CISCO FWSM parser (draft)
#!/usr/bin/env python3
#
# cisco-fwsm-parser.py
#
# Copyright (C) 2015 - Francesco Frassinelli
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import ipaddress # requires python >= 3.3
import datetime
# Sample FWSM syslog lines used as the draft's fixtures, one per message
# code the parser below understands (410001, 106023, 313004).
# NOTE(review): these look like real, routable addresses copied from a
# production log; published samples are better served by the RFC 5737
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
lines = [
"""Feb 3 02:23:54 10.253.1.9 : %FWSM-4-410001: Dropped UDP DNS reply from ese_outside:81.4.122.140/53 to ese_dmz1:159.213.62.238/27518; packet length 607 bytes exceeds configured limit of 512 bytes""",
"""Feb 3 02:25:38 10.253.1.9 : %FWSM-4-106023: Deny udp src ese_outside:71.6.216.52/41887 dst ese_dmz1:159.213.62.237/5351 by access-group "outside_in" [0x0, 0x0]""",
"""Feb 3 02:25:49 10.253.1.9 : %FWSM-4-313004: Denied ICMP type=3, from laddr 172.16.1.252 on interface ese_dmz1 to 10.1.6.116: no matching session""",
]
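def parseLocation(location):
    """Split an FWSM ``interface:address[/port]`` token.

    Returns ``(interface, address, port)`` where ``address`` is an
    ``ipaddress`` object and ``port`` an int, or None when the token
    carries no ``/port`` part.  The interface name is cut at the first
    ``:`` and the port at the last ``/`` so IPv6 literals, which contain
    colons themselves, parse too.  A malformed address or port raises
    ValueError (from ``ipaddress.ip_address``/``int``) instead of being
    passed through, so garbage in a log line fails closed.
    """
    interface, _, address = location.partition(':')
    host, slash, port = address.rpartition('/')
    if not slash:
        # No port component in this token.
        return interface, ipaddress.ip_address(address), None
    return interface, ipaddress.ip_address(host), int(port)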
def code106023(fields):
    """Parse the tail of a %FWSM-4-106023 "Deny <proto>" message.

    ``fields`` is the message split on spaces after the leading
    ``Deny <proto>`` words, e.g.
    ``src IF:A/P dst IF:B/Q by access-group "NAME" [0x0, 0x0]``.
    Tokens are read by position: fields[1] and fields[3] go through
    parseLocation, fields[6] is the quoted access-group name (quotes
    stripped).  The trailing bracketed hex pair is not kept.  Returns a
    dict with src*/dst* keys plus ``group``; a message of another shape
    raises ValueError or IndexError.
    """
    src_if, src_ip, src_port = parseLocation(fields[1])
    dst_if, dst_ip, dst_port = parseLocation(fields[3])
    return {
        'srcInterface': src_if,
        'srcIP': src_ip,
        'srcPort': src_port,
        'dstInterface': dst_if,
        'dstIP': dst_ip,
        'dstPort': dst_port,
        'group': fields[6].strip('"'),
    }
def code313004(fields):
    """Parse the tail of a %FWSM-4-313004 "Denied ICMP" message.

    ``fields`` is the message split on spaces after ``Denied ICMP``, e.g.
    ``type=3, from laddr A on interface IF to B: no matching session``.
    Tokens are read by position: the ICMP type from fields[0], the
    source address from fields[3], the interface name from fields[6],
    the destination from fields[8] (trailing colon dropped) and whatever
    follows as free text.  Returns a dict with ``type`` (int), ``srcIP``
    and ``dstIP`` (ipaddress objects), ``srcInterface`` and ``message``;
    a message of another shape raises ValueError or IndexError.
    """
    icmp_type = fields[0].rstrip(',').split('=')[1]
    destination = fields[8].rstrip(':')
    return {
        'type': int(icmp_type),
        'srcIP': ipaddress.ip_address(fields[3]),
        'srcInterface': fields[6],
        'dstIP': ipaddress.ip_address(destination),
        'message': ' '.join(fields[9:]),
    }
def code410001(fields):
    """Parse the tail of a %FWSM-4-410001 "Dropped UDP" message.

    ``fields`` is the message split on spaces after ``Dropped UDP``, e.g.
    ``DNS reply from IF:A/P to IF:B/Q; packet length N bytes exceeds
    configured limit of M bytes``.  Tokens are read by position:
    fields[3] and fields[5] (trailing semicolon dropped) go through
    parseLocation, the observed length is fields[8] and the configured
    limit fields[14].  The leading ``DNS reply`` words are not kept.
    Returns src*/dst* keys plus ``packetLength`` and
    ``packetLengthLimit`` as ints; a message of another shape raises
    ValueError or IndexError.
    """
    src_if, src_ip, src_port = parseLocation(fields[3])
    dst_if, dst_ip, dst_port = parseLocation(fields[5].rstrip(';'))
    return {
        'srcInterface': src_if,
        'srcIP': src_ip,
        'srcPort': src_port,
        'dstInterface': dst_if,
        'dstIP': dst_ip,
        'dstPort': dst_port,
        'packetLength': int(fields[8]),
        'packetLengthLimit': int(fields[14]),
    }
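def parse(line, year=None, handlers=None):
    """Parse one FWSM syslog line into a dict of fields.

    ``line`` has the shape
    ``Mon D HH:MM:SS <relay-ip> : %FWSM-<sev>-<code>: <Action> <proto> <rest>``
    (see the samples in ``lines``).  Common keys in the result: ``date``
    (naive datetime; syslog timestamps carry no year, so ``year`` is used
    when given and otherwise taken from the local clock at call time —
    lines from December read in January therefore get the wrong year),
    ``ip`` (the reporting device as an ipaddress object), ``name``
    (``FWSM``), ``version`` (the middle digit of the message id, kept
    under this key for compatibility), ``code`` (int message id),
    ``action`` (first word, lower-cased) and ``protocol`` (second word,
    upper-cased).

    ``handlers`` maps an int message code to a function taking the
    remaining space-split tokens and returning extra keys; it defaults
    to the explicit table of ``codeNNNNNN`` parsers in this file.
    Dispatch is a table lookup only — the code from the log line is
    never used to build a name and look it up in ``globals()`` — so a
    crafted line can only reach a parser that is listed here.  Lines
    with no handler keep the untouched remainder under ``raw``.

    Raises ValueError (from the unpacking, ``int``, ``ipaddress`` or
    ``strptime``) on a line that does not fit this shape; callers
    feeding untrusted logs should catch it per line rather than let one
    bad record stop the run.
    """
    if year is None:
        year = datetime.datetime.now().year  # syslog omits the year
    if handlers is None:
        handlers = {106023: code106023, 313004: code313004, 410001: code410001}

    # Split only at the first ' : ' so a message body that happens to
    # contain the same separator cannot shift the header/message split.
    header, postheader = line.split(' : ', 1)
    fullcode, message = postheader.split(': ', 1)
    timestamp, ip = header.rstrip().rsplit(' ', 1)

    result = {}
    result['date'] = datetime.datetime.strptime('%d %s' % (year, timestamp), '%Y %b %d %H:%M:%S')
    device, version, code = fullcode.split('-')
    result['name'] = device.lstrip('%')
    result['version'] = int(version)
    result['code'] = int(code)
    result['ip'] = ipaddress.ip_address(ip)

    action, packet, *postaction = message.split(' ')
    result['action'] = action.lower()
    result['protocol'] = packet.upper()

    handler = handlers.get(result['code'])
    if handler is not None:
        result.update(handler(postaction))
    else:
        result['raw'] = ' '.join(postaction)
    return result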
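if __name__ == '__main__':
    # Demo run over the built-in samples; guarded so importing this module
    # from a log pipeline does not print anything as a side effect.
    for line in lines:
        print(parse(line))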
"""Current output:
{'ip': IPv4Address('10.253.1.9'), 'dstPort': 27518, 'srcIP': IPv4Address('81.4.122.140'), 'version': 4, 'protocol': 'UDP', 'packetLengthLimit': 512, 'action': 'dropped', 'dstInterface': 'ese_dmz1', 'date': datetime.datetime(2015, 2, 3, 2, 23, 54), 'code': 410001, 'srcPort': 53, 'dstIP': IPv4Address('159.213.62.238'), 'srcInterface': 'ese_outside', 'name': 'FWSM', 'packetLength': 607}
{'ip': IPv4Address('10.253.1.9'), 'dstPort': 5351, 'srcIP': IPv4Address('71.6.216.52'), 'version': 4, 'protocol': 'UDP', 'action': 'deny', 'dstInterface': 'ese_dmz1', 'date': datetime.datetime(2015, 2, 3, 2, 25, 38), 'group': 'outside_in', 'code': 106023, 'srcPort': 41887, 'dstIP': IPv4Address('159.213.62.237'), 'srcInterface': 'ese_outside', 'name': 'FWSM'}
{'ip': IPv4Address('10.253.1.9'), 'srcInterface': 'ese_dmz1', 'version': 4, 'protocol': 'ICMP', 'message': 'no matching session', 'action': 'denied', 'srcIP': IPv4Address('172.16.1.252'), 'date': datetime.datetime(2015, 2, 3, 2, 25, 49), 'code': 313004, 'dstIP': IPv4Address('10.1.6.116'), 'name': 'FWSM', 'type': 3}
"""