/* fiwali.flex - flex scanner to analyze iptables-firewall output Copyright (C) 2003 Michael Besteck This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. The author can be contacted by email to info@cydro.de Copyright (C) 2003 Michael Besteck, info@cydro.de */ /* To build: 1. flex -8 fiwali.flex 2. gcc -o fiwali lex.yy.c Allgemeine Funktionsweise: Untersucht Eingabezeilen auf Ausgaben von iptables-Firewall, ermittelt den Namen des Hosts, von dem geblockte Pakete stammen und gibt diese Informationen formatiert aus. Scans input lines for iptables-firewall output, gets literal name of source host and outputs formatted information Usage: a) get (past) information stored in /var/log/messages 1. get online 2. "sudo cat /var/log/messages | fiwali" 3. end with [Ctrl]-[C] b) get "run-time" information while online 1. get online 2. "sudo tail -n1 -f /var/log/messages | fiwali" 3. 
end with [Ctrl]-[C] Details: http://www.cydro.de/cydro/TechInfo/LinuxOnGericom.html */ %{ /* VARIABLES */ #include #include int nrports=779; char * ports[779][2] = { "Reserved()", "0", "TCP Port Service Multiplexer(tcpmux)", "1", "Management Utility(compressne)", "2", "Compression Process(compressne)", "3", "Unassigned()", "4", "Remote Job Entry(rje)", "5", "Unassigned()", "6", "Echo(echo)", "7", "Unassigned()", "8", "Discard(discard)", "9", "Unassigned()", "10", "Active Users(systa)", "11", "Unassigned()", "12", "Daytime(daytime)", "13", "Unassigned()", "14", "Unassigned [was netstat]()", "15", "Unassigned()", "16", "Quote of the Day(qotd)", "17", "Message Send Protocol(msp)", "18", "Character Generator(chargen)", "19", "File Transfer [Default Data](ftp-data)", "20", "File Transfer [Control](ftp)", "21", "Unassigned()", "22", "Telnet(telne)", "23", "any private mail system()", "24", "Simple Mail Transfer(smtp)", "25", "Unassigned()", "26", "NSW User System FE(nsw-fe)", "27", "Unassigned()", "28", "MSG ICP(msg-icp)", "29", "Unassigned()", "30", "MSG Authentication(msg-auth)", "31", "Unassigned()", "32", "Display Support Protocol(dsp)", "33", "Unassigned()", "34", "any private printer server()", "35", "Unassigned()", "36", "Time(time)", "37", "Route Access Protocol(rap)", "38", "Resource Location Protocol(rlp)", "39", "Unassigned()", "40", "Graphics(graphics)", "41", "Host Name Server(nameserver)", "42", "Who Is(nicname)", "43", "MPM FLAGS Protocol(mpm-flags)", "44", "Message Processing Module [recv](mpm)", "45", "MPM [default send](mpm-snd)", "46", "NI FTP(ni-ftp)", "47", "Digital Audit Daemon(auditd)", "48", "Login Host Protocol(login)", "49", "Remote Mail Checking Protocol(re-mail-ck)", "50", "IMP Logical Address Maintenance(la-main)", "51", "XNS Time Protocol(xns-time)", "52", "Domain Name Server(domain)", "53", "XNS Clearinghouse(xns-ch)", "54", "ISI Graphics Language(isi-gl)", "55", "XNS Authentication(xns-auth)", "56", "any private terminal access()", "57", 
"XNS Mail(xns-mail)", "58", "any private file service()", "59", "Unassigned()", "60", "NI MAIL(ni-mail)", "61", "ACA Services(acas)", "62", "Unassigned()", "63", "Communications Integrator (CI)(covia)", "64", "TACACS-Database Service(tacacs-ds)", "65", "Oracle SQL*NET(sql*ne)", "66", "Bootstrap Protocol Server(bootps)", "67", "Bootstrap Protocol Client(bootpc)", "68", "Trivial File Transfer(tftp)", "69", "Gopher(gopher)", "70", "Remote Job Service(netrjs-1)", "71", "Remote Job Service(netrjs-2)", "72", "Remote Job Service(netrjs-3)", "73", "Remote Job Service(netrjs-4)", "74", "any private dial out service()", "75", "Distributed External Object Store(deos)", "76", "any private RJE service()", "77", "vettcp(vettcp)", "78", "Finger(finger)", "79", "World Wide Web HTTP(www-http)", "80", "HOSTS2 Name Server(hosts2-ns)", "81", "XFER Utility(xfer)", "82", "MIT ML Device(mit-ml-dev)", "83", "Common Trace Facility(ctf)", "84", "MIT ML Device(mit-ml-dev)", "85", "Micro Focus Cobol(mfcobol)", "86", "any private terminal link()", "87", "Kerberos(kerberos)", "88", "SU/MIT Telnet Gateway(su-mit-tg)", "89", "DNSIX Securit Attribute Token Map(dnsix)", "90", "MIT Dover Spooler(mit-dov)", "91", "Network Printing Protocol(npp)", "92", "Device Control Protocol(dcp)", "93", "Tivoli Object Dispatcher(objcall)", "94", "SUPDUP(supdup)", "95", "DIXIE Protocol Specification(dixie)", "96", "Swift Remote Vitural File Protocol(swift-rvf)", "97", "TAC News(tacnews)", "98", "Metagram Relay(metagram)", "99", "[unauthorized use](newacc)", "100", "NIC Host Name Server(hostname)", "101", "ISO-TSAP(iso-tsap)", "102", "Genesis Point-to-Point Trans Net(gppitnp)", "103", "ACR-NEMA Digital Imag. & Comm. 
300(acr-nema)", "104", "Mailbox Name Nameserver(csnet-ns)", "105", "3COM-TSMUX(3com-tsmux)", "106", "Remote Telnet Service(rtelne)", "107", "SNA Gateway Access Server(snagas)", "108", "Post Office Protocol - Version 2(pop2)", "109", "Post Office Protocol - Version 3(pop3)", "110", "SUN Remote Procedure Call(sunrpc)", "111", "McIDAS Data Transmission Protocol(mcidas)", "112", "Authentication Service(auth)", "113", "Audio News Multicast(audionews)", "114", "Simple File Transfer Protocol(sftp)", "115", "ANSA REX Notify(ansanotify)", "116", "UUCP Path Service(uucp-path)", "117", "SQL Services(sqlserv)", "118", "Network News Transfer Protocol(nntp)", "119", "CFDPTKT(cfdptk)", "120", "Encore Expedited Remote Pro.Call(erpc)", "121", "SMAKYNET(smakyne)", "122", "Network Time Protocol(ntp)", "123", "ANSA REX Trader(ansatrader)", "124", "Locus PC-Interface Net Map Ser(locus-map)", "125", "Unisys Unitary Login(unitary)", "126", "Locus PC-Interface Conn Server(locus-con)", "127", "GSS X License Verification(gss-xlicen)", "128", "Password Generator Protocol(pwdgen)", "129", "cisco FNATIVE(cisco-fna)", "130", "cisco TNATIVE(cisco-tna)", "131", "cisco SYSMAINT(cisco-sys)", "132", "Statistics Service(statsrv)", "133", "INGRES-NET Service(ingres-ne)", "134", "Location Service(loc-srv)", "135", "PROFILE Naming System(profile)", "136", "NETBIOS Name Service(netbios-ns)", "137", "NETBIOS Datagram Service(netbios-dgm)", "138", "NETBIOS Session Service(netbios-ssn)", "139", "EMFIS Data Service(emfis-data)", "140", "EMFIS Control Service(emfis-cntl)", "141", "Britton-Lee IDM(bl-idm)", "142", "Interim Mail Access Protocol v2(imap2)", "143", "NewS(news)", "144", "UAAC Protocol(uaac)", "145", "ISO-IP0(iso-tp0)", "146", "ISO-IP(iso-ip)", "147", "CRONUS-SUPPORT(cronus)", "148", "AED 512 Emulation Service(aed-512)", "149", "SQL-NET(sql-ne)", "150", "HEMS(hems)", "151", "Background File Transfer Program(bftp)", "152", "SGMP(sgmp)", "153", "NETSC(netsc-prod)", "154", "NETSC(netsc-dev)", "155", 
"SQL Service(sqlsrv)", "156", "KNET/VM Command/Message Protocol(knet-cmp)", "157", "PCMail Server(pcmail-srv)", "158", "NSS-Routing(nss-routing)", "159", "SGMP-TRAPS(sgmp-traps)", "160", "SNMP(snmp)", "161", "SNMPTRAP(snmptrap)", "162", "CMIP/TCP Manager(cmip-man)", "163", "CMIP/TCP Agent(cmip-agen)", "164", "Xerox(xns-courier)", "165", "Sirius Systems(s-ne)", "166", "NAMP(namp)", "167", "RSVD(rsvd)", "168", "SEND(send)", "169", "Network PostScript(print-srv)", "170", "Network Innovations Multiplex(multiplex)", "171", "Network Innovations CL/1(cl/1)", "172", "Xyplex(xyplex-mux)", "173", "MAILQ(mailq)", "174", "VMNET(vmne)", "175", "GENRAD-MUX(genrad-mux)", "176", "X Display Manager Control Protocol(xdmcp)", "177", "NextStep Window Server(nextstep)", "178", "Border Gateway Protocol(bgp)", "179", "Intergraph(ris)", "180", "Unify(unify)", "181", "Unisys Audit SITP(audi)", "182", "OCBinder(ocbinder)", "183", "OCServer(ocserver)", "184", "Remote-KIS(remote-kis)", "185", "KIS Protocol(kis)", "186", "Application Communication Interface(aci)", "187", "Plus Five\'s MUMPS(mumps)", "188", "Queued File Transport(qf)", "189", "Gateway Access Control Protocol(gacp)", "190", "Prospero Directory Service(prospero)", "191", "OSU Network Monitoring System(osu-nms)", "192", "Spider Remote Monitoring Protocol(srmp)", "193", "Internet Relay Chat Protocol(irc)", "194", "DNSIX Network Level Module Audit(dn6-nlm-aud)", "195", "DNSIX Session Mgt Module Audit Redir(dn6-smm-red)", "196", "Directory Location Service(dls)", "197", "Directory Location Service Monitor(dls-mon)", "198", "SMUX(smux)", "199", "IBM System Resource Controller(src)", "200", "AppleTalk Routing Maintenance(at-rtmp)", "201", "AppleTalk Name Binding(at-nbp)", "202", "AppleTalk Unused(at-3)", "203", "AppleTalk Echo(at-echo)", "204", "AppleTalk Unused(at-5)", "205", "AppleTalk Zone Information(at-zis)", "206", "AppleTalk Unused(at-7)", "207", "AppleTalk Unused(at-8)", "208", "Trivial Authenticated Mail Protocol(tam)", "209", 
"ANSI Z39.50(z39.50)", "210", "Texas Instruments 914C/G Terminal(914c/g)", "211", "ATEXSSTR(ane)", "212", "IPX(ipx)", "213", "VM PWSCS(vmpwscs)", "214", "Insignia Solutions(softpc)", "215", "Access Technology License Server(atls)", "216", "dBASE Unix(dbase)", "217", "Netix Message Posting Protocol(mpp)", "218", "Unisys ARPs(uarps)", "219", "Interactive Mail Access Protocol v3(imap3)", "220", "Berkeley rlogind with SPX auth(fln-spx)", "221", "Berkeley rshd with SPX auth(rsh-spx)", "222", "Certificate Distribution Center(cdc)", "223", "Unassigned()", "242", "Survey Measurement(sur-meas)", "243", "Unassigned()", "244", "LINK(link)", "245", "Display Systems Protocol(dsp3270)", "246", "Prospero Data Access Protocol(pdap)", "344", "Perf Analysis Workbench(pawserv)", "345", "Zebra server(zserv)", "346", "Fatmen Server(fatserv)", "347", "Cabletron Management Protocol(csi-sgwp)", "348", "Clearcase(clearcase)", "371", "Unix Listserv(ulistserv)", "372", "Legent Corporation(legent-1)", "373", "Legent Corporation(legent-2)", "374", "Hassle(hassle)", "375", "Amiga Envoy Network Inquiry Proto(nip)", "376", "NEC Corporation(tnETOS)", "377", "NEC Corporation(dsETOS)", "378", "TIA/EIA/IS-99 modem client(is99c)", "379", "TIA/EIA/IS-99 modem server(is99s)", "380", "hp performance data collector(hp-collector)", "381", "hp performance data managed node(hp-managed-node)", "382", "hp performance data alarm manager(hp-alarm-mgr)", "383", "A Remote Network Server System(arns)", "384", "IBM Application(ibm-app)", "385", "IBM Application(ibm-app)", "385", "ASA Message Router Object Def.(asa)", "386", "Appletalk Update-Based Routing Pro.(aurp)", "387", "Unidata LDM Version 4(unidata-ldm)", "388", "Lightweight Directory Access Protocol(ldap)", "389", "UIS(uis)", "390", "SynOptics SNMP Relay Port(synotics-relay)", "391", "SynOptics Port Broker Port(synotics-broker)", "392", "Data Interpretation System(dis)", "393", "EMBL Nucleic Data Transfer(embl-nd)", "394", "NETscout Control Protocol(netcp)", 
"395", "Novell Netware over IP(netware-ip)", "396", "Multi Protocol Trans. Net.(mptn)", "397", "Kryptolan(kryptolan)", "398", "Unassigned()", "399", "Workstation Solutions(work-sol)", "400", "Uninterruptible Power Supply(ups)", "401", "Genie Protocol(genie)", "402", "decap(decap)", "403", "nced(nced)", "404", "ncld(ncld)", "405", "Interactive Mail Support Protocol(imsp)", "406", "Timbuktu(timbuktu)", "407", "Prospero Resource Manager Sys. Man.(prm-sm)", "408", "Prospero Resource Manager Node Man.(prm-nm)", "409", "DECLadebug Remote Debug Protocol(decladebug)", "410", "Remote MT Protocol(rm)", "411", "Trap Convention Port(synoptics-trap)", "412", "SMSP(smsp)", "413", "InfoSeek(infoseek)", "414", "BNet(bne)", "415", "Silverplatter(silverplatter)", "416", "Onmux(onmux)", "417", "Hyper-G(hyper-g)", "418", "Ariel(ariel1)", "419", "SMPTE(smpte)", "420", "Ariel(ariel2)", "421", "Ariel(ariel3)", "422", "IBM Operations Planning and Control Start(opc-job-star)", "423", "IBM Operations Planning and Control Track(opc-job-track)", "424", "ICAD(icad-el)", "425", "smartsdp(smartsdp)", "426", "Server Location(svrloc)", "427", "OCS_CMU(ocs_cmu)", "428", "OCS_AMU(ocs_amu)", "429", "UTMPSD(utmpsd)", "430", "UTMPCD(utmpcd)", "431", "IASD(iasd)", "432", "NNSP(nnsp)", "433", "MobileIP-Agent(mobileip-agen)", "434", "MobilIP-MN(mobilip-mn)", "435", "DNA-CML(dna-cml)", "436", "comscm(comscm)", "437", "dsfgw(dsfgw)", "438", "dasp Thomas Obermair(dasp)", "439", "sgcp(sgcp)", "440", "decvms-sysmgt(decvms-sysmg)", "441", "cvc_hostd(cvc_hostd)", "442", "https MCom(https)", "443", "Simple Network Paging Protocol(snpp)", "444", "Microsoft-DS(microsoft-ds)", "445", "DDM-RDB(ddm-rdb)", "446", "DDM-RFM(ddm-dfm)", "447", "DDM-BYTE(ddm-byte)", "448", "AS Server Mapper(as-servermap)", "449", "TServer(tserver)", "450", "remote process execution;(exec)", "512", "remote login a la telnet;(login)", "513", "like exec, but automatic(cmd)", "514", "spooler(printer)", "515", "Unassigned()", "516", "like tenex 
link, but across(talk)", "517", "(ntalk)", "518", "unixtime(utime)", "519", "extended file name server(efs)", "520", "imeserver(timed)", "525", "newdate(tempo)", "526", "rpc(courier)", "530", "chat(conference)", "531", "readnews(netnews)", "532", "for emergency broadcasts(netwall)", "533", "Apertus Technologies Load Determination(apertus-ldp)", "539", "uucpd(uucp)", "540", "uucp-rlogin Stuart Lynne(uucp-rlogin)", "541", "Unassigned()", "542", "(klogin)", "543", "krcmd(kshell)", "544", "new-who(new-rwho)", "550", "(dsf)", "555", "rfs server(remotefs)", "556", "rmonitord(rmonitor)", "560", "(monitor)", "561", "chcmd(chshell)", "562", "Unassigned()", "563", "plan 9 file service(9pfs)", "564", "whoami(whoami)", "565", "demon(meter)", "570", "udemon(meter)", "571", "Sun IPC server(ipcserver)", "600", "nqs(nqs)", "607", "Cray Unified Resource Manager(urm)", "606", "Sender-Initiated/Unsolicited File Transfer(sift-uf)", "608", "npmp-trap(npmp-trap)", "609", "npmp-local(npmp-local)", "610", "npmp-gui(npmp-gui)", "611", "ginad(ginad)", "634", "(mdqs)", "666", "doom Id Software(doom)", "666", "doom Id Software(doom)", "666", "errlog copy/server daemon(elcsd)", "704", "EntrustManager(entrustmanager)", "709", "IBM NetView DM/6000 Server/Client(netviewdm1)", "729", "IBM NetView DM/6000 send/tcp(netviewdm2)", "730", "IBM NetView DM/6000 send/tcp(netviewdm3)", "731", "netGW(netgw)", "741", "Network based Rev. Cont. 
Sys.(netrcs)", "742", "Flexible License Manager(flexlm)", "744", "Fujitsu Device Control(fujitsu-dev)", "747", "Russell Info Sci Calendar Manager(ris-cm)", "748", "kerberos administration(kerberos-adm)", "749", "(rfile)", "750", "(pump)", "751", "(qrh)", "752", "(rrh)", "753", "send(tell)", "754", "(nlogin)", "758", "(con)", "759", "(ns)", "760", "(rxe)", "761", "(quotad)", "762", "(cycleserv)", "763", "(omserv)", "764", "(webster)", "765", "phone(phonebook)", "767", "(vid)", "769", "(cadlock)", "770", "(rtip)", "771", "(cycleserv2)", "772", "(submi)", "773", "(rpasswd)", "774", "(entomb)", "775", "(wpages)", "776", "(wpgs)", "780", "Concert(concer)", "786", "(mdbs_daemon)", "800", "(device)", "801", "Central Point Software(xtreelic)", "996", "(maitrd)", "997", "(busboy)", "998", "(garcon)", "999", "(puprouter)", "999", "(cadlock)", "1000", "Reserved()", "1023", "Reserved()", "1024", "network blackjack(blackjack)", "1025", "BBN IAD(iad1)", "1030", "BBN IAD(iad2)", "1031", "BBN IAD(iad3)", "1032", "Installation Bootstrap Proto. Serv.(instl_boots)", "1067", "Installation Bootstrap Proto. 
Cli.(instl_bootc)", "1068", "Socks(socks)", "1080", "Anasoft License Manager(ansoft-lm-1)", "1083", "Anasoft License Manager(ansoft-lm-2)", "1084", "Network File Access(nfa)", "1155", "SNI R&D network(nerv)", "1222", "(hermes)", "1248", "Alta Analytics License Manager(alta-ana-lm)", "1346", "multi media conferencing(bbn-mmc)", "1347", "multi media conferencing(bbn-mmx)", "1348", "Registration Network Protocol(sbook)", "1349", "Registration Network Protocol(editbench)", "1350", "Digital Tool Works (MIT)(equationbuilder)", "1351", "Lotus Note(lotusnote)", "1352", "Relief Consulting(relief)", "1353", "RightBrain Software(rightbrain)", "1354", "Intuitive Edge(intuitive edge)", "1355", "CuillaMartin Company(cuillamartin)", "1356", "Electronic PegBoard(pegboard)", "1357", "CONNLCLI(connlcli)", "1358", "FTSRV(ftsrv)", "1359", "MIMER(mimer)", "1360", "LinX(linx)", "1361", "TimeFlies(timeflies)", "1362", "Network DataMover Requester(ndm-requester)", "1363", "Network DataMover Server(ndm-server)", "1364", "Network Software Associates(adapt-sna)", "1365", "Novell NetWare Comm Service Platform(netware-csp)", "1366", "DCS(dcs)", "1367", "ScreenCast(screencas)", "1368", "GlobalView to Unix Shell(gv-us)", "1369", "Unix Shell to GlobalView(us-gv)", "1370", "Fujitsu Config Protocol(fc-cli)", "1371", "Fujitsu Config Protocol(fc-ser)", "1372", "Chromagrafx(chromagrafx)", "1373", "EPI Software Systems(molly)", "1374", "Bytex(bytex)", "1375", "IBM Person to Person Software(ibm-pps)", "1376", "Cichlid License Manager(cichlid)", "1377", "Elan License Manager(elan)", "1378", "Integrity Solutions(dbreporter)", "1379", "Telesis Network License Manager(telesis-licman)", "1380", "Apple Network License Manager(apple-licman)", "1381", "(udt_os)", "1382", "GW Hannaway Network License Manager(gwha)", "1383", "Objective Solutions License Manager(os-licman)", "1384", "Atex Publishing License Manager(atex_elmd)", "1385", "CheckSum License Manager(checksum)", "1386", "Computer Aided Design Software 
Inc LM(cadsi-lm)", "1387", "Objective Solutions DataBase Cache(objective-dbc)", "1388", "Document Manager(iclpv-dm)", "1389", "Storage Controller(iclpv-sc)", "1390", "Storage Access Server(iclpv-sas)", "1391", "Print Manager(iclpv-pm)", "1392", "Network Log Server(iclpv-nls)", "1393", "Network Log Client(iclpv-nlc)", "1394", "PC Workstation Manager software(iclpv-wsm)", "1395", "DVL Active Mail(dvl-activemail)", "1396", "Audio Active Mail(audio-activmail)", "1397", "Video Active Mail(video-activmail)", "1398", "Cadkey License Manager(cadkey-licman)", "1399", "Cadkey Tablet Daemon(cadkey-table)", "1400", "Goldleaf License Manager(goldleaf-licman)", "1401", "Prospero Resource Manager(prm-sm-np)", "1402", "Prospero Resource Manager(prm-nm-np)", "1403", "Infinite Graphics License Manager(igi-lm)", "1404", "IBM Remote Execution Starter(ibm-res)", "1405", "NetLabs License Manager(netlabs-lm)", "1406", "DBSA License Manager(dbsa-lm)", "1407", "Sophia License Manager(sophia-lm)", "1408", "Here License Manager(here-lm)", "1409", "HiQ License Manager(hiq)", "1410", "AudioFile(af)", "1411", "InnoSys(innosys)", "1412", "Innosys-ACL(innosys-acl)", "1413", "IBM MQSeries(ibm-mqseries)", "1414", "DBStar(dbstar)", "1415", "Novell LU6.2(novell-lu6.2)", "1416", "Timbuktu Service 1 Port(timbuktu-srv1)", "1417", "Timbuktu Service 1 Port(timbuktu-srv1)", "1417", "Timbuktu Service 2 Port(timbuktu-srv2)", "1418", "Timbuktu Service 3 Port(timbuktu-srv3)", "1419", "Timbuktu Service 4 Port(timbuktu-srv4)", "1420", "Gandalf License Manager(gandalf-lm)", "1421", "Autodesk License Manager(autodesk-lm)", "1422", "Essbase Arbor Software(essbase)", "1423", "Hybrid Encryption Protocol(hybrid)", "1424", "Zion Software License Manager(zion-lm)", "1425", "Satellite-data Acquisition System 1(sas-1)", "1426", "mloadd monitoring tool(mloadd)", "1427", "Informatik License Manager(informatik-lm)", "1428", "Hypercom NMS(nms)", "1429", "Hypercom TPDU(tpdu)", "1430", "Reverse Gosip Transport(rgtp)", "1431", 
"Blueberry Software License Manager(blueberry-lm)", "1432", "Microsoft-SQL-Server(ms-sql-s)", "1433", "Microsoft-SQL-Monitor(ms-sql-m)", "1434", "IBM CISC(ibm-cics)", "1435", "Satellite-data Acquisition System 2(sas-2)", "1436", "Tabula(tabula)", "1437", "Eicon Security Agent/Server(eicon-server)", "1438", "Eicon X25/SNA Gateway(eicon-x25)", "1439", "Eicon Service Location Protocol(eicon-slp)", "1440", "Cadis License Management(cadis-1)", "1441", "Cadis License Management(cadis-2)", "1442", "Integrated Engineering Software(ies-lm)", "1443", "Marcam License Management(marcam-lm)", "1444", "Proxima License Manager(proxima-lm)", "1445", "Optical Research Associates License Manager(ora-lm)", "1446", "Applied Parallel Research LM(apri-lm)", "1447", "OpenConnect License Manager(oc-lm)", "1448", "PEport(pepor)", "1449", "Tandem Distributed Workbench Facility(dwf)", "1450", "IBM Information Management(infoman)", "1451", "GTE Government Systems License Man(gtegsc-lm)", "1452", "Genie License Manager(genie-lm)", "1453", "interHDL License Manager(interhdl_elmd)", "1454", "interHDL License Manager(interhdl_elmd)", "1454", "ESL License Manager(esl-lm)", "1455", "DCA(dca)", "1456", "Valisys License Manager(valisys-lm)", "1457", "Nichols Research Corp.(nrcabq-lm)", "1458", "Proshare Notebook Application(proshare1)", "1459", "Proshare Notebook Application(proshare2)", "1460", "IBM Wireless LAN(ibm_wrless_lan)", "1461", "World License Manager(world-lm)", "1462", "Nucleus(nucleus)", "1463", "MSL License Manager(msl_lmd)", "1464", "Pipes Platform(pipes)", "1465", "Ocean Software License Manager(oceansoft-lm)", "1466", "CSDMBASE(csdmbase)", "1467", "CSDM(csdm)", "1468", "Active Analysis Limited License Manager(aal-lm)", "1469", "Universal Analytics(uaiac)", "1470", "csdmbase(csdmbase)", "1471", "csdm(csdm)", "1472", "OpenMath(openmath)", "1473", "Telefinder(telefinder)", "1474", "Taligent License Manager(taligent-lm)", "1475", "clvm-cfg(clvm-cfg)", "1476", 
"ms-sna-server(ms-sna-server)", "1477", "ms-sna-base(ms-sna-base)", "1478", "dberegister(dberegister)", "1479", "PacerForum(pacerforum)", "1480", "AIRS(airs)", "1481", "Miteksys License Manager(miteksys-lm)", "1482", "AFS License Manager(afs)", "1483", "Confluent License Manager(confluen)", "1484", "LANSource(lansource)", "1485", "nms_topo_serv(nms_topo_serv)", "1486", "LocalInfoSrvr(localinfosrvr)", "1487", "DocStor(docstor)", "1488", "dmdocbroker(dmdocbroker)", "1489", "insitu-conf(insitu-conf)", "1490", "anynetgateway(anynetgateway)", "1491", "stone-design-1(stone-design-1)", "1492", "netmap_lm(netmap_lm)", "1493", "ica(ica)", "1494", "cvc(cvc)", "1495", "liberty-lm(liberty-lm)", "1496", "rfx-lm(rfx-lm)", "1497", "Watcom-SQL(watcom-sql)", "1498", "Federico Heinz Consultora(fhc)", "1499", "VLSI License Manager(vlsi-lm)", "1500", "Satellite-data Acquisition System 3(sas-3)", "1501", "Shiva(shivadiscovery)", "1502", "Databeam(imtc-mcs)", "1503", "EVB Software Engineering License Manager(evb-elm)", "1504", "Funk Software, Inc.(funkproxy)", "1505", "ingres(ingreslock)", "1524", "oracle(orasrv)", "1525", "Prospero Directory Service non-priv(prospero-np)", "1525", "Prospero Data Access Prot non-priv(pdap-np)", "1526", "oracle(tlisrv)", "1527", "oracle(coauthor)", "1529", "(issd)", "1600", "(nkd)", "1650", "proshare conf audio(proshareaudio)", "1651", "proshare conf video(prosharevideo)", "1652", "proshare conf data(prosharedata)", "1653", "proshare conf request(prosharereques)", "1654", "proshare conf notify(prosharenotify)", "1655", "netview-aix-1(netview-aix-1)", "1661", "netview-aix-2(netview-aix-2)", "1662", "netview-aix-3(netview-aix-3)", "1663", "netview-aix-4(netview-aix-4)", "1664", "netview-aix-5(netview-aix-5)", "1665", "netview-aix-6(netview-aix-6)", "1666", "cisco license management(licensedaemon)", "1986", "cisco RSRB Priority 1 port(tr-rsrb-p1)", "1987", "cisco RSRB Priority 2 port(tr-rsrb-p2)", "1988", "cisco RSRB Priority 3 port(tr-rsrb-p3)", "1989", 
"MHSnet system(mshne)", "1989", "cisco STUN Priority 1 port(stun-p1)", "1990", "cisco STUN Priority 2 port(stun-p2)", "1991", "cisco STUN Priority 3 port(stun-p3)", "1992", "IPsendmsg(ipsendmsg)", "1992", "cisco SNMP TCP port(snmp-tcp-por)", "1993", "cisco serial tunnel port(stun-por)", "1994", "cisco perf port(perf-por)", "1995", "cisco Remote SRB port(tr-rsrb-por)", "1996", "cisco Gateway Discovery Protocol(gdp-por)", "1997", "cisco X.25 service (XOT)(x25-svc-por)", "1998", "cisco identification port(tcp-id-por)", "1999", "(callbook)", "2000", "(dc)", "2001", "(globe)", "2002", "(mailbox)", "2004", "(berkne)", "2005", "(invokator)", "2006", "(dectalk)", "2007", "(conf)", "2008", "(news)", "2009", "(search)", "2010", "raid(raid-cc)", "2011", "(ttyinfo)", "2012", "(raid-am)", "2013", "(troff)", "2014", "(cypress)", "2015", "(bootserver)", "2016", "(cypress-sta)", "2017", "(terminaldb)", "2018", "(whosockami)", "2019", "(xinupageserver)", "2020", "(servexec)", "2021", "(down)", "2022", "(xinuexpansion3)", "2023", "(xinuexpansion4)", "2024", "(ellpack)", "2025", "(scrabble)", "2026", "(shadowserver)", "2027", "(submitserver)", "2028", "(device2)", "2030", "(blackboard)", "2032", "(glogger)", "2033", "(scoremgr)", "2034", "(imsldoc)", "2035", "(objectmanager)", "2038", "(lam)", "2040", "(interbase)", "2041", "(isis)", "2042", "(isis-bcas)", "2043", "(rimsl)", "2044", "(cdfunc)", "2045", "(sdfunc)", "2046", "(dls)", "2047", "(dls-monitor)", "2048", "(shilp)", "2049", "Data Link Switch Read Port Number(dlsrpn)", "2065", "Data Link Switch Write Port Number(dlswpn)", "2067", "Advanced Training System Program(ats)", "2201", "Resource Tracking system server(rtsserv)", "2500", "Resource Tracking system client(rtsclien)", "2501", "HP 3000 NS/VT block mode telnet(hp-3000-telne)", "2564", "world wide web - development(www-dev)", "2784", "(NSWS)", "3049", "cc:mail/lotus(ccmail)", "3264", "DEC Notes(dec-notes)", "3333", "MAPPER network node manager(mapper-nodemgr)", "3984", 
"MAPPER TCP/IP server(mapper-mapethd)", "3985", "MAPPER workstation server(mapper-ws_ethd)", "3986", "Bull Apprise portmapper(bmap)", "3421", "Unidata UDT OS(udt_os)", "3900", "NUTS Daemon(nuts_dem)", "4132", "NUTS Bootp Server(nuts_bootp)", "4133", "UNICALL(unicall)", "4343", "KRB524(krb524)", "4444", "remote file access server(rfa)", "4672", "(commplex-main)", "5000", "(commplex-link)", "5001", "radio free ethernet(rfe)", "5002", "TelepathStart(telelpathstar)", "5010", "TelepathAttack(telelpathattack)", "5011", "multimedia conference control tool(mmcc)", "5050", "(rmonitor_secure)", "5145", "America-Online(aol)", "5190", "(padl2sim)", "5236", "HA cluster heartbeat(hacl-hb)", "5300", "HA cluster general services(hacl-gs)", "5301", "HA cluster configuration(hacl-cfg)", "5302", "HA cluster probing(hacl-probe)", "5303", "(hacl-local)", "5304", "(hacl-tes)", "5305", "X Window System(x11)", "6000", "X Window System(x11)", "6001", "X Window System(x11)", "6002", "X Window System(x11)", "6003", "X Window System(x11)", "6004", "X Window System(x11)", "6005", "X Window System(x11)", "6006", "X Window System(x11)", "6007", "X Window System(x11)", "6008", "X Window System(x11)", "6009", "X Window System(x11)", "6010", "X Window System(x11)", "6011", "X Window System(x11)", "6012", "X Window System(x11)", "6013", "X Window System(x11)", "6014", "X Window System(x11)", "6015", "X Window System(x11)", "6016", "X Window System(x11)", "6017", "X Window System(x11)", "6018", "X Window System(x11)", "6019", "X Window System(x11)", "6020", "X Window System(x11)", "6021", "X Window System(x11)", "6022", "X Window System(x11)", "6023", "X Window System(x11)", "6024", "X Window System(x11)", "6025", "X Window System(x11)", "6026", "X Window System(x11)", "6027", "X Window System(x11)", "6028", "X Window System(x11)", "6029", "X Window System(x11)", "6030", "X Window System(x11)", "6031", "X Window System(x11)", "6032", "X Window System(x11)", "6033", "X Window System(x11)", "6034", "X 
Window System(x11)", "6035", "X Window System(x11)", "6036", "X Window System(x11)", "6037", "X Window System(x11)", "6038", "X Window System(x11)", "6039", "X Window System(x11)", "6040", "X Window System(x11)", "6041", "X Window System(x11)", "6042", "X Window System(x11)", "6043", "X Window System(x11)", "6044", "X Window System(x11)", "6045", "X Window System(x11)", "6046", "X Window System(x11)", "6047", "X Window System(x11)", "6048", "X Window System(x11)", "6049", "X Window System(x11)", "6050", "X Window System(x11)", "6051", "X Window System(x11)", "6052", "X Window System(x11)", "6053", "X Window System(x11)", "6054", "X Window System(x11)", "6055", "X Window System(x11)", "6056", "X Window System(x11)", "6057", "X Window System(x11)", "6058", "X Window System(x11)", "6059", "X Window System(x11)", "6060", "X Window System(x11)", "6061", "X Window System(x11)", "6062", "X Window System(x11)", "6063", "HP SoftBench Sub-Process Control(sub-process)", "6111", "Meta Corporation License Manager(meta-corp)", "6141", "Aspen Technology License Manager(aspentec-lm)", "6142", "Watershed License Manager(watershed-lm)", "6143", "StatSci License Manager - 1(statsci1-lm)", "6144", "StatSci License Manager - 2(statsci2-lm)", "6145", "Lone Wolf Systems License Manager(lonewolf-lm)", "6146", "Montage License Manager(montage-lm)", "6147", "(xdsxdm)", "6558", "file server itself(afs3-fileserver)", "7000", "callbacks to cache managers(afs3-callback)", "7001", "users & groups database(afs3-prserver)", "7002", "volume location database(afs3-vlserver)", "7003", "AFS/Kerberos authentication service(afs3-kaserver)", "7004", "volume managment server(afs3-volser)", "7005", "error interpretation service(afs3-errors)", "7006", "basic overseer process(afs3-bos)", "7007", "server-to-server updater(afs3-update)", "7008", "remote cache manager service(afs3-rmtsys)", "7009", "onlinet uninterruptable power supplies(ups-online)", "7010", "X Font Service(font-service)", "7100", "FODMS 
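FLIP(fodms)", "7200", "(man)", "9535", "(isode-dua)", "17007" };

/* Fields extracted from the current firewall log line.  Every copy into these
 * buffers goes through set_field(), which truncates instead of overrunning. */
char hint[0x100];        /* log text between " kernel: " and ":IN=" */
char logtime[0x100];     /* HH:MM:SS taken from the syslog timestamp */
char proto[0x100];       /* PROTO= value */
char dport[0x100];       /* DPT= value (decimal string) */
char sport[0x100];       /* SPT= value (decimal string) */
char srcip[0x100];       /* SRC= value as found in the log line */
static const int ml = 31;   /* label column width for formatted output */
int foundFIWALI = 0;        /* flag: the current line is an iptables log line */
long nrBlocks = 0;          /* count of blocked packets seen (for extension) */
%}

%option noyywrap
%pointer

FIWA_LINE ^.*" SRC=".*"DST=".*"PROTO="*$
TIME " "[[:digit:]]{2}":"[[:digit:]]{2}":"[[:digit:]]{2}" "
LOG_HINT_PREFIX " kernel: "
LOG_HINT .*
LOG_HINT_POSTFIX ":IN="
SRC_PREFIX " SRC="
SRC [^ ]*
SRC_POSTFIX " "
PROTO_PREFIX " PROTO="
PROTO [[:alpha:]]+
PROTO_POSTFIX " "
SPORT_PREFIX " SPT="
SPORT [[:digit:]]+
SPORT_POSTFIX " "
DPORT_PREFIX " DPT="
DPORT [[:digit:]]+
DPORT_POSTFIX " "

%{
/* CODE */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Copy len bytes of src into dst (capacity cap bytes), always NUL-terminating
 * and truncating rather than writing past the end of dst.  The scanner
 * patterns (.*, [^ ]*, [[:digit:]]+ ...) are unbounded, so the field buffers
 * above must never trust yyleng. */
static void set_field(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap) {
        len = cap - 1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Print the banner shown before scanning starts. */
void hello(void)
{
    printf("\n=== fiwali firewall watcher (iptables) ===\n");
    printf("For details see source fiwali.flex\n");
    printf("or http://www.cydro.de/cydro/TechInfo/LinuxOnGericom.html\n");
    printf("typical usage: \"tail -n1 -f /var/log/messages | fiwali\"\n");
    printf("Copyright (C) 2003 Michael Besteck, info@cydro.de\n");
    printf("License: Gnu public license\n");
    printf("Waiting for input on stdin, end with [Ctrl]-[C]\n");
}

/* Print the blocked-packet count once stdin is exhausted (for extension only).
 * nrBlocks is a long, so the conversion must be %ld ("%ul" printed the value
 * as unsigned int followed by a literal 'l'). */
void summary(void)
{
    printf("=== SUMMARY: Nr.of blocked packets: %ld ===\n", nrBlocks);
}

/* Print s padded with blanks to ml characters; longer labels are printed
 * unpadded.
 * NOTE(review): the loop body of the original was unreadable in the source
 * copy; it is reconstructed from the surrounding code (d = ml - strlen(s)). */
void printml(const char *s)
{
    size_t len = strlen(s);
    printf("%s", s);
    for (size_t i = len; i < (size_t)ml; i++) {
        putchar(' ');
    }
}

/* Look up the textual description of a port given as a decimal string.
 * Returns a malloc'd string the caller frees; "-not assigned-" when the port
 * is out of 0..0xffff or not in the table.
 * The table is (nearly) sorted by port number and an entry's index never
 * exceeds its port number, so scanning downward from index min(port, last)
 * until the port numbers drop below the target visits every candidate.
 * NOTE(review): the head of this function was unreadable in the source copy
 * and is reconstructed from the visible tail (psearch/idx0/px/desc). */
char *portdescr(const char *s)
{
    char *desc = NULL;
    char *end = NULL;
    /* strtol instead of atoi: an overlong digit string reports ERANGE instead
     * of overflowing into an arbitrary int */
    errno = 0;
    long psearch = strtol(s, &end, 10);
    if (end == s || errno == ERANGE || psearch < 0 || psearch > 0xffff) {
        return strdup("-not assigned-");
    }
    int idx0 = (int)psearch;
    if (idx0 >= nrports) {
        idx0 = nrports - 1;
    }
    int px = 0x10000;
    while (idx0 >= 0 && px >= psearch) {
        px = atoi(ports[idx0][1]);
        if (px == psearch) {
            /* several entries may share a port: the lowest-index one wins,
             * as before, but the earlier strdup() is no longer leaked */
            free(desc);
            desc = strdup(ports[idx0][0]);
        }
        --idx0;
    }
    return desc != NULL ? desc : strdup("-not assigned-");
}

/* Print the log text captured between " kernel: " and ":IN=". */
void prDetails(void)
{
    printml("Block details:");
    printf("%s\n", hint);
}

/* Print the timestamp of the log line. */
void prTime(void)
{
    printml("Time:");
    printf("%s\n", logtime);
}

/* Print the PROTO= value. */
void prProto(void)
{
    printml("Protocol:");
    printf("%s\n", proto);
}

/* Print the remote (source) port with its description. */
void prSport(void)
{
    char *desc = portdescr(sport);
    printml("Source port on remote host:");
    printf("%s, %s\n", sport, desc);
    free(desc);
}

/* Print the local (destination) port with its description. */
void prDport(void)
{
    char *desc = portdescr(dport);
    printml("Destination port on localhost:");
    printf("%s, %s\n", dport, desc);
    free(desc);
}

/* True when s is non-empty and consists only of the characters an IPv4 or
 * IPv6 literal can contain (hex digits, '.', ':'). */
static int looks_like_address(const char *s)
{
    if (*s == '\0') {
        return 0;
    }
    for (; *s != '\0'; s++) {
        if (!(isxdigit((unsigned char)*s) || *s == '.' || *s == ':')) {
            return 0;
        }
    }
    return 1;
}

/* Run "/usr/bin/host <ip>" with an explicit argv and no shell; the child's
 * output goes to our stdout.  Waits for the child before returning. */
static void run_host(const char *ip)
{
    fflush(stdout);             /* our text must appear before the child's */
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return;
    }
    if (pid == 0) {
        char *const argv[] = { "/usr/bin/host", (char *)ip, NULL };
        execv(argv[0], argv);
        perror("/usr/bin/host"); /* only reached when exec failed */
        _exit(127);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR) {
        /* interrupted by a signal: wait again */
    }
}

/* Print the source address and, when it looks like an IP literal, resolve it
 * with /usr/bin/host.  The value comes straight from a log line, and anything
 * that can write to syslog can put " SRC=<text>" there, so it is never handed
 * to a shell: the address is checked against the IP character set and then
 * passed to host(1) as a single argv element. */
void prSrc(void)
{
    printml("Source IP-address:");
    printf("%s\n", srcip);
    printf("Source host:\n");
    if (looks_like_address(srcip)) {
        run_host(srcip);
    } else {
        printf("-not resolved (unexpected characters in address)-\n");
    }
}

/* Reset all per-line fields to the empty string. */
void clear(void)
{
    hint[0] = logtime[0] = proto[0] = dport[0] = sport[0] = srcip[0] = '\0';
}
%}

%%
{FIWA_LINE} {
    /* An iptables log line: announce it, then REJECT so the field rules
     * below get to scan the same text. */
    printf("\n======== FIREWALL BLOCK PACKET ========\n");
    foundFIWALI = 1;
    printf("\a");
    REJECT;
}
{LOG_HINT_PREFIX}{LOG_HINT}{LOG_HINT_POSTFIX} {
    /* 9 = strlen(" kernel: "), 4 = strlen(":IN=") */
    if (foundFIWALI) {
        ++nrBlocks;
        set_field(hint, sizeof hint, yytext + 9, (size_t)yyleng - 9 - 4);
    }
}
. { /* anything else is skipped */ }
{TIME} {
    /* drop the blank on either side of HH:MM:SS */
    if (foundFIWALI) {
        set_field(logtime, sizeof logtime, yytext + 1, (size_t)yyleng - 2);
    }
}
{PROTO_PREFIX}{PROTO}/{PROTO_POSTFIX} {
    /* 7 = strlen(" PROTO=") */
    if (foundFIWALI) {
        set_field(proto, sizeof proto, yytext + 7, (size_t)yyleng - 7);
    }
}
{DPORT_PREFIX}{DPORT}/{DPORT_POSTFIX} {
    /* 5 = strlen(" DPT=") */
    if (foundFIWALI) {
        set_field(dport, sizeof dport, yytext + 5, (size_t)yyleng - 5);
    }
}
{SPORT_PREFIX}{SPORT}/{SPORT_POSTFIX} {
    /* 5 = strlen(" SPT=") */
    if (foundFIWALI) {
        set_field(sport, sizeof sport, yytext + 5, (size_t)yyleng - 5);
    }
}
{SRC_PREFIX}{SRC}/{SRC_POSTFIX} {
    /* 5 = strlen(" SRC=") */
    if (foundFIWALI) {
        set_field(srcip, sizeof srcip, yytext + 5, (size_t)yyleng - 5);
    }
}
\n {
    /* end of a firewall line: report everything collected, then reset */
    if (foundFIWALI) {
        prTime();
        prDetails();
        prProto();
        prDport();
        prSport();
        prSrc();
        clear();
        foundFIWALI = 0;
    }
}
%%

/* Entry point: banner, scan stdin until EOF, then the summary. */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    hello();
    foundFIWALI = 0;
    clear();
    yylex();
    summary();
    return 0;
}
/* eof */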