scans/scan30/ and http://www.honeynet.org/scans/scan34/)
contain extensive iptables logfiles, and some graphical representations of these
can be viewed here: http://www.cipherdyne.org/psad/honeynet/.
The
.B psad
program also has the ability to generate CSV data from iptables logs with its
.I --CSV
mode.
.SH OPTIONS
.TP
.BR \-f "\fR,\fP " \-\^\-fields\ \<tokens>
Specify the set of fields that should be printed from iptables log messages. The
most common usage of this argument is
.B "SRC DST DPT"
to print the source and destination IP addresses, followed by the destination port
number.  Available fields to print include: SRC, SPT, DST, DPT, PROTO, LEN, IN, TOS, TTL,
SEQ, ID, TYPE, CODE (and these can also be referred to as src, dst, sp, dp, proto, ip_len,
intf, tos, and ttl).  There are several additional fields that are not given specific
tags within iptables log messages, and these can be included by specifying one of
the following: flags, tcp_opts, ip_opts, chain, log_prefix, frag_bit, src_mac,
dst_mac, and udp_len.  Each field may also carry a search criterion, appended to
the field name after a colon, in the form of a numeric comparison (e.g. ttl:<10),
a string match (e.g. dp:3127), or an IP match against an address or subnet
(e.g. src:11.11.11.0/24); a log message is printed only if every criterion matches.
See the EXAMPLES section below for more information.
.TP
.BR \-u "\fR,\fP " \-\^\-unique-lines
Only print unique output lines.  This can drastically reduce the output of
.B nf2csv
depending on the characteristics of the iptables logfile that is being parsed.
.TP
.BR \-m "\fR,\fP " \-\^\-max-lines\ \<num>
Specify the maximum number of output lines
.B nf2csv
will generate.  This is useful for providing a limited set of data to AfterGlow
in order to make visualizations more clear and less cluttered.
.TP
.BR \-r "\fR,\fP " \-\^\-regex\ \<regex>
Specify a regular expression that must match against the entire iptables log message
in order for it to be included within the CSV output.  This allows log messages to
be included in the output with all of the flexibility of regular expressions, and
because the match is made against the whole message rather than a single field it
can express conditions (such as "this address appears as either source or destination")
that a per-field search criterion cannot.
See the EXAMPLES section below for more information.
.TP
.BR \-n "\fR,\fP " \-\^\-neg-regex\ \<regex>
Specify a regular expression that must not match against the iptables log message
in order for it to be included within the CSV output.  This allows log messages to
be excluded from the output with all of the flexibility of regular expressions.
See the EXAMPLES section below for more information.
.TP
.BR \-s "\fR,\fP " \-\^\-start-line\ \<line>
Specify the starting line where
.B nf2csv
begins to process iptables log data.  If you are processing a huge file with
thousands of iptables log messages this option can be useful to parse a specific
chunk of this data.  Also see the
.I --end-line
option below.
.TP
.BR \-e "\fR,\fP " \-\^\-end-line\ \<line>
Specify the last line of iptables log data that
.B nf2csv
will parse.
.SH EXAMPLES
The following examples illustrate the command line arguments that could
be supplied to
.B nf2csv
in a few situations:
.PP
Print source and destination IP addresses and the destination port number:
.PP
.B $ nf2csv -f "src dst dp"
.PP
Same as above, but now require that the source IP come from the 11.11.11.0/24 subnet:
.PP
.B $ nf2csv -f "src:11.11.11.0/24 dst dp"
.PP
Display likely instances of the MyDoom worm (its backdoor listens on port 3127):
.PP
.B $ nf2csv -f "src dst dp:3127"
.PP
Display packets that have low TTL values (fewer than 10 hops remaining):
.PP
.B $ nf2csv -f "src dst ttl:<10"
.PP
Display all traffic to or from the host 11.11.11.67 (because the regular expression
is matched against the whole log message, this sets up an OR condition between the
src and dst fields):
.PP
.B $ nf2csv -f "src dst dp" -r 11.11.11.67
.PP
Display likely instances of Windows Messenger popup spam attempts (note the use of
the --regex argument to require a source port of at least four digits and a UDP
length field of 400 to 999 bytes; the destination port, which is 1026 for these
popups, is included in the output so that it can be checked):
.PP
.B $ nf2csv -f "src dst dp" -r "SPT=\d{4}.*LEN=[4-9]\d{2}"
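.PP
The following program is an added example, not part of nf2csv or psad (which are
written in Perl): it reimplements in Python the behaviour described in the OPTIONS
and EXAMPLES sections, namely field tokens with colon-separated search criteria
(numeric comparison, exact string, CIDR match), --regex / --neg-regex, --unique-lines,
--max-lines and --start-line / --end-line, run over a constructed iptables log.  The
log lines, the "<chain> <verdict>" log-prefix convention used to derive the chain
field, and the MAC/flag/LEN handling are assumptions of this example; tcp_opts and
ip_opts are not implemented.

```python
"""Minimal nf2csv-style converter: iptables log lines -> CSV rows.

Added example, not nf2csv's own code.  It mirrors the field tokens, search
criteria and filter options described in the nf2csv man page.
"""
import ipaddress
import operator
import re

# Constructed sample log lines for this example; not real traffic.
SAMPLE_LOG = """\
Jun 10 12:00:01 fw kernel: INPUT DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=11.11.11.67 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1234 DF PROTO=TCP SPT=3456 DPT=3127 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:02 fw kernel: INPUT DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=11.11.11.20 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=5 ID=4321 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 12:00:03 fw kernel: INPUT DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.1.9 DST=10.0.0.5 LEN=520 TOS=0x00 PREC=0x00 TTL=64 ID=999 PROTO=UDP SPT=1234 DPT=1026 LEN=500
Jun 10 12:00:04 fw kernel: INPUT DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=11.11.11.67 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1235 DF PROTO=TCP SPT=3457 DPT=3127 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:05 fw sshd[123]: Accepted publickey for admin from 10.0.0.9 port 5000 ssh2
"""

# Short aliases accepted by --fields, mapped to the iptables KEY=VALUE tags.
ALIASES = {
    "src": "SRC", "dst": "DST", "sp": "SPT", "dp": "DPT", "proto": "PROTO",
    "ip_len": "LEN", "intf": "IN", "tos": "TOS", "ttl": "TTL",
}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAGS_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")
FRAG_RE = re.compile(r"\b(DF|MF)\b")
# Log prefix sits between "kernel:" (plus optional "[ ts]") and "IN=".
PREFIX_RE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(.*?)\s*IN=")
CMP = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
CRIT_RE = re.compile(r"^(<=|>=|<|>)?(.+)$")


def parse_line(line):
    """Return tagged fields (SRC, DPT, ...) plus the untagged ones (flags, chain, ...)."""
    fields, lens = {}, []
    for key, val in KV_RE.findall(line):
        if key == "LEN":      # LEN appears twice for UDP: IP length, then UDP length
            lens.append(val)
        elif key not in fields:
            fields[key] = val
    if lens:
        fields["LEN"] = lens[0]
        if len(lens) > 1:
            fields["udp_len"] = lens[1]
    octets = fields.pop("MAC", "").split(":")
    if len(octets) >= 12:     # destination MAC, source MAC, then the ethertype
        fields["dst_mac"] = ":".join(octets[0:6])
        fields["src_mac"] = ":".join(octets[6:12])
    scan = re.sub(r"MAC=\S*", "", line)   # hex MAC bytes must not look like DF/MF
    flags = FLAGS_RE.findall(scan)
    if flags:
        fields["flags"] = " ".join(flags)
    frag = FRAG_RE.findall(scan)
    if frag:
        fields["frag_bit"] = " ".join(frag)
    m = PREFIX_RE.search(line)
    if m and m.group(1):
        fields["log_prefix"] = m.group(1)
        # Assumption of this example: prefixes look like "<chain> <verdict>".
        fields["chain"] = m.group(1).split()[0]
    return fields


def matches(value, crit):
    """One search criterion: numeric comparison, CIDR/IP match, or exact string."""
    if crit is None:
        return True
    if value is None:         # field absent from this log message
        return False
    op, target = CRIT_RE.match(crit).groups()
    if op:
        try:
            return CMP[op](int(value), int(target))
        except ValueError:
            return False
    if "/" in target:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(target, strict=False)
        except ValueError:
            return False
    return value == target


def nf2csv(log_text, fields, regex=None, neg_regex=None, unique=False,
           max_lines=None, start_line=None, end_line=None):
    """Emit CSV rows for the requested field tokens, honouring the filter options."""
    specs = []
    for token in fields.split():
        name, _, crit = token.partition(":")     # e.g. "src:11.11.11.0/24"
        specs.append((ALIASES.get(name, name), crit or None))
    rx = re.compile(regex) if regex else None
    nrx = re.compile(neg_regex) if neg_regex else None
    rows, seen = [], set()
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if start_line and lineno < start_line:
            continue
        if end_line and lineno > end_line:
            break
        if "IN=" not in line or "OUT=" not in line:   # not an iptables log message
            continue
        if rx and not rx.search(line):                # --regex: whole message must match
            continue
        if nrx and nrx.search(line):                  # --neg-regex: must not match
            continue
        parsed, values = parse_line(line), []
        for name, crit in specs:
            val = parsed.get(name)
            if not matches(val, crit):
                break
            values.append("" if val is None else val)
        else:
            row = ",".join(values)
            if unique:
                if row in seen:
                    continue
                seen.add(row)
            rows.append(row)
            if max_lines and len(rows) >= max_lines:
                break
    return rows


if __name__ == "__main__":
    for row in nf2csv(SAMPLE_LOG, "src dst dp", unique=True):
        print(row)
```

Field criteria are ANDed across the token list, while --regex is applied to the whole
message before field extraction, which is why the 11.11.11.67 example above needs the
regex rather than two src/dst criteria.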
.SH "SEE ALSO"
.BR psad (8)
.SH AUTHOR
Michael Rash <mbr@cipherdyne.org>
.SH BUGS
Send bug reports to mbr@cipherdyne.org.  Suggestions and/or comments are
always welcome as well.
.SH DISTRIBUTION
.B nf2csv
is distributed with the psad project (http://www.cipherdyne.org/psad/)
under the GNU General Public License (GPL), and the latest
version may be downloaded from
.B http://www.cipherdyne.org/