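fwlogwatch-1.2/0000755000076400001440000000000011454326217012061 5ustar bwusers
fwlogwatch-1.2/Makefile0000644000076400001440000001016411454321551013517 0ustar bwusers
# Copyright (C) 2000-2010 Boris Wesslowski
# $Id: Makefile 710 2010-10-10 11:28:41Z bw $

# You might want to add -DSHORT_NAMES to CFLAGS if you only intend to analyze
# log formats with short list/chain/branch/interface names like ipchains.
# You can also add -DLOGDOTS if your Cisco log host logs FQDNs and you only
# want the hostnames in the output.
# -DHAVE_IPV6 enables IPv6 support for the status web server.
# -DHAVE_ADNS enables support for asynchronous DNS lookups.

# Linux
CC = gcc
CFLAGS = -DHAVE_ZLIB -DHAVE_GETTEXT -pipe -O2 -Wall #-pedantic -Wpointer-arith #-g #-p
LDFLAGS = #-g #-static -p
LIBS = -lcrypt -lz #-ladns #-lc_p

# Solaris
#LIBS = -lnsl -lsocket -lcrypt -lz
#
#CC = gcc
#CFLAGS = -DSOLARIS -DHAVE_ZLIB -DHAVE_GETTEXT -pipe -O2 -Wall #-pedantic #-g
#LDFLAGS = #-g
#
#CC = cc
#CFLAGS = -DSOLARIS -DHAVE_ZLIB -DHAVE_GETTEXT -v -fast -xCC

# OpenBSD
#CC = gcc
#CFLAGS = -DHAVE_ZLIB -DHAVE_GETTEXT -pipe -O2 -Wall -I/usr/local/include
#LIBS = -L/usr/local/lib -lz -lintl

# FreeBSD
#CC = gcc
#CFLAGS = -DHAVE_ZLIB -DHAVE_GETTEXT -pipe -O2 -Wall -I/usr/local/include
#LIBS = -L/usr/local/lib -lcrypt -lz -lintl

# Hardening defaults: fwlogwatch talks to whois servers and, in realtime
# response mode, serves a status page on a listening TCP port, so it handles
# untrusted network input.  These are gcc/GNU ld options; on other toolchains
# (e.g. the Sun cc section above) build with "make HARDEN_CFLAGS= HARDEN_LDFLAGS=".
HARDEN_CFLAGS = -fstack-protector -D_FORTIFY_SOURCE=2 -fPIE
HARDEN_LDFLAGS = -pie -Wl,-z,relro,-z,now
CFLAGS += $(HARDEN_CFLAGS)
LDFLAGS += $(HARDEN_LDFLAGS)

LEX = flex
LFLAGS = -B --nounput #-f #-p -p -d

INSTALL = install
INSTALL_PROGRAM = $(INSTALL) -s -m 0755
INSTALL_SCRIPT = $(INSTALL) -m 0755
INSTALL_DATA = $(INSTALL) -m 0644
INSTALL_DIR = /usr/local
CONF_DIR = /etc
LOCALE_DIR = /usr
# Staging prefix for packaging; empty for a direct install.
DESTDIR =
# Translations shipped in po/ (one <lang>.mo each).
LANGS = de ja pt sv zh_CN zh_TW

OBJS = cisco_ios.o cisco_pix.o compare.o ipchains.o ipfilter.o ipfw.o \
	lancom.o main.o modes.o net.o netfilter.o netscreen.o output.o \
	parser.o rcfile.o resolve.o response.o snort.o utils.o whois.o

.PHONY: all install install-config install-i18n install-rhinit uninstall clean indent

all: fwlogwatch

cisco_ios.o: main.h utils.h
cisco_pix.o: main.h utils.h
compare.o: compare.h main.h output.h utils.h
ipchains.o: main.h utils.h
ipfilter.o: main.h utils.h
ipfw.o: main.h utils.h
lancom.o: main.h utils.h
main.o: main.h modes.h parser.h rcfile.h utils.h
modes.o: compare.h main.h net.h output.h parser.h rcfile.h \
	resolve.h response.h utils.h whois.h
net.o: compare.h main.h output.h resolve.h response.h utils.h
netfilter.o: main.h utils.h
netscreen.o: main.h utils.h
output.o: main.h output.h resolve.h utils.h whois.h
parser.o: cisco_ios.h cisco_pix.h compare.h ipchains.h ipfilter.h \
	ipfw.h main.h netfilter.h netscreen.h parser.h snort.h
rcfile.o: main.h parser.h rcfile.h utils.h
resolve.o: main.h resolve.h utils.h
response.o: main.h response.h utils.h
snort.o: main.h utils.h
utils.o: main.h
whois.o: main.h utils.h

fwlogwatch: $(OBJS)
	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)

# Target directories are created first so a fresh prefix works.
install: all
	$(INSTALL) -d -m 0755 $(DESTDIR)$(INSTALL_DIR)/sbin $(DESTDIR)$(INSTALL_DIR)/share/man/man8
	$(INSTALL_PROGRAM) fwlogwatch $(DESTDIR)$(INSTALL_DIR)/sbin/fwlogwatch
	$(INSTALL_SCRIPT) contrib/fwlw_notify $(DESTDIR)$(INSTALL_DIR)/sbin/fwlw_notify
	$(INSTALL_SCRIPT) contrib/fwlw_respond $(DESTDIR)$(INSTALL_DIR)/sbin/fwlw_respond
	$(INSTALL_DATA) fwlogwatch.8 $(DESTDIR)$(INSTALL_DIR)/share/man/man8/fwlogwatch.8

# The configuration can hold a status_password; if you set one, tighten the
# file mode (e.g. chmod 0600) after installing, it is written world-readable.
install-config:
	$(INSTALL) -d -m 0755 $(DESTDIR)$(CONF_DIR)
	$(INSTALL_DATA) fwlogwatch.config $(DESTDIR)$(CONF_DIR)/fwlogwatch.config

install-i18n:
	cd po && $(MAKE)
	for l in $(LANGS); do \
	  $(INSTALL) -d -m 0755 $(DESTDIR)$(LOCALE_DIR)/share/locale/$$l/LC_MESSAGES && \
	  $(INSTALL_DATA) po/$$l.mo $(DESTDIR)$(LOCALE_DIR)/share/locale/$$l/LC_MESSAGES/fwlogwatch.mo || exit 1; \
	done

install-rhinit:
	$(INSTALL) -d -m 0755 $(DESTDIR)$(CONF_DIR)/rc.d/init.d
	$(INSTALL_SCRIPT) contrib/fwlogwatch.init.redhat $(DESTDIR)$(CONF_DIR)/rc.d/init.d/fwlogwatch

# NOTE: uninstall also removes the live configuration file
# $(CONF_DIR)/fwlogwatch.config; back it up first if you want to keep it.
uninstall:
	@rm -f $(DESTDIR)$(INSTALL_DIR)/sbin/fwlogwatch \
	$(DESTDIR)$(INSTALL_DIR)/sbin/fwlw_notify \
	$(DESTDIR)$(INSTALL_DIR)/sbin/fwlw_respond \
	$(DESTDIR)$(INSTALL_DIR)/share/man/man8/fwlogwatch.8 \
	$(DESTDIR)$(LOCALE_DIR)/share/locale/de/LC_MESSAGES/fwlogwatch.mo \
	$(DESTDIR)$(LOCALE_DIR)/share/locale/ja/LC_MESSAGES/fwlogwatch.mo \
	$(DESTDIR)$(LOCALE_DIR)/share/locale/pt/LC_MESSAGES/fwlogwatch.mo \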
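$(DESTDIR)$(LOCALE_DIR)/share/locale/sv/LC_MESSAGES/fwlogwatch.mo \
	$(DESTDIR)$(LOCALE_DIR)/share/locale/zh_CN/LC_MESSAGES/fwlogwatch.mo \
	$(DESTDIR)$(LOCALE_DIR)/share/locale/zh_TW/LC_MESSAGES/fwlogwatch.mo \
	$(DESTDIR)$(CONF_DIR)/fwlogwatch.config

clean:
	rm -f *.o *~ *.bak fwlogwatch
	cd po && $(MAKE) clean

indent:
	indent --k-and-r-style --indent-level 2 --line-length 180 *.c *.h
fwlogwatch-1.2/whois.c0000644000076400001440000001423211453062534013356 0ustar bwusers
/* Copyright (C) 2000-2010 Boris Wesslowski */
/* $Id: whois.c 706 2010-10-06 12:02:36Z bw $ */

/*
 * Route / origin-AS lookup for IPv4 addresses over a persistent whois
 * connection (RIPE "-k" style): queries are "!r<ip>/32,l\n" (route object
 * covering the address) and "!man,AS<n>\n" (aut-num object); every reply is
 * framed as "A<len>\n<len bytes>" followed by a status line ("C\n"), or a
 * bare status line ("D\n", "E...\n") when there is no data.
 *
 * Everything received on the socket is untrusted: announced lengths, line
 * terminators and attribute values are all checked before use, and a read
 * that fails or stalls never loops forever or walks outside a buffer.
 *
 * NOTE(review): the system header names were lost in the archive dump this
 * listing was taken from; the list below was reconstructed from the symbols
 * used in this file.  Compare with the original before relying on it.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#include "main.h"
#include "utils.h"

/*
 * Build a host-order address as unsigned long.  The shifts must not be done
 * in int: 192<<24 overflows a 32-bit int, and on LP64 hosts the resulting
 * negative value sign-extended to 0xFFFFFFFFC0000000, so the 172.16/12,
 * 192.168/16 and 255.255.255.255 exclusions below silently never matched.
 */
#define QUAD2IP(a,b,c,d) (((unsigned long)(a)<<24) | ((unsigned long)(b)<<16) | ((unsigned long)(c)<<8) | (unsigned long)(d))
#define PREFIX2MASK(n) (~0UL<<(32-(n)))

/* Receive timeout (seconds) on the whois socket; without it a stalled
 * server blocks report generation indefinitely. */
#ifndef WHOIS_TIMEOUT
#define WHOIS_TIMEOUT 30
#endif

struct whois_entry *whois_first = NULL;

extern struct options opt;

/*
 * Read exactly len bytes from the whois socket into buf.  Returns the number
 * of bytes stored; it is smaller than len only when the peer closed the
 * connection or the read failed (error or receive timeout).
 */
static int whois_read_exact(char *buf, int len)
{
  int cnt = 0;
  ssize_t n;

  while (cnt < len) {
    n = read(opt.whois_sock, buf + cnt, (size_t) (len - cnt));
    if (n <= 0)
      break;
    cnt += (int) n;
  }
  return cnt;
}

/*
 * Duplicate an attribute value: skip leading blanks/tabs and copy up to,
 * not including, the end of the line.  The input is left untouched.
 */
static char *whois_dup_value(const char *value)
{
  const char *end;
  size_t len;
  char *copy;

  while (*value == ' ' || *value == '\t')
    value++;
  end = strchr(value, '\n');
  len = (end != NULL) ? (size_t) (end - value) : strlen(value);
  copy = xmalloc(len + 1);
  memcpy(copy, value, len);
  copy[len] = '\0';
  return copy;
}

/*
 * Read one status line ("A<len>", "C", "D", "E...") and classify it in *type.
 * Returns the announced data length for an "A" line, 0 for "C" and -1 for
 * anything else, including a dead connection or a negative length (*type is
 * then '\0').  Overlong lines are drained up to the newline so the stream
 * stays in sync instead of the remainder being parsed as the next status.
 */
int whois_get_type(char *type)
{
  int cnt = 0, retval = -1;
  char buffer[WHOISCMDLEN];
  unsigned char c;
  ssize_t n;

  *type = '\0';
  for (;;) {
    n = read(opt.whois_sock, &c, 1);
    if (n <= 0) {
      if (cnt == 0)
        return -1;                /* connection gone before any data */
      break;                      /* unterminated last line: use what we have */
    }
    if (c == '\n')
      break;
    if (cnt < WHOISCMDLEN - 1)    /* leave room for the terminator */
      buffer[cnt++] = (char) c;
  }
  buffer[cnt] = '\0';

  switch (buffer[0]) {
  case 'A':
    retval = atoi(&buffer[1]);
    if (retval < 0)               /* nonsense length: do not allocate/read it */
      return -1;
    *type = 'A';
    break;
  case 'C':
    *type = 'C';
    retval = 0;
    break;
  default:
    break;
  }
  return retval;
}

/*
 * Read len bytes of whois data into buf and NUL-terminate it; buf must hold
 * len + 1 bytes.  On a short read the bytes received so far are kept and
 * terminated, so the caller never parses uninitialized memory.
 */
void whois_read_socket(char *buf, int len)
{
  int got;

  memset(buf, 0, (size_t) len + 1);
  got = whois_read_exact(buf, len);
  buf[got] = '\0';
#ifdef WHOIS_DEBUG
  fprintf(stderr, "--- WHOIS_DEBUG ---\n%s--- WHOIS_DEBUG ---\n", buf);
  fflush(stderr);
#endif
}

/*
 * Read one framed reply and return its (last) data block as a newly
 * allocated, NUL-terminated string, or NULL when the reply carried no data
 * or the connection failed inside a block (the framing is lost then, so a
 * partial object is discarded rather than parsed).  The caller frees it.
 */
char *whois_read_data(void)
{
  int len, got;
  char type, *data = NULL;

  for (;;) {
    len = whois_get_type(&type);
    if (type != 'A')
      break;
    free(data);                   /* only the last block is returned */
    data = xmalloc(len + 1);
    got = whois_read_exact(data, len);
    if (got < len) {
      free(data);
      return NULL;
    }
    data[len] = '\0';
  }
  return data;
}

/* Send a "!man,AS<n>" query and return its reply (see whois_read_data()). */
char *whois_get_from_as(int asn)
{
  char cmdstr[WHOISCMDLEN];
  int len;

  len = snprintf(cmdstr, WHOISCMDLEN, "!man,AS%d\n", asn);
  if (len < 0 || len >= WHOISCMDLEN)
    return NULL;
  if (write(opt.whois_sock, cmdstr, (size_t) len) != len)
    return NULL;
  return whois_read_data();
}

/*
 * Fill we->as_descr with the first "descr:" value of the aut-num object for
 * we->as_number.  It stays NULL when the lookup yields nothing.
 */
void whois_search_desc(struct whois_entry *we)
{
  char *obj, *descr;

  obj = whois_get_from_as(we->as_number);
  if (obj == NULL)
    return;
  descr = strstr(obj, "descr:");
  if (descr != NULL)
    we->as_descr = whois_dup_value(descr + 6);
  free(obj);
}

/*
 * Look up the route object(s) covering ip and fill we with the origin AS,
 * the route prefix and its first description; the aut-num description is
 * fetched as well once the AS number is known.  Attributes are recognised
 * at the start of a line (RPSL layout) and only their first occurrence is
 * used.  Fields still missing when an AS number was found are set to "-" so
 * the entry is printable; without an AS number the caller discards we.
 */
void whois_from_ip(struct in_addr ip, struct whois_entry *we)
{
  char cmdstr[WHOISCMDLEN], *data, *line, *next, *val;
  int len;

  we->as_number = 0;
  we->ip_route = NULL;
  we->ip_descr = NULL;
  we->as_descr = NULL;

  len = snprintf(cmdstr, WHOISCMDLEN, "!r%s/32,l\n", inet_ntoa(ip));
  if (len < 0 || len >= WHOISCMDLEN)
    return;
  if (write(opt.whois_sock, cmdstr, (size_t) len) != len)
    return;

  data = whois_read_data();
  if (data != NULL) {
    line = data;
    while (line != NULL && *line != '\0') {
      next = strchr(line, '\n');
      if (next != NULL)
        *next++ = '\0';           /* terminate this line, continue after it */

      if (we->as_number == 0 && strncmp(line, "origin:", 7) == 0) {
        val = line + 7;
        while (*val == ' ' || *val == '\t')
          val++;
        /* The value is "AS<number>"; the original skipped two bytes
         * unconditionally, which reads past the end of a truncated value. */
        if (strncasecmp(val, "AS", 2) == 0)
          val += 2;
        we->as_number = atoi(val);
        if (we->as_number < 0)
          we->as_number = 0;
        if (we->as_number > 0)
          whois_search_desc(we);
      } else if (we->ip_route == NULL && strncmp(line, "route:", 6) == 0) {
        we->ip_route = whois_dup_value(line + 6);
      } else if (we->ip_descr == NULL && strncmp(line, "descr:", 6) == 0) {
        we->ip_descr = whois_dup_value(line + 6);
      }
      line = next;
    }
    free(data);
  }

  if (we->as_number > 0) {
    if (we->ip_route == NULL)
      we->ip_route = whois_dup_value("-");
    if (we->ip_descr == NULL)
      we->ip_descr = whois_dup_value("-");
    if (we->as_descr == NULL)
      we->as_descr = whois_dup_value("-");
  }
}

/*
 * Return the cached or freshly looked up whois entry for ip, or NULL when
 * no whois connection is open, the address is not globally routable, or no
 * origin AS could be determined.  Entries are cached by route prefix.
 */
struct whois_entry *whois(struct in_addr ip)
{
  char adds[WHOISROUTELEN];
  struct in_addr net, addr;
  struct whois_entry *we;
  unsigned long int tmp_ip;

  if (opt.whois_sock == -1)
    return NULL;

  /* Do not ask a public whois server about addresses that cannot have a
   * route object: unspecified, loopback, RFC 1918, link-local, multicast
   * and the reserved 240/4 block (which includes 255.255.255.255). */
  tmp_ip = ntohl(ip.s_addr);
  if (tmp_ip == QUAD2IP(0, 0, 0, 0)
      || (tmp_ip & PREFIX2MASK(8)) == QUAD2IP(127, 0, 0, 0)
      || (tmp_ip & PREFIX2MASK(8)) == QUAD2IP(10, 0, 0, 0)
      || (tmp_ip & PREFIX2MASK(12)) == QUAD2IP(172, 16, 0, 0)
      || (tmp_ip & PREFIX2MASK(16)) == QUAD2IP(192, 168, 0, 0)
      || (tmp_ip & PREFIX2MASK(16)) == QUAD2IP(169, 254, 0, 0)
      || (tmp_ip & PREFIX2MASK(4)) == QUAD2IP(224, 0, 0, 0)
      || (tmp_ip & PREFIX2MASK(4)) == QUAD2IP(240, 0, 0, 0))
    return NULL;

  for (we = whois_first; we != NULL; we = we->next) {
    xstrncpy(adds, we->ip_route, WHOISROUTELEN);
    /* NOTE(review): parse_cidr() and convert_ip() are project helpers not
     * visible here; as in the original, parse_cidr() is assumed to return
     * the netmask and leave the address part in adds. */
    net.s_addr = ip.s_addr & parse_cidr(adds);
    if (convert_ip(adds, &addr) == IN_ADDR_ERROR)
      continue;                   /* e.g. route "-": never compare garbage */
    if (addr.s_addr == net.s_addr) {
      if (opt.verbose)
        fprintf(stderr, _("Looking up whois info for %s from cache\n"), inet_ntoa(ip));
      return we;
    }
  }

  if (opt.verbose)
    fprintf(stderr, _("Looking up whois info for %s\n"), inet_ntoa(ip));

  we = xmalloc(sizeof(struct whois_entry));
  whois_from_ip(ip, we);
  if (we->as_number == 0) {
    /* the original leaked the entry (and any route/descr strings) here */
    free(we->ip_route);
    free(we->ip_descr);
    free(we->as_descr);
    free(we);
    return NULL;
  }
  we->next = whois_first;
  whois_first = we;
  return we;
}

/*
 * Open the persistent whois connection to whois_server (TCP port WHOIS) and
 * store the socket in opt.whois_sock.  Any failure is fatal, as before.
 */
void whois_connect(const char *whois_server)
{
  struct hostent *he;
  struct sockaddr_in sin;
  struct timeval tv;
  int sock;

  he = gethostbyname(whois_server);
  if (he == NULL) {
    fprintf(stderr, _("lookup failed: %s\n"), whois_server);
    exit(EXIT_FAILURE);
  }
  /* gethostbyname() may return a non-IPv4 record (e.g. with RES_USE_INET6);
   * copying h_length bytes into sin_addr would then overrun the sockaddr. */
  if (he->h_addrtype != AF_INET || he->h_length != (int) sizeof(sin.sin_addr)
      || he->h_addr_list == NULL || he->h_addr_list[0] == NULL) {
    fprintf(stderr, _("lookup failed: %s\n"), whois_server);
    exit(EXIT_FAILURE);
  }

  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (sock == -1) {
    perror("socket");
    exit(EXIT_FAILURE);
  }

  tv.tv_sec = WHOIS_TIMEOUT;
  tv.tv_usec = 0;
  if (setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) == -1)
    perror("setsockopt");         /* not fatal: lookups may just block */

  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(WHOIS);
  memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof(sin.sin_addr));

  if (connect(sock, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
    perror("connect");
    exit(EXIT_FAILURE);
  }

  /* "!!" switches the server to persistent (multi-query) mode */
  if (write(sock, "!!\n", 3) != 3) {
    perror("write");
    close(sock);
    exit(EXIT_FAILURE);
  }
  opt.whois_sock = sock;
}

/* Tell the server we are done and close the connection (no-op if closed). */
void whois_close(void)
{
  if (opt.whois_sock == -1)
    return;
  if (write(opt.whois_sock, "q\n", 2) == -1)
    perror("write");
  if (close(opt.whois_sock) == -1)
    perror("close");
  opt.whois_sock = -1;
}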
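fwlogwatch-1.2/net.h0000644000076400001440000000032711453062534013020 0ustar bwusers
/* Copyright (C) 2000-2010 Boris Wesslowski */
/* $Id: net.h 706 2010-10-06 12:02:36Z bw $ */

/* Status web server of the realtime response mode (implemented in net.c). */
#ifndef _NET_H
#define _NET_H

void prepare_socket(void);
void handshake(int linenum, int hitnum, int ignored);

#endif
fwlogwatch-1.2/AUTHORS0000644000076400001440000000012511145337041013121 0ustar bwusers
$Id: AUTHORS 683 2009-02-13 18:38:25Z bw $

Boris Wesslowski
fwlogwatch-1.2/rcfile.c0000644000076400001440000003105611453062534013474 0ustar bwusers
/* Copyright (C) 2000-2010 Boris Wesslowski */
/* $Id: rcfile.c 706 2010-10-06 12:02:36Z bw $ */

/*
 * Configuration file reader.  Each line is "keyword [=] value [# comment]";
 * keywords are matched case-insensitively, by prefix, in the order given in
 * parse_rcfile().  The file is trusted (it is the administrator's), but it
 * is also re-read while the daemon runs, so a bad line must produce a
 * diagnostic rather than an out-of-bounds read or unbounded recursion.
 *
 * NOTE(review): the system header names were lost in the archive dump this
 * listing was taken from; the list below was reconstructed from the symbols
 * used in this file.  Compare with the original before relying on it.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#include "rcfile.h"
#include "main.h"
#include "parser.h"
#include "utils.h"

extern struct options opt;

/* Nesting limit for include_file: a file that includes itself, directly or
 * through a cycle, would otherwise recurse until the process runs out of
 * file descriptors or stack. */
#ifndef RCFILE_MAX_INCLUDE_DEPTH
#define RCFILE_MAX_INCLUDE_DEPTH 16
#endif

/*
 * Return the first word of string after skipping blanks, tabs and '='.  The
 * word is terminated in place.  With mode HASH_ENDS_INPUT a '#' ends the
 * word (start of a comment); with HASH_IGNORE it is part of the word, which
 * colour values such as "#ffffff" need.  A '\r' ends the word as well so
 * CRLF files do not leave a stray carriage return in the value.
 */
char *get_one_parameter(char *string, unsigned char mode)
{
  char *end;

  while (*string == ' ' || *string == '\t' || *string == '=')
    string++;
  end = string;
  while (*end != '\0' && *end != '\n' && *end != '\r' && *end != ' ' && *end != '\t'
         && (mode == HASH_IGNORE || *end != '#'))
    end++;
  *end = '\0';
  return string;
}

/*
 * Return the rest of the line up to a '#' or the end of line, for values
 * that may contain spaces (title, mail addresses, chain/branch names).
 * Trailing blanks before a comment are kept, as before.
 */
char *get_parameter(char *string)
{
  char *end;

  while (*string == ' ' || *string == '\t' || *string == '=')
    string++;
  end = string;
  while (*end != '\0' && *end != '\n' && *end != '\r' && *end != '#')
    end++;
  *end = '\0';
  return string;
}

/*
 * Parse a numeric value.  Non-digit characters are reported (once per
 * character, file and line given) but, as before, the value is still
 * converted with atoi(), i.e. "12x" yields 12.
 */
int get_num_parameter(char *string, char *rcfile, int linenum)
{
  char *end;

  while (*string == ' ' || *string == '\t' || *string == '=')
    string++;
  end = string;
  while (*end != '\0' && *end != '\n' && *end != '\r' && *end != ' ' && *end != '\t' && *end != '#') {
    if (!isdigit((unsigned char) *end))
      fprintf(stderr, _("Error in configuration file '%s' line %d: not a number\n"), rcfile, linenum);
    end++;
  }
  *end = '\0';
  return atoi(string);
}

/*
 * Parse a boolean: yes/on/true -> YES, no/off/false -> NO (prefix match,
 * case-insensitive).  NOTE: anything else is reported and treated as YES,
 * so a typo in e.g. "respond = flase" enables the feature; this is the
 * original behaviour and is kept for compatibility with existing files.
 */
unsigned char get_yes_or_no(char *string, char *rcfile, int linenum)
{
  char *end;

  while (*string == ' ' || *string == '\t' || *string == '=')
    string++;
  end = string;
  while (*end != '\0' && *end != '\n' && *end != '\r' && *end != ' ' && *end != '\t' && *end != '#')
    end++;
  *end = '\0';

  if (strncasecmp(string, "yes", 3) == 0 || strncasecmp(string, "on", 2) == 0 || strncasecmp(string, "true", 4) == 0)
    return YES;
  if (strncasecmp(string, "no", 2) == 0 || strncasecmp(string, "off", 3) == 0 || strncasecmp(string, "false", 5) == 0)
    return NO;
  fprintf(stderr, _("Error in configuration file '%s' line %d, assuming 'true'\n"), rcfile, linenum);
  return YES;
}

/*
 * Case-insensitive prefix match of line against keyword.  On success *rest
 * points just past the keyword; the parameter helpers skip the separator.
 * Unlike the fixed "keyword length + 1" offsets used before, this cannot
 * step past the terminating NUL of a line that ends right after the keyword
 * (last line of a file without newline), which read one byte beyond the
 * copied line.
 */
static int rc_keyword(char *line, const char *keyword, char **rest)
{
  size_t len = strlen(keyword);

  if (strncasecmp(line, keyword, len) != 0)
    return 0;
  *rest = line + len;
  return 1;
}

/*
 * Parse one configuration line (input) from rcfile at linenum and apply it
 * to opt.  Blank and comment lines are ignored; an unknown keyword is fatal.
 */
void parse_rcfile(char *input, char *rcfile, int linenum)
{
  char *command, *arg;

  while (*input == ' ' || *input == '\t')
    input++;
  if (*input == '#' || *input == '\n' || *input == '\r' || *input == '\0')
    return;

  /* work on a private copy: the parameter helpers terminate words in place */
  command = xmalloc(strlen(input) + 1);
  xstrncpy(command, input, strlen(input) + 1);

  /* Include files */
  if (rc_keyword(command, "include_file", &arg)) {
    xstrncpy(opt.rcfile, get_one_parameter(arg, HASH_ENDS_INPUT), FILESIZE);
    read_rcfile(opt.rcfile, MUST_EXIST);
  }
  /* Global options */
  else if (rc_keyword(command, "verbose", &arg)) {
    opt.verbose = opt.verbose + get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "resolve_hosts", &arg)) {
    opt.resolve = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "resolve_services", &arg)) {
    opt.sresolve = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "input", &arg)) {
    add_input_file(get_one_parameter(arg, HASH_ENDS_INPUT));
  }
  /* Evaluation options */
  else if (rc_keyword(command, "parser", &arg)) {
    xstrncpy(opt.format_sel, get_one_parameter(arg, HASH_ENDS_INPUT), SHORTLEN);
  } else if (rc_keyword(command, "src_ip", &arg)) {
    opt.src_ip = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "dst_ip", &arg)) {
    opt.dst_ip = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "protocol", &arg)) {
    opt.proto = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "src_port", &arg)) {
    opt.src_port = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "dst_port", &arg)) {
    opt.dst_port = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "tcp_opts", &arg)) {
    opt.opts = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "exclude_src_host", &arg)) {
    add_exclude_hpb(get_one_parameter(arg, HASH_ENDS_INPUT), PARSER_MODE_HOST | PARSER_MODE_SRC | PARSER_MODE_NOT);
  } else if (rc_keyword(command, "exclude_src_port", &arg)) {
    add_exclude_hpb(get_one_parameter(arg, HASH_ENDS_INPUT), PARSER_MODE_PORT | PARSER_MODE_SRC | PARSER_MODE_NOT);
  } else if (rc_keyword(command, "exclude_dst_host", &arg)) {
    add_exclude_hpb(get_one_parameter(arg, HASH_ENDS_INPUT), PARSER_MODE_HOST | PARSER_MODE_NOT);
  } else if (rc_keyword(command, "exclude_dst_port", &arg)) {
    add_exclude_hpb(get_one_parameter(arg, HASH_ENDS_INPUT), PARSER_MODE_PORT | PARSER_MODE_NOT);
  } else if (rc_keyword(command, "include_src_host", &arg)) {
    add_exclude_hpb(get_one_parameter(arg, HASH_ENDS_INPUT), PARSER_MODE_HOST | PARSER_MODE_SRC);
  } else if (rc_keyword(command, "include_src_port", &arg)) {
    add_exclude_hpb(get_one_parameter(arg, HASH_ENDS_INPUT), PARSER_MODE_PORT | PARSER_MODE_SRC);
  } else if (rc_keyword(command, "include_dst_host", &arg)) {
    add_exclude_hpb(get_one_parameter(arg, HASH_ENDS_INPUT), PARSER_MODE_HOST);
  } else if (rc_keyword(command, "include_dst_port", &arg)) {
    add_exclude_hpb(get_one_parameter(arg, HASH_ENDS_INPUT), PARSER_MODE_PORT);
  } else if (rc_keyword(command, "exclude_chain", &arg)) {
    add_exclude_hpb(get_parameter(arg), PARSER_MODE_CHAIN | PARSER_MODE_NOT);
  } else if (rc_keyword(command, "include_chain", &arg)) {
    add_exclude_hpb(get_parameter(arg), PARSER_MODE_CHAIN);
  } else if (rc_keyword(command, "exclude_branch", &arg)) {
    add_exclude_hpb(get_parameter(arg), PARSER_MODE_BRANCH | PARSER_MODE_NOT);
  } else if (rc_keyword(command, "include_branch", &arg)) {
    add_exclude_hpb(get_parameter(arg), PARSER_MODE_BRANCH);
  }
  /* Sorting options */
  else if (rc_keyword(command, "sort_order", &arg)) {
    xstrncpy(opt.sort_order, get_one_parameter(arg, HASH_ENDS_INPUT), MAXSORTSIZE);
  }
  /* Output options */
  else if (rc_keyword(command, "title", &arg)) {
    xstrncpy(opt.title, get_parameter(arg), TITLESIZE);
  } else if (rc_keyword(command, "stylesheet", &arg)) {
    xstrncpy(opt.stylesheet, get_one_parameter(arg, HASH_ENDS_INPUT), CSSSIZE);
  } else if (rc_keyword(command, "textcolor", &arg)) {
    xstrncpy(opt.textcol, get_one_parameter(arg, HASH_IGNORE), COLORSIZE);
  } else if (rc_keyword(command, "bgcolor", &arg)) {
    xstrncpy(opt.bgcol, get_one_parameter(arg, HASH_IGNORE), COLORSIZE);
  } else if (rc_keyword(command, "rowcolor1", &arg)) {
    xstrncpy(opt.rowcol1, get_one_parameter(arg, HASH_IGNORE), COLORSIZE);
  } else if (rc_keyword(command, "rowcolor2", &arg)) {
    xstrncpy(opt.rowcol2, get_one_parameter(arg, HASH_IGNORE), COLORSIZE);
  }
  /* Log summary mode */
  else if (rc_keyword(command, "data_amount", &arg)) {
    opt.datalen = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "start_times", &arg)) {
    opt.stimes = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "end_times", &arg)) {
    opt.etimes = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "duration", &arg)) {
    opt.duration = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "html", &arg)) {
    opt.html = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "output", &arg)) {
    opt.use_out = 1;
    xstrncpy(opt.outputfile, get_one_parameter(arg, HASH_ENDS_INPUT), FILESIZE);
  } else if (rc_keyword(command, "recent", &arg)) {
    opt.recent = parse_time(get_one_parameter(arg, HASH_ENDS_INPUT));
  } else if (rc_keyword(command, "at_least", &arg)) {
    opt.least = get_num_parameter(arg, rcfile, linenum);
  } else if (rc_keyword(command, "maximum", &arg)) {
    opt.max = get_num_parameter(arg, rcfile, linenum);
  } else if (rc_keyword(command, "whois_lookup", &arg)) {
    opt.whois_lookup = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "sender", &arg)) {
    xstrncpy(opt.sender, get_parameter(arg), EMAILSIZE);
  } else if (rc_keyword(command, "recipient", &arg)) {
    xstrncpy(opt.recipient, get_parameter(arg), EMAILSIZE);
  } else if (rc_keyword(command, "cc", &arg)) {
    xstrncpy(opt.cc, get_parameter(arg), EMAILSIZE);
  }
  /* Realtime response mode */
  else if (rc_keyword(command, "realtime_response", &arg)) {
    if (get_yes_or_no(arg, rcfile, linenum) == YES) {
      if ((opt.mode != LOG_SUMMARY) && (opt.mode != REALTIME_RESPONSE))
        mode_error();
      opt.mode = REALTIME_RESPONSE;
    }
  } else if (rc_keyword(command, "ipchains_check", &arg)) {
    opt.ipchains_check = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "pidfile", &arg)) {
    xstrncpy(opt.pidfile, get_one_parameter(arg, HASH_ENDS_INPUT), FILESIZE);
  } else if (rc_keyword(command, "run_as", &arg)) {
    xstrncpy(opt.run_as, get_one_parameter(arg, HASH_ENDS_INPUT), USERSIZE);
  } else if (rc_keyword(command, "stateful_start", &arg)) {
    opt.stateful_start = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "alert_threshold", &arg)) {
    opt.threshold = get_num_parameter(arg, rcfile, linenum);
  } else if (rc_keyword(command, "notify", &arg)) {
    if (get_yes_or_no(arg, rcfile, linenum) == YES)
      opt.response = opt.response | OPT_NOTIFY;
    else
      opt.response = opt.response & ~OPT_NOTIFY;
  } else if (rc_keyword(command, "respond", &arg)) {
    if (get_yes_or_no(arg, rcfile, linenum) == YES)
      opt.response = opt.response | OPT_RESPOND;
    else
      opt.response = opt.response & ~OPT_RESPOND;
  } else if (rc_keyword(command, "notification_script", &arg)) {
    xstrncpy(opt.notify_script, get_one_parameter(arg, HASH_ENDS_INPUT), FILESIZE);
  } else if (rc_keyword(command, "response_script", &arg)) {
    xstrncpy(opt.respond_script, get_one_parameter(arg, HASH_ENDS_INPUT), FILESIZE);
  } else if (rc_keyword(command, "known_host", &arg)) {
    add_known_host(get_one_parameter(arg, HASH_ENDS_INPUT));
  } else if (rc_keyword(command, "server_status", &arg)) {
    opt.status = get_yes_or_no(arg, rcfile, linenum);
  } else if (rc_keyword(command, "bind_to", &arg)) {
    xstrncpy(opt.listenif, get_one_parameter(arg, HASH_ENDS_INPUT), IP6LEN);
  } else if (rc_keyword(command, "listen_port", &arg)) {
    opt.listenport = get_num_parameter(arg, rcfile, linenum);
  } else if (rc_keyword(command, "listen_to", &arg)) {
    xstrncpy(opt.listento, get_one_parameter(arg, HASH_ENDS_INPUT), IPLEN);
  } else if (rc_keyword(command, "status_user", &arg)) {
    xstrncpy(opt.user, get_one_parameter(arg, HASH_ENDS_INPUT), USERSIZE);
  } else if (rc_keyword(command, "status_password", &arg)) {
    /* The status page password sits in clear text in the configuration
     * file; the file must not be readable by other users when it is set. */
    xstrncpy(opt.password, get_one_parameter(arg, HASH_ENDS_INPUT), PASSWORDSIZE);
  } else if (rc_keyword(command, "refresh", &arg)) {
    opt.refresh = get_num_parameter(arg, rcfile, linenum);
  }
  /* Show log times mode */
  else if (rc_keyword(command, "show_log_times", &arg)) {
    if ((opt.mode != LOG_SUMMARY) && (opt.mode != SHOW_LOG_TIMES))
      mode_error();
    opt.mode = SHOW_LOG_TIMES;
  } else {
    fprintf(stderr, _("Unrecognized option in configuration file '%s' line %d\n"), rcfile, linenum);
    exit(EXIT_FAILURE);
  }
  free(command);
}

/*
 * Read and apply the configuration file rcfile.  With must_exist false a
 * missing or non-regular file is silently skipped (returns EXIT_FAILURE);
 * otherwise every error is fatal.  Returns EXIT_SUCCESS when parsed.
 * The name is copied first because rcfile may alias opt.rcfile, which an
 * include_file line overwrites while this file is still being read.
 */
unsigned char read_rcfile(char *rcfile, unsigned char must_exist)
{
  static int depth = 0;           /* current include_file nesting */
  char buf[BUFSIZE], *name;
  FILE *fd;
  int linenum = 1;
  struct stat info;

  if (!must_exist) {
    if (stat(rcfile, &info) == -1)
      return EXIT_FAILURE;
    if (!S_ISREG(info.st_mode)) {
      fprintf(stderr, _("%s is not a regular file, ignoring.\n"), rcfile);
      return EXIT_FAILURE;
    }
  }

  if (depth >= RCFILE_MAX_INCLUDE_DEPTH) {
    fprintf(stderr, _("%s: include_file nested deeper than %d levels, include loop?\n"), rcfile, RCFILE_MAX_INCLUDE_DEPTH);
    exit(EXIT_FAILURE);
  }

  name = xmalloc(strlen(rcfile) + 1);
  xstrncpy(name, rcfile, strlen(rcfile) + 1);

  if (opt.verbose)
    fprintf(stderr, _("Opening configuration file '%s'\n"), name);

  fd = fopen(name, "r");
  if (fd == NULL) {
    fprintf(stderr, "fopen %s: %s\n", name, strerror(errno));
    exit(EXIT_FAILURE);
  }

  depth++;
  while (fgets(buf, BUFSIZE, fd)) {
    /* a line that did not fit would otherwise be parsed as two options */
    if (strchr(buf, '\n') == NULL && !feof(fd)) {
      fprintf(stderr, _("Error in configuration file '%s' line %d: line too long\n"), name, linenum);
      exit(EXIT_FAILURE);
    }
    parse_rcfile(buf, name, linenum);
    linenum++;
  }
  depth--;

  if (opt.verbose)
    fprintf(stderr, _("Closing '%s'\n"), name);

  xstrncpy(opt.rcfile, name, FILESIZE);
  free(name);

  if (fclose(fd) == EOF) {
    perror("fclose");
    exit(EXIT_FAILURE);
  }
  return EXIT_SUCCESS;
}
fwlogwatch-1.2/CREDITS0000644000076400001440000000577011145337041013104 0ustar bwusers
$Id: CREDITS 683 2009-02-13 18:38:25Z bw $

This program was written by Boris Wesslowski

Thanks go to the following persons:

Oliver Goebel for looking after this program as a RUS-CERT project and some comments.
Florian Weimer for a very nice code review.
Torkil Zachariassen for comments on the first public release.
Shane Koster for reporting a time calculation problem.
Diego M. Vadell for reporting an ipchains log format difference in old kernels.
Didier Contis for information and examples of the Cisco log file formats.
Werner Fleck / for reporting ipchains parser omissions and building a first debian package.
Michael Reichardt for reporting various problems.
Pekka Savola for further examples of Cisco log formats.
Martin Hein for contributing to ipfilter support.
sh00p for reports about OpenBSD and ipfilter.
Neil McCalden for a first version of port exclusion support.
Carl Wilhelm Soderstrom and James Ralston for improvements of the rpm spec file.
Tobias Hunger for contributing to the improved response mode.
Diederick van Dijk for contributing to Cisco PIX support.
Andreas Pfaller for contributing to netfilter support and doing some debugging.
Alberto Gonzalez Iniesta for maintaining the debian package.
Sherwood Herben for contributing to realtime response mode.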
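Robert Malmgren and Dan Larsson for contributing to FreeBSD support.
Ivan F. Martinez for various suggestions and the Portuguese translation.
Oden Eriksson for the Swedish translation.
Xiaojun Yang for the simplified Chinese translation and doing a guided implementation of the Windows XP and NetScreen parsers.
Ying-Chieh Liao for the traditional Chinese translation.
Hugo van der Kooij for various suggestions.
Peter Bray for comments on the Makefile and the ipfilter parser.
Kimura Fuyuki for FreeBSD portability fixes.
Kyle Amon for contributing a first version of the PHP frontend.
Bram Vandoren for contributing to output limiting.
Mirko Zeibig for contributing to the Elsa Lancom parser.
Ronald Ruijgrok for pushing me to extend CSS support.
Andrew Beresford for suggesting fwsm support.
Robert Oschwald for contributing a SuSE init script.
fwlogwatch-1.2/snort.l0000644000076400001440000001110211453062534013374 0ustar bwusers
/* Copyright (C) 2000-2010 Boris Wesslowski */
/* $Id: snort.l 706 2010-10-06 12:02:36Z bw $ */

/*
 * Flex scanner for Snort alert lines in syslog format, e.g.
 *   "Mar  1 12:00:00 host snort[123]: [1:2:3] NAME [Classification: C]
 *    [Priority: 1]: {TCP} 1.2.3.4:1234 -> 5.6.7.8:80"
 * Each recognised token sets a bit in opt.parser; flex_snort() accepts the
 * line only when every required bit is present.  Log lines are untrusted
 * input, so every field is bounded here or validated by convert_ip().
 *
 * NOTE(review): the system header names were lost in the archive dump this
 * listing was taken from; the list below was reconstructed from the symbols
 * used in this file.  Compare with the original before relying on it.
 */

%option prefix="snort"
%option outfile="snort.c"
%option noyywrap

%{
#define YY_NO_INPUT

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "main.h"
#include "utils.h"

extern struct options opt;

void snort_parse_date(char *input);
void snort_parse_branch(char *input);
void snort_parse_ip(char *input, unsigned char mode);
%}

MONTH	"Jan"|"Feb"|"Mar"|"Apr"|"May"|"Jun"|"Jul"|"Aug"|"Sep"|"Oct"|"Nov"|"Dec"
STRING	[a-zA-Z0-9._-]*
STRING2	[ -Z\\^-~]*
STRING3	[a-zA-Z(][ a-zA-Z0-9()/._-]*[a-zA-Z)]
LOGHOST	[0-9.a-zA-Z()_:-]*
DIGIT	[0-9]
NUMBER	{DIGIT}+
OCTET	{DIGIT}{1,3}
PORT	{DIGIT}{1,5}
PROTO	"TCP"|"UDP"|"ICMP"

%%

{MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST}	snort_parse_date(snorttext);
"snort: "	/* ignore */
"snort["{NUMBER}"]: "	/* ignore */
"["{NUMBER}":"{NUMBER}":"{DIGIT}"]"	/* ignore */
{STRING3}	xstrncpy(opt.line->chainlabel, snorttext, SHORTLEN); opt.parser=opt.parser|SNORT_CHAIN;
"[Classification: "{STRING2}"]"	snort_parse_branch(snorttext+17);
"[Priority: "{DIGIT}"]:"	/* ignore */
"{"{PROTO}"}"[ ]{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}	snort_parse_ip(snorttext+1, SNORT_OPT_SRC);
"{"{PROTO}"}"[ ]{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}":"{PORT}	snort_parse_ip(snorttext+1, SNORT_OPT_SRC|SNORT_OPT_PORT);
"-> "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}	snort_parse_ip(snorttext, SNORT_OPT_DST);
"-> "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}":"{PORT}	snort_parse_ip(snorttext, SNORT_OPT_DST|SNORT_OPT_PORT);
"spp_portscan: ".*	opt.parser=SNORT_NO_HIT;
"spp_stream4: ".*	opt.parser=SNORT_NO_HIT;
[ ]+	/* ignore whitespace */
[\n]	/* ignore */
{STRING}	if(opt.verbose) fprintf(stderr, "Unrecognized token: %s\n", snorttext);
.	if(opt.verbose) fprintf(stderr, "Unrecognized character: %s\n", snorttext);

%%

/*
 * Parse the syslog timestamp and log host ("Mar  1 12:00:00 host") and set
 * SNORT_DATE.  NOTE(review): "%32s" stores up to 33 bytes; the size of
 * opt.line->hostname is declared in main.h, not visible here - confirm it
 * is at least 33.
 */
void snort_parse_date(char *input)
{
  int retval, day, hour, minute, second;
  char smonth[4];

  retval = sscanf(input, "%3s %2d %2d:%2d:%2d %32s", smonth, &day, &hour, &minute, &second, opt.line->hostname);
  if (retval != 6)
    return;

  build_time(smonth, day, hour, minute, second);
  opt.parser = opt.parser | SNORT_DATE;
}

/*
 * Store the text of "[Classification: ...]" (input points just past the
 * prefix) as branch name and set SNORT_BRANCH.  The rule guarantees a
 * closing ']', but the lookup is still checked rather than dereferenced
 * blindly.
 */
void snort_parse_branch(char *input)
{
  char *ptr;

  ptr = strchr(input, ']');
  if (ptr == NULL)
    return;
  *ptr = '\0';
  xstrncpy(opt.line->branchname, input, SHORTLEN);
  opt.parser = opt.parser | SNORT_BRANCH;
}

/*
 * Parse "{PROTO} a.b.c.d[:port]" (mode SNORT_OPT_SRC, input just past the
 * '{') or "-> a.b.c.d[:port]" (mode SNORT_OPT_DST).  Sets the protocol
 * number and SNORT_PROTO for the source form, and SNORT_SRC/SNORT_DST once
 * convert_ip() has accepted the address.
 *
 * NOTE(review): both the source and the destination port are written to
 * opt.line->sport, as in the original; whether the destination port should
 * go to a separate field cannot be decided without main.h - verify.
 */
void snort_parse_ip(char *input, unsigned char mode)
{
  char ip[IPLEN];
  int retval, host1, host2, host3, host4;

  if ((mode & SNORT_OPT_SRC) != 0) {
    /* "%7s": the field width excludes the NUL, so proto[8] needs at most 7 */
    char proto[8];

    if ((mode & SNORT_OPT_PORT) != 0) {
      retval = sscanf(input, "%7s %3d.%3d.%3d.%3d:%5d", proto, &host1, &host2, &host3, &host4, &opt.line->sport);
      if (retval != 6)
        return;
    } else {
      retval = sscanf(input, "%7s %3d.%3d.%3d.%3d", proto, &host1, &host2, &host3, &host4);
      if (retval != 5)
        return;
    }

    if (strncmp(proto, "TCP", 3) == 0)
      opt.line->protocol = 6;
    else if (strncmp(proto, "UDP", 3) == 0)
      opt.line->protocol = 17;
    else if (strncmp(proto, "ICMP", 4) == 0)
      opt.line->protocol = 1;
    if (opt.line->protocol != 0)
      opt.parser = opt.parser | SNORT_PROTO;
  } else if ((mode & SNORT_OPT_DST) != 0) {
    if ((mode & SNORT_OPT_PORT) != 0) {
      retval = sscanf(input, "-> %3d.%3d.%3d.%3d:%5d", &host1, &host2, &host3, &host4, &opt.line->sport);
      if (retval != 5)
        return;
    } else {
      retval = sscanf(input, "-> %3d.%3d.%3d.%3d", &host1, &host2, &host3, &host4);
      if (retval != 4)
        return;
    }
  } else {
    return;
  }

  /* re-assemble and let convert_ip() reject out-of-range octets */
  snprintf(ip, IPLEN, "%d.%d.%d.%d", host1, host2, host3, host4);
  if ((mode & SNORT_OPT_SRC) != 0) {
    if (convert_ip(ip, &opt.line->shost) == IN_ADDR_ERROR)
      return;
    opt.parser = opt.parser | SNORT_SRC;
  } else if ((mode & SNORT_OPT_DST) != 0) {
    if (convert_ip(ip, &opt.line->dhost) == IN_ADDR_ERROR)
      return;
    opt.parser = opt.parser | SNORT_DST;
  }
}

/*
 * Entry point: scan one log line (linenum for diagnostics) into opt.line.
 * Returns PARSE_NO_HIT for preprocessor messages, PARSE_OK when date,
 * chain, branch, protocol, source and destination were all found, and
 * PARSE_WRONG_FORMAT otherwise.
 */
unsigned char flex_snort(char *input, int linenum)
{
  opt.parser = 0;
  init_line();

  snort_scan_string(input);
  snortlex();
  snort_delete_buffer(YY_CURRENT_BUFFER);

  xstrncpy(opt.line->interface, "-", SHORTLEN);
  opt.line->count = 1;

  if (opt.parser & SNORT_NO_HIT)
    return PARSE_NO_HIT;

  if (opt.parser == (SNORT_DATE | SNORT_CHAIN | SNORT_BRANCH | SNORT_PROTO | SNORT_SRC | SNORT_DST))
    return PARSE_OK;

  if (opt.verbose)
    fprintf(stderr, "snort parse error in line %d, ignoring.\n", linenum);
  if (opt.verbose == 2)
    fprintf(stderr, "input was: \"%s\"\n", input);
  return PARSE_WRONG_FORMAT;
}
fwlogwatch-1.2/ChangeLog0000644000076400001440000001573011454321551013635 0ustar bwusers
$Id: ChangeLog 710 2010-10-10 11:28:41Z bw $

Version 1.2 2010-10-10
- Extended netfilter and Cisco PIX/ASA parsers
- Removed interactive reporting mode
- Removed Windows XP firewall log parser
- Large amounts of fixes

Version 1.1 2006-04-17
- Several parser modifications triggered by log submissions
- Added GNU adns support
- Various small fixes

Version 1.0 2004-04-25
- Made status page interactive
- Added dynamic memory allocation and fixed memory leaks
- Added basic ipfw and fwsm support
- Added stateful start to realtime response mode
- Added command line option to set report title
- Added port number to -X option
- Added CIDR support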
for host inclusion/exclusion - Created web page for submission of unrecognized entries - Updated HTML DTD to XHTML 1.1 - Updated CSS and inverted the color scheme - Small parser improvements - Various small fixes Version 0.9.3 2003-06-23 - Added inclusion/exclusion functions to the command line - Added external stylesheet embedding in realtime response mode - All html colors are done with css styles now - Unified some output functions, small cleanups - Small parser improvements - Various small fixes Version 0.9.2 2003-04-08 - Fixed problems with multiple input file support, whois resolver and status web server page reload Version 0.9.1 2003-03-22 - Added multiple input file support - Various small fixes Version 0.9 2002-08-20 - Added NetScreen support - Added basic PIX version 6 support to Cisco PIX parser - Added Elsa Lancom support contributed by Mirko Zeibig - Added -M (maximum) option as suggested by Bram Vandoren - Added php frontend (rewrite of a script by Kyle Amon) - Added IPv6 support to status web server - Various small fixes Version 0.8.1 2002-05-15 - Modified several output functions to improve portability Version 0.8 2002-05-08 - Added Snort support - Added support for sending summaries by email (-T option) - Made zlib and gettext support compile time options (-V shows options used) - Changes in the parsers and CIDR code - Various small fixes Version 0.7.1 2002-04-04 was not officially released Version 0.7 2002-03-27 - Several realtime response improvements - Added support for configuration changes while running - Added support for include files in configuration files - Status page can be sorted and supports the at_least option - SIGUSR1 reopens the log file, SIGHUP rereads the configuration file - Documentation was updated - HTML output now mostly uses inline CSS for colors and fonts - Added support for external stylesheets and basic HTML color names - The default configuration file is not parsed anymore if an alternative configuration file is 
specified
- Rewrote parts of the ipfilter parser to support resolved IP addresses in logs
- Various small fixes

Version 0.6 2002-02-24
- Added chain and branch selection/exclusion options
- Added Windows XP firewall log parser
- Added option to drop privileges when running as daemon
- Added traditional chinese translation (the existing is simplified chinese)
- Various small fixes

Version 0.5.2 2002-01-27
- Added 'title' option: The title of the summary and the realtime response status page can be customized in the configuration file
- Added -e option: 'show end times', -t now only shows start times
- Added -N option: 'resolve service names' is a new option and off by default now
- Added swedish translation
- I18n adjustments, small fixes

Version 0.5.1 2001-11-18
- Various fixes: whois code, mode selection, endianness problems, realtime response with destination/port distinction, forward chain blocking for iptables, international encoding, portability
- Added chinese and portuguese translations

Version 0.5 2001-10-11
- Added internationalization support with german as first language
- Added support for input from stdin in all modes
- Added options to specify paths for notifications and response scripts
- Made the check for correct ipchains rules a config file option
- Modified realtime response reaction behaviour when attacker insists
- Added display of selected parser options in realtime response status page
- Added automatic refresh of realtime response status page
- FreeBSD portability fixes
- Various small fixes

Version 0.4 2001-08-19
- Added whois information lookup
- Added sorting by end time
- Changed pid file handling
- Renamed and introduced new listen_to option (bind_to)
- Implemented SIGHUP handling (e.g.
for log rotation) - Updated CGI scripts - Added init script for redhat linux - Various small fixes Version 0.3.1 2001-05-25 - Rewrote netfilter prefix parsing code - Made long list/chain/branch/interface names the default - Fixed a sorting stability problem - OpenBSD portability changes - Various small fixes Version 0.3 2001-04-08 - Rewrote realtime response mode to use external scripts for notifications and responses - Added a first version of Cisco PIX parser - Added 'last message repeated' handling code - Unrecognized text is now only displayed in verbose mode Version 0.2.1 2001-03-09 - Added compressed input file support - Added total packet length sum option - Added support for long chain/branch/interface names - Modified time output (summary shows times of packet log entries, log times mode shows times of all entries) - Various small fixes and cleanups Version 0.2 2001-02-10 - Added ipfilter support - Added host and port selection/exclusion support - Added support for parser selection - Realtime response mode is available also in non-ipchains and non-root environments now - Various small fixes Version 0.1.3 2001-01-22 - Replaced the sorting algorithm with a stunningly fast linked list mergesort - Added two more sorting modes - Added PID file for realtime response mode - Added CIDR notation support to known host feature Version 0.1.2 2001-01-16 - Fixed some remaining problems in realtime response mode Version 0.1.1 2001-01-12 - Various small fixes Version 0.1 2001-01-07 - Rewrote IP Address handling code - Small parser and output extensions - Added mode collision detection - Fixed time calculation problem and warp detection Version 0.0.28 2000-12-26 - Rewrote ipchains parser (converted to flex) - Added support for Cisco uptime log format Version 0.0.27 2000-12-08 - Solaris portability patches - Added at_least option Version 0.0.26 2000-11-11 - Added basic Cisco support - Various small fixes Version 0.0.25 2000-11-06 - Added basic netfilter support - Several 
internal optimizations - Various small fixes Version 0.0.24 2000-11-01 - Extended the man page and added some options to the command line that were available only in the configuration file - Various fixes and code cleanups - Improved web interface Version 0.0.23 2000-10-27 - Colors of the HTML output can be changed in the configuration file - Multiple actions can be combined in realtime response mode - Added mail notification option to realtime response mode - Added sort order options - Added daemon status display through own web server Version 0.0.22 2000-10-23 - Better sample configuration - Improved CGI demos - Various small fixes Version 0.0.21 2000-10-22 - Initial public release fwlogwatch-1.2/netfilter.h0000644000076400001440000000032011453062534014217 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: netfilter.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _NETFILTER_H #define _NETFILTER_H unsigned char flex_netfilter(char *input, int linenum); #endif fwlogwatch-1.2/output.c0000644000076400001440000002741111453062534013570 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: output.c 706 2010-10-06 12:02:36Z bw $ */ #include #include #include #include #include #include #include #include #include #include "output.h" #include "resolve.h" #include "utils.h" #include "whois.h" extern struct options opt; extern struct conn_data *first; void output_timediff(time_t start, time_t end, char *td) { time_t diff; int part; char tmp[4]; diff = end - start; if (diff <= 0) { snprintf(td, 2, "-"); return; } part = diff / 86400; /* days */ snprintf(td, TIMESIZE, "%02d:", part); diff = diff % 86400; part = diff / 3600; /* hours */ snprintf(tmp, 4, "%02d:", part); strncat(td, tmp, 4); diff = diff % 3600; part = diff / 60; /* minutes */ snprintf(tmp, 4, "%02d:", part); strncat(td, tmp, 4); part = diff % 60; /* seconds */ snprintf(tmp, 3, "%02d", part); strncat(td, tmp, 3); } void output_tcp_opts(struct conn_data *input, char *buf) { if 
((input->flags & (TCP_ACK | TCP_FIN | TCP_RST | TCP_PSH | TCP_URG)) != 0) { if (input->flags & TCP_SYN) { strcpy(buf, "s"); } else { strcpy(buf, "-"); } if (input->flags & TCP_ACK) { strcat(buf, "a"); } else { strcat(buf, "-"); } if (input->flags & TCP_FIN) { strcat(buf, "f"); } else { strcat(buf, "-"); } if (input->flags & TCP_RST) { strcat(buf, "r"); } else { strcat(buf, "-"); } if (input->flags & TCP_PSH) { strcat(buf, "p"); } else { strcat(buf, "-"); } if (input->flags & TCP_URG) { strcat(buf, "u"); } else { strcat(buf, "-"); } } else { if (input->flags & TCP_SYN) { strcpy(buf, "SYN"); } else { strcpy(buf, "-"); } } } void output_html_entry(struct conn_data *input, FILE * fd) { char *proto = NULL, time[TIMESIZE], buf[HOSTLEN]; if (opt.html == 2) { fprintf(fd, "", opt.html); } else { fprintf(fd, "", opt.html); } fprintf(fd, "%d", input->count); if (opt.stimes) { strftime(time, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&input->start_time)); fprintf(fd, "%s", time); } if (opt.etimes) { fprintf(fd, ""); if (input->end_time != 0) { strftime(time, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&input->end_time)); fprintf(fd, "%s", time); } else { fprintf(fd, "-"); } } if (opt.duration) { output_timediff(input->start_time, input->end_time, time); fprintf(fd, "%s", time); } if (opt.loghost) fprintf(fd, "%s", input->hostname); if (opt.chains) fprintf(fd, "%s", input->chainlabel); if (opt.branches) fprintf(fd, "%s", input->branchname); if (opt.ifs) fprintf(fd, "%s", input->interface); if (opt.proto) { proto = resolve_protocol(input->protocol); fprintf(fd, "%s", proto); } if (opt.datalen) fprintf(fd, "%lu", input->datalen); if (opt.src_ip) { fprintf(fd, "%s", inet_ntoa(input->shost)); if (opt.resolve) fprintf(fd, "%s", resolve_hostname(input->shost)); if (opt.whois_lookup) { struct whois_entry *we; we = whois(input->shost); if (we != NULL) { snprintf(buf, HOSTLEN, "%s %s AS%d %s", we->ip_route, we->ip_descr, we->as_number, we->as_descr); } else { snprintf(buf, HOSTLEN, "-"); } 
fprintf(fd, "%s", buf); } } if (opt.src_port) { fprintf(fd, "%d", input->sport); if (opt.sresolve) fprintf(fd, "%s", resolve_service(input->sport, proto)); } if (opt.dst_ip) { fprintf(fd, "%s", inet_ntoa(input->dhost)); if (opt.resolve) fprintf(fd, "%s", resolve_hostname(input->dhost)); } if (opt.dst_port) { fprintf(fd, "%d", input->dport); if (opt.sresolve) fprintf(fd, "%s", resolve_service(input->dport, proto)); } if (opt.opts) { output_tcp_opts(input, buf); fprintf(fd, "%s", buf); } fprintf(fd, "\n"); } void output_text_entry(struct conn_data *input, FILE * fd) { char *proto, time[TIMESIZE], buf[HOSTLEN]; unsigned char first = 1; if (opt.stimes) { strftime(time, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&input->start_time)); fprintf(fd, "%s", time); first = 0; } if (opt.etimes) { if (!first) fprintf(fd, _(" to ")); if (input->end_time != 0) { strftime(time, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&input->end_time)); fprintf(fd, "%s", time); } else { fprintf(fd, "-"); } first = 0; } if (opt.duration) { if (!first) fprintf(fd, " "); output_timediff(input->start_time, input->end_time, time); fprintf(fd, "%s", time); first = 0; } if (opt.loghost) { if (!first) fprintf(fd, " "); fprintf(fd, "%s", input->hostname); first = 0; } if (opt.chains) { if (!first) fprintf(fd, " "); fprintf(fd, "%s", input->chainlabel); first = 0; } if (opt.branches) { if (!first) fprintf(fd, " "); fprintf(fd, "%s", input->branchname); first = 0; } if (opt.ifs) { if (!first) fprintf(fd, " "); fprintf(fd, "%s", input->interface); first = 0; } if (!first) fprintf(fd, " "); fprintf(fd, "%d", input->count); proto = resolve_protocol(input->protocol); if (opt.proto) fprintf(fd, " %s", proto); if (input->count == 1) { fprintf(fd, _(" packet")); } else { fprintf(fd, _(" packets")); } if (opt.datalen) fprintf(fd, _(" (%lu bytes)"), input->datalen); if (opt.src_ip) { fprintf(fd, _(" from %s"), inet_ntoa(input->shost)); if (opt.resolve) fprintf(fd, " (%s)", resolve_hostname(input->shost)); if 
(opt.whois_lookup) { struct whois_entry *we; we = whois(input->shost); if (we != NULL) { snprintf(buf, HOSTLEN, "%s %s AS%d %s", we->ip_route, we->ip_descr, we->as_number, we->as_descr); } else { snprintf(buf, HOSTLEN, "-"); } fprintf(fd, " [%s]", buf); } } if (opt.src_port) { fprintf(fd, _(" port %d"), input->sport); if (opt.sresolve) fprintf(fd, " (%s)", resolve_service(input->sport, proto)); } if (opt.dst_ip) { fprintf(fd, _(" to %s"), inet_ntoa(input->dhost)); if (opt.resolve) { fprintf(fd, " (%s)", resolve_hostname(input->dhost)); } } if (opt.dst_port) { fprintf(fd, _(" port %d"), input->dport); if (opt.sresolve) fprintf(fd, " (%s)", resolve_service(input->dport, proto)); } if (opt.opts) { output_tcp_opts(input, buf); fprintf(fd, " %s", buf); } fprintf(fd, "\n"); } void output_html_table(FILE * fd) { fprintf(fd, "

\n"); fprintf(fd, "\n"); fprintf(fd, ""); if (opt.stimes) fprintf(fd, _("")); if (opt.etimes) fprintf(fd, _("")); if (opt.duration) fprintf(fd, _("")); if (opt.loghost) fprintf(fd, _("")); if (opt.chains) fprintf(fd, _("")); if (opt.branches) fprintf(fd, _("")); if (opt.ifs) fprintf(fd, _("")); if (opt.proto) fprintf(fd, _("")); if (opt.datalen) fprintf(fd, _("")); if (opt.src_ip) { fprintf(fd, _("")); if (opt.resolve) fprintf(fd, _("")); if (opt.whois_lookup) fprintf(fd, _("")); } if (opt.src_port) { fprintf(fd, _("")); if (opt.sresolve) fprintf(fd, _("")); } if (opt.dst_ip) { fprintf(fd, _("")); if (opt.resolve) fprintf(fd, _("")); } if (opt.dst_port) { fprintf(fd, _("")); if (opt.sresolve) fprintf(fd, _("")); } if (opt.opts) fprintf(fd, _("")); fprintf(fd, "\n"); } void output_html_header(int fd) { char nows[TIMESIZE]; time_t now; fdprintf(fd, "\n"); fdprintf(fd, "\n"); fdprintf(fd, "\n"); now = time(NULL); strftime(nows, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&now)); fdprintf(fd, "\n%s - %s\n", opt.title, nows); fdprintf(fd, "\n"); fdprintf(fd, "\n"); if ((opt.mode == REALTIME_RESPONSE) && (opt.refresh > 0)) { fdprintf(fd, "\n", opt.refresh); } if (opt.stylesheet[0] != '\0') { if ((opt.mode != REALTIME_RESPONSE) || (strncmp(opt.stylesheet, "http", 4) == 0)) { fdprintf(fd, "\n", opt.stylesheet); } else { char buf[BUFSIZE]; FILE *cssfd; int retval; cssfd = fopen(opt.stylesheet, "r"); if (cssfd == NULL) { syslog(LOG_NOTICE, "fopen %s: %s", opt.stylesheet, strerror(errno)); } else { fdprintf(fd, "\n"); retval = fclose(cssfd); if (retval == EOF) syslog(LOG_NOTICE, "fclose %s: %s", opt.stylesheet, strerror(errno)); } } } else { fdprintf(fd, "\n"); } fdprintf(fd, "\n\n"); fdprintf(fd, "

%s

\n", opt.title); } void output_html_footer(int fd) { fdprintf(fd, "

%s %s © %s

\n", PACKAGE, VERSION, COPYRIGHT); fdprintf(fd, "\n\n"); }

/*
 * Write connection records to stdout, one semicolon-separated line per
 * iteration, in the field order
 *   count;start_time;end_time;hostname;chainlabel;branchname;interface;
 *   protocol;shost;sport;dhost;dport;flags
 * The two IP addresses are printed as host-order integers (ntohl), not
 * as dotted quads.
 *
 * The three printf variants differ only in format specifiers: the
 * FreeBSD build prints the ntohl() results with %ld, the OpenBSD build
 * prints the time fields with %d; the field list is the same in all
 * three.
 *
 * NOTE(review): the loop walks the list headed by the global `first`
 * via `this`, but every iteration prints the fields of the `input`
 * parameter, so a single record is repeated once per list node.  Either
 * `input` was meant to be `this`, or the loop is a leftover and one
 * record per call was intended -- confirm against the caller before
 * changing it.
 *
 * NOTE(review): hostname, chainlabel, branchname and interface are
 * strings taken from the parsed log line and are written with %s
 * without quoting or escaping; a value containing ';' or a newline
 * would corrupt the record format for anything consuming this output.
 */
void output_raw_data(struct conn_data *input)
{
  struct conn_data *this;

  this = first;
  while (this != NULL) {
#ifndef __OpenBSD__
#ifndef __FreeBSD__
    /* Default (Linux/Solaris) specifiers. */
    printf("%d;%ld;%ld;" "%s;%s;%s;" "%s;%d;" "%u;%d;" "%u;%d;" "%d\n",
           input->count, input->start_time, input->end_time,
           input->hostname, input->chainlabel, input->branchname,
           input->interface, input->protocol,
           ntohl(input->shost.s_addr), input->sport,
           ntohl(input->dhost.s_addr), input->dport,
           input->flags);
#else
    /* FreeBSD: ntohl() results printed with %ld. */
    printf("%d;%ld;%ld;" "%s;%s;%s;" "%s;%d;" "%ld;%d;" "%ld;%d;" "%d\n",
           input->count, input->start_time, input->end_time,
           input->hostname, input->chainlabel, input->branchname,
           input->interface, input->protocol,
           ntohl(input->shost.s_addr), input->sport,
           ntohl(input->dhost.s_addr), input->dport,
           input->flags);
#endif
#else
    /* OpenBSD: time fields printed with %d. */
    printf("%d;%d;%d;" "%s;%s;%s;" "%s;%d;" "%u;%d;" "%u;%d;" "%d\n",
           input->count, input->start_time, input->end_time,
           input->hostname, input->chainlabel, input->branchname,
           input->interface, input->protocol,
           ntohl(input->shost.s_addr), input->sport,
           ntohl(input->dhost.s_addr), input->dport,
           input->flags);
#endif
    this = this->next;
  }
}
fwlogwatch-1.2/netscreen.h0000644000076400001440000000032011453062534014211 0ustar bwusers
/* Copyright (C) 2000-2010 Boris Wesslowski */
/* $Id: netscreen.h 706 2010-10-06 12:02:36Z bw $ */

#ifndef _NETSCREEN_H
#define _NETSCREEN_H

/* Entry point of the flex-generated NetScreen log parser. */
unsigned char flex_netscreen(char *input, int linenum);

#endif
fwlogwatch-1.2/fwlogwatch.spec0000644000076400001440000000517711454321551015110 0ustar bwusers
# Copyright (C) 2000-2010 Boris Wesslowski
# $Id: fwlogwatch.spec 710 2010-10-10 11:28:41Z bw $

Name: fwlogwatch
Version: 1.2
Release: 1
Group: Productivity/Networking/Security
Vendor: Boris Wesslowski
URL: http://fwlogwatch.inside-security.de/
License: GPL
Summary: Firewall log analyzer, report generator and realtime response agent
Source: %{name}-%{version}.tar.gz
BuildRequires(build): flex
BuildRoot: 
%_tmppath/%{name}-%{version}-buildroot %description fwlogwatch produces Linux ipchains, Linux netfilter/iptables, Solaris/BSD/Irix/HP-UX ipfilter, Cisco IOS, Cisco PIX/ASA, NetScreen, Elsa Lancom router and Snort IDS log summary reports in plain text and HTML form and has a lot of options to analyze and display relevant patterns. It also can run as daemon (with web interface) doing realtime log monitoring and reporting anomalies or starting attack countermeasures. %prep %setup %build %__make %install %__install -d "${RPM_BUILD_ROOT}%{_sbindir}" %__install -d "${RPM_BUILD_ROOT}%{_sysconfdir}/rc.d/init.d" %__install -d "${RPM_BUILD_ROOT}%{_mandir}/man8" %__install -d "${RPM_BUILD_ROOT}%{_datadir}/locale/de/LC_MESSAGES" %__install -d "${RPM_BUILD_ROOT}%{_datadir}/locale/ja/LC_MESSAGES" %__install -d "${RPM_BUILD_ROOT}%{_datadir}/locale/pt/LC_MESSAGES" %__install -d "${RPM_BUILD_ROOT}%{_datadir}/locale/sv/LC_MESSAGES" %__install -d "${RPM_BUILD_ROOT}%{_datadir}/locale/zh_CN/LC_MESSAGES" %__install -d "${RPM_BUILD_ROOT}%{_datadir}/locale/zh_TW/LC_MESSAGES" %__make install INSTALL_DIR="${RPM_BUILD_ROOT}%{_prefix}" %__make install-config CONF_DIR="${RPM_BUILD_ROOT}%{_sysconfdir}" %__make install-i18n LOCALE_DIR="${RPM_BUILD_ROOT}%{_prefix}" %__make install-rhinit CONF_DIR="${RPM_BUILD_ROOT}%{_sysconfdir}" %clean [ -n "${RPM_BUILD_ROOT}" ] && %__rm -rf "${RPM_BUILD_ROOT}" ( cd "${RPM_BUILD_DIR}" && %__rm -rf "%{name}-%{version}" ) %preun %stop_on_removal %postun %insserv_cleanup %files %defattr(-,root,root) %doc AUTHORS COPYING CREDITS ChangeLog README %doc contrib/fwlogsummary.cgi contrib/fwlogsummary_small.cgi %doc contrib/fwlogwatch.php %config(noreplace) %{_sysconfdir}/fwlogwatch.config %config(noreplace) %{_sysconfdir}/rc.d/init.d/fwlogwatch %config(noreplace) %{_sbindir}/fwlw_notify %config(noreplace) %{_sbindir}/fwlw_respond %{_sbindir}/fwlogwatch %{_mandir}/man8/fwlogwatch.8.gz %lang(de) %{_datadir}/locale/de/LC_MESSAGES/fwlogwatch.mo %lang(ja) 
%{_datadir}/locale/ja/LC_MESSAGES/fwlogwatch.mo %lang(pt) %{_datadir}/locale/pt/LC_MESSAGES/fwlogwatch.mo %lang(sv) %{_datadir}/locale/sv/LC_MESSAGES/fwlogwatch.mo %lang(zh_CN) %{_datadir}/locale/zh_CN/LC_MESSAGES/fwlogwatch.mo %lang(zh_TW) %{_datadir}/locale/zh_TW/LC_MESSAGES/fwlogwatch.mo fwlogwatch-1.2/lancom.h0000644000076400001440000000027711453062534013507 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: lancom.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _LANCOM_H #define _LANCOM_H unsigned char lancom(char *input, int linenum); #endif fwlogwatch-1.2/parser.c0000644000076400001440000001615011453062534013522 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: parser.c 706 2010-10-06 12:02:36Z bw $ */ #include #include #include #include #include #include #include #include "compare.h" #include "cisco_ios.h" #include "cisco_pix.h" #include "ipchains.h" #include "ipfilter.h" #include "ipfw.h" #include "netfilter.h" #include "snort.h" #include "netscreen.h" #include "lancom.h" struct parser_options *excluded_first; extern struct options opt; unsigned char parse_line(char *input, int linenum) { unsigned char retval; char *pnt; pnt = strstr(input, " last message repeated "); if (pnt != NULL) { if (opt.repeated == 1) { char month[4], time[9], name[SHOSTLEN], rest[BUFSIZE]; unsigned int day; if (sscanf(input, "%3s %u %8s %" SHOSTLEN_S "s %" BUFSIZE_S "s", month, &day, time, name, rest) == 5) { if (strncmp(opt.line->hostname, name, SHOSTLEN) == 0) { opt.line->count = opt.orig_count * atoi(pnt + 23); build_list(); if (opt.verbose == 2) fprintf(stderr, "r"); return PARSE_OK; } } if (opt.verbose == 2) fprintf(stderr, "_"); return PARSE_NO_HIT; } } if ((opt.format & PARSER_IPCHAINS) && (strstr(input, " kernel: Packet log: "))) { /* For ipchains log format see (in kernel 2.2 source) */ /* /usr/src/linux/net/ipv4/ip_fw.c */ retval = flex_ipchains(input, linenum); } else if ((opt.format & PARSER_NETFILTER) && (strstr(input, " OUT="))) { /* 
For netfilter log format see (in kernel 2.4 source) */ /* /usr/src/linux/net/ipv4/netfilter/ipt_LOG.c */ retval = flex_netfilter(input, linenum); } else if ((opt.format & PARSER_CISCO_IOS) && (strstr(input, "%SEC-6-IPACCESSLOG"))) { /* For cisco log format see CCO */ retval = flex_cisco_ios(input, linenum); } else if ((opt.format & PARSER_IPFILTER) && (strstr(input, " ipmon"))) { /* For ipfilter log format see the source */ /* http://coombs.anu.edu.au/~avalon/ */ retval = flex_ipfilter(input, linenum); } else if ((opt.format & PARSER_IPFW) && (strstr(input, " ipfw: "))) { retval = flex_ipfw(input, linenum); } else if ((opt.format & PARSER_CISCO_PIX) && (strstr(input, "%PIX-") || strstr(input, "%FWSM-") || strstr(input, "%ASA-"))) { /* For cisco log format see CCO */ retval = flex_cisco_pix(input, linenum); } else if ((opt.format & PARSER_NETSCREEN) && (strstr(input, " NetScreen "))) { retval = flex_netscreen(input, linenum); } else if ((opt.format & PARSER_LANCOM) && (strstr(input, " PACKET_ALERT: "))) { retval = lancom(input, linenum); } else if ((opt.format & PARSER_SNORT) && (strstr(input, " snort"))) { retval = flex_snort(input, linenum); } else { retval = PARSE_NO_HIT; } if (retval == PARSE_NO_HIT) { if (opt.verbose == 2) fprintf(stderr, "_"); return PARSE_NO_HIT; } if (opt.recent != 0) { if ((opt.now - opt.line->time) > opt.recent) { if (opt.verbose == 2) { fprintf(stderr, "o"); } return PARSE_TOO_OLD; } } if (retval == PARSE_OK) { { struct parser_options *excluded_this; unsigned char match = P_MATCH_NONE, include_rules_exist = 0; excluded_this = excluded_first; while (excluded_this != NULL) { if ((match != P_MATCH_EXC) && (excluded_this->mode & PARSER_MODE_HOST) != 0) { if ((excluded_this->mode & PARSER_MODE_SRC) != 0) { if ((opt.line->shost.s_addr & excluded_this->netmask.s_addr) == excluded_this->value) { if ((excluded_this->mode & PARSER_MODE_NOT) != 0) { match = P_MATCH_EXC; } else { match = P_MATCH_INC; } } } else { if ((opt.line->dhost.s_addr & 
excluded_this->netmask.s_addr) == excluded_this->value) { if ((excluded_this->mode & PARSER_MODE_NOT) != 0) { match = P_MATCH_EXC; } else { match = P_MATCH_INC; } } } } if ((match != P_MATCH_EXC) && (excluded_this->mode & PARSER_MODE_PORT) != 0) { if ((excluded_this->mode & PARSER_MODE_SRC) != 0) { if ((unsigned long int) opt.line->sport == excluded_this->value) { if ((excluded_this->mode & PARSER_MODE_NOT) != 0) { match = P_MATCH_EXC; } else { match = P_MATCH_INC; } } } else { if ((unsigned long int) opt.line->dport == excluded_this->value) { if ((excluded_this->mode & PARSER_MODE_NOT) != 0) { match = P_MATCH_EXC; } else { match = P_MATCH_INC; } } } } if ((match != P_MATCH_EXC) && (excluded_this->mode & PARSER_MODE_CHAIN) != 0) { if (strcmp(opt.line->chainlabel, excluded_this->svalue) == 0) { if ((excluded_this->mode & PARSER_MODE_NOT) != 0) { match = P_MATCH_EXC; } else { match = P_MATCH_INC; } } } if ((match != P_MATCH_EXC) && (excluded_this->mode & PARSER_MODE_BRANCH) != 0) { if (strcmp(opt.line->branchname, excluded_this->svalue) == 0) { if ((excluded_this->mode & PARSER_MODE_NOT) != 0) { match = P_MATCH_EXC; } else { match = P_MATCH_INC; } } } if ((include_rules_exist == 0) && (excluded_this->mode & PARSER_MODE_NOT) == 0) include_rules_exist++; excluded_this = excluded_this->next; } if ((match == P_MATCH_NONE) && (include_rules_exist)) match = P_MATCH_EXC; if (match == P_MATCH_EXC) { if (opt.verbose == 2) fprintf(stderr, "e"); return PARSE_EXCLUDED; } } opt.orig_count = opt.line->count; build_list(); if (opt.verbose == 2) fprintf(stderr, "."); } return retval; } int parse_time(char *input) { char *string, *pnt, c; int seconds; string = strdup(input); pnt = string; while (isdigit((int) *pnt)) { pnt++; } c = *pnt; if (c != '\0') { *pnt = '\0'; seconds = atoi(string); switch (c) { case 'm': seconds = seconds * 60; break; case 'h': seconds = seconds * 60 * 60; break; case 'd': seconds = seconds * 60 * 60 * 24; break; case 'w': seconds = seconds * 60 * 60 * 24 * 
7; break; case 'M': seconds = seconds * 60 * 60 * 24 * 30; break; case 'y': seconds = seconds * 60 * 60 * 24 * 365; break; } } else { seconds = atoi(string); } free(string); return seconds; } void select_parsers() { unsigned char i = 0; if (opt.format_sel[0] == '\0') { return; } else { opt.format = 0; while ((i < SHORTLEN) && (opt.format_sel[i] != '\0')) { switch (opt.format_sel[i]) { case 'i': opt.format = opt.format | PARSER_IPCHAINS; break; case 'n': opt.format = opt.format | PARSER_NETFILTER; break; case 'f': opt.format = opt.format | PARSER_IPFILTER; break; case 'c': opt.format = opt.format | PARSER_CISCO_IOS; break; case 'p': opt.format = opt.format | PARSER_CISCO_PIX; break; case 'e': opt.format = opt.format | PARSER_NETSCREEN; break; case 'l': opt.format = opt.format | PARSER_LANCOM; break; case 's': opt.format = opt.format | PARSER_SNORT; break; case 'b': opt.format = opt.format | PARSER_IPFW; break; default: fprintf(stderr, _("Unknown parser: '%c'.\n"), opt.format_sel[i]); exit(EXIT_FAILURE); } i++; } } } fwlogwatch-1.2/whois.h0000644000076400001440000000040011453062534013353 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: whois.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _WHOIS_H #define _WHOIS_H struct whois_entry *whois(struct in_addr ip); void whois_connect(const char *whois_server); void whois_close(void); #endif fwlogwatch-1.2/main.c0000644000076400001440000003034111453113361013143 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: main.c 709 2010-10-06 15:34:09Z bw $ */ #include #include #include #include #ifdef HAVE_GETTEXT #include #endif #include "main.h" #include "rcfile.h" #include "parser.h" #include "modes.h" #include "utils.h" struct options opt; extern char *optarg; void usage(char *me, unsigned char exitcode) { printf("%s %s (C) %s\n", PACKAGE, VERSION, COPYRIGHT); printf(_("Usage: %s [options] [input_files]\n"), me); printf(_("General options:\n")); printf(_(" -h this help\n")); printf(_(" -L show 
time of first and last log entry\n")); printf(_(" -V show version and copyright info\n")); printf("\n"); printf(_("Global options:\n")); printf(_(" -b show amount of data (sum of total packet lengths)\n")); printf(_(" -c specify config file (defaults to %s)\n"), RCFILE); printf(_(" -D do not differentiate destination IP addresses\n")); printf(_(" -d differentiate destination ports\n")); printf(_(" -E select or exclude hosts, ports, chains and targets\n")); printf(_(" quick reference: -E[ie][hp][sd]\n")); printf(_(" -E[ie][cb]\n")); printf(_(" -m only show entries with at least so many incidents\n")); printf(_(" -M only show this amount of entries\n")); printf(_(" -N resolve service names\n")); printf(_(" -n resolve host names\n")); printf(_(" -O define the sort order (see the man page for details)\n")); printf(_(" -P use parsers for specific formats (defaults to netfilter)\n")); printf(_(" i: ipchains, n: netfilter, f: ipfilter, c: cisco ios\n")); printf(_(" p: cisco pix, e: netscreen, l: lancom, s: snort, b: ipfw\n")); printf(_(" -p differentiate protocols\n")); printf(_(" -s differentiate source ports\n")); printf(_(" -U set report and status page title and email subject\n")); printf(_(" -v verbose, specify twice for more info\n")); printf(_(" -y differentiate TCP options\n")); printf("\n"); printf(_("Log summary mode (default):\n")); printf(_(" -C <email> carbon copy recipients\n")); printf(_(" -e show end times\n")); printf(_(" -F <email> report sender address (defaults to '%s')\n"), opt.sender); printf(_(" -l <time> process recent events only (defaults to off)\n")); printf(_(" -o <file> specify output file\n")); printf(_(" -S do not differentiate source IP addresses\n")); printf(_(" -T <email> send report by email to this address\n")); printf(_(" -t show start times\n")); printf(_(" -W activate whois lookups for source addresses\n")); printf(_(" -w HTML output\n")); printf(_(" -z show time interval\n")); printf("\n"); printf(_("Realtime response mode:\n")); 
printf(_(" -R realtime response as daemon (default action: log only)\n")); printf(_(" -a <count> alert threshold (defaults to %d entries)\n"), ALERT); printf(_(" -l <time> forget events this old (defaults to %d hours)\n"), FORGET / 3600); printf(_(" -k <IP/net> add this IP address or net to the list of known hosts\n")); printf(_(" -A invoke notification script if threshold is reached\n")); printf(_(" -B invoke response action script (e.g. block host)\n")); printf(_(" -X <port> activate internal status information web server\n")); printf("\n"); exit(exitcode); } void info() { /* GNU standards compatible program info */ printf("%s %s\n", PACKAGE, VERSION); puts("Copyright (C) 2000-2010 Boris Wesslowski"); puts(""); puts("This program is free software; you can redistribute it and/or modify"); puts("it under the terms of the GNU General Public License as published by"); puts("the Free Software Foundation; either version 2 of the License, or"); puts("(at your option) any later version."); puts(""); puts("This program is distributed in the hope that it will be useful,"); puts("but WITHOUT ANY WARRANTY; without even the implied warranty of"); puts("MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the"); puts("GNU General Public License for more details."); puts(""); puts("You should have received a copy of the GNU General Public License"); puts("along with this program; if not, write to the Free Software"); puts("Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA"); puts("\n"); puts(_("You can contact the author at <bw@inside-security.de>.")); puts("\n"); puts(_("Compile-time options of this version:")); printf(_("Short name limit ")); #ifdef SHORT_NAMES puts(_("enabled")); #else puts(_("disabled")); #endif printf(_("Zlib support ")); #ifdef HAVE_ZLIB puts(_("enabled")); #else puts(_("disabled")); #endif printf(_("Gettext (i18n) support ")); #ifdef HAVE_GETTEXT puts(_("enabled")); #else puts(_("disabled")); #endif printf(_("IPv6 support ")); #ifdef HAVE_IPV6 puts(_("enabled")); #else puts(_("disabled")); #endif printf(_("GNU adns support ")); #ifdef HAVE_ADNS puts(_("enabled")); #else puts(_("disabled")); #endif exit(EXIT_SUCCESS); } void init_options() { char *user, host[SHOSTLEN]; opt.mode = LOG_SUMMARY; opt.inputfd = NULL; opt.std_in = 0; opt.verbose = 0; opt.resolve = 0; opt.sresolve = 0; opt.whois_lookup = 0; opt.whois_sock = -1; xstrncpy(opt.rcfile, RCFILE, FILESIZE); opt.line = NULL; opt.format_sel[0] = '\0'; opt.format = PARSER_NETFILTER; opt.parser = 0; opt.repeated = 0; opt.orig_count = 0; opt.src_ip = 1; opt.dst_ip = 1; opt.proto = 0; opt.src_port = 0; opt.dst_port = 0; opt.opts = 0; opt.datalen = 0; opt.stimes = 0; opt.etimes = 0; opt.duration = 0; xstrncpy(opt.sort_order, SORTORDER, MAXSORTSIZE); opt.sortfield = 0; opt.sortmode = 0; opt.html = 0; opt.use_out = 0; opt.outputfile[0] = '\0'; opt.title[0] = '\0'; opt.stylesheet[0] = '\0'; xstrncpy(opt.textcol, TEXTCOLOR, COLORSIZE); xstrncpy(opt.bgcol, BGCOLOR, COLORSIZE); xstrncpy(opt.rowcol1, ROWCOLOR1, COLORSIZE); xstrncpy(opt.rowcol2, ROWCOLOR2, COLORSIZE); opt.loghost = 0; opt.hostname[0] = '\0'; opt.chains = 0; opt.chainlabel[0] = '\0'; opt.branches = 0; 
opt.branchname[0] = '\0'; opt.ifs = 0; opt.interface[0] = '\0'; opt.now = time(NULL); opt.recent = 0; opt.threshold = 0; opt.least = 1; opt.max = 0; opt.sender[0] = '\0'; opt.recipient[0] = '\0'; opt.cc[0] = '\0'; opt.response = OPT_LOG; opt.ipchains_check = 0; opt.pidfile[0] = '\0'; xstrncpy(opt.notify_script, FWLW_NOTIFY, FILESIZE); xstrncpy(opt.respond_script, FWLW_RESPOND, FILESIZE); opt.run_as[0] = '\0'; opt.status = STATUS_OFF; opt.stateful_start = 1; opt.sock = 0; xstrncpy(opt.listenif, LISTENIF, IP6LEN); opt.listenport = LISTENPORT; opt.listento[0] = '\0'; xstrncpy(opt.user, DEFAULT_USER, USERSIZE); xstrncpy(opt.password, DEFAULT_PASSWORD, PASSWORDSIZE); opt.refresh = 0; opt.webpage = 'i'; opt.global_id = 0; user = getenv("USER"); if (user == NULL) return; if (gethostname(host, SHOSTLEN) == -1) { perror("gethostname"); return; } snprintf(opt.sender, EMAILSIZE, "%s@%s", user, host); } int main(int argc, char **argv) { unsigned char alt_rcfile = 0, parser_mode; int iopt; init_options(); #ifdef HAVE_GETTEXT setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); #endif while ((iopt = getopt(argc, argv, "a:AbBc:C:dDeE:F:hi:I:k:l:Lm:M:nNo:O:pP:RsStT:U:vVwWX:yz")) != EOF) { switch (iopt) { case 'a': opt.threshold = atoi(optarg); break; case 'A': opt.response = opt.response | OPT_NOTIFY; break; case 'b': opt.datalen = 1; break; case 'B': opt.response = opt.response | OPT_RESPOND; break; case 'c': xstrncpy(opt.rcfile, optarg, FILESIZE); alt_rcfile = 1; break; case 'C': xstrncpy(opt.cc, optarg, EMAILSIZE); break; case 'd': opt.dst_port = 1; break; case 'D': opt.dst_ip = 0; break; case 'e': opt.etimes = 1; break; case 'E': if (optarg[0] == 'i') { parser_mode = PARSER_MODE_DEFAULT; } else if (optarg[0] == 'e') { parser_mode = PARSER_MODE_NOT; } else { fprintf(stderr, _("Illegal inclusion/exclusion pos. 
1 (expected [ie]): %s\n"), optarg); fprintf(stderr, _("Exiting\n")); return EXIT_FAILURE; } if (optarg[1] == 'h') { parser_mode = parser_mode | PARSER_MODE_HOST; } else if (optarg[1] == 'p') { parser_mode = parser_mode | PARSER_MODE_PORT; } else if (optarg[1] == 'c') { parser_mode = parser_mode | PARSER_MODE_CHAIN; add_exclude_hpb(optarg + 2, parser_mode); break; } else if (optarg[1] == 'b') { parser_mode = parser_mode | PARSER_MODE_BRANCH; add_exclude_hpb(optarg + 2, parser_mode); break; } else { fprintf(stderr, _("Illegal inclusion/exclusion pos. 2 (expected [hpcb]): %s\n"), optarg); fprintf(stderr, _("Exiting\n")); return EXIT_FAILURE; } if (optarg[2] == 'd') { parser_mode = parser_mode | PARSER_MODE_DEFAULT; } else if (optarg[2] == 's') { parser_mode = parser_mode | PARSER_MODE_SRC; } else { fprintf(stderr, _("Illegal inclusion/exclusion pos. 3 (expected [sd]): %s\n"), optarg); fprintf(stderr, _("Exiting\n")); return EXIT_FAILURE; } add_exclude_hpb(optarg + 3, parser_mode); break; case 'F': xstrncpy(opt.sender, optarg, EMAILSIZE); break; case 'h': usage(argv[0], EXIT_SUCCESS); break; case 'k': add_known_host(optarg); break; case 'l': opt.recent = parse_time(optarg); break; case 'L': opt.mode = SHOW_LOG_TIMES; break; case 'm': opt.least = atoi(optarg); break; case 'M': opt.max = atoi(optarg); break; case 'n': opt.resolve = 1; break; case 'N': opt.sresolve = 1; break; case 'o': xstrncpy(opt.outputfile, optarg, FILESIZE); opt.use_out = 1; break; case 'O': xstrncpy(opt.sort_order, optarg, MAXSORTSIZE); break; case 'p': opt.proto = 1; break; case 'P': xstrncpy(opt.format_sel, optarg, SHORTLEN); break; case 'R': opt.mode = REALTIME_RESPONSE; break; case 's': opt.src_port = 1; break; case 'S': opt.src_ip = 0; break; case 't': opt.stimes = 1; break; case 'T': xstrncpy(opt.recipient, optarg, EMAILSIZE); break; case 'U': xstrncpy(opt.title, optarg, TITLESIZE); break; case 'v': opt.verbose++; break; case 'V': info(); break; case 'w': opt.html = 1; break; case 'W': 
opt.whois_lookup = 1; break; case 'X': opt.status = STATUS_OK; opt.listenport = atoi(optarg); if ((opt.listenport < 1) || (opt.listenport > 65535)) opt.listenport = LISTENPORT; break; case 'y': opt.opts = 1; break; case 'z': opt.duration = 1; break; default: usage(argv[0], EXIT_FAILURE); } } if (!alt_rcfile) { read_rcfile(opt.rcfile, MAY_NOT_EXIST); } else { read_rcfile(opt.rcfile, MUST_EXIST); } while (optind < argc) add_input_file(argv[optind++]); if (opt.filecount == 0) add_input_file(INFILE); select_parsers(); /* Consistency checks */ if ((opt.src_port == 1) || (opt.dst_port == 1)) opt.proto = 1; if (opt.mode != LOG_SUMMARY) { opt.html = 0; opt.use_out = 0; } switch (opt.mode) { case LOG_SUMMARY: if (opt.title[0] == '\0') xstrncpy(opt.title, SUMMARY_TITLE, TITLESIZE); mode_summary(); break; case REALTIME_RESPONSE: if (opt.src_ip == 0) opt.src_ip = 1; if (opt.threshold == 0) opt.threshold = ALERT; if (opt.recent == 0) opt.recent = FORGET; if (opt.title[0] == '\0') xstrncpy(opt.title, STATUS_TITLE, TITLESIZE); mode_rt_response(); break; case SHOW_LOG_TIMES: mode_show_log_times(); break; } if (opt.verbose) fprintf(stderr, _("Exiting\n")); return EXIT_SUCCESS; } �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/netfilter.l��������������������������������������������������������������������������0000644�0000764�0000144�00000020076�11453062534�014235� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/* Copyright (C) 
2000-2010 Boris Wesslowski */ /* $Id: netfilter.l 706 2010-10-06 12:02:36Z bw $ */ %option prefix="nf" %option outfile="netfilter.c" %option noyywrap %{ #define YY_NO_INPUT #include <unistd.h> #include <string.h> #include <ctype.h> #include "main.h" #include "utils.h" extern struct options opt; void nf_parse_start_hn(char *input); void nf_parse_start(char *input); void nf_parse_isostart_hn(char *input); void nf_parse_prefix(char *input, unsigned char mode); void nf_parse_ip(char *input, unsigned char mode); void nf_parse_proto(char *input); %} MONTH "Jan"|"Feb"|"Mar"|"Apr"|"May"|"Jun"|"Jul"|"Aug"|"Sep"|"Oct"|"Nov"|"Dec" STRING [a-zA-Z][a-zA-Z0-9.-]* PREFIX [ -~¡-ÿ]*([ -RT-~¡-ÿ]|[ -XZ-~¡-ÿ]"S")"IN=" LOGHOST [0-9.a-zA-Z()_:-]+ DIGIT [0-9] NUMBER {DIGIT}+ OCTET {DIGIT}{1,3} PORT {DIGIT}{1,5} HEXDIGIT [0-9a-fA-F] HEXNUM "0x"{HEXDIGIT}+ PROTO "TCP"|"UDP"|"ICMP"|"ESP"|"AH"|"ICMPv6"|{NUMBER} %% {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST} nf_parse_start_hn(nftext); {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2} nf_parse_start(nftext); {DIGIT}{4}[ ]{MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST} nf_parse_start_hn(nftext+5); {DIGIT}{4}[ ]{MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2} nf_parse_start(nftext+5); {DIGIT}{4}:{DIGIT}{2}:{DIGIT}{2}-{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST} nf_parse_isostart_hn(nftext); " kernel: ["{NUMBER}"."{DIGIT}{6}"]"{PREFIX}{STRING}? nf_parse_prefix(nftext+18, NF_OPT_PREFIX_KTIME); " kernel: IN="{STRING}? nf_parse_prefix(nftext+12, NF_OPT_NOPREFIX); " kernel: "{PREFIX}{STRING}? nf_parse_prefix(nftext+9, NF_OPT_PREFIX); " [kernel] IN="{STRING}? nf_parse_prefix(nftext+13, NF_OPT_NOPREFIX); " [kernel] "{PREFIX}{STRING}? nf_parse_prefix(nftext+10, NF_OPT_PREFIX); " klogd: IN="{STRING}? nf_parse_prefix(nftext+11, NF_OPT_NOPREFIX); " klogd: "{PREFIX}{STRING}? nf_parse_prefix(nftext+8, NF_OPT_PREFIX); " "{PREFIX}{STRING}? 
nf_parse_prefix(nftext+1, NF_OPT_PREFIX); "IN="{STRING}? nf_parse_prefix(nftext+3, NF_OPT_NOPREFIX); "OUT="{STRING}? /* ignore */ "PHYSIN="{STRING}? /* ignore */ "PHYSOUT="{STRING}? /* ignore */ "MAC="(({HEXDIGIT}{HEXDIGIT}:){21}{HEXDIGIT}{HEXDIGIT})? /* ignore */ "MAC="(({HEXDIGIT}{HEXDIGIT}:){13}{HEXDIGIT}{HEXDIGIT})? /* ignore */ "SRC="{OCTET}"."{OCTET}"."{OCTET}"."{OCTET} nf_parse_ip(nftext+4, NF_OPT_SRC); "DST="{OCTET}"."{OCTET}"."{OCTET}"."{OCTET} nf_parse_ip(nftext+4, NF_OPT_DST); "LEN="{NUMBER} opt.line->datalen = atoi(nftext+4); "TOS="({HEXNUM}|"00") /* ignore */ "PREC="{HEXNUM} /* ignore */ "TTL="{NUMBER} /* ignore */ "ID="{NUMBER} /* ignore */ "CE" /* ignore */ "DF" /* ignore */ "MF" /* ignore */ "FRAG:"{NUMBER} /* ignore */ "PROTO="{PROTO} nf_parse_proto(nftext+6); "INCOMPLETE ["{NUMBER}" bytes]" /* ignore */ "TYPE="{NUMBER} { opt.line->sport = atoi(nftext+5); opt.parser=opt.parser|NF_TYPE; } "CODE="{NUMBER} { opt.line->dport = atoi(nftext+5); opt.parser=opt.parser|NF_CODE; } "SEQ="{NUMBER} /* ignore */ "MARK="{HEXNUM} /* ignore */ "ACK="{NUMBER} /* ignore */ "SPT="{PORT} { opt.line->sport = atoi(nftext+4); opt.parser=opt.parser|NF_SPT; } "DPT="{PORT} { opt.line->dport = atoi(nftext+4); opt.parser=opt.parser|NF_DPT; } "WINDOW="{NUMBER} /* ignore */ "RES="{HEXNUM} /* ignore */ "URG" opt.line->flags = opt.line->flags | TCP_URG; "ACK" opt.line->flags = opt.line->flags | TCP_ACK; "PSH" opt.line->flags = opt.line->flags | TCP_PSH; "RST" opt.line->flags = opt.line->flags | TCP_RST; "SYN" opt.line->flags = opt.line->flags | TCP_SYN; "FIN" opt.line->flags = opt.line->flags | TCP_FIN; "ECE" /* ignore */ "CWR" /* ignore */ "URGP="{NUMBER} /* ignore */ "OPT ("[0-9A-F]*")" /* ignore */ "SPI="{HEXNUM} /* ignore */ "GATEWAY="{OCTET}"."{OCTET}"."{OCTET}"."{OCTET} /* ignore */ "TC="{NUMBER} /* ignore */ "HOPLIMIT="{NUMBER} /* ignore */ "FLOWLBL="{NUMBER} /* ignore */ "[".+"]" /* ignore */ "MTU="{NUMBER} /* ignore */ [ ]+ /* ignore whitespace */ [\n] return 0; {STRING} 
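if(opt.verbose) fprintf(stderr, "Unrecognized token: %s\n", nftext);
.   if(opt.verbose) fprintf(stderr, "Unrecognized character: %s\n", nftext);

%%

/*
 * Parse a classic syslog timestamp followed by the logging host:
 * "Mon DD HH:MM:SS loghost".  The month/day/time fields are handed to
 * build_time(); the host name is stored in opt.line->hostname and NF_DATE
 * is set in opt.parser.  On a short match nothing is set, so
 * flex_netfilter() rejects the line.
 *
 * NOTE(review): "%32s" may store up to 33 bytes (32 chars + NUL) into
 * opt.line->hostname.  The buffer is declared in main.h, not visible here;
 * confirm it holds at least 33 bytes, also with -DSHORT_NAMES.
 */
void nf_parse_start_hn(char *input)
{
    int retval, day, hour, minute, second;
    char smonth[4];

    retval = sscanf(input, "%3s %2d %2d:%2d:%2d %32s",
                    smonth, &day, &hour, &minute, &second,
                    opt.line->hostname);
    if (retval != 6)
        return;

    build_time(smonth, day, hour, minute, second);
    opt.parser = opt.parser | NF_DATE;
}

/*
 * Parse a classic syslog timestamp without a logging host:
 * "Mon DD HH:MM:SS".  Same as nf_parse_start_hn(), but the host name is
 * recorded as "-".
 */
void nf_parse_start(char *input)
{
    int retval, day, hour, minute, second;
    char smonth[4];

    retval = sscanf(input, "%3s %2d %2d:%2d:%2d",
                    smonth, &day, &hour, &minute, &second);
    if (retval != 5)
        return;

    build_time(smonth, day, hour, minute, second);
    xstrncpy(opt.line->hostname, "-", SHORTLEN);
    opt.parser = opt.parser | NF_DATE;
}

/*
 * Parse an ISO-style timestamp plus logging host:
 * "YYYY:MM:DD-HH:MM:SS loghost".  The broken-down time is converted with
 * mktime() (local time zone, DST decided by the library; out-of-range
 * fields are normalised rather than rejected) and stored in
 * opt.line->time.  NF_DATE is set on success.
 *
 * The struct tm lives on the stack and is zeroed first so mktime() never
 * reads uninitialised members (the old xmalloc()/free() pair did not
 * clear the allocation).
 *
 * NOTE(review): same "%32s" / hostname buffer size caveat as in
 * nf_parse_start_hn().
 */
void nf_parse_isostart_hn(char *input)
{
    int retval, year, month, day, hour, minute, second;
    struct tm t;

    retval = sscanf(input, "%4d:%2d:%2d-%2d:%2d:%2d %32s",
                    &year, &month, &day, &hour, &minute, &second,
                    opt.line->hostname);
    if (retval != 7)
        return;

    memset(&t, 0, sizeof(t));
    t.tm_year = year - 1900;
    t.tm_mon = month - 1;
    t.tm_mday = day;
    t.tm_hour = hour;
    t.tm_min = minute;
    t.tm_sec = second;
    t.tm_isdst = -1; /* let mktime() determine DST */
    opt.line->time = mktime(&t);
    opt.parser = opt.parser | NF_DATE;
}

/*
 * Extract the user-supplied log prefix (chain label) and the input
 * interface from the text leading up to and including "IN=<iface>".
 *
 *   NF_OPT_NOPREFIX     : input starts right after "IN="; the chain label
 *                         is recorded as "-" and input is the interface.
 *   NF_OPT_PREFIX       : input holds "<prefix>IN=<iface>".
 *   NF_OPT_PREFIX_KTIME : as NF_OPT_PREFIX, but preceded by the kernel's
 *                         "[seconds.micros] " timestamp, which is skipped.
 *
 * The prefix may itself contain '=' characters, so the "IN=" marker is
 * searched for backwards from the end of the token: the interface name
 * ({STRING} in the rules above) cannot contain '=', so the last '=' is
 * the one belonging to "IN=".  The token is split in place and both
 * halves are copied with xstrncpy() bounded by SHORTLEN, so an
 * arbitrarily long prefix or interface name is truncated, not overflowed.
 * NF_IN is set in opt.parser in every mode.
 */
void nf_parse_prefix(char *input, unsigned char mode)
{
    size_t i;
    char *pnt = input;

    if (mode == NF_OPT_PREFIX_KTIME) {
        /* The rule selecting this mode guarantees a ']' exists, but guard
         * anyway so a future rule change cannot turn this into a NULL
         * dereference on attacker-controlled log text. */
        pnt = strchr(input, ']');
        if (pnt == NULL)
            return;
        /* Skip ']' and the single space the kernel prints after the
         * timestamp.  NOTE(review): if a prefix ever follows ']' without a
         * space its first character is lost -- matches the old behaviour. */
        pnt += 2;
    }

    if (mode == NF_OPT_PREFIX || mode == NF_OPT_PREFIX_KTIME) {
        /* Start at the terminating NUL and walk backwards.  The bound is
         * i >= 2 because the test reads pnt[i - 2]; "IN=" can never start
         * before offset 0, so nothing reachable is lost. */
        i = strlen(pnt);
        while (i >= 2) {
            if (pnt[i] == '=' && pnt[i - 1] == 'N' && pnt[i - 2] == 'I') {
                pnt[i - 2] = '\0';
                xstrncpy(opt.line->chainlabel, pnt, SHORTLEN);
                xstrncpy(opt.line->interface, pnt + i + 1, SHORTLEN);
                break;
            }
            i--;
        }
    } else {
        xstrncpy(opt.line->chainlabel, "-", SHORTLEN);
        xstrncpy(opt.line->interface, pnt, SHORTLEN);
    }
    opt.parser = opt.parser | NF_IN;
}

/*
 * Convert the dotted-quad address following "SRC=" or "DST=" into
 * opt.line->shost / opt.line->dhost and set NF_SRC / NF_DST.  If
 * convert_ip() reports IN_ADDR_ERROR the flag stays unset, which makes
 * flex_netfilter() reject the line.  Only IPv4 reaches this function:
 * the SRC=/DST= rules above match dotted quads only.
 */
void nf_parse_ip(char *input, unsigned char mode)
{
    if (mode == NF_OPT_SRC) {
        if (convert_ip(input, &opt.line->shost) == IN_ADDR_ERROR)
            return;
        opt.parser = opt.parser | NF_SRC;
    } else {
        if (convert_ip(input, &opt.line->dhost) == IN_ADDR_ERROR)
            return;
        opt.parser = opt.parser | NF_DST;
    }
}

/*
 * Map the text after "PROTO=" to an IP protocol number in
 * opt.line->protocol and set NF_PROTO when the result is non-zero.
 *
 * Fixes: "ICMPv6" starts with "ICMP", so with the old test order the
 * 4-byte strncmp() matched first and ICMPv6 entries were labelled as
 * protocol 1 (ICMP); the 58 branch was unreachable.  The longer name is
 * now tested first.  (flex_netfilter() has no accept rule for 58 and the
 * address rules are IPv4-only, so such lines are still rejected -- but
 * they are no longer mislabelled.)
 *
 * Numeric protocols are parsed with strtol() and limited to the 8-bit
 * range 0..255; atoi() on an over-long digit string was undefined
 * behaviour, and every value outside that range is rejected by
 * flex_netfilter()'s whitelist anyway, so accepted output is unchanged.
 */
void nf_parse_proto(char *input)
{
    if (isdigit((unsigned char) input[0])) {
        long num = strtol(input, NULL, 10);
        opt.line->protocol = (num >= 0 && num <= 255) ? (int) num : 0;
    } else if (strncmp(input, "ICMPv6", 6) == 0) {
        /* must precede the "ICMP" test, see above */
        opt.line->protocol = 58;
    } else if (strncmp(input, "TCP", 3) == 0) {
        opt.line->protocol = 6;
    } else if (strncmp(input, "UDP", 3) == 0) {
        opt.line->protocol = 17;
    } else if (strncmp(input, "ICMP", 4) == 0) {
        opt.line->protocol = 1;
    } else if (strncmp(input, "ESP", 3) == 0) {
        opt.line->protocol = 50;
    } else if (strncmp(input, "AH", 2) == 0) {
        opt.line->protocol = 51;
    }

    if (opt.line->protocol != 0)
        opt.parser = opt.parser | NF_PROTO;
}

/*
 * Entry point: run the lexer over one netfilter log line and decide
 * whether the collected fields form a complete packet log entry.
 *
 * Returns PARSE_OK when opt.parser holds exactly the set of fields that
 * the protocol requires (the comparison is equality, so both a missing
 * field and an unexpected extra field reject the line):
 *   TCP (6) / UDP (17)           : date, proto, IN, SRC, DST, SPT, DPT
 *   ICMP (1)                     : date, proto, IN, SRC, DST, TYPE, CODE
 *   2, 9, 41, 46, 47, 50, 54, 103: date, proto, IN, SRC, DST
 * Anything else returns PARSE_WRONG_FORMAT; with -v the line number is
 * reported, with -vv the offending input as well.
 *
 * Side effects: resets opt.parser, calls init_line(), and fixes
 * opt.line->branchname to "-" and opt.line->count to 1 (netfilter logs
 * carry no branch/target information).
 */
unsigned char flex_netfilter(char *input, int linenum)
{
    opt.parser = 0;
    init_line();
    nf_scan_string(input);
    nflex();
    nf_delete_buffer(YY_CURRENT_BUFFER);
    xstrncpy(opt.line->branchname, "-", SHORTLEN);
    opt.line->count = 1;

    switch (opt.line->protocol) {
    case 6:   /* TCP */
    case 17:  /* UDP */
        if (opt.parser == (NF_DATE | NF_PROTO | NF_IN | NF_SRC | NF_DST |
                           NF_SPT | NF_DPT))
            return PARSE_OK;
        break;
    case 1:   /* ICMP: TYPE=/CODE= take the place of the ports */
        if (opt.parser == (NF_DATE | NF_PROTO | NF_IN | NF_SRC | NF_DST |
                           NF_TYPE | NF_CODE))
            return PARSE_OK;
        break;
    case 2:   /* IGMP */
    case 9:   /* IGP */
    case 41:  /* IPv6 encapsulation */
    case 46:  /* RSVP */
    case 47:  /* GRE */
    case 50:  /* ESP */
    case 54:  /* NARP */
    case 103: /* PIM */
        if (opt.parser == (NF_DATE | NF_PROTO | NF_IN | NF_SRC | NF_DST))
            return PARSE_OK;
        break;
    default:
        break;
    }

    if (opt.verbose)
        fprintf(stderr, "netfilter parse error in line %d, ignoring.\n", linenum);
    if (opt.verbose == 2)
        fprintf(stderr, "input was: \"%s\"\n", input);
    return PARSE_WRONG_FORMAT;
}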
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/po/����������������������������������������������������������������������������������0000755�0000764�0000144�00000000000�11454326206�012475� 5����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/po/Makefile��������������������������������������������������������������������������0000644�0000764�0000144�00000001200�11453062534�014126� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2000-2010 Boris Wesslowski # $Id: Makefile 706 2010-10-06 12:02:36Z bw $ all: msgfmt -v -o de.mo de.po msgfmt -v -o ja.mo ja.po msgfmt -v -o pt.mo pt.po msgfmt -v -o sv.mo sv.po msgfmt -v -o zh_CN.mo zh_CN.po msgfmt -v -o zh_TW.mo zh_TW.po strings: xgettext -d fwlogwatch -k_ ../*.c ../*.h merge: msgmerge -v -o de.po.new de.po fwlogwatch.pot msgmerge -v -o ja.po.new ja.po fwlogwatch.pot msgmerge -v -o pt.po.new pt.po fwlogwatch.pot msgmerge -v -o sv.po.new sv.po fwlogwatch.pot msgmerge -v -o zh_CN.po.new 
zh_CN.po fwlogwatch.pot msgmerge -v -o zh_TW.po.new zh_TW.po fwlogwatch.pot clean: rm -f *~ *.mo ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/po/ja.po�����������������������������������������������������������������������������0000644�0000764�0000144�00000074432�11453065602�013440� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������msgid "" msgstr "" "Project-Id-Version: fwlogwatch 0.5\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-10-06 13:58+0200\n" "PO-Revision-Date: 2002-03-06 00:00+0900\n" "Last-Translator: Takashi Kobayashi <kobayasi@res.kutc.kansai-u.ac.jp>\n" "Language-Team: -\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=euc-jp\n" "Content-Transfer-Encoding: 8bit\n" #: ../compare.c:158 #, c-format msgid "conn_sort_up: wrong mode\n" msgstr "conn_sort_up: ´Ö°ã¤Ã¤¿¥â¡¼¥É¤Ç¤¹\n" #: ../compare.c:264 #, c-format msgid "Error in sort string: '%c', order expected, ignoring.\n" msgstr "" "¥½¡¼¥Èʸ»úÎó '%c' ¤Ç´Ö°ã¤¤¤¬¤¢¤ê¤Þ¤¹¡£½ç½ø¤¬´üÂÔ¤µ¤ì¤Æ¤¤¤Þ¤¹¡£Ìµ»ë¤·¤Þ¤¹¡£\n" #: ../compare.c:278 #, c-format msgid "Error in sort string: '%c', direction expected, ignoring.\n" msgstr "" "¥½¡¼¥Èʸ»úÎó '%c' ¤Ç´Ö°ã¤¤¤¬¤¢¤ê¤Þ¤¹¡£Êý¸þ¤¬´üÂÔ¤µ¤ì¤Æ¤¤¤Þ¤¹¡£Ìµ»ë¤·¤Þ¤¹¡£\n" #: ../compare.c:282 #, fuzzy, c-format msgid "Error in sort string, direction expected, ignoring.\n" msgstr "" "¥½¡¼¥Èʸ»úÎó '%c' 
¤Ç´Ö°ã¤¤¤¬¤¢¤ê¤Þ¤¹¡£Êý¸þ¤¬´üÂÔ¤µ¤ì¤Æ¤¤¤Þ¤¹¡£Ìµ»ë¤·¤Þ¤¹¡£\n" #: ../compare.c:382 ../compare.c:384 ../modes.c:196 ../modes.c:203 #: ../modes.c:813 ../modes.c:815 ../output.c:106 ../output.c:113 #: ../output.c:193 ../output.c:202 ../output.c:380 msgid "%b %d %H:%M:%S" msgstr "" #: ../compare.c:383 #, c-format msgid "Timewarp in log file (%s" msgstr "¥¿¥¤¥à¥ï¡¼¥×ȯÀ¸: ¥í¥°¥Õ¥¡¥¤¥ë(%s" #: ../main.c:25 #, fuzzy, c-format msgid "Usage: %s [options] [input_files]\n" msgstr "»ÈÍÑË¡: %s [¥ª¥×¥·¥ç¥ó]\n" #: ../main.c:26 #, fuzzy, c-format msgid "General options:\n" msgstr "Á´ÈÌŪ¤Ê¥ª¥×¥·¥ç¥ó:\n" #: ../main.c:27 #, fuzzy, c-format msgid " -h this help\n" msgstr " -h ¤³¤Î¥Ø¥ë¥×¤òɽ¼¨¤¹¤ë\n" #: ../main.c:28 #, fuzzy, c-format msgid " -L show time of first and last log entry\n" msgstr "" " -L <¥Õ¥¡¥¤¥ë>\n" " ¥Õ¥¡¥¤¥ëÆâ¤ÎºÇ½é¤ÈºÇ¸å¤Î¥¨¥ó¥È¥ê¤Î»þ¹ï¤òɽ¼¨¤¹¤ë\n" #: ../main.c:29 #, fuzzy, c-format msgid " -V show version and copyright info\n" msgstr " -V ¥Ð¡¼¥¸¥ç¥ó¤ÈÃøºî¸¢¾ðÊó¤òɽ¼¨¤¹¤ë\n" #: ../main.c:32 #, c-format msgid "Global options:\n" msgstr "Á´ÈÌŪ¤Ê¥ª¥×¥·¥ç¥ó:\n" #: ../main.c:33 #, fuzzy, c-format msgid " -b show amount of data (sum of total packet lengths)\n" msgstr " -b ¥Ç¡¼¥¿¤Î¹ç·×(Á´ÂΤΥѥ±¥Ã¥ÈĹ¤Î¹ç·×)¤òɽ¼¨¤¹¤ë\n" #: ../main.c:34 #, fuzzy, c-format msgid " -c <file> specify config file (defaults to %s)\n" msgstr "" " -c <¥Õ¥¡¥¤¥ë>\n" " ÀßÄê¥Õ¥¡¥¤¥ë¤ò»ØÄꤹ¤ë(¥Ç¥Õ¥©¥ë¥È %s)\n" #: ../main.c:35 #, fuzzy, c-format msgid " -D do not differentiate destination IP addresses\n" msgstr " -D °¸Àè IP ¥¢¥É¥ì¥¹¤ò¶èÊ̤·¤Ê¤¤\n" #: ../main.c:36 #, fuzzy, c-format msgid " -d differentiate destination ports\n" msgstr " -d °¸Àè¥Ý¡¼¥È¤ò¶èÊ̤¹¤ë\n" #: ../main.c:37 #, c-format msgid " -E <format> select or exclude hosts, ports, chains and targets\n" msgstr "" #: ../main.c:38 #, c-format msgid " quick reference: -E[ie][hp][sd]<ip/number>\n" msgstr "" #: ../main.c:39 #, c-format msgid " -E[ie][cb]<name>\n" msgstr "" #: ../main.c:40 #, fuzzy, c-format msgid " -m <count> only show entries with at least so 
many incidents\n" msgstr "" " -m <¥«¥¦¥ó¥È>\n" " ¾¯¤Ê¤¯¤È¤â¿¤¤»ö·ï¤Ë¸Â¤Ã¤¿¥¨¥ó¥È¥ê¤òɽ¼¨¤¹¤ë¤À¤±\n" #: ../main.c:41 #, c-format msgid " -M <number> only show this amount of entries\n" msgstr "" #: ../main.c:42 #, fuzzy, c-format msgid " -N resolve service names\n" msgstr " -N ¥µ¡¼¥Ó¥¹Ì¾¤ò²ò·è¤¹¤ë\n" #: ../main.c:43 #, fuzzy, c-format msgid " -n resolve host names\n" msgstr " -n ¥Û¥¹¥È̾¤ò²ò·è¤¹¤ë\n" #: ../main.c:44 #, fuzzy, c-format msgid " -O <order> define the sort order (see the man page for details)\n" msgstr "" " -O <½ç½ø> ʤÙÊѤ¨¤Î½ç½ø¤òÄêµÁ¤¹¤ë\n" " (¾ÜºÙ¤Ë¤Ä¤¤¤Æ¤Ï¥Þ¥Ë¥å¥¢¥ë¥Ú¡¼¥¸¤ò»²¾È)\n" #: ../main.c:45 #, fuzzy, c-format msgid "" " -P <format> use parsers for specific formats (defaults to netfilter)\n" msgstr "" " -P <¥Õ¥©¡¼¥Þ¥Ã¥È>\n" " »ØÄê¥Õ¥©¡¼¥Þ¥Ã¥È¤ÎÁöºº¤Î¤ß¤ò»È¤¦\n" #: ../main.c:46 #, c-format msgid " i: ipchains, n: netfilter, f: ipfilter, c: cisco ios\n" msgstr "" #: ../main.c:47 #, c-format msgid "" " p: cisco pix, e: netscreen, l: lancom, s: snort, b: ipfw\n" msgstr "" #: ../main.c:48 #, fuzzy, c-format msgid " -p differentiate protocols\n" msgstr " -p ¥×¥í¥È¥³¥ë¤ò¶èÊ̤¹¤ë\n" #: ../main.c:49 #, fuzzy, c-format msgid " -s differentiate source ports\n" msgstr " -s Á÷¿®¸µ IP ¥Ý¡¼¥È¤ò¶èÊ̤¹¤ë\n" #: ../main.c:50 #, c-format msgid " -U <title> set report and status page title and email subject\n" msgstr "" #: ../main.c:51 #, fuzzy, c-format msgid " -v verbose, specify twice for more info\n" msgstr " -v ¾éŤˤ¹¤ë¡¤£²ÅÙ»ØÄꤹ¤ë¤È¤µ¤é¤Ë¾éĹ¤Ë¤Ê¤ë\n" #: ../main.c:52 #, fuzzy, c-format msgid " -y differentiate TCP options\n" msgstr " -y TCP ¥ª¥×¥·¥ç¥ó¤ò¶èÊ̤¹¤ë\n" #: ../main.c:55 #, c-format msgid "Log summary mode (default):\n" msgstr "¥í¥°½¸·×¥â¡¼¥É (¥Ç¥Õ¥©¥ë¥È):\n" #: ../main.c:56 #, fuzzy, c-format msgid " -C <email> carbon copy recipients\n" msgstr " -C <email> ¥«¡¼¥Ü¥ó¥³¥Ô¡¼¼õ¿®¼Ô\n" #: ../main.c:57 #, fuzzy, c-format msgid " -e show end times\n" msgstr " -e ½ªÎ»»þ¹ï¤òɽ¼¨¤¹¤ë\n" #: ../main.c:58 #, fuzzy, c-format msgid " -F <email> report sender address 
(defaults to '%s')\n" msgstr "" " -F <email>\n" " ¥ì¥Ý¡¼¥È¤ÎÁ÷¿®¼Ô¥¢¥É¥ì¥¹\n" #: ../main.c:59 #, fuzzy, c-format msgid " -l <time> process recent events only (defaults to off)\n" msgstr "" " -l <»þ¹ï>\n" " ºÇ¶á¤Î¥¤¥Ù¥ó¥È¤Î¤ß¤ò½èÍý¤¹¤ë(¥Ç¥Õ¥©¥ë¥È off)\n" #: ../main.c:60 #, fuzzy, c-format msgid " -o <file> specify output file\n" msgstr "" " -o <¥Õ¥¡¥¤¥ë>\n" " ½ÐÎÏ¥Õ¥¡¥¤¥ë¤ò»ØÄꤹ¤ë\n" #: ../main.c:61 #, fuzzy, c-format msgid " -S do not differentiate source IP addresses\n" msgstr " -S Á÷¿®¸µ IP ¥¢¥É¥ì¥¹¤ò¶èÊ̤·¤Ê¤¤\n" #: ../main.c:62 #, fuzzy, c-format msgid " -T <email> send report by email to this address\n" msgstr "" " -F <email>\n" " ¥ì¥Ý¡¼¥È¤ÎÁ÷¿®¼Ô¥¢¥É¥ì¥¹\n" #: ../main.c:63 #, fuzzy, c-format msgid " -t show start times\n" msgstr " -t ³«»Ï»þ¹ï¤òɽ¼¨¤¹¤ë\n" #: ../main.c:64 #, fuzzy, c-format msgid " -W activate whois lookups for source addresses\n" msgstr " -W Á÷¿®¸µ¥¢¥É¥ì¥¹¤Î whois ¸¡º÷¤òÍ­¸ú¤Ë¤¹¤ë\n" #: ../main.c:65 #, fuzzy, c-format msgid " -w HTML output\n" msgstr " -w HTML ½ÐÎÏ\n" #: ../main.c:66 #, fuzzy, c-format msgid " -z show time interval\n" msgstr " -z »þ¹ï´Ö³Ö¤òɽ¼¨¤¹¤ë\n" #: ../main.c:69 #, c-format msgid "Realtime response mode:\n" msgstr "¼Â»þ´Ö±þÅú¥â¡¼¥É:\n" #: ../main.c:70 #, fuzzy, c-format msgid " -R realtime response as daemon (default action: log only)\n" msgstr "" " -R daemon¤È¤·¤Æ¼Â»þ´ÖÂбþ (¥Ç¥Õ¥©¥ë¥Èưºî: ¥í¥°¤Î¤ß)\n" #: ../main.c:71 #, fuzzy, c-format msgid " -a <count> alert threshold (defaults to %d entries)\n" msgstr "" " -a <¥«¥¦¥ó¥È>\n" " ·Ù¹ð¤ÎïçÃÍ (¥Ç¥Õ¥©¥ë¥È %d ¥¨¥ó¥È¥ê)\n" #: ../main.c:72 #, fuzzy, c-format msgid " -l <time> forget events this old (defaults to %d hours)\n" msgstr "" " -l <time> ¤³¤ì¤è¤ê¸Å¤¤¥¤¥Ù¥ó¥È¤ò˺¤ì¤ë (¥Ç¥Õ¥©¥ë¥È %d »þ´Ö)\n" #: ../main.c:73 #, fuzzy, c-format msgid " -k <IP/net> add this IP address or net to the list of known hosts\n" msgstr "" " -k <IP/net> ´ûÃΤΥۥ¹¥È¤Î¥ê¥¹¥È¤Ë¤³¤Î IP ¥¢¥É¥ì¥¹¤Þ¤¿¤Ï net ¤òÄɲÃ" "¤¹¤ë\n" #: ../main.c:74 #, fuzzy, c-format msgid " -A invoke notification script if threshold is 
reached\n" msgstr " -A ïçÃͤË㤷¤¿»þ¤ËÄÌÃÎ¥¹¥¯¥ê¥×¥È¤òµ¯Æ°¤¹¤ë\n" #: ../main.c:75 #, fuzzy, c-format msgid " -B invoke response action script (e.g. block host)\n" msgstr "" " -B ±þÅú¥¹¥¯¥ê¥×¥È¤òµ¯Æ°¤¹¤ë (Î㤨¤Ð¥Û¥¹¥È¤ò¥Ö¥í¥Ã¥¯¤¹¤ë\n" #: ../main.c:76 #, fuzzy, c-format msgid " -X <port> activate internal status information web server\n" msgstr " -X ÆâÉô¾õÂ֤ξðÊó¤Î¥¦¥§¥Ö¥µ¡¼¥Ð¤òÍ­¸ú¤Ë¤¹¤ë\n" #: ../main.c:102 msgid "You can contact the author at <bw@inside-security.de>." msgstr "" #: ../main.c:104 msgid "Compile-time options of this version:" msgstr "" #: ../main.c:105 #, c-format msgid "Short name limit " msgstr "" #: ../main.c:107 ../main.c:113 ../main.c:119 ../main.c:125 ../main.c:131 msgid "enabled" msgstr "" #: ../main.c:109 ../main.c:115 ../main.c:121 ../main.c:127 ../main.c:133 msgid "disabled" msgstr "" #: ../main.c:111 #, c-format msgid "Zlib support " msgstr "" #: ../main.c:117 #, c-format msgid "Gettext (i18n) support " msgstr "" #: ../main.c:123 #, c-format msgid "IPv6 support " msgstr "" #: ../main.c:129 #, c-format msgid "GNU adns support " msgstr "" #: ../main.c:287 #, c-format msgid "Illegal inclusion/exclusion pos. 1 (expected [ie]): %s\n" msgstr "" #: ../main.c:288 ../main.c:305 ../main.c:314 ../main.c:452 #, c-format msgid "Exiting\n" msgstr "½ªÎ»\n" #: ../main.c:304 #, c-format msgid "Illegal inclusion/exclusion pos. 2 (expected [hpcb]): %s\n" msgstr "" #: ../main.c:313 #, c-format msgid "Illegal inclusion/exclusion pos. 
3 (expected [sd]): %s\n" msgstr "" #: ../modes.c:109 #, c-format msgid "Using stdin as input\n" msgstr "ÆþÎϤËɸ½àÆþÎϤò»È¤¤¤Þ¤¹\n" #: ../modes.c:115 #, c-format msgid "Opening input file '%s'\n" msgstr "ÆþÎÏ¥Õ¥¡¥¤¥ë '%s' ¤ò³«¤¤¤Æ¤¤¤Þ¤¹\n" #: ../modes.c:133 #, c-format msgid "Processing\n" msgstr "½èÍýÃæ\n" #: ../modes.c:140 #, c-format msgid "Unrecognized entries or tokens can be submitted at\n" msgstr "" #: ../modes.c:149 ../modes.c:396 ../modes.c:782 ../rcfile.c:321 #, c-format msgid "Closing '%s'\n" msgstr "'%s' ¤òÊĤ¸¤Æ¤¤¤Þ¤¹\n" #: ../modes.c:178 #, c-format msgid "Sorting data\n" msgstr "¥Ç¡¼¥¿¤ÎʤÙÊѤ¨Ãæ\n" #: ../modes.c:215 #, c-format msgid "Opening output file '%s'\n" msgstr "½ÐÎÏ¥Õ¥¡¥¤¥ë '%s' ¤ò³«¤¤¤Æ¤¤¤Þ¤¹\n" #: ../modes.c:226 #, fuzzy, c-format msgid "Sending\n" msgstr "Á÷¿®Ãæ...\n" #: ../modes.c:249 ../net.c:364 ../net.c:367 msgid "%A %B %d %H:%M:%S %Z %Y" msgstr "" #: ../modes.c:250 #, c-format msgid "Generated %s by " msgstr "ºîÀ®Æü: %s, ºîÀ®¼Ô: " #: ../modes.c:260 #, c-format msgid "an unknown user.\n" msgstr "an unknown user.\n" #: ../modes.c:268 #, c-format msgid "(and %d older than %d seconds) " msgstr "(and %d older than %d seconds) " #: ../modes.c:271 #, c-format msgid "(and %d malformed) " msgstr "(and %d malformed) " #: ../modes.c:274 #, fuzzy, c-format msgid "of %d entries in the file \"%s\" are packet logs, " msgstr "of %d entries in the file " #: ../modes.c:276 #, c-format msgid "of %d entries in standard input are packet logs, " msgstr "" #: ../modes.c:278 #, fuzzy, c-format msgid "of %d entries in %d input files are packet logs, " msgstr "of %d entries in the file " #: ../modes.c:282 #, c-format msgid "one has unique characteristics.\n" msgstr "one has unique characteristics.\n" #: ../modes.c:284 #, c-format msgid "%d have unique characteristics.\n" msgstr "%d have unique characteristics.\n" #: ../modes.c:292 #, c-format msgid "One entry was excluded by configuration.\n" msgstr "£±¤Ä¤Î¥¨¥ó¥È¥ê¤¬ÀßÄê¤Ë¤è¤Ã¤Æ½ü³°¤µ¤ì¤Þ¤·¤¿¡£\n" #: 
../modes.c:294 #, c-format msgid "%d entries were excluded by configuration.\n" msgstr "%d ¥¨¥ó¥È¥ê¤¬ÀßÄê¤Ë¤è¤Ã¤Æ½ü³°¤µ¤ì¤Þ¤·¤¿¡£\n" #: ../modes.c:302 #, c-format msgid "First packet log entry: %s, last: %s.\n" msgstr "ºÇ½é¤Î¥Ñ¥±¥Ã¥È¥í¥°¥¨¥ó¥È¥ê: %s, ºÇ¸å: %s\n" #: ../modes.c:304 ../modes.c:811 #, c-format msgid "No valid time entries found.\n" msgstr "Í­¸ú¤Ê»þ¹ï¥¨¥ó¥È¥ê¤¬¸«¤Ä¤«¤ê¤Þ¤»¤ó¤Ç¤·¤¿¡£\n" #: ../modes.c:311 #, c-format msgid "All entries were logged by the same host: \"%s\".\n" msgstr "¤¹¤Ù¤Æ¤Î¥¨¥ó¥È¥ê¤¬Æ±¤¸¥Û¥¹¥È \"%s\" ¤Ç¥í¥°¤µ¤ì¤Þ¤·¤¿¡£\n" #: ../modes.c:318 #, c-format msgid "All entries are from the same chain: \"%s\".\n" msgstr "¤¹¤Ù¤Æ¤Î¥¨¥ó¥È¥ê¤¬Æ±¤¸¥Á¥§¥¤¥ó \"%s\" ¤«¤éÍè¤Æ¤¤¤Þ¤¹¡£\n" #: ../modes.c:325 #, c-format msgid "All entries have the same target: \"%s\".\n" msgstr "¤¹¤Ù¤Æ¤Î¥¨¥ó¥È¥ê¤¬Æ±¤¸¥¿¡¼¥²¥Ã¥È \"%s\" ¤ò»ý¤Ã¤Æ¤¤¤Þ¤¹¡£\n" #: ../modes.c:332 #, c-format msgid "All entries are from the same interface: \"%s\".\n" msgstr "¤¹¤Ù¤Æ¤Î¥¨¥ó¥È¥ê¤¬Æ±¤¸¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹ \"%s\" ¤«¤éÍè¤Æ¤¤¤Þ¤¹¡£\n" #: ../modes.c:339 #, fuzzy, c-format msgid "Only entries with a count of at least %d are shown.\n" msgstr "%d °Ê¾å¤Î²ó¿ô¤Î¥¨¥ó¥È¥ê¤À¤±¤òɽ¼¨¤·¤Æ¤¤¤Þ¤¹¡£\n" #: ../modes.c:346 #, fuzzy, c-format msgid "Only the top %d entries are shown.\n" msgstr "%d °Ê¾å¤Î²ó¿ô¤Î¥¨¥ó¥È¥ê¤À¤±¤òɽ¼¨¤·¤Æ¤¤¤Þ¤¹¡£\n" #: ../modes.c:357 #, fuzzy, c-format msgid "Resolving\n" msgstr "%s ¤ò²ò·è¤·¤Æ¤¤¤Þ¤¹\n" #: ../modes.c:416 #, c-format msgid "Warning: pidfile exists, another fwlogwatch might be running.\n" msgstr "" "Warning: pidfile ¤¬Â¸ºß¤·¤Æ¤¤¤Þ¤¹¡£Â¾¤Î fwlogwatch ¤¬Æ°¤¤¤Æ¤¤¤ë¤«¤âÃΤì¤Þ¤»" "¤ó¡£\n" #: ../modes.c:430 #, fuzzy, c-format msgid "SIGHUP caught, reread configuration file %s" msgstr "SIGHUP ¤ò¼õ¤±¼è¤ê¤Þ¤·¤¿¤Î¤Ç¡¤¥í¥°¥Õ¥¡¥¤¥ë¤òºÆ¤Ó³«¤¤¤Æ¤¤¤Þ¤¹" #: ../modes.c:432 #, fuzzy, c-format msgid "SIGHUP caught, unable to reread configuration file %s" msgstr "SIGHUP ¤ò¼õ¤±¼è¤ê¤Þ¤·¤¿¤Î¤Ç¡¤¥í¥°¥Õ¥¡¥¤¥ë¤òºÆ¤Ó³«¤¤¤Æ¤¤¤Þ¤¹" #: ../modes.c:455 msgid "SIGUSR1 caught, reading input from stdin, no 
need to reopen log file" msgstr "" #: ../modes.c:457 #, fuzzy, c-format msgid "SIGUSR1 caught, reopening log file %s" msgstr "SIGHUP ¤ò¼õ¤±¼è¤ê¤Þ¤·¤¿¤Î¤Ç¡¤¥í¥°¥Õ¥¡¥¤¥ë¤òºÆ¤Ó³«¤¤¤Æ¤¤¤Þ¤¹" #: ../modes.c:529 msgid "SIGTERM caught, cleaning up" msgstr "SIGTERM ¤ò¼õ¤±¼è¤ê¤Þ¤·¤¿¤Î¤Ç¡¤Áݽü¤·¤Æ¤¤¤Þ¤¹" #: ../modes.c:611 #, c-format msgid "Starting (pid %d)" msgstr "³«»Ï¤·¤Æ¤¤¤Þ¤¹ (pid %d)" #: ../modes.c:661 msgid "User to run as was not found" msgstr "" #: ../modes.c:676 #, c-format msgid "Changed uid from %d to %d, gid from %d to %d" msgstr "" #: ../modes.c:678 #, c-format msgid "Running with uid %d, gid %d" msgstr "" #: ../modes.c:682 msgid "Alert threshold is one attempt" msgstr "Alert threshold is one attempt" #: ../modes.c:684 #, c-format msgid "Alert threshold is %d attempts" msgstr "Alert threshold is %d attempts" #: ../modes.c:688 #, c-format msgid "Events older than %d second(s) are discarded" msgstr "%d Éäè¤ê¸Å¤¤¥¤¥Ù¥ó¥È¤¬ÇË´þ¤µ¤ì¤Þ¤¹" #: ../modes.c:690 #, c-format msgid "Events older than %d hour(s) are discarded" msgstr "%d »þ´Ö¤è¤ê¸Å¤¤¥¤¥Ù¥ó¥È¤¬ÇË´þ¤µ¤ì¤Þ¤¹" #: ../modes.c:693 #, fuzzy, c-format msgid "Response mode: Log%s%s" msgstr "±þÅú¥â¡¼¥É: log%s%s" #: ../modes.c:693 ../net.c:373 msgid ", notify" msgstr ", ÄÌÃÎ" #: ../modes.c:693 ../net.c:373 msgid ", respond" msgstr ", ±þÅú" #: ../modes.c:724 #, c-format msgid "Reading standard input\n" msgstr "ɸ½àÆþÎϤòÆÉ¤ß¤È¤Ã¤Æ¤¤¤Þ¤¹\n" #: ../modes.c:742 #, c-format msgid "Reading '%s'\n" msgstr "'%s' ¤òÆÉ¤ß¤È¤Ã¤Æ¤¤¤Þ¤¹\n" #: ../modes.c:808 #, fuzzy, c-format msgid "Number of files: %d\n" msgstr "Number of logged attempts: %s\n" #: ../modes.c:809 #, fuzzy, c-format msgid "Number of lines: %d\n" msgstr "¹Ô¿ô: %d\n" #: ../modes.c:814 #, c-format msgid "First entry: %s\n" msgstr "ºÇ½é¤Î¥¨¥ó¥È¥ê: %s\n" #: ../modes.c:816 #, c-format msgid "Last entry : %s\n" msgstr "ºÇ¸å¤Î¥¨¥ó¥È¥ê: %s\n" #: ../modes.c:818 #, c-format msgid "Difference : %s\n" msgstr "" #: ../net.c:130 ../net.c:132 #, c-format msgid "Listening on %s port %i" 
msgstr "%s ¾å¤Î¥Ý¡¼¥È %i ¤ÇÂÔ¤Á¼õ¤±Ãæ¤Ç¤¹" #: ../net.c:172 msgid "decode_base64: input string incomplete" msgstr "decode_base64: ÆþÎÏʸ»úÎó¤¬ÉÔ´°Á´¤Ç¤¹" #: ../net.c:179 #, c-format msgid "decode_base64: illegal character '%c' in input string" msgstr "decode_base64: ÉÔÀµ¤Êʸ»ú '%c' ¤¬ÆþÎÏʸ»úÎó¤Ë´Þ¤Þ¤ì¤Æ¤¤¤Þ¤¹" #: ../net.c:214 msgid "count" msgstr "" #: ../net.c:215 msgid "added" msgstr "" #: ../net.c:217 msgid "proto" msgstr "" #: ../net.c:219 #, fuzzy msgid "bytes" msgstr " (%d ¥Ð¥¤¥È)" #: ../net.c:220 msgid "source" msgstr "" #: ../net.c:222 ../net.c:231 #, fuzzy msgid "hostname" msgstr "<td>¥Û¥¹¥È̾</td>" #: ../net.c:224 ../net.c:234 #, fuzzy msgid "port" msgstr " port %d" #: ../net.c:226 ../net.c:236 #, fuzzy msgid "service" msgstr "<td>¥µ¡¼¥Ó¥¹</td>" #: ../net.c:229 #, fuzzy msgid "destination" msgstr "<td>°¸Àè</td>" #: ../net.c:239 msgid "opts" msgstr "" #: ../net.c:240 msgid "time remaining" msgstr "" #: ../net.c:241 msgid "action" msgstr "" #: ../net.c:293 ../net.c:295 ../net.c:360 msgid "Information" msgstr "" #: ../net.c:299 ../net.c:301 ../net.c:398 msgid "Options" msgstr "" #: ../net.c:305 ../net.c:307 ../net.c:426 #, fuzzy msgid "Packet cache" msgstr "<h2>¥Ñ¥±¥Ã¥È¥­¥ã¥Ã¥·¥å</h2>\n" #: ../net.c:311 ../net.c:313 ../net.c:495 #, fuzzy msgid "Host status" msgstr "<h2>¥Û¥¹¥È¾õÂÖ</h2>\n" #: ../net.c:316 msgid "Reload" msgstr "" #: ../net.c:365 msgid "Daemon start time" msgstr "" #: ../net.c:368 msgid "Current time" msgstr "" #: ../net.c:371 msgid "Running time" msgstr "" #: ../net.c:373 msgid "Log" msgstr "" #: ../net.c:374 #, fuzzy msgid "Response mode" msgstr "±þÅú¥â¡¼¥É: log%s%s" #: ../net.c:376 msgid "Lines seen" msgstr "" #: ../net.c:377 msgid "Hits" msgstr "" #: ../net.c:378 msgid "Old/excluded/malformed" msgstr "" #: ../net.c:385 msgid "Entries in packet cache" msgstr "" #: ../net.c:392 msgid "Entries in host status" msgstr "" #: ../net.c:400 msgid "Parameter" msgstr "" #: ../net.c:402 msgid "Decrease" msgstr "" #: ../net.c:404 msgid "Current" msgstr "" 
#: ../net.c:406 msgid "Increase" msgstr "" #: ../net.c:408 #, fuzzy msgid "Alert threshold" msgstr "Alert threshold is one attempt" #: ../net.c:410 msgid "Discard timeout" msgstr "" #: ../net.c:411 msgid "Minimum count in packet cache" msgstr "" #: ../net.c:413 ../net.c:415 msgid "Top amount of entries in packet cache" msgstr "" #: ../net.c:418 ../net.c:420 msgid "Refresh time" msgstr "" #: ../net.c:442 ../net.c:565 msgid "%Y/%m/%d %H:%M:%S" msgstr "" #: ../net.c:479 ../net.c:595 msgid "drop" msgstr "" #: ../net.c:481 msgid "escalate" msgstr "" #: ../net.c:527 ../net.c:546 ../net.c:552 ../net.c:558 msgid "<td>any</td>" msgstr "<td>²¿¤Ç¤â</td>" #: ../net.c:540 #, fuzzy msgid "<td>(known host)</td>" msgstr "<td>¥í¥°¥Û¥¹¥È</td>" #: ../net.c:542 #, fuzzy msgid "<td>(known net)</td>" msgstr "<td>¥Ý¡¼¥È</td>" #: ../net.c:654 ../net.c:657 #, c-format msgid "Rejected connect from unallowed ip %s port %i" msgstr "µö²Ä¤µ¤ì¤Æ¤¤¤Ê¤¤ ip %s ¥Ý¡¼¥È %i ¤«¤é¤Î Rejected Àܳ" #: ../net.c:668 ../net.c:670 #, c-format msgid "Connect from %s port %i" msgstr "%s ¥Ý¡¼¥È %i ¤«¤é¤ÎÀܳ" #: ../net.c:734 msgid "Authorization failed" msgstr "ǧ¾Ú¼ºÇÔ" #: ../net.c:737 #, fuzzy msgid "Authorization required" msgstr "ǧ¾Ú¼ºÇÔ" #: ../net.c:814 msgid "Bad request" msgstr "" #: ../net.c:819 msgid "Redirect" msgstr "" #: ../net.c:819 msgid "You should be redirected to the <a href=\"/\">root directory</a>" msgstr "" #: ../net.c:831 #, c-format msgid "Requested function: %s" msgstr "" #: ../net.c:834 msgid "Connection closed" msgstr "Àܳ¤¬ÊĤ¸¤Þ¤·¤¿" #: ../output.c:200 #, c-format msgid " to " msgstr " to " #: ../output.c:255 #, c-format msgid " packet" msgstr " ¥Ñ¥±¥Ã¥È " #: ../output.c:257 #, c-format msgid " packets" msgstr " ¥Ñ¥±¥Ã¥È" #: ../output.c:261 #, fuzzy, c-format msgid " (%lu bytes)" msgstr " (%d ¥Ð¥¤¥È)" #: ../output.c:264 #, c-format msgid " from %s" msgstr " from %s" #: ../output.c:280 ../output.c:293 #, c-format msgid " port %d" msgstr " port %d" #: ../output.c:286 #, c-format msgid " to %s" 
msgstr " to %s" #: ../output.c:313 #, fuzzy, c-format msgid "<th>start</th>" msgstr "<td>³«»Ï</td>" #: ../output.c:316 #, fuzzy, c-format msgid "<th>end</th>" msgstr "<td>½ªÎ»</td>" #: ../output.c:319 #, fuzzy, c-format msgid "<th>interval</th>" msgstr "<td>´Ö³Ö</td>" #: ../output.c:322 #, fuzzy, c-format msgid "<th>loghost</th>" msgstr "<td>¥í¥°¥Û¥¹¥È</td>" #: ../output.c:325 #, fuzzy, c-format msgid "<th>chain</th>" msgstr "<td>¥Á¥§¥¤¥ó</td>" #: ../output.c:328 #, fuzzy, c-format msgid "<th>target</th>" msgstr "<td>ÌÜɸ</td>" #: ../output.c:331 #, fuzzy, c-format msgid "<th>interface</th>" msgstr "<td>¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹</td>" #: ../output.c:334 #, fuzzy, c-format msgid "<th>proto</th>" msgstr "<td>¥×¥í¥È¥³¥ë</td>" #: ../output.c:337 #, fuzzy, c-format msgid "<th>bytes</th>" msgstr "<td>¥Ð¥¤¥È</td>" #: ../output.c:340 #, fuzzy, c-format msgid "<th>source</th>" msgstr "<td>Á÷¿®¸µ</td>" #: ../output.c:342 ../output.c:356 #, fuzzy, c-format msgid "<th>hostname</th>" msgstr "<td>¥Û¥¹¥È̾</td>" #: ../output.c:344 #, fuzzy, c-format msgid "<th>whois information</th>" msgstr "<td>whois ¾ðÊó</td>" #: ../output.c:348 ../output.c:360 #, fuzzy, c-format msgid "<th>port</th>" msgstr "<td>¥Ý¡¼¥È</td>" #: ../output.c:350 ../output.c:362 #, fuzzy, c-format msgid "<th>service</th>" msgstr "<td>¥µ¡¼¥Ó¥¹</td>" #: ../output.c:354 #, fuzzy, c-format msgid "<th>destination</th>" msgstr "<td>°¸Àè</td>" #: ../output.c:366 #, fuzzy, c-format msgid "<th>opts</th>" msgstr "<td>opts</td>" #: ../parser.c:263 #, c-format msgid "Unknown parser: '%c'.\n" msgstr "Unknown parser: '%c'.\n" #: ../rcfile.c:57 #, c-format msgid "Error in configuration file '%s' line %d: not a number\n" msgstr "" #: ../rcfile.c:86 #, c-format msgid "Error in configuration file '%s' line %d, assuming 'true'\n" msgstr "" #: ../rcfile.c:278 #, fuzzy, c-format msgid "Unrecognized option in configuration file '%s' line %d\n" msgstr "Unrecognized option in rcfile: %s" #: ../rcfile.c:299 #, c-format msgid "%s is not a regular 
file, ignoring.\n" msgstr "%s ¤ÏÄ̾ï¤Î¥Õ¥¡¥¤¥ë¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£Ìµ»ë¤·¤Þ¤¹¡£\n" #: ../rcfile.c:307 #, fuzzy, c-format msgid "Opening configuration file '%s'\n" msgstr "ÆþÎÏ¥Õ¥¡¥¤¥ë '%s' ¤ò³«¤¤¤Æ¤¤¤Þ¤¹\n" #: ../resolve.c:62 #, c-format msgid "port mismatch: %d != %d\n" msgstr "¥Ý¡¼¥È¤¬°ìÃפ·¤Þ¤»¤ó: %d != %d\n" #: ../resolve.c:81 ../resolve.c:151 #, c-format msgid "Resolving %s from cache\n" msgstr "¥­¥ã¥Ã¥·¥å¤«¤é %s ¤ò²ò·è¤·¤Æ¤¤¤Þ¤¹\n" #: ../resolve.c:89 ../resolve.c:112 #, c-format msgid "Resolving %s\n" msgstr "%s ¤ò²ò·è¤·¤Æ¤¤¤Þ¤¹\n" #: ../resolve.c:95 #, c-format msgid "Wrong host name size\n" msgstr "´Ö°ã¤Ã¤¿¥Û¥¹¥È̾¤Î¥µ¥¤¥º¤Ç¤¹\n" #: ../resolve.c:119 #, c-format msgid "%s [forward lookup: %s]" msgstr "%s [Á°¸þ¤­¸¡º÷: %s]" #: ../resolve.c:122 #, c-format msgid "%s [forward lookup failed]" msgstr "%s [Á°¸þ¤­¸¡º÷¼ºÇÔ]" #: ../resolve.c:163 #, fuzzy, c-format msgid "Resolving %s from adns\n" msgstr "¥­¥ã¥Ã¥·¥å¤«¤é %s ¤ò²ò·è¤·¤Æ¤¤¤Þ¤¹\n" #: ../resolve.c:167 #, fuzzy msgid "[inconsistent forward lookup]" msgstr "%s [Á°¸þ¤­¸¡º÷: %s]" #: ../resolve.c:171 #, c-format msgid "[adns status %d]" msgstr "" #: ../resolve.c:189 msgid "DNS cache error" msgstr "" #: ../resolve.c:207 #, c-format msgid "Submitted %s to adns\n" msgstr "" #: ../response.c:56 msgid "One logging ipchains firewall rule defined" msgstr "£±¤Ä¤Î¥í¥°¤µ¤ì¤ë ipchains ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¥ë¡¼¥ë¤¬ÄêµÁ¤µ¤ì¤Æ¤¤¤Þ¤¹" #: ../response.c:58 #, c-format msgid "%u logging ipchains firewall rules defined" msgstr "%u ¤Î¥í¥°¤µ¤ì¤ë ipchains ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¥ë¡¼¥ë¤¬ÄêµÁ¤µ¤ì¤Æ¤¤¤Þ¤¹" #: ../response.c:61 msgid "No logging ipchains firewall rules defined, format was requested" msgstr "" "¥í¥°¤µ¤ì¤ë ipchains ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¥ë¡¼¥ë¤¬ÄêµÁ¤µ¤ì¤Æ¤¤¤Þ¤»¤ó\n" "¤Î¤Ç¡¤·Á¼°¤¬Í׵ᤵ¤ì¤Þ¤·¤¿" #: ../response.c:82 #, c-format msgid "%s is group/world writable" msgstr "%s ¤Ë¥°¥ë¡¼¥×/¥ï¡¼¥ë¥É¤Î½ñ¤­¹þ¤ß¸¢¸Â¤¬¤¢¤ê¤Þ¤¹" #: ../response.c:168 #, c-format msgid "Deleting packet cache entry (%s)" msgstr "¥Ñ¥±¥Ã¥È¥­¥ã¥Ã¥·¥å¥¨¥ó¥È¥ê (%s) ¤òºï½ü¤·¤Æ¤¤¤Þ¤¹" #: 
../response.c:202 #, c-format msgid "Deleting host status entry (%s)" msgstr "¥Û¥¹¥È¾õÂÖ¥¨¥ó¥È¥ê (%s) ¤òºï½ü¤·¤Æ¤¤¤Þ¤¹" #: ../response.c:276 #, c-format msgid "ALERT: %d attempts from %s" msgstr "ALERT: %d attempts from %s" #: ../utils.c:53 #, c-format msgid "" "\n" "Memory allocation error, exiting.\n" msgstr "" "\n" "¥á¥â¥ê¡¼³ÎÊÝ¥¨¥é¡¼¤Ç¤¹¤Î¤Ç¡¤½ªÎ»¤·¤Þ¤¹¡£\n" #: ../utils.c:68 msgid "Exiting" msgstr "½ªÎ»¤·¤Æ¤¤¤Þ¤¹" #: ../utils.c:77 msgid "Not executing buffer containing format string" msgstr "Not executing buffer containing format string" #: ../utils.c:82 #, c-format msgid "Executing '%s'" msgstr "'%s' ¼Â¹ÔÃæ" #: ../utils.c:194 #, fuzzy, c-format msgid "" "fwlogwatch error: mode collision, please check that you didn't specify\n" " several modes on the command line or a second mode is active in the\n" " configuration file.\n" " Please use a separate configuration file for each mode or comment out " "all\n" " entries in the default configuration and use command line parameters.\n" msgstr "" "fwlogwatch error: ¥â¡¼¥É¤Î¾×ÆÍ¤¬¤¢¤ê¤Þ¤¹¤Î¤Ç¡¤Ê£¿ô¤Î¥â¡¼¥É¤ò»ØÄꤷ¤Æ\n" " ¤¤¤Ê¤¤¤«¡¤¤Þ¤¿¤ÏÂ裲¤Î¥â¡¼¥É¤¬É¸½à¤Ç¤Þ¤¿¤Ï»ØÄꤵ¤ì¤¿ÀßÄê¥Õ¥¡¥¤¥ë¤Ç\n" " Í­¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤¤¤«¥Á¥§¥Ã¥¯¤·¤Æ²¼¤µ¤¤¡£\n" " ¤½¤ì¤¾¤ì¤Î¥â¡¼¥ÉÍѤËʬ³ä¤·¤¿ÀßÄê¥Õ¥¡¥¤¥ë¤ò»È¤¦¤«¡¤¥Ç¥Õ¥©¥ë¥È¤ÎÀßÄê\n" " ¤Î¤¹¤Ù¤Æ¤Î¥¨¥ó¥È¥ê¤ò¥³¥á¥ó¥È¥¢¥¦¥È¤·¤Æ¥³¥Þ¥ó¥É¥é¥¤¥ó¥Ñ¥é¥á¡¼¥¿¤ò»È\n" " ¤Ã¤Æ¤¯¤À¤µ¤¤¡£\n" #: ../utils.c:268 #, c-format msgid "IP address error: %s\n" msgstr "IP ¥¢¥É¥ì¥¹¤Ë¥¨¥é¡¼¤¬¤¢¤ê¤Þ¤¹: %s\n" #: ../utils.c:294 #, c-format msgid "Error in CIDR format: %s\n" msgstr "CIDR¥Õ¥©¡¼¥Þ¥Ã¥È¤Ë¥¨¥é¡¼¤¬¤¢¤ê¤Þ¤¹: %s\n" #: ../utils.c:312 #, c-format msgid "(known host)\n" msgstr "(´ûÃΤΥۥ¹¥È)\n" #: ../utils.c:351 #, c-format msgid "(excluded host)\n" msgstr "(½ü³°¤¹¤ë¥Û¥¹¥È)\n" #: ../whois.c:220 #, c-format msgid "Looking up whois info for %s from cache\n" msgstr "¥­¥ã¥Ã¥·¥å¤«¤é %s ¤Î whois ¾ðÊó¤ò¸¡º÷¤·¤Æ¤¤¤Þ¤¹\n" #: ../whois.c:227 #, c-format msgid "Looking up whois info for %s\n" msgstr "%s ¤Î whois ¾ðÊó¤ò¸¡º÷¤·¤Æ¤¤¤Þ¤¹\n" #: 
../whois.c:248 #, c-format msgid "lookup failed: %s\n" msgstr "¸¡º÷¤Ë¼ºÇÔ: %s\n" #: ../main.h:300 msgid "fwlogwatch summary" msgstr "fwlogwatch ¤Î°ìÍ÷" #: ../main.h:310 msgid "fwlogwatch status" msgstr "fwlogwatch ¤Î¾õÂÖ" #, fuzzy #~ msgid "Interactive report mode (summary mode extension):\n" #~ msgstr "ÂÐÏÃ¥ì¥Ý¡¼¥È¥â¡¼¥É:\n" #, fuzzy #~ msgid " -i <count> interactive mode with report threshold\n" #~ msgstr "" #~ " -i <¥«¥¦¥ó¥È>\n" #~ " ¥ì¥Ý¡¼¥È¤¹¤ëïçÃͤòÉղä·¤¿ÂÐÏå⡼¥É\n" #, fuzzy #~ msgid " -T <email> address of CERT or abuse contact to send report to\n" #~ msgstr "" #~ " -T <email> ¥ì¥Ý¡¼¥È¤òÁ÷ÉÕ¤¹¤ë CERT ¤Þ¤¿¤ÏÉÔÀµÍøÍÑÂбþ´Ø·¸¼Ô¤Î¥¢" #~ "¥É¥ì¥¹\n" #, fuzzy #~ msgid " -I <file> template file for report (defaults to %s)\n" #~ msgstr "" #~ " -I <¥Õ¥¡¥¤¥ë>\n" #~ " ¥ì¥Ý¡¼¥È¤Î¥Æ¥ó¥×¥ì¡¼¥È¥Õ¥¡¥¤¥ë\n" #~ msgid "" #~ "Reporting threshold: %d\n" #~ "\n" #~ msgstr "" #~ "¥ì¥Ý¡¼¥È¤ÎïçÃÍ: %d\n" #~ "\n" #~ msgid "Offending IP address: %s\n" #~ msgstr "Offending IP address: %s\n" #~ msgid "Offending IP name: %s\n" #~ msgstr "Offending IP name: %s\n" #~ msgid "Target IP address: %s\n" #~ msgstr "Target IP address: %s\n" #~ msgid "Target IP name: %s\n" #~ msgstr "Target IP name: %s\n" #~ msgid "Number of logged attempts: %s\n" #~ msgstr "Number of logged attempts: %s\n" #~ msgid "Start time: %s\n" #~ msgstr "Start time: %s\n" #~ msgid "End time: %s\n" #~ msgstr "End time: %s\n" #~ msgid "Timezone: %s\n" #~ msgstr "Timezone: %s\n" #~ msgid "Duration: %s\n" #~ msgstr "Duration: %s\n" #~ msgid "Protocol: %s\n" #~ msgstr "Protocol: %s\n" #~ msgid "Source port: %s\n" #~ msgstr "Source port: %s\n" #~ msgid "Destination port: %s\n" #~ msgstr "Destination port: %s\n" #~ msgid "TCP options: %s\n" #~ msgstr "TCP options: %s\n" #~ msgid "Tracking number: %s\n" #~ msgstr "Tracking number: %s\n" #~ msgid "Incident report %s-%s" #~ msgstr "¥¤¥ó¥·¥Ç¥ó¥È¥ì¥Ý¡¼¥È %s-%s" #~ msgid "%d (unknown)" #~ msgstr "%d (ÉÔÌÀ)" #~ msgid "no SYNs" #~ msgstr "SYN ¤Ê¤·" #~ msgid "SYNs only" #~ msgstr "SYN ¤Î¤ß" #~ 
msgid "" #~ "\n" #~ "What do you want to change? [1-18/(o)k] " #~ msgstr "" #~ "\n" #~ "²¿¤òÊѹ¹¤·¤¿¤¤¤Ç¤¹¤«¡© [1-18/(o)k] " #~ msgid "New value: " #~ msgstr "¿·¤·¤¤ÃÍ: " #~ msgid "" #~ "\n" #~ "Should this report be sent? [(s)end/(m)odify/(q)uit] " #~ msgstr "" #~ "\n" #~ "¤³¤Î¥ì¥Ý¡¼¥È¤òÁ÷¿®¤·¤Æ¤â¤è¤í¤·¤¤¤Ç¤·¤ç¤¦¤«¡© [(s)end/(m)odify/(q)uit] " #~ msgid " -f <file> specify input file (defaults to %s)\n" #~ msgstr "" #~ " -f <¥Õ¥¡¥¤¥ë>\n" #~ " ÆþÎÏ¥Õ¥¡¥¤¥ë¤ò»ØÄꤹ¤ë(¥Ç¥Õ¥©¥ë¥È %s)\n" #~ msgid " (defaults to '%s')\n" #~ msgstr " (¥Ç¥Õ¥©¥ë¥È '%s')\n" #~ msgid " (defaults to %s)\n" #~ msgstr " (¥Ç¥Õ¥©¥ë¥È %s)\n" #~ msgid "\"%s\" are packet logs, " #~ msgstr "\"%s\" ¤¬¥Ñ¥±¥Ã¥È¥í¥°¤Ç¡¤" #~ msgid "SIGHUP caught, ignoring" #~ msgstr "SIGHUP ¤ò¼õ¤±¼è¤ê¤Þ¤·¤¿¤¬¡¤Ìµ»ë¤·¤Þ¤¹" #~ msgid "" #~ "<tr bgcolor=\"#%s\" align=\"center\"><td>Count</td><td>Added</" #~ "td><td>Source IP address</td>" #~ msgstr "" #~ "<tr bgcolor=\"#%s\" align=\"center\"><td>Count</td><td>Added</td><td>Á÷¿®" #~ "¸µIP ¥¢¥É¥ì¥¹</td>" #~ msgid "<td>Hostname</td>" #~ msgstr "<td>¥Û¥¹¥È̾</td>" #~ msgid "<td>Destination IP address</td>" #~ msgstr "<td>°¸Àè IP ¥¢¥É¥ì¥¹</td>" #~ msgid "<td>Protocol</td>" #~ msgstr "<td>¥×¥í¥È¥³¥ë</td>" #~ msgid "<td>Source port</td>" #~ msgstr "<td>Á÷¿®¸µ¥Ý¡¼¥È</td>" #~ msgid "<td>Service</td>" #~ msgstr "<td>¥µ¡¼¥Ó¥¹</td>" #~ msgid "<td>Destination port</td>" #~ msgstr "<td>°¸Àè¥Ý¡¼¥È</td>" #~ msgid "<td>Remaining time</td></tr>\n" #~ msgstr "<td>»Ä¤ê»þ´Ö</td></tr>\n" #~ msgid "Authorization failed (%s)" #~ msgstr "ǧ¾Ú¼ºÇÔ (%s)" #~ msgid "<a href=\"/\">Reload</a><br>\n" #~ msgstr "<a href=\"/\">¹¹¿·</a><br>\n" #~ msgid "(automatic refresh every %d seconds)<br>\n" #~ msgstr "(%d ÉÃËè¤Ë¼«Æ°¹¹¿·)<br>\n" #~ msgid "" #~ "\n" #~ "</div>\n" #~ "<h2>General information</h2>\n" #~ msgstr "" #~ "\n" #~ "</div>\n" #~ "<h2>Á´ÂÎŪ¤Ê¾ðÊó</h2>\n" #~ msgid "<tr><td>Daemon start time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>Daemon ³«»Ï»þ¹ï:</td><td>%s</td></tr>\n" #~ msgid "<tr><td>Current 
time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>¸½ºß»þ¹ï:</td><td>%s</td></tr>\n" #~ msgid "<tr><td>Running time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>ưºî»þ´Ö:</td><td>%s</td></tr>\n" #~ msgid "" #~ "<tr><td>Alert threshold:</td><td>%d entries</td></tr>\n" #~ "<tr><td>Discard timeout:</td><td>%d seconds</td></tr>\n" #~ msgstr "" #~ "<tr><td>·Ù¹ð¤ÎïçÃÍ:</td><td>%d ¥¨¥ó¥È¥ê</td></tr>\n" #~ "<tr><td>ÇË´þ¤¹¤ëÂÔ¤Á»þ´Ö:</td><td>%d ÉÃ</td></tr>\n" #~ msgid "<tr><td>Response mode:</td><td>log%s%s</td></tr>\n" #~ msgstr "<tr><td>±þÅú¥â¡¼¥É:</td><td>log%s%s</td></tr>\n" #~ msgid "<td>-</td><td>%s/%d (known host/net)</td>" #~ msgstr "<td>-</td><td>%s/%d (´ûÃΤΥۥ¹¥È/net)</td>" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/po/pt.po�����������������������������������������������������������������������������0000644�0000764�0000144�00000074543�11453065602�013474� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������msgid "" msgstr "" "Project-Id-Version: fwlogwatch 0.5\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-10-06 13:58+0200\n" "PO-Revision-Date: 2002-01-27 16:17+0100\n" "Last-Translator: Ivan F. 
Martinez <ivanfm@ecodigit.com.br>\n" "Language-Team: -\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=ISO-8859-1\n" "Content-Transfer-Encoding: 8bit\n" #: ../compare.c:158 #, c-format msgid "conn_sort_up: wrong mode\n" msgstr "conn_sort_up: modo invalido\n" #: ../compare.c:264 #, c-format msgid "Error in sort string: '%c', order expected, ignoring.\n" msgstr "Erro na string de ordenacao: '%c', esperado ordem, ignorando.\n" #: ../compare.c:278 #, c-format msgid "Error in sort string: '%c', direction expected, ignoring.\n" msgstr "Erro na string de ordenacao: '%c', esperado direcao, ignorando.\n" #: ../compare.c:282 #, fuzzy, c-format msgid "Error in sort string, direction expected, ignoring.\n" msgstr "Erro na string de ordenacao, esperado direcao, ignorando.\n" #: ../compare.c:382 ../compare.c:384 ../modes.c:196 ../modes.c:203 #: ../modes.c:813 ../modes.c:815 ../output.c:106 ../output.c:113 #: ../output.c:193 ../output.c:202 ../output.c:380 msgid "%b %d %H:%M:%S" msgstr "" #: ../compare.c:383 #, c-format msgid "Timewarp in log file (%s" msgstr "Avanco de tempo no arquivo de log (%s" #: ../main.c:25 #, fuzzy, c-format msgid "Usage: %s [options] [input_files]\n" msgstr "Uso: %s [opções]\n" #: ../main.c:26 #, fuzzy, c-format msgid "General options:\n" msgstr "Opções globais:\n" #: ../main.c:27 #, fuzzy, c-format msgid " -h this help\n" msgstr " -h mostra texto de ajuda\n" #: ../main.c:28 #, fuzzy, c-format msgid " -L show time of first and last log entry\n" msgstr "" " -L <arq.> mostra horario inicial e final do arquivo de log\n" #: ../main.c:29 #, fuzzy, c-format msgid " -V show version and copyright info\n" msgstr " -V mostra informações sobre versão e copyright\n" #: ../main.c:32 #, c-format msgid "Global options:\n" msgstr "Opções globais:\n" #: ../main.c:33 #, fuzzy, c-format msgid " -b show amount of data (sum of total packet lengths)\n" msgstr "" " -b mostra total de dados (soma dos tamanhos dos pacotes)\n" #: ../main.c:34 #, fuzzy, c-format 
msgid " -c <file> specify config file (defaults to %s)\n" msgstr "" " -c <arq.> especifica arquivo de configuração (padrão : %s)\n" #: ../main.c:35 #, fuzzy, c-format msgid " -D do not differentiate destination IP addresses\n" msgstr " -D não diferencia endereços IP de destino\n" #: ../main.c:36 #, fuzzy, c-format msgid " -d differentiate destination ports\n" msgstr " -d diferencia portas de destino\n" #: ../main.c:37 #, c-format msgid " -E <format> select or exclude hosts, ports, chains and targets\n" msgstr "" #: ../main.c:38 #, c-format msgid " quick reference: -E[ie][hp][sd]<ip/number>\n" msgstr "" #: ../main.c:39 #, c-format msgid " -E[ie][cb]<name>\n" msgstr "" #: ../main.c:40 #, fuzzy, c-format msgid " -m <count> only show entries with at least so many incidents\n" msgstr "" " -m <num> mostra somente entradas com um minimo de ocorrencias\n" #: ../main.c:41 #, c-format msgid " -M <number> only show this amount of entries\n" msgstr "" #: ../main.c:42 #, fuzzy, c-format msgid " -N resolve service names\n" msgstr " -N resolve nome de servico\n" #: ../main.c:43 #, fuzzy, c-format msgid " -n resolve host names\n" msgstr " -n resolve nome de hosts\n" #: ../main.c:44 #, fuzzy, c-format msgid " -O <order> define the sort order (see the man page for details)\n" msgstr "" " -O <ordem> define a ordem para ordenação (veja pagina man para " "detalhes)\n" #: ../main.c:45 #, fuzzy, c-format msgid "" " -P <format> use parsers for specific formats (defaults to netfilter)\n" msgstr " -P <formato> utiliza somente os formatos especificados\n" #: ../main.c:46 #, c-format msgid " i: ipchains, n: netfilter, f: ipfilter, c: cisco ios\n" msgstr "" #: ../main.c:47 #, c-format msgid "" " p: cisco pix, e: netscreen, l: lancom, s: snort, b: ipfw\n" msgstr "" #: ../main.c:48 #, fuzzy, c-format msgid " -p differentiate protocols\n" msgstr " -p diferenciar protocolos\n" #: ../main.c:49 #, fuzzy, c-format msgid " -s differentiate source ports\n" msgstr " -s diferenciar portas de origem\n" #: 
../main.c:50 #, c-format msgid " -U <title> set report and status page title and email subject\n" msgstr "" #: ../main.c:51 #, fuzzy, c-format msgid " -v verbose, specify twice for more info\n" msgstr "" " -v detalhes, especifique duas vezes para mais informações\n" #: ../main.c:52 #, fuzzy, c-format msgid " -y differentiate TCP options\n" msgstr " -y diferenciar opções de TCP\n" #: ../main.c:55 #, c-format msgid "Log summary mode (default):\n" msgstr "Modo sumario de log (padrão):\n" #: ../main.c:56 #, fuzzy, c-format msgid " -C <email> carbon copy recipients\n" msgstr " -C <email> destinatarios para cópia\n" #: ../main.c:57 #, fuzzy, c-format msgid " -e show end times\n" msgstr " -e mostrar horario final\n" #: ../main.c:58 #, fuzzy, c-format msgid " -F <email> report sender address (defaults to '%s')\n" msgstr " -F <email> email origem no envio do relatório\n" #: ../main.c:59 #, fuzzy, c-format msgid " -l <time> process recent events only (defaults to off)\n" msgstr "" " -l <tempo> processa eventos recentes somente (padrão : desligado)\n" #: ../main.c:60 #, fuzzy, c-format msgid " -o <file> specify output file\n" msgstr " -o <arq.> especifica arquivo de saida\n" #: ../main.c:61 #, fuzzy, c-format msgid " -S do not differentiate source IP addresses\n" msgstr " -S não diferencia endereços IP de origem\n" #: ../main.c:62 #, c-format msgid " -T <email> send report by email to this address\n" msgstr "" #: ../main.c:63 #, fuzzy, c-format msgid " -t show start times\n" msgstr " -t mostrar horario inicial\n" #: ../main.c:64 #, fuzzy, c-format msgid " -W activate whois lookups for source addresses\n" msgstr " -W activa verificação whois para endereços origem\n" #: ../main.c:65 #, fuzzy, c-format msgid " -w HTML output\n" msgstr " -w saída em HTML\n" #: ../main.c:66 #, fuzzy, c-format msgid " -z show time interval\n" msgstr " -z mostra intervalo de tempo\n" #: ../main.c:69 #, c-format msgid "Realtime response mode:\n" msgstr "Modo de resposta em tempo real:\n" #: 
../main.c:70 #, fuzzy, c-format msgid " -R realtime response as daemon (default action: log only)\n" msgstr "" " -R modo de resposta em tempo real (ação padrão: somente " "registra)\n" #: ../main.c:71 #, fuzzy, c-format msgid " -a <count> alert threshold (defaults to %d entries)\n" msgstr " -a <num> limite de ativação (padrão : %d entradas)\n" #: ../main.c:72 #, fuzzy, c-format msgid " -l <time> forget events this old (defaults to %d hours)\n" msgstr "" " -l <tempo> esquece eventos após periodo (padrão : %d horas)\n" #: ../main.c:73 #, fuzzy, c-format msgid " -k <IP/net> add this IP address or net to the list of known hosts\n" msgstr " -k <IP/rede> adiciona IP ou rede à lista de conhecidos\n" #: ../main.c:74 #, fuzzy, c-format msgid " -A invoke notification script if threshold is reached\n" msgstr " -A executa script de aviso ao chegar no limite\n" #: ../main.c:75 #, fuzzy, c-format msgid " -B invoke response action script (e.g. block host)\n" msgstr "" " -B executa script de resposta automatica (ex. bloqueia " "maquina)\n" #: ../main.c:76 #, fuzzy, c-format msgid " -X <port> activate internal status information web server\n" msgstr " -X activa servidor web interno de informações\n" #: ../main.c:102 #, fuzzy msgid "You can contact the author at <bw@inside-security.de>." msgstr "Você pode contactar o autor via <bw@inside-security.de>." 
#: ../main.c:104 msgid "Compile-time options of this version:" msgstr "" #: ../main.c:105 #, c-format msgid "Short name limit " msgstr "" #: ../main.c:107 ../main.c:113 ../main.c:119 ../main.c:125 ../main.c:131 msgid "enabled" msgstr "" #: ../main.c:109 ../main.c:115 ../main.c:121 ../main.c:127 ../main.c:133 msgid "disabled" msgstr "" #: ../main.c:111 #, c-format msgid "Zlib support " msgstr "" #: ../main.c:117 #, c-format msgid "Gettext (i18n) support " msgstr "" #: ../main.c:123 #, c-format msgid "IPv6 support " msgstr "" #: ../main.c:129 #, c-format msgid "GNU adns support " msgstr "" #: ../main.c:287 #, c-format msgid "Illegal inclusion/exclusion pos. 1 (expected [ie]): %s\n" msgstr "" #: ../main.c:288 ../main.c:305 ../main.c:314 ../main.c:452 #, c-format msgid "Exiting\n" msgstr "Terminando\n" #: ../main.c:304 #, c-format msgid "Illegal inclusion/exclusion pos. 2 (expected [hpcb]): %s\n" msgstr "" #: ../main.c:313 #, c-format msgid "Illegal inclusion/exclusion pos. 3 (expected [sd]): %s\n" msgstr "" #: ../modes.c:109 #, c-format msgid "Using stdin as input\n" msgstr "Usando stdin como entrada\n" #: ../modes.c:115 #, c-format msgid "Opening input file '%s'\n" msgstr "Abrindo arquivo de entrada '%s'\n" #: ../modes.c:133 #, c-format msgid "Processing\n" msgstr "Processando\n" #: ../modes.c:140 #, c-format msgid "Unrecognized entries or tokens can be submitted at\n" msgstr "" #: ../modes.c:149 ../modes.c:396 ../modes.c:782 ../rcfile.c:321 #, c-format msgid "Closing '%s'\n" msgstr "Fechando '%s'\n" #: ../modes.c:178 #, c-format msgid "Sorting data\n" msgstr "Ordenando dados\n" #: ../modes.c:215 #, c-format msgid "Opening output file '%s'\n" msgstr "Abrindo arquivo de saída '%s'\n" #: ../modes.c:226 #, fuzzy, c-format msgid "Sending\n" msgstr "Enviando...\n" #: ../modes.c:249 ../net.c:364 ../net.c:367 msgid "%A %B %d %H:%M:%S %Z %Y" msgstr "" #: ../modes.c:250 #, c-format msgid "Generated %s by " msgstr "Gerado %s por " #: ../modes.c:260 #, c-format msgid "an 
unknown user.\n" msgstr "um usuario desconhecido.\n" #: ../modes.c:268 #, c-format msgid "(and %d older than %d seconds) " msgstr "(e %d anteriores à %d segundos) " #: ../modes.c:271 #, c-format msgid "(and %d malformed) " msgstr "(e %d mal formadas) " #: ../modes.c:274 #, fuzzy, c-format msgid "of %d entries in the file \"%s\" are packet logs, " msgstr "de %d entradas no arquivo " #: ../modes.c:276 #, c-format msgid "of %d entries in standard input are packet logs, " msgstr "" #: ../modes.c:278 #, fuzzy, c-format msgid "of %d entries in %d input files are packet logs, " msgstr "de %d entradas no arquivo " #: ../modes.c:282 #, c-format msgid "one has unique characteristics.\n" msgstr "um tem caracteristica unica.\n" #: ../modes.c:284 #, c-format msgid "%d have unique characteristics.\n" msgstr "%d tem caracteristicas unicas.\n" #: ../modes.c:292 #, c-format msgid "One entry was excluded by configuration.\n" msgstr "Uma entrada foi excluida pela configuração.\n" #: ../modes.c:294 #, c-format msgid "%d entries were excluded by configuration.\n" msgstr "%d entradas foram excluidas pela configuração.\n" #: ../modes.c:302 #, c-format msgid "First packet log entry: %s, last: %s.\n" msgstr "Primeiro pacote registrado: %s, ultimo: %s.\n" #: ../modes.c:304 ../modes.c:811 #, c-format msgid "No valid time entries found.\n" msgstr "Nenhum registro de horario valido encontrado.\n" #: ../modes.c:311 #, c-format msgid "All entries were logged by the same host: \"%s\".\n" msgstr "Todos registros são da mesma maquina: \"%s\".\n" #: ../modes.c:318 #, c-format msgid "All entries are from the same chain: \"%s\".\n" msgstr "Todos registros são do mesmo chain: \"%s\".\n" #: ../modes.c:325 #, c-format msgid "All entries have the same target: \"%s\".\n" msgstr "Todos registros tem o mesmo destino: \"%s\".\n" #: ../modes.c:332 #, c-format msgid "All entries are from the same interface: \"%s\".\n" msgstr "Todos registros são da mesma interface: \"%s\".\n" #: ../modes.c:339 #, fuzzy, 
c-format msgid "Only entries with a count of at least %d are shown.\n" msgstr "Somente registros com contagem maior que %d são mostrados.\n" #: ../modes.c:346 #, fuzzy, c-format msgid "Only the top %d entries are shown.\n" msgstr "Somente registros com contagem maior que %d são mostrados.\n" #: ../modes.c:357 #, fuzzy, c-format msgid "Resolving\n" msgstr "Resolvendo %s\n" #: ../modes.c:416 #, c-format msgid "Warning: pidfile exists, another fwlogwatch might be running.\n" msgstr "Aviso: arquivo pid existe, outro fwlogwatch pode estar rodando.\n" #: ../modes.c:430 #, fuzzy, c-format msgid "SIGHUP caught, reread configuration file %s" msgstr "SIGHUP recebido, reabrindo arquivo de log" #: ../modes.c:432 #, fuzzy, c-format msgid "SIGHUP caught, unable to reread configuration file %s" msgstr "SIGHUP recebido, reabrindo arquivo de log" #: ../modes.c:455 msgid "SIGUSR1 caught, reading input from stdin, no need to reopen log file" msgstr "" #: ../modes.c:457 #, fuzzy, c-format msgid "SIGUSR1 caught, reopening log file %s" msgstr "SIGHUP recebido, reabrindo arquivo de log" #: ../modes.c:529 msgid "SIGTERM caught, cleaning up" msgstr "SIGTERM recebido, fechando" #: ../modes.c:611 #, c-format msgid "Starting (pid %d)" msgstr "Iniciando (pid %d)" #: ../modes.c:661 msgid "User to run as was not found" msgstr "" #: ../modes.c:676 #, c-format msgid "Changed uid from %d to %d, gid from %d to %d" msgstr "" #: ../modes.c:678 #, c-format msgid "Running with uid %d, gid %d" msgstr "" #: ../modes.c:682 msgid "Alert threshold is one attempt" msgstr "Limite de alerta em uma tentativa" #: ../modes.c:684 #, c-format msgid "Alert threshold is %d attempts" msgstr "Limite de alerta : %d tentativas" #: ../modes.c:688 #, c-format msgid "Events older than %d second(s) are discarded" msgstr "Eventos anteriores a %d segundo(s) são descartados" #: ../modes.c:690 #, c-format msgid "Events older than %d hour(s) are discarded" msgstr "Eventos anteriores a %d hora(s) são descartados" #: ../modes.c:693 
#, fuzzy, c-format msgid "Response mode: Log%s%s" msgstr "Modo de resposta : registra%s%s" #: ../modes.c:693 ../net.c:373 msgid ", notify" msgstr ", avisa" #: ../modes.c:693 ../net.c:373 msgid ", respond" msgstr ", responde" #: ../modes.c:724 #, c-format msgid "Reading standard input\n" msgstr "Lendo entrada padrão(stdin)\n" #: ../modes.c:742 #, c-format msgid "Reading '%s'\n" msgstr "Lendo '%s'\n" #: ../modes.c:808 #, fuzzy, c-format msgid "Number of files: %d\n" msgstr "Numero de tentativas registradas: %s\n" #: ../modes.c:809 #, fuzzy, c-format msgid "Number of lines: %d\n" msgstr "no. de linhas : %d\n" #: ../modes.c:814 #, c-format msgid "First entry: %s\n" msgstr "Primeiro registro: %s\n" #: ../modes.c:816 #, c-format msgid "Last entry : %s\n" msgstr "Ultimo registro : %s\n" #: ../modes.c:818 #, c-format msgid "Difference : %s\n" msgstr "" #: ../net.c:130 ../net.c:132 #, c-format msgid "Listening on %s port %i" msgstr "Esperando conexões em %s porta %i" #: ../net.c:172 msgid "decode_base64: input string incomplete" msgstr "decode_base64: string de entrada incompleta" #: ../net.c:179 #, c-format msgid "decode_base64: illegal character '%c' in input string" msgstr "decode_base64: caracter ilegal '%c' na string de entrada" #: ../net.c:214 msgid "count" msgstr "" #: ../net.c:215 msgid "added" msgstr "" #: ../net.c:217 msgid "proto" msgstr "" #: ../net.c:219 #, fuzzy msgid "bytes" msgstr " (%d bytes)" #: ../net.c:220 msgid "source" msgstr "" #: ../net.c:222 ../net.c:231 #, fuzzy msgid "hostname" msgstr "<td>maquina</td>" #: ../net.c:224 ../net.c:234 #, fuzzy msgid "port" msgstr " porta %d" #: ../net.c:226 ../net.c:236 #, fuzzy msgid "service" msgstr "<td>serviço</td>" #: ../net.c:229 #, fuzzy msgid "destination" msgstr "<td>destino</td>" #: ../net.c:239 msgid "opts" msgstr "" #: ../net.c:240 #, fuzzy msgid "time remaining" msgstr "<td>Tempo restante</td></tr>\n" #: ../net.c:241 msgid "action" msgstr "" #: ../net.c:293 ../net.c:295 ../net.c:360 #, fuzzy msgid 
"Information" msgstr "" "\n" "</div>\n" "<h2>Informações Gerais</h2>\n" #: ../net.c:299 ../net.c:301 ../net.c:398 msgid "Options" msgstr "" #: ../net.c:305 ../net.c:307 ../net.c:426 #, fuzzy msgid "Packet cache" msgstr "<h2>Cache de pacotes</h2>\n" #: ../net.c:311 ../net.c:313 ../net.c:495 #, fuzzy msgid "Host status" msgstr "<h2>Situação da maquina</h2>\n" #: ../net.c:316 msgid "Reload" msgstr "" #: ../net.c:365 msgid "Daemon start time" msgstr "" #: ../net.c:368 msgid "Current time" msgstr "" #: ../net.c:371 msgid "Running time" msgstr "" #: ../net.c:373 msgid "Log" msgstr "" #: ../net.c:374 #, fuzzy msgid "Response mode" msgstr "Modo de resposta : registra%s%s" #: ../net.c:376 msgid "Lines seen" msgstr "" #: ../net.c:377 msgid "Hits" msgstr "" #: ../net.c:378 msgid "Old/excluded/malformed" msgstr "" #: ../net.c:385 #, fuzzy msgid "Entries in packet cache" msgstr "<h2>Cache de pacotes</h2>\n" #: ../net.c:392 #, fuzzy msgid "Entries in host status" msgstr "<h2>Situação da maquina</h2>\n" #: ../net.c:400 msgid "Parameter" msgstr "" #: ../net.c:402 msgid "Decrease" msgstr "" #: ../net.c:404 msgid "Current" msgstr "" #: ../net.c:406 msgid "Increase" msgstr "" #: ../net.c:408 #, fuzzy msgid "Alert threshold" msgstr "Limite de alerta em uma tentativa" #: ../net.c:410 msgid "Discard timeout" msgstr "" #: ../net.c:411 msgid "Minimum count in packet cache" msgstr "" #: ../net.c:413 ../net.c:415 msgid "Top amount of entries in packet cache" msgstr "" #: ../net.c:418 ../net.c:420 msgid "Refresh time" msgstr "" #: ../net.c:442 ../net.c:565 msgid "%Y/%m/%d %H:%M:%S" msgstr "" #: ../net.c:479 ../net.c:595 msgid "drop" msgstr "" #: ../net.c:481 msgid "escalate" msgstr "" #: ../net.c:527 ../net.c:546 ../net.c:552 ../net.c:558 msgid "<td>any</td>" msgstr "<td>qualquer</td>" #: ../net.c:540 #, fuzzy msgid "<td>(known host)</td>" msgstr "<td>-</td><td>%s/%d (maquina/rede conhecida)</td>" #: ../net.c:542 #, fuzzy msgid "<td>(known net)</td>" msgstr "<td>-</td><td>%s/%d (maquina/rede 
conhecida)</td>" #: ../net.c:654 ../net.c:657 #, c-format msgid "Rejected connect from unallowed ip %s port %i" msgstr "Conexão recusada de endedeço não permitido : ip %s porta %i" #: ../net.c:668 ../net.c:670 #, c-format msgid "Connect from %s port %i" msgstr "Conexão de %s porta %i" #: ../net.c:734 msgid "Authorization failed" msgstr "Falha na autorização" #: ../net.c:737 #, fuzzy msgid "Authorization required" msgstr "Falha na autorização" #: ../net.c:814 msgid "Bad request" msgstr "" #: ../net.c:819 msgid "Redirect" msgstr "" #: ../net.c:819 msgid "You should be redirected to the <a href=\"/\">root directory</a>" msgstr "" #: ../net.c:831 #, c-format msgid "Requested function: %s" msgstr "" #: ../net.c:834 msgid "Connection closed" msgstr "Coneão fechada" #: ../output.c:200 #, c-format msgid " to " msgstr " para " #: ../output.c:255 #, c-format msgid " packet" msgstr " pacote" #: ../output.c:257 #, c-format msgid " packets" msgstr " pacotes" #: ../output.c:261 #, fuzzy, c-format msgid " (%lu bytes)" msgstr " (%d bytes)" #: ../output.c:264 #, c-format msgid " from %s" msgstr " de %s" #: ../output.c:280 ../output.c:293 #, c-format msgid " port %d" msgstr " porta %d" #: ../output.c:286 #, c-format msgid " to %s" msgstr " para %s" #: ../output.c:313 #, fuzzy, c-format msgid "<th>start</th>" msgstr "<td>inicio</td>" #: ../output.c:316 #, fuzzy, c-format msgid "<th>end</th>" msgstr "<td>termino</td>" #: ../output.c:319 #, fuzzy, c-format msgid "<th>interval</th>" msgstr "<td>intervalo</td>" #: ../output.c:322 #, fuzzy, c-format msgid "<th>loghost</th>" msgstr "<td>servidor</td>" #: ../output.c:325 #, fuzzy, c-format msgid "<th>chain</th>" msgstr "<td>chain</td>" #: ../output.c:328 #, fuzzy, c-format msgid "<th>target</th>" msgstr "<td>destino</td>" #: ../output.c:331 #, fuzzy, c-format msgid "<th>interface</th>" msgstr "<td>interface</td>" #: ../output.c:334 #, fuzzy, c-format msgid "<th>proto</th>" msgstr "<td>protocolo</td>" #: ../output.c:337 #, fuzzy, c-format 
msgid "<th>bytes</th>" msgstr "<td>bytes</td>" #: ../output.c:340 #, fuzzy, c-format msgid "<th>source</th>" msgstr "<td>origem</td>" #: ../output.c:342 ../output.c:356 #, fuzzy, c-format msgid "<th>hostname</th>" msgstr "<td>maquina</td>" #: ../output.c:344 #, fuzzy, c-format msgid "<th>whois information</th>" msgstr "<td>informação whois</td>" #: ../output.c:348 ../output.c:360 #, fuzzy, c-format msgid "<th>port</th>" msgstr "<td>porta</td>" #: ../output.c:350 ../output.c:362 #, fuzzy, c-format msgid "<th>service</th>" msgstr "<td>serviço</td>" #: ../output.c:354 #, fuzzy, c-format msgid "<th>destination</th>" msgstr "<td>destino</td>" #: ../output.c:366 #, fuzzy, c-format msgid "<th>opts</th>" msgstr "<td>opções</td>" #: ../parser.c:263 #, c-format msgid "Unknown parser: '%c'.\n" msgstr "Tipo desconhecido: '%c'.\n" #: ../rcfile.c:57 #, c-format msgid "Error in configuration file '%s' line %d: not a number\n" msgstr "" #: ../rcfile.c:86 #, c-format msgid "Error in configuration file '%s' line %d, assuming 'true'\n" msgstr "" #: ../rcfile.c:278 #, fuzzy, c-format msgid "Unrecognized option in configuration file '%s' line %d\n" msgstr "Opção desconhecida no arquivo rc: %s" #: ../rcfile.c:299 #, c-format msgid "%s is not a regular file, ignoring.\n" msgstr "%s não é um arquivo padrão, ignorando.\n" #: ../rcfile.c:307 #, fuzzy, c-format msgid "Opening configuration file '%s'\n" msgstr "Abrindo arquivo de entrada '%s'\n" #: ../resolve.c:62 #, c-format msgid "port mismatch: %d != %d\n" msgstr "porta incompativel: %d != %d\n" #: ../resolve.c:81 ../resolve.c:151 #, c-format msgid "Resolving %s from cache\n" msgstr "Resolvendo %s pelo cache\n" #: ../resolve.c:89 ../resolve.c:112 #, c-format msgid "Resolving %s\n" msgstr "Resolvendo %s\n" #: ../resolve.c:95 #, c-format msgid "Wrong host name size\n" msgstr "Tamanho do nome de maquina invalido\n" #: ../resolve.c:119 #, c-format msgid "%s [forward lookup: %s]" msgstr "%s [resolução direta: %s]" #: ../resolve.c:122 #, 
c-format msgid "%s [forward lookup failed]" msgstr "%s [resolução direta falhou]" #: ../resolve.c:163 #, fuzzy, c-format msgid "Resolving %s from adns\n" msgstr "Resolvendo %s pelo cache\n" #: ../resolve.c:167 #, fuzzy msgid "[inconsistent forward lookup]" msgstr "%s [resolução direta: %s]" #: ../resolve.c:171 #, c-format msgid "[adns status %d]" msgstr "" #: ../resolve.c:189 msgid "DNS cache error" msgstr "" #: ../resolve.c:207 #, c-format msgid "Submitted %s to adns\n" msgstr "" #: ../response.c:56 msgid "One logging ipchains firewall rule defined" msgstr "Uma regra de firewall ipchains com log definida" #: ../response.c:58 #, c-format msgid "%u logging ipchains firewall rules defined" msgstr "%u regras de firewall ipchains com log definidas" #: ../response.c:61 msgid "No logging ipchains firewall rules defined, format was requested" msgstr "Nenhuma regra de firewall com log definida, formato requerido" #: ../response.c:82 #, c-format msgid "%s is group/world writable" msgstr "%s é acessivel para gravação por grupo/outros" #: ../response.c:168 #, c-format msgid "Deleting packet cache entry (%s)" msgstr "Removendo pacote do cache (%s)" #: ../response.c:202 #, c-format msgid "Deleting host status entry (%s)" msgstr "Removendo situação da maquina (%s)" #: ../response.c:276 #, c-format msgid "ALERT: %d attempts from %s" msgstr "ALERTA: %d tentativas de %s" #: ../utils.c:53 #, c-format msgid "" "\n" "Memory allocation error, exiting.\n" msgstr "" "\n" "Erro de alocação de memória, saindo.\n" #: ../utils.c:68 msgid "Exiting" msgstr "Saindo" #: ../utils.c:77 msgid "Not executing buffer containing format string" msgstr "Não executando buffer contendo string de formatação" #: ../utils.c:82 #, c-format msgid "Executing '%s'" msgstr "Executando '%s'" #: ../utils.c:194 #, fuzzy, c-format msgid "" "fwlogwatch error: mode collision, please check that you didn't specify\n" " several modes on the command line or a second mode is active in the\n" " configuration file.\n" " Please 
use a separate configuration file for each mode or comment out " "all\n" " entries in the default configuration and use command line parameters.\n" msgstr "" "erro fwlogwatch: colisão de modo, verifique se você especificou mais de\n" " um modo na linha de comando, ou um segundo modo está ativo na confi-\n" " guração especificada ou padrão.\n" " Utilize um arquivo de configuração separado para cada modo ou comente \n" " as linhas na configuração padrão e utilize parâmetros de linha de \n" " comando.\n" #: ../utils.c:268 #, c-format msgid "IP address error: %s\n" msgstr "Erro no endereço IP: %s\n" #: ../utils.c:294 #, c-format msgid "Error in CIDR format: %s\n" msgstr "Erro no formato CIDR: %s\n" #: ../utils.c:312 #, c-format msgid "(known host)\n" msgstr "(maquina conhecida)\n" #: ../utils.c:351 #, c-format msgid "(excluded host)\n" msgstr "(maquina excluída)\n" #: ../whois.c:220 #, c-format msgid "Looking up whois info for %s from cache\n" msgstr "Verificando informação whois para %s no cache\n" #: ../whois.c:227 #, c-format msgid "Looking up whois info for %s\n" msgstr "Verificando informação whois para %s\n" #: ../whois.c:248 #, c-format msgid "lookup failed: %s\n" msgstr "resolução falhou: %s\n" #: ../main.h:300 msgid "fwlogwatch summary" msgstr "Resumo do fwlogwatch" #: ../main.h:310 msgid "fwlogwatch status" msgstr "Situação do fwlogwatch" #, fuzzy #~ msgid "Interactive report mode (summary mode extension):\n" #~ msgstr "Modo de relatório interativo:\n" #, fuzzy #~ msgid " -i <count> interactive mode with report threshold\n" #~ msgstr "" #~ " -i <num> modo interativo com limite minimo para ativação\n" #, fuzzy #~ msgid " -T <email> address of CERT or abuse contact to send report to\n" #~ msgstr "" #~ " -T <email> endereço do CERT ou contato de abuso para envio do " #~ "relatório\n" #, fuzzy #~ msgid " -I <file> template file for report (defaults to %s)\n" #~ msgstr " -I <arq.> arquivo modelo para relatório\n" #~ msgid "" #~ "Reporting threshold: %d\n" #~ 
"\n" #~ msgstr "" #~ "Limite minimo do relatório: %d\n" #~ "\n" #~ msgid "Offending IP address: %s\n" #~ msgstr "Endereço IP ofensor : %s\n" #~ msgid "Offending IP name: %s\n" #~ msgstr "Nome do ofensor : %s\n" #~ msgid "Target IP address: %s\n" #~ msgstr "Endereço IP destino: %s\n" #~ msgid "Target IP name: %s\n" #~ msgstr "Nome do destino: %s\n" #~ msgid "Number of logged attempts: %s\n" #~ msgstr "Numero de tentativas registradas: %s\n" #~ msgid "Start time: %s\n" #~ msgstr "Horario de inicio: %s\n" #~ msgid "End time: %s\n" #~ msgstr "Termino: %s\n" #~ msgid "Timezone: %s\n" #~ msgstr "Zona: %s\n" #~ msgid "Duration: %s\n" #~ msgstr "Duração: %s\n" #~ msgid "Protocol: %s\n" #~ msgstr "Protocolo: %s\n" #~ msgid "Source port: %s\n" #~ msgstr "Porta de origem: %s\n" #~ msgid "Destination port: %s\n" #~ msgstr "Porta de destino: %s\n" #~ msgid "TCP options: %s\n" #~ msgstr "Opções TCP: %s\n" #~ msgid "Tracking number: %s\n" #~ msgstr "Numero de referencia: %s\n" #~ msgid "Incident report %s-%s" #~ msgstr "Relatório de incidente %s-%s" #~ msgid "%d (unknown)" #~ msgstr "%d (desconhecido)" #~ msgid "no SYNs" #~ msgstr "sem SYNs" #~ msgid "SYNs only" #~ msgstr "somente SYNs" #~ msgid "" #~ "\n" #~ "What do you want to change? [1-18/(o)k] " #~ msgstr "" #~ "\n" #~ "O que você deseja alterar? [1-18/(o)k] " #~ msgid "New value: " #~ msgstr "Novo valor: " #~ msgid "" #~ "\n" #~ "Should this report be sent? [(s)end/(m)odify/(q)uit] " #~ msgstr "" #~ "\n" #~ "Esse relatorio deve ser enviado? 
[(s) envia/(m)odifica/(q) termina] " #, fuzzy #~ msgid "<tr><td align=\"right\">Daemon start time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>Horario de inicialização:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Current time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>Horario atual:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Running time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>Tempo de execução:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Response mode:</td><td>Log%s%s</td></tr>\n" #~ msgstr "<tr><td>Modo de resposta:</td><td>registra%s%s</td></tr>\n" #, fuzzy #~ msgid "Host status: %d</td></tr>\n" #~ msgstr "<h2>Situação da maquina</h2>\n" #, fuzzy #~ msgid "<tr align=\"center\"><th>count</th><th>added</th>" #~ msgstr "" #~ "<tr bgcolor=\"#%s\" align=\"center\"><td>Qtde.</td><td>Adic.</td><td>IP " #~ "origem </td>" #~ msgid "Authorization failed (%s)" #~ msgstr "Falha na autorização (%s)" #~ msgid "" #~ "<body>\n" #~ "<h1>Authorization Required</h1>\n" #~ "</body>\n" #~ "</html>\n" #~ msgstr "" #~ "<body>\n" #~ "<h1>Autorização Requerida</h1>\n" #~ "</body>\n" #~ "</html>\n" #, fuzzy #~ msgid "<p><a href=\"/\">Reload</a>" #~ msgstr "<a href=\"/\">Atualizar</a><br>\n" #, fuzzy #~ msgid "" #~ "<br>\n" #~ "(automatic refresh every %d seconds)</p>\n" #~ msgstr "(atualização automatica a cada %d segundos)<br>\n" #, fuzzy #~ msgid "" #~ "<tr><td>Alert threshold:</td><td>%d entries</td></tr>\n" #~ "<tr><td>Discard timeout:</td><td>%s</td></tr>\n" #~ msgstr "" #~ "<tr><td>Limite de ativação:</td><td>%d entradas</td></tr>\n" #~ "<tr><td>Tempo para descarte:</td><td>%d segundos</td></tr>\n" #, fuzzy #~ msgid " -f <file> specify input file (defaults to %s)\n" #~ msgstr " -f <arq.> especifica arquivo de entrada (padrão : %s)\n" #~ msgid "\"%s\" are packet logs, " #~ msgstr "\"%s\" são registros de pacotes, " #~ msgid " (defaults to '%s')\n" #~ msgstr " (padrão : '%s')\n" #~ msgid " (defaults to %s)\n" 
#~ msgstr " (padrão : %s)\n" #~ msgid "SIGHUP caught, ignoring" #~ msgstr "SIGHUP recebido, ignorando" #~ msgid "<td>Hostname</td>" #~ msgstr "<td>Maquina</td>" #~ msgid "<td>Destination IP address</td>" #~ msgstr "<td>IP destino</td>" #~ msgid "<td>Protocol</td>" #~ msgstr "<td>Protocolo</td>" #~ msgid "<td>Source port</td>" #~ msgstr "<td>Porta origem</td>" #~ msgid "<td>Service</td>" #~ msgstr "<td>Serviço</td>" #~ msgid "<td>Destination port</td>" #~ msgstr "<td>Porta destino</td>" �������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/po/de.po�����������������������������������������������������������������������������0000644�0000764�0000144�00000065720�11454321551�013435� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# German translation of fwlogwatch messages # Copyright (C) 2000-2010 Boris Wesslowski # This file is distributed under the same license as the fwlogwatch package. 
msgid "" msgstr "" "Project-Id-Version: fwlogwatch\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-10-06 13:58+0200\n" "PO-Revision-Date: 2010-10-06 14:25+0200\n" "Last-Translator: Boris Wesslowski <bw@inside-security.de>\n" "Language-Team: -\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: ../compare.c:158 #, c-format msgid "conn_sort_up: wrong mode\n" msgstr "conn_sort_up: falscher Modus\n" #: ../compare.c:264 #, c-format msgid "Error in sort string: '%c', order expected, ignoring.\n" msgstr "" "Fehler in der Sortierreihenfolge: '%c', Ordnung erwartet, wird ignoriert.\n" #: ../compare.c:278 #, c-format msgid "Error in sort string: '%c', direction expected, ignoring.\n" msgstr "" "Fehler in der Sortierreihenfolge: '%c', Richtung erwartet, wird ignoriert.\n" #: ../compare.c:282 #, c-format msgid "Error in sort string, direction expected, ignoring.\n" msgstr "Fehler in der Sortierreihenfolge, Richtung erwartet, wird ignoriert.\n" #: ../compare.c:382 ../compare.c:384 ../modes.c:196 ../modes.c:203 #: ../modes.c:813 ../modes.c:815 ../output.c:106 ../output.c:113 #: ../output.c:193 ../output.c:202 ../output.c:380 msgid "%b %d %H:%M:%S" msgstr "%b %d %H:%M:%S" #: ../compare.c:383 #, c-format msgid "Timewarp in log file (%s" msgstr "Zeitsprung in Logdatei (%s" #: ../main.c:25 #, c-format msgid "Usage: %s [options] [input_files]\n" msgstr "Gebrauch: %s [Optionen] [Eingabedatei(en)]\n" #: ../main.c:26 #, c-format msgid "General options:\n" msgstr "Allgemeine Optionen:\n" #: ../main.c:27 #, c-format msgid " -h this help\n" msgstr " -h Diese Hilfe\n" #: ../main.c:28 #, c-format msgid " -L show time of first and last log entry\n" msgstr " -L Zeitstempel des ersten und letzten Eintrags anzeigen\n" #: ../main.c:29 #, c-format msgid " -V show version and copyright info\n" msgstr " -V Versions- und Copyrightinformation anzeigen\n" #: ../main.c:32 #, c-format msgid "Global options:\n" msgstr "Globale Optionen:\n" #: 
../main.c:33 #, c-format msgid " -b show amount of data (sum of total packet lengths)\n" msgstr " -b Datenmenge anzeigen (Summe der Paketlängen)\n" #: ../main.c:34 #, c-format msgid " -c <file> specify config file (defaults to %s)\n" msgstr " -c <datei> Konfigurationsdatei angeben (Vorgabe: %s)\n" #: ../main.c:35 #, c-format msgid " -D do not differentiate destination IP addresses\n" msgstr " -D Ziel-IP-Adressen nicht unterscheiden\n" #: ../main.c:36 #, c-format msgid " -d differentiate destination ports\n" msgstr " -d Zielports unterscheiden\n" #: ../main.c:37 #, c-format msgid " -E <format> select or exclude hosts, ports, chains and targets\n" msgstr "" " -E <format> Aussuchen oder Ausschliessen von IP-Adressen, Ports, usw.\n" #: ../main.c:38 #, c-format msgid " quick reference: -E[ie][hp][sd]<ip/number>\n" msgstr " Kurzübersicht: -E[ie][hp][sd]<ip/nummer>\n" #: ../main.c:39 #, c-format msgid " -E[ie][cb]<name>\n" msgstr " -E[ie][cb]<name>\n" #: ../main.c:40 #, c-format msgid " -m <count> only show entries with at least so many incidents\n" msgstr " -m <anzahl> Nur Einträge mit mindestens dieser Anzahl anzeigen\n" #: ../main.c:41 #, c-format msgid " -M <number> only show this amount of entries\n" msgstr " -M <anzahl> Nur so viele Einträge anzeigen\n" #: ../main.c:42 #, c-format msgid " -N resolve service names\n" msgstr " -N Dienstenamen auflösen\n" #: ../main.c:43 #, c-format msgid " -n resolve host names\n" msgstr " -n Rechnernamen auflösen\n" #: ../main.c:44 #, c-format msgid " -O <order> define the sort order (see the man page for details)\n" msgstr " -O <ordnung> Sortierung der Ausgabe (siehe Dokumentation)\n" #: ../main.c:45 #, c-format msgid "" " -P <format> use parsers for specific formats (defaults to netfilter)\n" msgstr " -P <format> Parser für bestimmte Formate benutzen (Vorgabe: netfilter)\n" #: ../main.c:46 #, c-format msgid " i: ipchains, n: netfilter, f: ipfilter, c: cisco ios\n" msgstr " i: ipchains, n: netfilter, f: ipfilter, c: cisco ios\n" #: 
../main.c:47 #, c-format msgid "" " p: cisco pix, e: netscreen, l: lancom, s: snort, b: ipfw\n" msgstr " p: cisco pix, e: netscreen, l: lancom, s: snort, b: ipfw\n" #: ../main.c:48 #, c-format msgid " -p differentiate protocols\n" msgstr " -p Protokolle unterscheiden\n" #: ../main.c:49 #, c-format msgid " -s differentiate source ports\n" msgstr " -s Quellports unterscheiden\n" #: ../main.c:50 #, c-format msgid " -U <title> set report and status page title and email subject\n" msgstr "" " -U <titel> Titel des Berichts, der Statusseite und E-Mail-Betreff " "setzen\n" #: ../main.c:51 #, c-format msgid " -v verbose, specify twice for more info\n" msgstr "" " -v Information bei der Verarbeitung anzeigen (-vv für mehr)\n" #: ../main.c:52 #, c-format msgid " -y differentiate TCP options\n" msgstr " -y TCP-Optionen unterscheiden\n" #: ../main.c:55 #, c-format msgid "Log summary mode (default):\n" msgstr "Loganalysemodus (Vorgabe):\n" #: ../main.c:56 #, c-format msgid " -C <email> carbon copy recipients\n" msgstr " -C <email> Empfängeradresse für Kopien\n" #: ../main.c:57 #, c-format msgid " -e show end times\n" msgstr " -e Endzeiten anzeigen\n" #: ../main.c:58 #, c-format msgid " -F <email> report sender address (defaults to '%s')\n" msgstr " -F <email> Absenderadresse des Berichts (Vorgabe: %s)\n" #: ../main.c:59 #, c-format msgid " -l <time> process recent events only (defaults to off)\n" msgstr "" " -l <zeit> Nur die jüngsten Einträge bearbeiten (Vorgabe: deaktiviert)\n" #: ../main.c:60 #, c-format msgid " -o <file> specify output file\n" msgstr " -o <datei> Ausgabedatei angeben\n" #: ../main.c:61 #, c-format msgid " -S do not differentiate source IP addresses\n" msgstr " -S Quell-IP-Adressen nicht unterscheiden\n" #: ../main.c:62 #, c-format msgid " -T <email> send report by email to this address\n" msgstr " -T <email> Bericht per E-Mail an diese Adresse senden\n" #: ../main.c:63 #, c-format msgid " -t show start times\n" msgstr " -t Anfangszeiten anzeigen\n" #: 
../main.c:64 #, c-format msgid " -W activate whois lookups for source addresses\n" msgstr " -W whois-Nachfrage für Quell-IP-Adressen\n" #: ../main.c:65 #, c-format msgid " -w HTML output\n" msgstr " -w HTML-Ausgabe\n" #: ../main.c:66 #, c-format msgid " -z show time interval\n" msgstr " -z Zeitintervalle anzeigen\n" #: ../main.c:69 #, c-format msgid "Realtime response mode:\n" msgstr "Echtzeitantwortmodus:\n" #: ../main.c:70 #, c-format msgid " -R realtime response as daemon (default action: log only)\n" msgstr "" " -R Echtzeitantwort als Daemon (Vorgegebene Aktion: Loggen)\n" #: ../main.c:71 #, c-format msgid " -a <count> alert threshold (defaults to %d entries)\n" msgstr " -a <anzahl> Alarmschwelle (Vorgabe: %d Einträge)\n" #: ../main.c:72 #, c-format msgid " -l <time> forget events this old (defaults to %d hours)\n" msgstr "" " -l <zeit> Alte Ereignisse werden verworfen (Vorgabe: %d Stunden)\n" #: ../main.c:73 #, c-format msgid " -k <IP/net> add this IP address or net to the list of known hosts\n" msgstr " -k <ip/netz> Diese IP-Adresse(n) in die Liste der bekannten Rechner aufnehmen\n" #: ../main.c:74 #, c-format msgid " -A invoke notification script if threshold is reached\n" msgstr "" " -A Aufruf des Benachrichtigungsskripts bei Err. der Schwelle\n" #: ../main.c:75 #, c-format msgid " -B invoke response action script (e.g. block host)\n" msgstr " -B Aufruf des Antwortskripts (z.B. um Rechner zu sperren)\n" #: ../main.c:76 #, c-format msgid " -X <port> activate internal status information web server\n" msgstr " -X <port> Internen Webserver für Zustandsinformation aktivieren\n" #: ../main.c:102 msgid "You can contact the author at <bw@inside-security.de>." msgstr "Der Autor ist unter <bw@inside-security.de> zu erreichen." 
#: ../main.c:104 msgid "Compile-time options of this version:" msgstr "Beim Kompilieren dieser Version benutzte Optionen:" #: ../main.c:105 #, c-format msgid "Short name limit " msgstr "Längenbegrenzung der Namen " #: ../main.c:107 ../main.c:113 ../main.c:119 ../main.c:125 ../main.c:131 msgid "enabled" msgstr "aktiviert" #: ../main.c:109 ../main.c:115 ../main.c:121 ../main.c:127 ../main.c:133 msgid "disabled" msgstr "deaktiviert" #: ../main.c:111 #, c-format msgid "Zlib support " msgstr "Zlib-Unterstützung " #: ../main.c:117 #, c-format msgid "Gettext (i18n) support " msgstr "Gettext-Unterstützung (i18n) " #: ../main.c:123 #, c-format msgid "IPv6 support " msgstr "IPv6-Unterstützung " #: ../main.c:129 #, c-format msgid "GNU adns support " msgstr "GNU adns-Unterstützung " #: ../main.c:287 #, c-format msgid "Illegal inclusion/exclusion pos. 1 (expected [ie]): %s\n" msgstr "Ungültiger Parameter an Position 1 (erwartet: [ie]): %s\n" #: ../main.c:288 ../main.c:305 ../main.c:314 ../main.c:452 #, c-format msgid "Exiting\n" msgstr "Das Programm wird beendet\n" #: ../main.c:304 #, c-format msgid "Illegal inclusion/exclusion pos. 2 (expected [hpcb]): %s\n" msgstr "Ungültiger Parameter an Position 2 (erwartet: [hpcb]): %s\n" #: ../main.c:313 #, c-format msgid "Illegal inclusion/exclusion pos. 
3 (expected [sd]): %s\n" msgstr "Ungültiger Parameter an Position 3 (erwartet: [sd]): %s\n" #: ../modes.c:109 #, c-format msgid "Using stdin as input\n" msgstr "Die Daten werden von der Standardeingabe gelesen\n" #: ../modes.c:115 #, c-format msgid "Opening input file '%s'\n" msgstr "Die Eingabedatei '%s' wird geöffnet\n" #: ../modes.c:133 #, c-format msgid "Processing\n" msgstr "Verarbeitung\n" #: ../modes.c:140 #, c-format msgid "Unrecognized entries or tokens can be submitted at\n" msgstr "Unerkannte Einträge können unter folgender URL eingereicht werden:\n" #: ../modes.c:149 ../modes.c:396 ../modes.c:782 ../rcfile.c:321 #, c-format msgid "Closing '%s'\n" msgstr "'%s' wird geschlossen\n" #: ../modes.c:178 #, c-format msgid "Sorting data\n" msgstr "Daten werden sortiert\n" #: ../modes.c:215 #, c-format msgid "Opening output file '%s'\n" msgstr "Die Ausgabedatei '%s' wird geöffnet\n" #: ../modes.c:226 #, c-format msgid "Sending\n" msgstr "Wird versandt\n" #: ../modes.c:249 ../net.c:364 ../net.c:367 msgid "%A %B %d %H:%M:%S %Z %Y" msgstr "%A, %d. 
%B %H:%M:%S %Z %Y" #: ../modes.c:250 #, c-format msgid "Generated %s by " msgstr "Erzeugt am %s von " #: ../modes.c:260 #, c-format msgid "an unknown user.\n" msgstr "einem unbekannten Benutzer.\n" #: ../modes.c:268 #, c-format msgid "(and %d older than %d seconds) " msgstr "(und %d älter als %d Sekunden) " #: ../modes.c:271 #, c-format msgid "(and %d malformed) " msgstr "(und %d fehlerhaft) " #: ../modes.c:274 #, c-format msgid "of %d entries in the file \"%s\" are packet logs, " msgstr "von %d Einträgen in der Datei \"%s\" sind Paketfiltereinträge, " #: ../modes.c:276 #, c-format msgid "of %d entries in standard input are packet logs, " msgstr "von %d Einträgen aus der Standardeingabe sind Paketfiltereinträge, " #: ../modes.c:278 #, c-format msgid "of %d entries in %d input files are packet logs, " msgstr "von %d Einträgen in %d Dateien sind Paketfiltereinträge, " #: ../modes.c:282 #, c-format msgid "one has unique characteristics.\n" msgstr "einer ist eindeutig.\n" #: ../modes.c:284 #, c-format msgid "%d have unique characteristics.\n" msgstr "%d sind eindeutig.\n" #: ../modes.c:292 #, c-format msgid "One entry was excluded by configuration.\n" msgstr "Ein Eintrag wurde von der Konfiguration ausgeschlossen.\n" #: ../modes.c:294 #, c-format msgid "%d entries were excluded by configuration.\n" msgstr "%d Einträge wurden von der Konfiguration ausgeschlossen.\n" #: ../modes.c:302 #, c-format msgid "First packet log entry: %s, last: %s.\n" msgstr "Erster Paketfiltereintrag: %s, letzter: %s.\n" #: ../modes.c:304 ../modes.c:811 #, c-format msgid "No valid time entries found.\n" msgstr "Keine gültigen Zeiteinträge gefunden.\n" #: ../modes.c:311 #, c-format msgid "All entries were logged by the same host: \"%s\".\n" msgstr "Alle Einträge wurden von demselben Rechner geloggt: \"%s\".\n" #: ../modes.c:318 #, c-format msgid "All entries are from the same chain: \"%s\".\n" msgstr "Alle Einträge kommen von derselben Kette: \"%s\".\n" #: ../modes.c:325 #, c-format msgid "All 
entries have the same target: \"%s\".\n" msgstr "Alle Einträge haben das selbe Ziel: \"%s\".\n" #: ../modes.c:332 #, c-format msgid "All entries are from the same interface: \"%s\".\n" msgstr "Alle Einträge kommen von der selben Schnittstelle: \"%s\".\n" #: ../modes.c:339 #, c-format msgid "Only entries with a count of at least %d are shown.\n" msgstr "Nur Einträge mit mindestens %d Treffern werden gezeigt.\n" #: ../modes.c:346 #, c-format msgid "Only the top %d entries are shown.\n" msgstr "Nur die ersten %d Einträge werden gezeigt.\n" #: ../modes.c:357 #, c-format msgid "Resolving\n" msgstr "Auflösung\n" #: ../modes.c:416 #, c-format msgid "Warning: pidfile exists, another fwlogwatch might be running.\n" msgstr "" "Warnung: pid-Datei existiert, fwlogwatch wird evtl. schon ausgeführt.\n" #: ../modes.c:430 #, c-format msgid "SIGHUP caught, reread configuration file %s" msgstr "SIGHUP abgefangen, Konfigurationsdatei %s wird neu eingelesen" #: ../modes.c:432 #, c-format msgid "SIGHUP caught, unable to reread configuration file %s" msgstr "" "SIGHUP abgefangen, Konfigurationsdatei %s konnte nicht neu eingelesen werden" #: ../modes.c:455 msgid "SIGUSR1 caught, reading input from stdin, no need to reopen log file" msgstr "" "SIGUSR1 abgefangen, die Standardeingabe wird benutzt, neu öffnen nicht nötig" #: ../modes.c:457 #, c-format msgid "SIGUSR1 caught, reopening log file %s" msgstr "SIGUSR1 abgefangen, Logdatei %s wird neu geöffnet" #: ../modes.c:529 msgid "SIGTERM caught, cleaning up" msgstr "SIGTERM abgefangen, Speicher wird aufgeräumt" #: ../modes.c:611 #, c-format msgid "Starting (pid %d)" msgstr "Programmstart (pid %d)" #: ../modes.c:661 msgid "User to run as was not found" msgstr "Der Benutzer dessen ID benutzt werden soll wurde nicht gefunden" #: ../modes.c:676 #, c-format msgid "Changed uid from %d to %d, gid from %d to %d" msgstr "Benutzer-ID gewechselt von %d zu %d, Gruppen-ID von %d zu %d" #: ../modes.c:678 #, c-format msgid "Running with uid %d, gid %d" 
msgstr "Prozess läuft mit uid %d, gid %d" #: ../modes.c:682 msgid "Alert threshold is one attempt" msgstr "Alarmschwelle ist ein Versuch" #: ../modes.c:684 #, c-format msgid "Alert threshold is %d attempts" msgstr "Alarmschwelle ist %d Versuche" #: ../modes.c:688 #, c-format msgid "Events older than %d second(s) are discarded" msgstr "Ereignisse die älter als %d Sekunde(n) sind werden verworfen" #: ../modes.c:690 #, c-format msgid "Events older than %d hour(s) are discarded" msgstr "Ereignisse die älter als %d Stunde(n) sind werden verworfen" #: ../modes.c:693 #, c-format msgid "Response mode: Log%s%s" msgstr "Antwortmodus: loggen%s%s" #: ../modes.c:693 ../net.c:373 msgid ", notify" msgstr ", benachrichtigen" #: ../modes.c:693 ../net.c:373 msgid ", respond" msgstr ", antworten" #: ../modes.c:724 #, c-format msgid "Reading standard input\n" msgstr "Die Standardeingabe wird gelesen\n" #: ../modes.c:742 #, c-format msgid "Reading '%s'\n" msgstr "Die Datei '%s' wird gelesen\n" #: ../modes.c:808 #, c-format msgid "Number of files: %d\n" msgstr "Anzahl der Dateien: %d\n" #: ../modes.c:809 #, c-format msgid "Number of lines: %d\n" msgstr "Anzahl der Zeilen: %d\n" #: ../modes.c:814 #, c-format msgid "First entry: %s\n" msgstr "Erster Eintrag: %s\n" #: ../modes.c:816 #, c-format msgid "Last entry : %s\n" msgstr "Letzter Eintrag: %s\n" #: ../modes.c:818 #, c-format msgid "Difference : %s\n" msgstr "Differenz : %s\n" #: ../net.c:130 ../net.c:132 #, c-format msgid "Listening on %s port %i" msgstr "Lauschen auf %s port %i" #: ../net.c:172 msgid "decode_base64: input string incomplete" msgstr "decode_base64: Eingabezeichenkette unvollständig" #: ../net.c:179 #, c-format msgid "decode_base64: illegal character '%c' in input string" msgstr "decode_base64: ungültiges Zeichen '%c' in der Eingabe" #: ../net.c:214 msgid "count" msgstr "Anzahl" #: ../net.c:215 msgid "added" msgstr "Hinzugefügt" #: ../net.c:217 msgid "proto" msgstr "Protokoll" #: ../net.c:219 msgid "bytes" msgstr 
"Bytes" #: ../net.c:220 msgid "source" msgstr "Quelle" #: ../net.c:222 ../net.c:231 msgid "hostname" msgstr "Rechnername" #: ../net.c:224 ../net.c:234 msgid "port" msgstr "Port" #: ../net.c:226 ../net.c:236 msgid "service" msgstr "Dienst" #: ../net.c:229 msgid "destination" msgstr "Ziel" #: ../net.c:239 msgid "opts" msgstr "Optionen" #: ../net.c:240 msgid "time remaining" msgstr "Verbleibende Zeit" #: ../net.c:241 msgid "action" msgstr "Aktion" #: ../net.c:293 ../net.c:295 ../net.c:360 msgid "Information" msgstr "Information" #: ../net.c:299 ../net.c:301 ../net.c:398 msgid "Options" msgstr "Optionen" #: ../net.c:305 ../net.c:307 ../net.c:426 msgid "Packet cache" msgstr "Paketcache" #: ../net.c:311 ../net.c:313 ../net.c:495 msgid "Host status" msgstr "Rechnerzustand" #: ../net.c:316 msgid "Reload" msgstr "Neu laden" #: ../net.c:365 msgid "Daemon start time" msgstr "Startzeit des Daemons" #: ../net.c:368 msgid "Current time" msgstr "Aktuelle Zeit" #: ../net.c:371 msgid "Running time" msgstr "Ausführungszeit" #: ../net.c:373 msgid "Log" msgstr "Loggen" #: ../net.c:374 msgid "Response mode" msgstr "Antwortmodus" #: ../net.c:376 msgid "Lines seen" msgstr "Gesehene Zeilen" #: ../net.c:377 msgid "Hits" msgstr "Treffer" #: ../net.c:378 msgid "Old/excluded/malformed" msgstr "Alt/ausgeschlossen/fehlerhaft" #: ../net.c:385 msgid "Entries in packet cache" msgstr "Einträge im Paketcache" #: ../net.c:392 msgid "Entries in host status" msgstr "Einträge im Rechnerzustand" #: ../net.c:400 msgid "Parameter" msgstr "Parameter" #: ../net.c:402 msgid "Decrease" msgstr "Reduzieren" #: ../net.c:404 msgid "Current" msgstr "Aktuell" #: ../net.c:406 msgid "Increase" msgstr "Erhöhen" #: ../net.c:408 msgid "Alert threshold" msgstr "Alarmschwelle" #: ../net.c:410 msgid "Discard timeout" msgstr "Zeitgrenze zum Verwerfen" #: ../net.c:411 msgid "Minimum count in packet cache" msgstr "Minimale Anzahl von Vorfällen bei Einträgen im Paketcache" #: ../net.c:413 ../net.c:415 msgid "Top amount of 
entries in packet cache" msgstr "Maximale Anzahl von Einträgen im Paketcache" #: ../net.c:418 ../net.c:420 msgid "Refresh time" msgstr "Aktualisierungszeit" #: ../net.c:442 ../net.c:565 msgid "%Y/%m/%d %H:%M:%S" msgstr "%Y/%m/%d %H:%M:%S" #: ../net.c:479 ../net.c:595 msgid "drop" msgstr "Verwerfen" #: ../net.c:481 msgid "escalate" msgstr "Eskalieren" #: ../net.c:527 ../net.c:546 ../net.c:552 ../net.c:558 msgid "<td>any</td>" msgstr "<td>beliebig</td>" #: ../net.c:540 msgid "<td>(known host)</td>" msgstr "<td>(bekannte Adresse)</td>" #: ../net.c:542 msgid "<td>(known net)</td>" msgstr "<td>(bekanntes Netz)</td>" #: ../net.c:654 ../net.c:657 #, c-format msgid "Rejected connect from unallowed ip %s port %i" msgstr "Verbindung von unerlaubter IP %s port %i wurde abgewiesen" #: ../net.c:668 ../net.c:670 #, c-format msgid "Connect from %s port %i" msgstr "Verbindung von %s port %i" #: ../net.c:734 msgid "Authorization failed" msgstr "Autorisierung fehlgeschlagen" #: ../net.c:737 msgid "Authorization required" msgstr "Autorisierung ist notwendig" #: ../net.c:814 msgid "Bad request" msgstr "Ungültige Anfrage" #: ../net.c:819 msgid "Redirect" msgstr "Umleitung" #: ../net.c:819 msgid "You should be redirected to the <a href=\"/\">root directory</a>" msgstr "" "Sie sollten in das <a href=\"/\">Hauptverzeichnis</a> umgeleitet werden" #: ../net.c:831 #, c-format msgid "Requested function: %s" msgstr "Angeforderte Funktion: %s" #: ../net.c:834 msgid "Connection closed" msgstr "Verbindung geschlossen" #: ../output.c:200 #, c-format msgid " to " msgstr " bis " #: ../output.c:255 #, c-format msgid " packet" msgstr " Paket" #: ../output.c:257 #, c-format msgid " packets" msgstr " Pakete" #: ../output.c:261 #, c-format msgid " (%lu bytes)" msgstr " (%lu Bytes)" #: ../output.c:264 #, c-format msgid " from %s" msgstr " von %s" #: ../output.c:280 ../output.c:293 #, c-format msgid " port %d" msgstr " Port %d" #: ../output.c:286 #, c-format msgid " to %s" msgstr " bis %s" #: 
../output.c:313 #, c-format msgid "<th>start</th>" msgstr "<th>Anfang</th>" #: ../output.c:316 #, c-format msgid "<th>end</th>" msgstr "<th>Ende</th>" #: ../output.c:319 #, c-format msgid "<th>interval</th>" msgstr "<th>Intervall</th>" #: ../output.c:322 #, c-format msgid "<th>loghost</th>" msgstr "<th>Logrechner</th>" #: ../output.c:325 #, c-format msgid "<th>chain</th>" msgstr "<th>Kette</th>" #: ../output.c:328 #, c-format msgid "<th>target</th>" msgstr "<th>Ziel</th>" #: ../output.c:331 #, c-format msgid "<th>interface</th>" msgstr "<th>Schnittstelle</th>" #: ../output.c:334 #, c-format msgid "<th>proto</th>" msgstr "<th>Protokoll</th>" #: ../output.c:337 #, c-format msgid "<th>bytes</th>" msgstr "<th>Bytes</th>" #: ../output.c:340 #, c-format msgid "<th>source</th>" msgstr "<th>Quelle</th>" #: ../output.c:342 ../output.c:356 #, c-format msgid "<th>hostname</th>" msgstr "<th>Rechnername</th>" #: ../output.c:344 #, c-format msgid "<th>whois information</th>" msgstr "<th>whois-Information</th>" #: ../output.c:348 ../output.c:360 #, c-format msgid "<th>port</th>" msgstr "<th>Port</th>" #: ../output.c:350 ../output.c:362 #, c-format msgid "<th>service</th>" msgstr "<th>Dienst</th>" #: ../output.c:354 #, c-format msgid "<th>destination</th>" msgstr "<th>Ziel</th>" #: ../output.c:366 #, c-format msgid "<th>opts</th>" msgstr "<th>Optionen</th>" #: ../parser.c:263 #, c-format msgid "Unknown parser: '%c'.\n" msgstr "Unbekannter Parser: '%c'.\n" #: ../rcfile.c:57 #, c-format msgid "Error in configuration file '%s' line %d: not a number\n" msgstr "" "Fehler in der Konfigurationsdatei '%s' in Zeile %d: keine Zahl\n" #: ../rcfile.c:86 #, c-format msgid "Error in configuration file '%s' line %d, assuming 'true'\n" msgstr "Fehler in der Konfigurationsdatei '%s' in Zeile %d: Annahme 'true'\n" #: ../rcfile.c:278 #, c-format msgid "Unrecognized option in configuration file '%s' line %d\n" msgstr "Unbekannte Option in der Konfigurationsdatei '%s' in Zeile %d\n" #: 
../rcfile.c:299 #, c-format msgid "%s is not a regular file, ignoring.\n" msgstr "%s ist keine normale Datei, wird ignoriert.\n" #: ../rcfile.c:307 #, c-format msgid "Opening configuration file '%s'\n" msgstr "Die Konfigurationsdatei '%s' wird geöffnet\n" #: ../resolve.c:62 #, c-format msgid "port mismatch: %d != %d\n" msgstr "Port stimmt nicht überein: %d != %d\n" #: ../resolve.c:81 ../resolve.c:151 #, c-format msgid "Resolving %s from cache\n" msgstr "Auflösung von %s aus dem Cache\n" #: ../resolve.c:89 ../resolve.c:112 #, c-format msgid "Resolving %s\n" msgstr "Auflösung von %s\n" #: ../resolve.c:95 #, c-format msgid "Wrong host name size\n" msgstr "Länge des Rechnernamens falsch\n" #: ../resolve.c:119 #, c-format msgid "%s [forward lookup: %s]" msgstr "%s [Vorwärts-Suche: %s]" #: ../resolve.c:122 #, c-format msgid "%s [forward lookup failed]" msgstr "%s [Vorwärts-Suche fehlgeschlagen]" #: ../resolve.c:163 #, c-format msgid "Resolving %s from adns\n" msgstr "Auflösung von %s aus adns\n" #: ../resolve.c:167 msgid "[inconsistent forward lookup]" msgstr "[inkonsistente Vorwärts-Suche]" #: ../resolve.c:171 #, c-format msgid "[adns status %d]" msgstr "[adns-Status %d]" #: ../resolve.c:189 msgid "DNS cache error" msgstr "DNS-Cache-Fehler" #: ../resolve.c:207 #, c-format msgid "Submitted %s to adns\n" msgstr "%s an adns übergeben\n" #: ../response.c:56 msgid "One logging ipchains firewall rule defined" msgstr "Eine loggende ipchains Firewall-Regel definiert" #: ../response.c:58 #, c-format msgid "%u logging ipchains firewall rules defined" msgstr "%u loggende ipchains Firewall-Regeln definiert" #: ../response.c:61 msgid "No logging ipchains firewall rules defined, format was requested" msgstr "" "Keine loggenden ipchains Firewall-Regeln definiert, Format wurde verlangt" #: ../response.c:82 #, c-format msgid "%s is group/world writable" msgstr "%s ist schreibbar für die Gruppe/Welt" #: ../response.c:168 #, c-format msgid "Deleting packet cache entry (%s)" msgstr "Eintrag aus dem 
Paketcache wird gelöscht (%s)" #: ../response.c:202 #, c-format msgid "Deleting host status entry (%s)" msgstr "Eintrag aus dem Rechnercache wird gelöscht (%s)" #: ../response.c:276 #, c-format msgid "ALERT: %d attempts from %s" msgstr "ALARM: %d Versuche von %s" #: ../utils.c:53 #, c-format msgid "" "\n" "Memory allocation error, exiting.\n" msgstr "" "\n" "Speicherallokationsfehler, das Programm wird beendet.\n" #: ../utils.c:68 msgid "Exiting" msgstr "Das Programm wird beendet" #: ../utils.c:77 msgid "Not executing buffer containing format string" msgstr "Puffer mit Formatzeichenkette wird nicht ausgeführt" #: ../utils.c:82 #, c-format msgid "Executing '%s'" msgstr "'%s' wird ausgeführt" #: ../utils.c:194 #, c-format msgid "" "fwlogwatch error: mode collision, please check that you didn't specify\n" " several modes on the command line or a second mode is active in the\n" " configuration file.\n" " Please use a separate configuration file for each mode or comment out " "all\n" " entries in the default configuration and use command line parameters.\n" msgstr "" "fwlogwatch-Fehler: Moduskollision, bitte überprüfen Sie, dass Sie nicht\n" " mehrere Modi auf der Kommandozeile angegeben haben oder ein zweiter " "Modus\n" " in der Konfigurationsdatei aktiviert ist.\n" " Bitte benutzen Sie getrennte Konfigurationsdateien für jeden Modus\n" " oder kommentieren Sie alle Einträge in der vorgegebenen\n" " Konfigurationsdatei aus und benutzen Sie Kommandozeilenparameter.\n" #: ../utils.c:268 #, c-format msgid "IP address error: %s\n" msgstr "IP-Adressfehler: %s\n" #: ../utils.c:294 #, c-format msgid "Error in CIDR format: %s\n" msgstr "Fehler im CIDR-Format: %s\n" #: ../utils.c:312 #, c-format msgid "(known host)\n" msgstr "(bekannter Rechner)\n" #: ../utils.c:351 #, c-format msgid "(excluded host)\n" msgstr "(ausgeschlossener Rechner)\n" #: ../whois.c:220 #, c-format msgid "Looking up whois info for %s from cache\n" msgstr "Suche der whois-Information für %s aus dem Cache\n" #: 
../whois.c:227 #, c-format msgid "Looking up whois info for %s\n" msgstr "Suche der whois-Information für %s\n" #: ../whois.c:248 #, c-format msgid "lookup failed: %s\n" msgstr "Suche fehlgeschlagen: %s\n" #: ../main.h:300 msgid "fwlogwatch summary" msgstr "fwlogwatch-Zusammenfassung" #: ../main.h:310 msgid "fwlogwatch status" msgstr "Zustand von fwlogwatch" ������������������������������������������������fwlogwatch-1.2/po/zh_CN.po��������������������������������������������������������������������������0000644�0000764�0000144�00000067333�11453065602�014051� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������msgid "" msgstr "" "Project-Id-Version: fwlogwatch 0.5.2\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-10-06 13:58+0200\n" "PO-Revision-Date: 2002-02-05 14:20+0100\n" "Last-Translator: Xiaojun Yang\n" "Language-Team: -\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=GB2312\n" "Content-Transfer-Encoding: 8bit\n" #: ../compare.c:158 #, c-format msgid "conn_sort_up: wrong mode\n" msgstr "conn_sort_up: ģʽ´íÎó\n" #: ../compare.c:264 #, c-format msgid "Error in sort string: '%c', order expected, ignoring.\n" msgstr "ÅÅÐò´íÎó: '%c', ÐèҪ˳Ðò,ºöÂÔ\n" #: ../compare.c:278 #, c-format msgid "Error in sort string: '%c', direction expected, ignoring.\n" msgstr "ÅÅÐò´íÎó: '%c', ÐèÒª·¶Î§,ºöÂÔ\n" #: ../compare.c:282 #, fuzzy, c-format msgid "Error in sort string, direction expected, ignoring.\n" msgstr "ÅÅÐò´íÎó: '%c', ÐèÒª·¶Î§,ºöÂÔ\n" #: ../compare.c:382 ../compare.c:384 ../modes.c:196 ../modes.c:203 #: ../modes.c:813 ../modes.c:815 ../output.c:106 ../output.c:113 #: ../output.c:193 ../output.c:202 ../output.c:380 msgid "%b %d %H:%M:%S" msgstr "" #: 
../compare.c:383 #, c-format msgid "Timewarp in log file (%s" msgstr "logÎļþÖеÄʱ¼ä(%s" #: ../main.c:25 #, fuzzy, c-format msgid "Usage: %s [options] [input_files]\n" msgstr "ʹÓ÷½·¨: %s [Ñ¡Ïî] \n" #: ../main.c:26 #, fuzzy, c-format msgid "General options:\n" msgstr "È«¾ÖÑ¡Ïî: \n" #: ../main.c:27 #, fuzzy, c-format msgid " -h this help\n" msgstr " -h \t°ïÖúÎļþ\n" #: ../main.c:28 #, fuzzy, c-format msgid " -L show time of first and last log entry\n" msgstr " -L <Îļþ> \tÏÔʾÎļþÖеÚÒ»´ÎÓë×îºóÒ»´ÎµÇ½¼Í¼µÄʱ¼ä\n" #: ../main.c:29 #, fuzzy, c-format msgid " -V show version and copyright info\n" msgstr " -V \tÏÔʾ°æ±¾Óë°æÈ¨ÐÅÏ¢\n" #: ../main.c:32 #, c-format msgid "Global options:\n" msgstr "È«¾ÖÑ¡Ïî: \n" #: ../main.c:33 #, fuzzy, c-format msgid " -b show amount of data (sum of total packet lengths)\n" msgstr " -b \tÏÔʾÊý¾ÝÁ¿ (ËùÓÐÊý¾Ý°ü³¤¶ÈµÄ×ܺÍ)\n" #: ../main.c:34 #, fuzzy, c-format msgid " -c <file> specify config file (defaults to %s)\n" msgstr " -c <Îļþ> \tÖ¸¶¨ÅäÖÃÎļþ (ȱʡ %s) \n" #: ../main.c:35 #, fuzzy, c-format msgid " -D do not differentiate destination IP addresses\n" msgstr " -D \t²»Çø·ÖÄ¿±êIPµØÖ·\n" #: ../main.c:36 #, fuzzy, c-format msgid " -d differentiate destination ports\n" msgstr " -d \tÇø·ÖÄ¿±ê¶Ë¿Ú\n" #: ../main.c:37 #, c-format msgid " -E <format> select or exclude hosts, ports, chains and targets\n" msgstr "" #: ../main.c:38 #, c-format msgid " quick reference: -E[ie][hp][sd]<ip/number>\n" msgstr "" #: ../main.c:39 #, c-format msgid " -E[ie][cb]<name>\n" msgstr "" #: ../main.c:40 #, fuzzy, c-format msgid " -m <count> only show entries with at least so many incidents\n" msgstr " -m <ÊýÁ¿> \tÖ»ÏÔʾÖÁÉÙÓÐÕâô¶àÊýÁ¿µÄ¼Ç¼\n" #: ../main.c:41 #, c-format msgid " -M <number> only show this amount of entries\n" msgstr "" #: ../main.c:42 #, fuzzy, c-format msgid " -N resolve service names\n" msgstr " -N \t½âÎöÓòÃû\n" #: ../main.c:43 #, fuzzy, c-format msgid " -n resolve host names\n" msgstr " -n \t½âÎöÓòÃû\n" #: ../main.c:44 #, fuzzy, c-format msgid " -O <order> define 
the sort order (see the man page for details)\n" msgstr " -O <ÅÅÐò·½·¨> \t¶ÔÊä³ö½øÐÐÅÅÐò (¾ßÌå²Î¼ûÏàÓ¦Îĵµ\n" #: ../main.c:45 #, fuzzy, c-format msgid "" " -P <format> use parsers for specific formats (defaults to netfilter)\n" msgstr " -P <¸ñʽ> \tֻʹÓöÔÓÚÌØÊâ¸ñʽµÄ·ÖÎöÆ÷\n" #: ../main.c:46 #, c-format msgid " i: ipchains, n: netfilter, f: ipfilter, c: cisco ios\n" msgstr "" #: ../main.c:47 #, c-format msgid "" " p: cisco pix, e: netscreen, l: lancom, s: snort, b: ipfw\n" msgstr "" #: ../main.c:48 #, fuzzy, c-format msgid " -p differentiate protocols\n" msgstr " -p \tÇø·Ö´«ÊäЭÒé\n" #: ../main.c:49 #, fuzzy, c-format msgid " -s differentiate source ports\n" msgstr " -s \tÇø·ÖÔ´¶Ë¿Ú\n" #: ../main.c:50 #, c-format msgid " -U <title> set report and status page title and email subject\n" msgstr "" #: ../main.c:51 #, fuzzy, c-format msgid " -v verbose, specify twice for more info\n" msgstr " -v \t´¦ÀíʱÏÔʾÐÅÏ¢,ʹÓà -vv µÃµ½¸ü¶àÐÅÏ¢\n" #: ../main.c:52 #, fuzzy, c-format msgid " -y differentiate TCP options\n" msgstr " -y \tÇø·ÖTCPÑ¡Ïî\n" #: ../main.c:55 #, c-format msgid "Log summary mode (default):\n" msgstr "µÇ½ժҪģʽ (ȱʡ):\n" #: ../main.c:56 #, fuzzy, c-format msgid " -C <email> carbon copy recipients\n" msgstr " -C <email> \tת·¢µØÖ·\n" #: ../main.c:57 #, fuzzy, c-format msgid " -e show end times\n" msgstr " -e \tÏÔʾ½áÊøÊ±¼ä\n" #: ../main.c:58 #, fuzzy, c-format msgid " -F <email> report sender address (defaults to '%s')\n" msgstr " -F <email> \t·¢ÐÅÈ˵ØÖ·\n" #: ../main.c:59 #, fuzzy, c-format msgid " -l <time> process recent events only (defaults to off)\n" msgstr " -l <ʱ¼ä> \tÖ»´¦Àíµ±Ç°Ê¼þ (ȱʡΪ¹Ø±Õ)\n" #: ../main.c:60 #, fuzzy, c-format msgid " -o <file> specify output file\n" msgstr " -o <Îļþ> \tÖ¸¶¨Êä³öÎļþ\n" #: ../main.c:61 #, fuzzy, c-format msgid " -S do not differentiate source IP addresses\n" msgstr " -S \t²»Çø·ÖÔ´IPµØÖ·\n" #: ../main.c:62 #, c-format msgid " -T <email> send report by email to this address\n" msgstr "" #: ../main.c:63 #, fuzzy, c-format msgid " -t 
show start times\n" msgstr " -t \tÏÔʾ¿ªÊ¼Ê±¼ä\n" #: ../main.c:64 #, fuzzy, c-format msgid " -W activate whois lookups for source addresses\n" msgstr " -W \tÆô¶¯¶ÔÔ´IPµØÖ·µÄwhois²éѯ\n" #: ../main.c:65 #, fuzzy, c-format msgid " -w HTML output\n" msgstr " -w \tÒÔHTML¸ñʽÊä³ö\n" #: ../main.c:66 #, fuzzy, c-format msgid " -z show time interval\n" msgstr " -z \tÏÔʾʱ¼ä¼ä¸ô\n" #: ../main.c:69 #, c-format msgid "Realtime response mode:\n" msgstr "ʵʱ»ØÓ¦Ä£Ê½:\n" #: ../main.c:70 #, fuzzy, c-format msgid " -R realtime response as daemon (default action: log only)\n" msgstr "\t-R \tʵʱ»ØÓ¦×÷Ϊ´«Êä´úÀí³ÌÐò (ȱʡ: Ö»ÓÐÔËÐмǼ)\n" #: ../main.c:71 #, fuzzy, c-format msgid " -a <count> alert threshold (defaults to %d entries)\n" msgstr " -a <ÊýÁ¿> \t¾¯¸æÁ÷ (ȱʡ %d ¼Ç¼)\n" #: ../main.c:72 #, fuzzy, c-format msgid " -l <time> forget events this old (defaults to %d hours)\n" msgstr " -l <ʱ¼ä> \tºöÂÔ´Ëʱ¼äǰ¾Éʼþ (ȱʡ: %dСʱ)\n" #: ../main.c:73 #, fuzzy, c-format msgid " -k <IP/net> add this IP address or net to the list of known hosts\n" msgstr " -k <IP/ÍøÂç> \t½«´ËIPµØÖ·¼ÓÈëµ½ÒÑÖªÖ÷»úÁбíÖÐ\n" #: ../main.c:74 #, fuzzy, c-format msgid " -A invoke notification script if threshold is reached\n" msgstr " -A \tÈç¹ûÓÐÁ÷½øÈëÆô¶¯Í¨ÖªÎı¾\n" #: ../main.c:75 #, fuzzy, c-format msgid " -B invoke response action script (e.g. block host)\n" msgstr " -B \tÆô¶¯»ØÓ¦Îı¾ (±ÈÈç ÇжÏÖ÷»úÓëÍⲿÁªÏµ)\n" #: ../main.c:76 #, fuzzy, c-format msgid " -X <port> activate internal status information web server\n" msgstr " -X \tÆô¶¯ÄÚ²¿×´Ì¬ÐÅÏ¢web·þÎñÆ÷\n" #: ../main.c:102 #, fuzzy msgid "You can contact the author at <bw@inside-security.de>." msgstr "ÇëʹÓÃÒÔϵØÖ·Óë×÷ÕßÁªÏµÊµ¼Ê<bw@inside-security.de>." 
#: ../main.c:104 msgid "Compile-time options of this version:" msgstr "" #: ../main.c:105 #, c-format msgid "Short name limit " msgstr "" #: ../main.c:107 ../main.c:113 ../main.c:119 ../main.c:125 ../main.c:131 msgid "enabled" msgstr "" #: ../main.c:109 ../main.c:115 ../main.c:121 ../main.c:127 ../main.c:133 msgid "disabled" msgstr "" #: ../main.c:111 #, c-format msgid "Zlib support " msgstr "" #: ../main.c:117 #, c-format msgid "Gettext (i18n) support " msgstr "" #: ../main.c:123 #, c-format msgid "IPv6 support " msgstr "" #: ../main.c:129 #, c-format msgid "GNU adns support " msgstr "" #: ../main.c:287 #, c-format msgid "Illegal inclusion/exclusion pos. 1 (expected [ie]): %s\n" msgstr "" #: ../main.c:288 ../main.c:305 ../main.c:314 ../main.c:452 #, c-format msgid "Exiting\n" msgstr "Í˳ö\n" #: ../main.c:304 #, c-format msgid "Illegal inclusion/exclusion pos. 2 (expected [hpcb]): %s\n" msgstr "" #: ../main.c:313 #, c-format msgid "Illegal inclusion/exclusion pos. 3 (expected [sd]): %s\n" msgstr "" #: ../modes.c:109 #, c-format msgid "Using stdin as input\n" msgstr "ʹÓñê×¼ÊäÈë\n" #: ../modes.c:115 #, c-format msgid "Opening input file '%s'\n" msgstr "´ò¿ªÊäÈëÎļþ '%s'\n" #: ../modes.c:133 #, c-format msgid "Processing\n" msgstr "´¦Àí\n" #: ../modes.c:140 #, c-format msgid "Unrecognized entries or tokens can be submitted at\n" msgstr "" #: ../modes.c:149 ../modes.c:396 ../modes.c:782 ../rcfile.c:321 #, c-format msgid "Closing '%s'\n" msgstr "¹Ø±Õ '&s'\n" #: ../modes.c:178 #, c-format msgid "Sorting data\n" msgstr "Êý¾ÝÅÅÐò\n" #: ../modes.c:215 #, c-format msgid "Opening output file '%s'\n" msgstr "´ò¿ªÊä³öÎļþ '%s'\n" #: ../modes.c:226 #, fuzzy, c-format msgid "Sending\n" msgstr "·¢ËÍ...\n" #: ../modes.c:249 ../net.c:364 ../net.c:367 msgid "%A %B %d %H:%M:%S %Z %Y" msgstr "" #: ../modes.c:250 #, c-format msgid "Generated %s by " msgstr "Éú³É %s ÓÉ" #: ../modes.c:260 #, c-format msgid "an unknown user.\n" msgstr "²»Ã÷ʹÓÃÕß\n" #: ../modes.c:268 #, c-format msgid "(and %d 
older than %d seconds) " msgstr "(²¢ÇÒ &d ±È %d ÀÏ) " #: ../modes.c:271 #, c-format msgid "(and %d malformed) " msgstr "(²¢ÇÒ %d ÓдíÎó)" #: ../modes.c:274 #, fuzzy, c-format msgid "of %d entries in the file \"%s\" are packet logs, " msgstr "ÎļþÖÐ%dµÄ¼Ç¼" #: ../modes.c:276 #, c-format msgid "of %d entries in standard input are packet logs, " msgstr "" #: ../modes.c:278 #, fuzzy, c-format msgid "of %d entries in %d input files are packet logs, " msgstr "ÎļþÖÐ%dµÄ¼Ç¼" #: ../modes.c:282 #, c-format msgid "one has unique characteristics.\n" msgstr "Ò»¸öÓÐÌØÊâÐÎʽ\n" #: ../modes.c:284 #, c-format msgid "%d have unique characteristics.\n" msgstr "%dÓÐÌØÊâÐÎʽ\n" #: ../modes.c:292 #, c-format msgid "One entry was excluded by configuration.\n" msgstr "Ò»Ìõ¼Ç¼ÔÚÅäÖÃʱ±»É¾³ý\n" #: ../modes.c:294 #, c-format msgid "%d entries were excluded by configuration.\n" msgstr "%d¼Ç¼ÔÚÅäÖÃʱ±»É¾³ý\n" #: ../modes.c:302 #, c-format msgid "First packet log entry: %s, last: %s.\n" msgstr "µÚÒ»ÌõÊý¾Ý°üµÇ½¼Ç¼: %s, ×îºóÒ»Ìõ: %s.\n" #: ../modes.c:304 ../modes.c:811 #, c-format msgid "No valid time entries found.\n" msgstr "ûÕÒµ½ÓÐЧʱ¼ä¼Ç¼\n" #: ../modes.c:311 #, c-format msgid "All entries were logged by the same host: \"%s\".\n" msgstr "ËùÓеļǼ¶¼ÊÇ´Óͬһ¸öÖ÷»úµÇ½µÄ: \"%s\".\n" #: ../modes.c:318 #, c-format msgid "All entries are from the same chain: \"%s\".\n" msgstr "ËùÓеļǼ¶¼À´×Ôͬһ¸öÁ´: \"%s\".\n" #: ../modes.c:325 #, c-format msgid "All entries have the same target: \"%s\".\n" msgstr "ËùÓеļǼ¶¼ÓÐͬÑùµÄÄ¿±ê: \"%s\".\n" #: ../modes.c:332 #, c-format msgid "All entries are from the same interface: \"%s\".\n" msgstr "ËùÓеļǼ¶¼À´×Ôͬһ¸ö½çÃæ: \"%s\".\n" #: ../modes.c:339 #, fuzzy, c-format msgid "Only entries with a count of at least %d are shown.\n" msgstr "Ö»ÏÔʾ´óÓÚ%dµÄ¼Ç¼.\n" #: ../modes.c:346 #, fuzzy, c-format msgid "Only the top %d entries are shown.\n" msgstr "Ö»ÏÔʾ´óÓÚ%dµÄ¼Ç¼.\n" #: ../modes.c:357 #, fuzzy, c-format msgid "Resolving\n" msgstr "½âÎö %s\n" #: ../modes.c:416 #, c-format msgid "Warning: 
pidfile exists, another fwlogwatch might be running.\n" msgstr "¾¯¸æ: ´æÔÚpidÎļþ,¿ÉÄÜÁíÒ»¸öfwlogwatchÔÚÔËÐÐ.\n" #: ../modes.c:430 #, fuzzy, c-format msgid "SIGHUP caught, reread configuration file %s" msgstr "²¶×½µ½SIGHUP, ÖØÐ´ò¿ªlogÎļþ" #: ../modes.c:432 #, fuzzy, c-format msgid "SIGHUP caught, unable to reread configuration file %s" msgstr "²¶×½µ½SIGHUP, ÖØÐ´ò¿ªlogÎļþ" #: ../modes.c:455 msgid "SIGUSR1 caught, reading input from stdin, no need to reopen log file" msgstr "" #: ../modes.c:457 #, fuzzy, c-format msgid "SIGUSR1 caught, reopening log file %s" msgstr "²¶×½µ½SIGHUP, ÖØÐ´ò¿ªlogÎļþ" #: ../modes.c:529 msgid "SIGTERM caught, cleaning up" msgstr "²¶×½µ½SIGTERM, Çå³ýÄÚ´æ" #: ../modes.c:611 #, c-format msgid "Starting (pid %d)" msgstr "¿ªÊ¼ (pid %d)" #: ../modes.c:661 msgid "User to run as was not found" msgstr "" #: ../modes.c:676 #, c-format msgid "Changed uid from %d to %d, gid from %d to %d" msgstr "" #: ../modes.c:678 #, c-format msgid "Running with uid %d, gid %d" msgstr "" #: ../modes.c:682 msgid "Alert threshold is one attempt" msgstr "¾¯¸æthresholdÊÇÒ»´Î³¢ÊÔ" #: ../modes.c:684 #, c-format msgid "Alert threshold is %d attempts" msgstr "¾¯¸æthresholdÊÇ%d´Î³¢ÊÔ" #: ../modes.c:688 #, c-format msgid "Events older than %d second(s) are discarded" msgstr "ÔÚ%dÃë֮ǰµÄʼþ½«²»ÊÜÀí" #: ../modes.c:690 #, c-format msgid "Events older than %d hour(s) are discarded" msgstr "ÔÚ%dСʱ֮ǰµÄʼþ½«²»ÊÜÀí" #: ../modes.c:693 #, fuzzy, c-format msgid "Response mode: Log%s%s" msgstr "»ØÓ¦Ä£Ê½: log%s%s" #: ../modes.c:693 ../net.c:373 msgid ", notify" msgstr "֪ͨ" #: ../modes.c:693 ../net.c:373 msgid ", respond" msgstr ". 
»Ø´ð" #: ../modes.c:724 #, c-format msgid "Reading standard input\n" msgstr "¶ÁÈ¡±ê×¼ÊäÈë\n" #: ../modes.c:742 #, c-format msgid "Reading '%s'\n" msgstr "¶Á '%s'\n" #: ../modes.c:808 #, fuzzy, c-format msgid "Number of files: %d\n" msgstr "³¢ÊԵǽµÄ´ÎÊý: %s\n" #: ../modes.c:809 #, fuzzy, c-format msgid "Number of lines: %d\n" msgstr "ÐÐÊý : %d\n" #: ../modes.c:814 #, c-format msgid "First entry: %s\n" msgstr "µÚÒ»Ìõ¼Ç¼: %s\n" #: ../modes.c:816 #, c-format msgid "Last entry : %s\n" msgstr "×îºóÒ»Ìõ¼Ç¼ : %s\n" #: ../modes.c:818 #, c-format msgid "Difference : %s\n" msgstr "" #: ../net.c:130 ../net.c:132 #, c-format msgid "Listening on %s port %i" msgstr "ÁгöÔÚ &s ÉÏµÄ¶Ë¿Ú %i" #: ../net.c:172 msgid "decode_base64: input string incomplete" msgstr "decode_base64: ÊäÈë×Ö·û´®²»ÍêÕû" #: ../net.c:179 #, c-format msgid "decode_base64: illegal character '%c' in input string" msgstr "decode_base64: ÔÚÊäÈë×Ö·û´®ÓзǷ¨×Ö·û '%c'" #: ../net.c:214 msgid "count" msgstr "" #: ../net.c:215 msgid "added" msgstr "" #: ../net.c:217 msgid "proto" msgstr "" #: ../net.c:219 #, fuzzy msgid "bytes" msgstr " (%d ×Ö½Ú)" #: ../net.c:220 msgid "source" msgstr "" #: ../net.c:222 ../net.c:231 #, fuzzy msgid "hostname" msgstr "<td>Ö÷»úÃû</td>" #: ../net.c:224 ../net.c:234 #, fuzzy msgid "port" msgstr " ¶Ë¿Ú %d" #: ../net.c:226 ../net.c:236 #, fuzzy msgid "service" msgstr "<td>·þÎñ</td>" #: ../net.c:229 #, fuzzy msgid "destination" msgstr "<td>Ä¿±ê</td>" #: ../net.c:239 msgid "opts" msgstr "" #: ../net.c:240 #, fuzzy msgid "time remaining" msgstr "<td>Ê£Óàʱ¼ä</td></tr>\n" #: ../net.c:241 msgid "action" msgstr "" #: ../net.c:293 ../net.c:295 ../net.c:360 #, fuzzy msgid "Information" msgstr "" "\n" "</div>\n" "<h2>»ù±¾ÐÅÏ¢</h2>\n" #: ../net.c:299 ../net.c:301 ../net.c:398 msgid "Options" msgstr "" #: ../net.c:305 ../net.c:307 ../net.c:426 #, fuzzy msgid "Packet cache" msgstr "<h2> Êý¾Ý»º´æ</h2>\n" #: ../net.c:311 ../net.c:313 ../net.c:495 #, fuzzy msgid "Host status" msgstr "<h2>Ö÷»ú״̬</h2>\n" #: 
../net.c:316 msgid "Reload" msgstr "" #: ../net.c:365 msgid "Daemon start time" msgstr "" #: ../net.c:368 msgid "Current time" msgstr "" #: ../net.c:371 msgid "Running time" msgstr "" #: ../net.c:373 msgid "Log" msgstr "" #: ../net.c:374 #, fuzzy msgid "Response mode" msgstr "»ØÓ¦Ä£Ê½: log%s%s" #: ../net.c:376 msgid "Lines seen" msgstr "" #: ../net.c:377 msgid "Hits" msgstr "" #: ../net.c:378 msgid "Old/excluded/malformed" msgstr "" #: ../net.c:385 #, fuzzy msgid "Entries in packet cache" msgstr "<h2> Êý¾Ý»º´æ</h2>\n" #: ../net.c:392 #, fuzzy msgid "Entries in host status" msgstr "<h2>Ö÷»ú״̬</h2>\n" #: ../net.c:400 msgid "Parameter" msgstr "" #: ../net.c:402 msgid "Decrease" msgstr "" #: ../net.c:404 msgid "Current" msgstr "" #: ../net.c:406 msgid "Increase" msgstr "" #: ../net.c:408 #, fuzzy msgid "Alert threshold" msgstr "¾¯¸æthresholdÊÇÒ»´Î³¢ÊÔ" #: ../net.c:410 msgid "Discard timeout" msgstr "" #: ../net.c:411 msgid "Minimum count in packet cache" msgstr "" #: ../net.c:413 ../net.c:415 msgid "Top amount of entries in packet cache" msgstr "" #: ../net.c:418 ../net.c:420 msgid "Refresh time" msgstr "" #: ../net.c:442 ../net.c:565 msgid "%Y/%m/%d %H:%M:%S" msgstr "" #: ../net.c:479 ../net.c:595 msgid "drop" msgstr "" #: ../net.c:481 msgid "escalate" msgstr "" #: ../net.c:527 ../net.c:546 ../net.c:552 ../net.c:558 msgid "<td>any</td>" msgstr "<td>ÈκÎ</td>" #: ../net.c:540 #, fuzzy msgid "<td>(known host)</td>" msgstr "<td>-</td><td>%s/%d (ÒÑÖªÖ÷»ú/ÍøÂç)</td>" #: ../net.c:542 #, fuzzy msgid "<td>(known net)</td>" msgstr "<td>-</td><td>%s/%d (ÒÑÖªÖ÷»ú/ÍøÂç)</td>" #: ../net.c:654 ../net.c:657 #, c-format msgid "Rejected connect from unallowed ip %s port %i" msgstr "¾Ü¾øÀ´×Ô %s ¶Ë¿Ú %i µÄ·ÃÎÊ" #: ../net.c:668 ../net.c:670 #, c-format msgid "Connect from %s port %i" msgstr "À´×Ô %s ¶Ë¿Ú %i µÄ·ÃÎÊ" #: ../net.c:734 msgid "Authorization failed" msgstr "¼ìÑé´íÎó" #: ../net.c:737 #, fuzzy msgid "Authorization required" msgstr "¼ìÑé´íÎó" #: ../net.c:814 msgid "Bad request" 
msgstr "" #: ../net.c:819 msgid "Redirect" msgstr "" #: ../net.c:819 msgid "You should be redirected to the <a href=\"/\">root directory</a>" msgstr "" #: ../net.c:831 #, c-format msgid "Requested function: %s" msgstr "" #: ../net.c:834 msgid "Connection closed" msgstr "¹Ø±ÕÁª½Ó" #: ../output.c:200 #, c-format msgid " to " msgstr " ÖÁ " #: ../output.c:255 #, c-format msgid " packet" msgstr "Êý¾Ý°ü" #: ../output.c:257 #, c-format msgid " packets" msgstr "Êý¾Ý°ü" #: ../output.c:261 #, fuzzy, c-format msgid " (%lu bytes)" msgstr " (%d ×Ö½Ú)" #: ../output.c:264 #, c-format msgid " from %s" msgstr "´Ó %s" #: ../output.c:280 ../output.c:293 #, c-format msgid " port %d" msgstr " ¶Ë¿Ú %d" #: ../output.c:286 #, c-format msgid " to %s" msgstr " ÖÁ %s" #: ../output.c:313 #, fuzzy, c-format msgid "<th>start</th>" msgstr "<td>¿ªÊ¼</td>" #: ../output.c:316 #, fuzzy, c-format msgid "<th>end</th>" msgstr "<td>½áÊø</td>" #: ../output.c:319 #, fuzzy, c-format msgid "<th>interval</th>" msgstr "<td>¼ä¾à</td>" #: ../output.c:322 #, fuzzy, c-format msgid "<th>loghost</th>" msgstr "<td>logÖ÷»ú</td>" #: ../output.c:325 #, fuzzy, c-format msgid "<th>chain</th>" msgstr "<td>chain</td>" #: ../output.c:328 #, fuzzy, c-format msgid "<th>target</th>" msgstr "<td>Ä¿±ê</td>" #: ../output.c:331 #, fuzzy, c-format msgid "<th>interface</th>" msgstr "<td>½çÃæ</td>" #: ../output.c:334 #, fuzzy, c-format msgid "<th>proto</th>" msgstr "<td>´«ÊäЭÒé</td>" #: ../output.c:337 #, fuzzy, c-format msgid "<th>bytes</th>" msgstr "<td>×Ö½Ú</td>" #: ../output.c:340 #, fuzzy, c-format msgid "<th>source</th>" msgstr "<td>Ô´</td>" #: ../output.c:342 ../output.c:356 #, fuzzy, c-format msgid "<th>hostname</th>" msgstr "<td>Ö÷»úÃû</td>" #: ../output.c:344 #, fuzzy, c-format msgid "<th>whois information</th>" msgstr "<td>whoisÐÅÏ¢</td>" #: ../output.c:348 ../output.c:360 #, fuzzy, c-format msgid "<th>port</th>" msgstr "<td>¶Ë¿Ú</td>" #: ../output.c:350 ../output.c:362 #, fuzzy, c-format msgid "<th>service</th>" msgstr 
"<td>·þÎñ</td>" #: ../output.c:354 #, fuzzy, c-format msgid "<th>destination</th>" msgstr "<td>Ä¿±ê</td>" #: ../output.c:366 #, fuzzy, c-format msgid "<th>opts</th>" msgstr "<td>Ñ¡Ïî</td>" #: ../parser.c:263 #, c-format msgid "Unknown parser: '%c'.\n" msgstr "²»Öªparser: '%c'.\n" #: ../rcfile.c:57 #, c-format msgid "Error in configuration file '%s' line %d: not a number\n" msgstr "" #: ../rcfile.c:86 #, c-format msgid "Error in configuration file '%s' line %d, assuming 'true'\n" msgstr "" #: ../rcfile.c:278 #, fuzzy, c-format msgid "Unrecognized option in configuration file '%s' line %d\n" msgstr "ÅäÖÃÎļþÖв»Ã÷Ñ¡Ïî: %s" #: ../rcfile.c:299 #, c-format msgid "%s is not a regular file, ignoring.\n" msgstr "%s ²»ÊDZê×¼Îļþ, ºöÂÔ.\n" #: ../rcfile.c:307 #, fuzzy, c-format msgid "Opening configuration file '%s'\n" msgstr "´ò¿ªÊäÈëÎļþ '%s'\n" #: ../resolve.c:62 #, c-format msgid "port mismatch: %d != %d\n" msgstr "¶Ë¿Ú²»Æ¥Åä: %d != %d\n" #: ../resolve.c:81 ../resolve.c:151 #, c-format msgid "Resolving %s from cache\n" msgstr "»º´æÖнâÎö%s\n" #: ../resolve.c:89 ../resolve.c:112 #, c-format msgid "Resolving %s\n" msgstr "½âÎö %s\n" #: ../resolve.c:95 #, c-format msgid "Wrong host name size\n" msgstr "Ö÷»úÃû³¤¶È´íÎó\n" #: ../resolve.c:119 #, c-format msgid "%s [forward lookup: %s]" msgstr "%s [ÏòǰËÑË÷: %s]" #: ../resolve.c:122 #, c-format msgid "%s [forward lookup failed]" msgstr "%s [ÏòǰËÑË÷ʧ°Ü]" #: ../resolve.c:163 #, fuzzy, c-format msgid "Resolving %s from adns\n" msgstr "»º´æÖнâÎö%s\n" #: ../resolve.c:167 #, fuzzy msgid "[inconsistent forward lookup]" msgstr "%s [ÏòǰËÑË÷: %s]" #: ../resolve.c:171 #, c-format msgid "[adns status %d]" msgstr "" #: ../resolve.c:189 msgid "DNS cache error" msgstr "" #: ../resolve.c:207 #, c-format msgid "Submitted %s to adns\n" msgstr "" #: ../response.c:56 msgid "One logging ipchains firewall rule defined" msgstr "Ò»ÌõµÇ½ipchains·À»ðǽ¹æ¶¨ÒѶ¨Òå" #: ../response.c:58 #, c-format msgid "%u logging ipchains firewall rules defined" msgstr 
"ÌõµÇ½ipchains·À»ðǽ¹æ¶¨ÒѶ¨Òå" #: ../response.c:61 msgid "No logging ipchains firewall rules defined, format was requested" msgstr "ûÓж¨ÒåµÇ½ipchains·À»ðǽ¹æ¶¨, ÐèÒª¸ñʽ" #: ../response.c:82 #, c-format msgid "%s is group/world writable" msgstr "%s ¿É±»group/worldÐÞ¸Ä" #: ../response.c:168 #, c-format msgid "Deleting packet cache entry (%s)" msgstr "ɾ³ýÊý¾Ý°ü»º´æÖеÄÄÚÈÝ" #: ../response.c:202 #, c-format msgid "Deleting host status entry (%s)" msgstr "ɾ³ýÖ÷»ú״̬ÖеÄÄÚÈÝ" #: ../response.c:276 #, c-format msgid "ALERT: %d attempts from %s" msgstr "¾¯¸æ: À´×Ô %s µÄ %d ³¢ÊÔ" #: ../utils.c:53 #, c-format msgid "" "\n" "Memory allocation error, exiting.\n" msgstr "" "\n" "ѰÕÒÄÚ´æµØÖ·´íÎó, Í˳ö.\n" #: ../utils.c:68 msgid "Exiting" msgstr "Í˳ö" #: ../utils.c:77 msgid "Not executing buffer containing format string" msgstr "´øÓиñʽ×Ö·û»º´æ½«²»±»Ö´ÐÐ" #: ../utils.c:82 #, c-format msgid "Executing '%s'" msgstr "Ö´ÐÐ '%s" #: ../utils.c:194 #, fuzzy, c-format msgid "" "fwlogwatch error: mode collision, please check that you didn't specify\n" " several modes on the command line or a second mode is active in the\n" " configuration file.\n" " Please use a separate configuration file for each mode or comment out " "all\n" " entries in the default configuration and use command line parameters.\n" msgstr "" "fwlogwatch´íÎó: ģʽ³åÍ», Çë¼ì²éÄúûÓÐÔÚÃüÁîÐÐÖÐÖ¸¶¨¶àÖÖģʽ\n" " »òÕßÓеڶþÖÖģʽ±»Ä¬ÈÏÆô¶¯,»òÔÚÅäÖÃÎļþÖÐÓзñÖ¸¶¨\n" " ¶ÔÓÚ²»Í¬µÄģʽÇëʹÓò»Í¬µÄÅäÖÃÎļþ, »òʹÓÃÃüÁîÐвÎÊý\n" #: ../utils.c:268 #, c-format msgid "IP address error: %s\n" msgstr "IPµØÖ·´íÎó: %s\n" #: ../utils.c:294 #, c-format msgid "Error in CIDR format: %s\n" msgstr "CIDR¸ñʽÓдíÎó: %s\n" #: ../utils.c:312 #, c-format msgid "(known host)\n" msgstr "(²»Ã÷Ö÷»ú)\n" #: ../utils.c:351 #, c-format msgid "(excluded host)\n" msgstr "(±»ÅųýµÄÖ÷»ú)\n" #: ../whois.c:220 #, c-format msgid "Looking up whois info for %s from cache\n" msgstr "ÔÚ»º´æÖÐΪ %s ѰÕÒwhoisÐÅÏ¢\n" #: ../whois.c:227 #, c-format msgid "Looking up whois info for %s\n" msgstr "Ϊ %s 
ѰÕÒwhoisÐÅÏ¢\n" #: ../whois.c:248 #, c-format msgid "lookup failed: %s\n" msgstr "ËÑË÷ʧ°Ü: %s\n" #: ../main.h:300 msgid "fwlogwatch summary" msgstr "fwlogwatch ͳ¼ÆÕªÒª" #: ../main.h:310 msgid "fwlogwatch status" msgstr "fwlogwatch ״̬" #, fuzzy #~ msgid "Interactive report mode (summary mode extension):\n" #~ msgstr "½»»¥Ê½±¨¸æÄ£Ê½:\n" #, fuzzy #~ msgid " -i <count> interactive mode with report threshold\n" #~ msgstr " -i <ÊýÁ¿> \t±¨¸æÁ÷½»»¥Ä£Ê½\n" #, fuzzy #~ msgid " -T <email> address of CERT or abuse contact to send report to\n" #~ msgstr "\t-T <email> \tÊÕÐÅÈ˵ØÖ· (CERT»òÁªÏµÈË)\n" #, fuzzy #~ msgid " -I <file> template file for report (defaults to %s)\n" #~ msgstr " -I <Îļþ> \t±¨¸æÄ£°åÎļþ\n" #~ msgid "" #~ "Reporting threshold: %d\n" #~ "\n" #~ msgstr "" #~ "±¨¸æÁ÷: %d\n" #~ "\n" #~ msgid "Offending IP address: %s\n" #~ msgstr "½ø¹¥IPµØÖ·:\t%s\n" #~ msgid "Offending IP name: %s\n" #~ msgstr "½ø¹¥IPµØÖ·Ãû:\t%s\n" #~ msgid "Target IP address: %s\n" #~ msgstr "Ä¿±êIPµØÖ·:\t%s\n" #~ msgid "Target IP name: %s\n" #~ msgstr "Ä¿±êIPµØÖ·Ãû:\t%s\n" #~ msgid "Number of logged attempts: %s\n" #~ msgstr "³¢ÊԵǽµÄ´ÎÊý: %s\n" #~ msgid "Start time: %s\n" #~ msgstr "¿ªÊ¼Ê±¼ä:\t\t%s\n" #~ msgid "End time: %s\n" #~ msgstr "½áÊøÊ±¼ä: %s\n" #~ msgid "Timezone: %s\n" #~ msgstr "ʱ¼äÇø:\t\t\t %s\n" #~ msgid "Duration: %s\n" #~ msgstr "³ÖÐø:\t\t\t%s\n" #~ msgid "Protocol: %s\n" #~ msgstr "´«ÊäЭÒé:\t\t %s\n" #~ msgid "Source port: %s\n" #~ msgstr "Ô´¶Ë¿Ú:\t\t\t%s\n" #~ msgid "Destination port: %s\n" #~ msgstr "Ä¿±ê¶Ë¿Ú: %s\n" #~ msgid "TCP options: %s\n" #~ msgstr "TCPÑ¡Ïî: %s\n" #~ msgid "Tracking number: %s\n" #~ msgstr "TrackingÊý: %s\n" #~ msgid "Incident report %s-%s" #~ msgstr "ʼþ±¨¸æ %s-%s" #~ msgid "%d (unknown)" #~ msgstr "%d (²»Ïê)" #~ msgid "no SYNs" #~ msgstr "ûÓÐSYNs" #~ msgid "SYNs only" #~ msgstr "Ö»ÓÐSYNs" #~ msgid "" #~ "\n" #~ "What do you want to change? [1-18/(o)k] " #~ msgstr "" #~ "\n" #~ "ÄúÏëÐÞ¸Äʲô? 
[1-18/(o)k] " #~ msgid "New value: " #~ msgstr "ÐÂÖµ:" #~ msgid "" #~ "\n" #~ "Should this report be sent? [(s)end/(m)odify/(q)uit] " #~ msgstr "" #~ "\n" #~ "ÊÇ·ñ´«ËÍÕâ·Ý±¨¸æ? [(s)end/(m)odify/(q)uit] " #, fuzzy #~ msgid "<tr><td align=\"right\">Daemon start time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>DaemonÆô¶¯Ê±¼ä:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Current time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>µ±Ç°Ê±¼ä:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Running time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>ÔËÐÐʱ¼ä:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Response mode:</td><td>Log%s%s</td></tr>\n" #~ msgstr "<tr><td>»ØÓ¦Ä£Ê½:</td><td>log%s%s</td></tr>\n" #, fuzzy #~ msgid "Host status: %d</td></tr>\n" #~ msgstr "<h2>Ö÷»ú״̬</h2>\n" #, fuzzy #~ msgid "<tr align=\"center\"><th>count</th><th>added</th>" #~ msgstr "" #~ "<tr bgcolor=\"#%s\" align=\"center\"><td>ÊýÁ¿</td><td>¼ÓÈë</td><td>Ô´IPµØ" #~ "Ö·</td>" #~ msgid "Authorization failed (%s)" #~ msgstr "¼ìÑé´íÎó (%s)" #~ msgid "" #~ "<body>\n" #~ "<h1>Authorization Required</h1>\n" #~ "</body>\n" #~ "</html>\n" #~ msgstr "" #~ "<body>\n" #~ "<h1>ÐèÒªÉí·Ý¼ìÑé</h1>\n" #~ "</body>\n" #~ "</html>\n" #, fuzzy #~ msgid "<p><a href=\"/\">Reload</a>" #~ msgstr "<a href=\"/\">Ë¢ÐÂ</a><br>\n" #, fuzzy #~ msgid "" #~ "<br>\n" #~ "(automatic refresh every %d seconds)</p>\n" #~ msgstr "(ÿ%dÃëÖÓºó×Ô¶¯Ë¢ÐÂ)<br>\n" #, fuzzy #~ msgid "" #~ "<tr><td>Alert threshold:</td><td>%d entries</td></tr>\n" #~ "<tr><td>Discard timeout:</td><td>%s</td></tr>\n" #~ msgstr "" #~ "<tr><td>¾¯¸æthreshold:</td><td>%d entries</td></tr>\n" #~ "<tr><td>³¬Ê±:</td><td>%d Ãë</td></tr>\n" #, fuzzy #~ msgid " -f <file> specify input file (defaults to %s)\n" #~ msgstr " -f <Îļþ> \tÖ¸¶¨ÊäÈëÎļþ (ȱʡ %s) \n" #~ msgid "\"%s\" are packet logs, " #~ msgstr "\"%s\" ÊÇÊý¾Ý°ü¼Ç¼" #~ msgid " (defaults to '%s')\n" #~ msgstr " \t(ȱʡΪ '%s')\n" #~ msgid " (defaults to %s)\n" #~ 
msgstr "\t\t \t(ȱʡΪ %s)\n" #~ msgid "SIGHUP caught, ignoring" #~ msgstr "²¶×½µ½SIGHUP, ºöÂÔ" #~ msgid "<td>Hostname</td>" #~ msgstr "<td>Ö÷»úÃû</td>" #~ msgid "<td>Destination IP address</td>" #~ msgstr "<td>Ä¿±êIPµØÖ·</td>" #~ msgid "<td>Protocol</td>" #~ msgstr "<td>´«ÊäЭÒé</td>" #~ msgid "<td>Source port</td>" #~ msgstr "<td>Ô´¶Ë¿Ú</td>" #~ msgid "<td>Service</td>" #~ msgstr "<td>·þÎñ</td>" #~ msgid "<td>Destination port</td>" #~ msgstr "<td>Ä¿±ê¶Ë¿Ú</td>" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/po/zh_TW.po��������������������������������������������������������������������������0000644�0000764�0000144�00000070200�11453065602�014066� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������msgid "" msgstr "" "Project-Id-Version: fwlogwatch 0.5.2\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-10-06 13:58+0200\n" "PO-Revision-Date: 2001-11-11 00:20+0100\n" "Last-Translator: Ying-Chieh Liao <ijliao@csie.nctu.edu.tw>\n" "Language-Team: -\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=Big5\n" "Content-Transfer-Encoding: 8bit\n" #: ../compare.c:158 #, c-format msgid "conn_sort_up: wrong mode\n" msgstr "conn_sort_up: ¼Ò¦¡¿ù»~\n" #: ../compare.c:264 #, c-format msgid "Error in sort string: '%c', order expected, ignoring.\n" msgstr "±Æ§Ç¿ù»~: '%c', »Ý­n¶¶§Ç,©¿²¤\n" #: ../compare.c:278 #, c-format msgid "Error in sort string: '%c', direction expected, ignoring.\n" msgstr "±Æ§Ç¿ù»~: '%c', 
»Ý­n­S³ò,©¿²¤\n" #: ../compare.c:282 #, fuzzy, c-format msgid "Error in sort string, direction expected, ignoring.\n" msgstr "±Æ§Ç¿ù»~: '%c', »Ý­n­S³ò,©¿²¤\n" #: ../compare.c:382 ../compare.c:384 ../modes.c:196 ../modes.c:203 #: ../modes.c:813 ../modes.c:815 ../output.c:106 ../output.c:113 #: ../output.c:193 ../output.c:202 ../output.c:380 msgid "%b %d %H:%M:%S" msgstr "" #: ../compare.c:383 #, c-format msgid "Timewarp in log file (%s" msgstr "log¤å¥ó¤¤ªº®É¶¡(%s" #: ../main.c:25 #, fuzzy, c-format msgid "Usage: %s [options] [input_files]\n" msgstr "¨Ï¥Î¤èªk: %s [¿ï¶µ] \n" #: ../main.c:26 #, fuzzy, c-format msgid "General options:\n" msgstr "¥þ§½¿ï¶µ: \n" #: ../main.c:27 #, fuzzy, c-format msgid " -h this help\n" msgstr " -h \tÀ°§U¤å¥ó\n" #: ../main.c:28 #, fuzzy, c-format msgid " -L show time of first and last log entry\n" msgstr " -L <¤å¥ó> \tÅã¥Ü¤å¥ó¤¤²Ä¤@¦¸»P³Ì«á¤@¦¸µn³°¬ö¿ýªº®É¶¡\n" #: ../main.c:29 #, fuzzy, c-format msgid " -V show version and copyright info\n" msgstr " -V \tÅã¥Üª©¥»»Pª©Åv«H®§\n" #: ../main.c:32 #, c-format msgid "Global options:\n" msgstr "¥þ§½¿ï¶µ: \n" #: ../main.c:33 #, fuzzy, c-format msgid " -b show amount of data (sum of total packet lengths)\n" msgstr " -b\t\tÅã¥Ü¼Æ¾Ú¶q (©Ò¦³¼Æ¾Ú¥]ªø«×ªºÁ`©M)\n" #: ../main.c:34 #, fuzzy, c-format msgid " -c <file> specify config file (defaults to %s)\n" msgstr " -c <¤å¥ó>\t«ü©w°t¸m¤å¥ó (¯Ê¬Ù %s) \n" #: ../main.c:35 #, fuzzy, c-format msgid " -D do not differentiate destination IP addresses\n" msgstr " -D \t¤£°Ï¤À¥Ø¼ÐIP¦a§}\n" #: ../main.c:36 #, fuzzy, c-format msgid " -d differentiate destination ports\n" msgstr " -d \t°Ï¤À¥Ø¼ÐºÝ¤f\n" #: ../main.c:37 #, c-format msgid " -E <format> select or exclude hosts, ports, chains and targets\n" msgstr "" #: ../main.c:38 #, c-format msgid " quick reference: -E[ie][hp][sd]<ip/number>\n" msgstr "" #: ../main.c:39 #, c-format msgid " -E[ie][cb]<name>\n" msgstr "" #: ../main.c:40 #, fuzzy, c-format msgid " -m <count> only show entries with at least so many 
incidents\n" msgstr "\t-m <¼Æ¶q> \t¥uÅã¥Ü¦Ü¤Ö¦³³o»ò¦h¼Æ¶qªº°O¿ý\n" #: ../main.c:41 #, c-format msgid " -M <number> only show this amount of entries\n" msgstr "" #: ../main.c:42 #, fuzzy, c-format msgid " -N resolve service names\n" msgstr " -n \t¸ÑªR°ì¦W\n" #: ../main.c:43 #, fuzzy, c-format msgid " -n resolve host names\n" msgstr " -n \t¸ÑªR°ì¦W\n" #: ../main.c:44 #, fuzzy, c-format msgid " -O <order> define the sort order (see the man page for details)\n" msgstr "\t-O <±Æ§Ç¤èªk> \t¹ï¿é¥X¶i¦æ±Æ§Ç (¨ãÅé°Ñ¨£¬ÛÀ³¤åÀÉ\n" #: ../main.c:45 #, fuzzy, c-format msgid "" " -P <format> use parsers for specific formats (defaults to netfilter)\n" msgstr " -P <®æ¦¡> \n" #: ../main.c:46 #, c-format msgid " i: ipchains, n: netfilter, f: ipfilter, c: cisco ios\n" msgstr "" #: ../main.c:47 #, c-format msgid "" " p: cisco pix, e: netscreen, l: lancom, s: snort, b: ipfw\n" msgstr "" #: ../main.c:48 #, fuzzy, c-format msgid " -p differentiate protocols\n" msgstr " -p \t°Ï¤À¶Ç¿é¨óij\n" #: ../main.c:49 #, fuzzy, c-format msgid " -s differentiate source ports\n" msgstr " -s \t°Ï¤À·½ºÝ¤f\n" #: ../main.c:50 #, c-format msgid " -U <title> set report and status page title and email subject\n" msgstr "" #: ../main.c:51 #, fuzzy, c-format msgid " -v verbose, specify twice for more info\n" msgstr " -v \t³B²z®ÉÅã¥Ü«H®§,¨Ï¥Î -vv ±o¨ì§ó¦h«H®§\n" #: ../main.c:52 #, fuzzy, c-format msgid " -y differentiate TCP options\n" msgstr " -y \t°Ï¤ÀTCP¿ï¶µ\n" #: ../main.c:55 #, c-format msgid "Log summary mode (default):\n" msgstr "" #: ../main.c:56 #, fuzzy, c-format msgid " -C <email> carbon copy recipients\n" msgstr " -C <email> \tÂàµo¦a§}\n" #: ../main.c:57 #, fuzzy, c-format msgid " -e show end times\n" msgstr " -t \tÅã¥Ü¶}©l»Pµ²§ô®É¶¡\n" #: ../main.c:58 #, fuzzy, c-format msgid " -F <email> report sender address (defaults to '%s')\n" msgstr " -F <email> \tµo«H¤H¦a§}\n" #: ../main.c:59 #, fuzzy, c-format msgid " -l <time> process recent events only (defaults to off)\n" msgstr " -l <®É¶¡> \t¥u³B²z·í«e¨Æ¥ó 
(¯Ê¬Ù¬°Ãö³¬)\n" #: ../main.c:60 #, fuzzy, c-format msgid " -o <file> specify output file\n" msgstr " -o <¤å¥ó> \t«ü©w¿é¥X¤å¥ó\n" #: ../main.c:61 #, fuzzy, c-format msgid " -S do not differentiate source IP addresses\n" msgstr " -S \t¤£°Ï¤À·½IP¦a§}\n" #: ../main.c:62 #, c-format msgid " -T <email> send report by email to this address\n" msgstr "" #: ../main.c:63 #, fuzzy, c-format msgid " -t show start times\n" msgstr " -t \tÅã¥Ü¶}©l»Pµ²§ô®É¶¡\n" #: ../main.c:64 #, fuzzy, c-format msgid " -W activate whois lookups for source addresses\n" msgstr " -W \t±Ò°Ê¹ï·½IP¦a§}ªºwhois¬d¸ß\n" #: ../main.c:65 #, fuzzy, c-format msgid " -w HTML output\n" msgstr " -w \t¥HHTML®æ¦¡¿é¥X\n" #: ../main.c:66 #, fuzzy, c-format msgid " -z show time interval\n" msgstr " -z \tÅã¥Ü®É¶¡¶¡¹j\n" #: ../main.c:69 #, c-format msgid "Realtime response mode:\n" msgstr "¹ê®É¦^À³¼Ò¦¡:\n" #: ../main.c:70 #, fuzzy, c-format msgid " -R realtime response as daemon (default action: log only)\n" msgstr "\t-R \t\t¹ê®É¦^À³§@¬°¶Ç¿é¥N²zµ{§Ç (¯Ê¬Ù: ¥u¦³¹B¦æ°O¿ý)\n" #: ../main.c:71 #, fuzzy, c-format msgid " -a <count> alert threshold (defaults to %d entries)\n" msgstr "\t-a <¼Æ¶q> \tĵ§i¬y (¯Ê¬Ù %d °O¿ý)\n" #: ../main.c:72 #, fuzzy, c-format msgid " -l <time> forget events this old (defaults to %d hours)\n" msgstr "\t-l <®É¶¡> \t©¿²¤¦¹®É¶¡«e¨ƥó (¯Ê¬Ù: %d¤p®É)\n" #: ../main.c:73 #, fuzzy, c-format msgid " -k <IP/net> add this IP address or net to the list of known hosts\n" msgstr "\t-k <IP/ºôµ¸> \t±N¦¹IP¦a§}¥[¤J¨ì¤wª¾¥D¾÷¦Cªí¤¤\n" #: ../main.c:74 #, fuzzy, c-format msgid " -A invoke notification script if threshold is reached\n" msgstr "\t-A\t\t¦pªG¦³¬y¶i¤J±Ò°Ê³qª¾¤å¥»\n" #: ../main.c:75 #, fuzzy, c-format msgid " -B invoke response action script (e.g. 
block host)\n" msgstr "\t-B\t \t±Ò°Ê¦^À³¤å¥» (¤ñ¦p ¤ÁÂ_¥D¾÷»P¥~³¡Áp¨t)\n" #: ../main.c:76 #, fuzzy, c-format msgid " -X <port> activate internal status information web server\n" msgstr "\t-X \t±Ò°Ê¤º³¡ª¬ºA«H®§webªA°È¾¹\n" #: ../main.c:102 #, fuzzy msgid "You can contact the author at <bw@inside-security.de>." msgstr "½Ð¨Ï¥Î¥H¤U¦a§}»P§@ªÌÁp¨t¹ê»Ú<bw@inside-security.de>." #: ../main.c:104 msgid "Compile-time options of this version:" msgstr "" #: ../main.c:105 #, c-format msgid "Short name limit " msgstr "" #: ../main.c:107 ../main.c:113 ../main.c:119 ../main.c:125 ../main.c:131 msgid "enabled" msgstr "" #: ../main.c:109 ../main.c:115 ../main.c:121 ../main.c:127 ../main.c:133 msgid "disabled" msgstr "" #: ../main.c:111 #, c-format msgid "Zlib support " msgstr "" #: ../main.c:117 #, c-format msgid "Gettext (i18n) support " msgstr "" #: ../main.c:123 #, c-format msgid "IPv6 support " msgstr "" #: ../main.c:129 #, c-format msgid "GNU adns support " msgstr "" #: ../main.c:287 #, c-format msgid "Illegal inclusion/exclusion pos. 1 (expected [ie]): %s\n" msgstr "" #: ../main.c:288 ../main.c:305 ../main.c:314 ../main.c:452 #, c-format msgid "Exiting\n" msgstr "°h¥X\n" #: ../main.c:304 #, c-format msgid "Illegal inclusion/exclusion pos. 2 (expected [hpcb]): %s\n" msgstr "" #: ../main.c:313 #, c-format msgid "Illegal inclusion/exclusion pos. 
3 (expected [sd]): %s\n" msgstr "" #: ../modes.c:109 #, c-format msgid "Using stdin as input\n" msgstr "¨Ï¥Î¼Ð·Ç¿é¤J\n" #: ../modes.c:115 #, c-format msgid "Opening input file '%s'\n" msgstr "¥´¶}¿é¤J¤å¥ó '%s'\n" #: ../modes.c:133 #, c-format msgid "Processing\n" msgstr "³B²z\n" #: ../modes.c:140 #, c-format msgid "Unrecognized entries or tokens can be submitted at\n" msgstr "" #: ../modes.c:149 ../modes.c:396 ../modes.c:782 ../rcfile.c:321 #, c-format msgid "Closing '%s'\n" msgstr "Ãö³¬ '%s'\n" #: ../modes.c:178 #, c-format msgid "Sorting data\n" msgstr "¼Æ¾Ú±Æ§Ç\n" #: ../modes.c:215 #, c-format msgid "Opening output file '%s'\n" msgstr "¥´¶}¿é¥X¤å¥ó '%s'\n" #: ../modes.c:226 #, fuzzy, c-format msgid "Sending\n" msgstr "µo°e...\n" #: ../modes.c:249 ../net.c:364 ../net.c:367 msgid "%A %B %d %H:%M:%S %Z %Y" msgstr "" #: ../modes.c:250 #, c-format msgid "Generated %s by " msgstr "¥Í¦¨ %s ¥Ñ" #: ../modes.c:260 #, c-format msgid "an unknown user.\n" msgstr "¤£©ú¨Ï¥ÎªÌ\n" #: ../modes.c:268 #, c-format msgid "(and %d older than %d seconds) " msgstr "(¨Ã¥B %d ¤ñ %d ¦Ñ) " #: ../modes.c:271 #, c-format msgid "(and %d malformed) " msgstr "(¨Ã¥B %d ¦³¿ù»~) " #: ../modes.c:274 #, fuzzy, c-format msgid "of %d entries in the file \"%s\" are packet logs, " msgstr "\"%s\" ¬O¼Æ¾Ú¥]°O¿ý" #: ../modes.c:276 #, c-format msgid "of %d entries in standard input are packet logs, " msgstr "" #: ../modes.c:278 #, c-format msgid "of %d entries in %d input files are packet logs, " msgstr "" #: ../modes.c:282 #, c-format msgid "one has unique characteristics.\n" msgstr "¤@­Ó¦³¯S®í§Î¦¡\n" #: ../modes.c:284 #, c-format msgid "%d have unique characteristics.\n" msgstr "%d¦³¯S®í§Î¦¡\n" #: ../modes.c:292 #, c-format msgid "One entry was excluded by configuration.\n" msgstr "¤@±ø°O¿ý¦b°t¸m®É³Q§R°£\n" #: ../modes.c:294 #, c-format msgid "%d entries were excluded by configuration.\n" msgstr "%d°O¿ý¦b°t¸m®É³Q§R°£\n" #: ../modes.c:302 #, c-format msgid "First packet log entry: %s, last: %s.\n" msgstr 
"²Ä¤@±ø¼Æ¾Ú¥]µn³°°O¿ý: %s, ³Ì«á¤@±ø: %s.\n" #: ../modes.c:304 ../modes.c:811 #, c-format msgid "No valid time entries found.\n" msgstr "¨S§ä¨ì¦³®Ä®É¶¡°O¿ý\n" #: ../modes.c:311 #, c-format msgid "All entries were logged by the same host: \"%s\".\n" msgstr "©Ò¦³ªº°O¿ý³£¬O±q¦P¤@­Ó¥D¾÷µn³°ªº: \"%s\".\n" #: ../modes.c:318 #, c-format msgid "All entries are from the same chain: \"%s\".\n" msgstr "©Ò¦³ªº°O¿ý³£¨Ó¦Û¦P¤@­ÓÃì: \"%s\".\n" #: ../modes.c:325 #, c-format msgid "All entries have the same target: \"%s\".\n" msgstr "©Ò¦³ªº°O¿ý³£¦³¦P¼Ëªº¥Ø¼Ð: \"%s\".\n" #: ../modes.c:332 #, c-format msgid "All entries are from the same interface: \"%s\".\n" msgstr "©Ò¦³ªº°O¿ý³£¨Ó¦Û¦P¤@­Ó¬É­±: \"%s\".\n" #: ../modes.c:339 #, fuzzy, c-format msgid "Only entries with a count of at least %d are shown.\n" msgstr "¥uÅã¥Ü¤j¤_%dªº°O¿ý.\n" #: ../modes.c:346 #, fuzzy, c-format msgid "Only the top %d entries are shown.\n" msgstr "¥uÅã¥Ü¤j¤_%dªº°O¿ý.\n" #: ../modes.c:357 #, fuzzy, c-format msgid "Resolving\n" msgstr "¸ÑªR %s\n" #: ../modes.c:416 #, c-format msgid "Warning: pidfile exists, another fwlogwatch might be running.\n" msgstr "ĵ§i: ¦s¦bpid¤å¥ó,¥i¯à¥t¤@­Ófwlogwatch¦b¹B¦æ.\n" #: ../modes.c:430 #, fuzzy, c-format msgid "SIGHUP caught, reread configuration file %s" msgstr "®·®»¨ìSIGHUP, ­«·s¥´¶}log¤å¥ó" #: ../modes.c:432 #, fuzzy, c-format msgid "SIGHUP caught, unable to reread configuration file %s" msgstr "®·®»¨ìSIGHUP, ­«·s¥´¶}log¤å¥ó" #: ../modes.c:455 msgid "SIGUSR1 caught, reading input from stdin, no need to reopen log file" msgstr "" #: ../modes.c:457 #, fuzzy, c-format msgid "SIGUSR1 caught, reopening log file %s" msgstr "®·®»¨ìSIGHUP, ­«·s¥´¶}log¤å¥ó" #: ../modes.c:529 msgid "SIGTERM caught, cleaning up" msgstr "®·®»¨ìSIGTERM, ²M°£¤º¦s" #: ../modes.c:611 #, c-format msgid "Starting (pid %d)" msgstr "¶}©l (pid %d)" #: ../modes.c:661 msgid "User to run as was not found" msgstr "" #: ../modes.c:676 #, c-format msgid "Changed uid from %d to %d, gid from %d to %d" msgstr "" #: 
../modes.c:678 #, c-format msgid "Running with uid %d, gid %d" msgstr "" #: ../modes.c:682 msgid "Alert threshold is one attempt" msgstr "ĵ§ithreshold¬O¤@¦¸¹Á¸Õ" #: ../modes.c:684 #, c-format msgid "Alert threshold is %d attempts" msgstr "ĵ§ithreshold¬O%d¦¸¹Á¸Õ" #: ../modes.c:688 #, c-format msgid "Events older than %d second(s) are discarded" msgstr "¦b%d¬í¤§«eªº¨Æ¥ó±N¤£¨ü²z" #: ../modes.c:690 #, c-format msgid "Events older than %d hour(s) are discarded" msgstr "¦b%d¤p®É¤§«eªº¨Æ¥ó±N¤£¨ü²z" #: ../modes.c:693 #, fuzzy, c-format msgid "Response mode: Log%s%s" msgstr "¦^À³¼Ò¦¡: log%s%s" #: ../modes.c:693 ../net.c:373 msgid ", notify" msgstr ", ³qª¾" #: ../modes.c:693 ../net.c:373 msgid ", respond" msgstr ", ¦^µª" #: ../modes.c:724 #, c-format msgid "Reading standard input\n" msgstr "Ū¨ú¼Ð·Ç¿é¤J\n" #: ../modes.c:742 #, c-format msgid "Reading '%s'\n" msgstr "Ū '%s'\n" #: ../modes.c:808 #, fuzzy, c-format msgid "Number of files: %d\n" msgstr "¹Á¸Õµn³°ªº¦¸¼Æ: %s\n" #: ../modes.c:809 #, fuzzy, c-format msgid "Number of lines: %d\n" msgstr "¦æ¼Æ : %d\n" #: ../modes.c:814 #, c-format msgid "First entry: %s\n" msgstr "²Ä¤@±ø°O¿ý: %s\n" #: ../modes.c:816 #, c-format msgid "Last entry : %s\n" msgstr "³Ì«á¤@±ø°O¿ý : %s\n" #: ../modes.c:818 #, c-format msgid "Difference : %s\n" msgstr "" #: ../net.c:130 ../net.c:132 #, c-format msgid "Listening on %s port %i" msgstr "¦C¥X¦b %s ¤WªººÝ¤f %i" #: ../net.c:172 msgid "decode_base64: input string incomplete" msgstr "decode_base64: ¿é¤J¦r²Å¦ê¤£§¹¾ã" #: ../net.c:179 #, c-format msgid "decode_base64: illegal character '%c' in input string" msgstr "decode_base64: ¦b¿é¤J¦r²Å¦ê¦³«Dªk¦r²Å '%c'" #: ../net.c:214 msgid "count" msgstr "" #: ../net.c:215 msgid "added" msgstr "" #: ../net.c:217 msgid "proto" msgstr "" #: ../net.c:219 #, fuzzy msgid "bytes" msgstr "¦r¸`)" #: ../net.c:220 msgid "source" msgstr "" #: ../net.c:222 ../net.c:231 #, fuzzy msgid "hostname" msgstr "<td>¥D¾÷¦W</td>" #: ../net.c:224 ../net.c:234 #, fuzzy msgid "port" msgstr 
"ºÝ¤f" #: ../net.c:226 ../net.c:236 #, fuzzy msgid "service" msgstr "<td>·½</td>" #: ../net.c:229 #, fuzzy msgid "destination" msgstr "<td>¥Ø¼Ð</td>" #: ../net.c:239 msgid "opts" msgstr "" #: ../net.c:240 #, fuzzy msgid "time remaining" msgstr "<td>³Ñ§E®É¶¡</td></tr>\n" #: ../net.c:241 msgid "action" msgstr "" #: ../net.c:293 ../net.c:295 ../net.c:360 #, fuzzy msgid "Information" msgstr "" "\n" "</div>\n" "<h2>°ò¥»«H®§</h2>\n" #: ../net.c:299 ../net.c:301 ../net.c:398 msgid "Options" msgstr "" #: ../net.c:305 ../net.c:307 ../net.c:426 #, fuzzy msgid "Packet cache" msgstr "<h2> ¼Æ¾Ú½w¦s</h2>\n" #: ../net.c:311 ../net.c:313 ../net.c:495 #, fuzzy msgid "Host status" msgstr "<h2>¥D¾÷ª¬ºA</h2>\n" #: ../net.c:316 msgid "Reload" msgstr "" #: ../net.c:365 msgid "Daemon start time" msgstr "" #: ../net.c:368 msgid "Current time" msgstr "" #: ../net.c:371 msgid "Running time" msgstr "" #: ../net.c:373 msgid "Log" msgstr "" #: ../net.c:374 #, fuzzy msgid "Response mode" msgstr "¦^À³¼Ò¦¡: log%s%s" #: ../net.c:376 msgid "Lines seen" msgstr "" #: ../net.c:377 msgid "Hits" msgstr "" #: ../net.c:378 msgid "Old/excluded/malformed" msgstr "" #: ../net.c:385 #, fuzzy msgid "Entries in packet cache" msgstr "<h2> ¼Æ¾Ú½w¦s</h2>\n" #: ../net.c:392 #, fuzzy msgid "Entries in host status" msgstr "<h2>¥D¾÷ª¬ºA</h2>\n" #: ../net.c:400 msgid "Parameter" msgstr "" #: ../net.c:402 msgid "Decrease" msgstr "" #: ../net.c:404 msgid "Current" msgstr "" #: ../net.c:406 msgid "Increase" msgstr "" #: ../net.c:408 #, fuzzy msgid "Alert threshold" msgstr "ĵ§ithreshold¬O¤@¦¸¹Á¸Õ" #: ../net.c:410 msgid "Discard timeout" msgstr "" #: ../net.c:411 msgid "Minimum count in packet cache" msgstr "" #: ../net.c:413 ../net.c:415 msgid "Top amount of entries in packet cache" msgstr "" #: ../net.c:418 ../net.c:420 msgid "Refresh time" msgstr "" #: ../net.c:442 ../net.c:565 msgid "%Y/%m/%d %H:%M:%S" msgstr "" #: ../net.c:479 ../net.c:595 msgid "drop" msgstr "" #: ../net.c:481 msgid "escalate" msgstr "" #: 
../net.c:527 ../net.c:546 ../net.c:552 ../net.c:558 msgid "<td>any</td>" msgstr "<td>¥ô¦ó</td>" #: ../net.c:540 #, fuzzy msgid "<td>(known host)</td>" msgstr "<td>-</td><td>%s/%d (¤wª¾¥D¾÷/ºôµ¸)</td>" #: ../net.c:542 #, fuzzy msgid "<td>(known net)</td>" msgstr "<td>-</td><td>%s/%d (¤wª¾¥D¾÷/ºôµ¸)</td>" #: ../net.c:654 ../net.c:657 #, c-format msgid "Rejected connect from unallowed ip %s port %i" msgstr "©Úµ´¨Ó¦Û %s ºÝ¤f %i ªº³X°Ý" #: ../net.c:668 ../net.c:670 #, c-format msgid "Connect from %s port %i" msgstr "¨Ó¦Û %s ºÝ¤f %i ªº³X°Ý" #: ../net.c:734 msgid "Authorization failed" msgstr "ÀËÅç¿ù»~" #: ../net.c:737 #, fuzzy msgid "Authorization required" msgstr "ÀËÅç¿ù»~" #: ../net.c:814 msgid "Bad request" msgstr "" #: ../net.c:819 msgid "Redirect" msgstr "" #: ../net.c:819 msgid "You should be redirected to the <a href=\"/\">root directory</a>" msgstr "" #: ../net.c:831 #, c-format msgid "Requested function: %s" msgstr "" #: ../net.c:834 msgid "Connection closed" msgstr "Ãö³¬Áp±µ" #: ../output.c:200 #, fuzzy, c-format msgid " to " msgstr "¨ì" #: ../output.c:255 #, c-format msgid " packet" msgstr "¼Æ¾Ú¥]" #: ../output.c:257 #, c-format msgid " packets" msgstr "¼Æ¾Ú¥]" #: ../output.c:261 #, fuzzy, c-format msgid " (%lu bytes)" msgstr "¦r¸`)" #: ../output.c:264 #, fuzzy, c-format msgid " from %s" msgstr "±q" #: ../output.c:280 ../output.c:293 #, fuzzy, c-format msgid " port %d" msgstr "ºÝ¤f" #: ../output.c:286 #, fuzzy, c-format msgid " to %s" msgstr "¨ì" #: ../output.c:313 #, fuzzy, c-format msgid "<th>start</th>" msgstr "<td>¥Ø¼Ð</td>" #: ../output.c:316 #, fuzzy, c-format msgid "<th>end</th>" msgstr "<td>¥ô¦ó</td>" #: ../output.c:319 #, fuzzy, c-format msgid "<th>interval</th>" msgstr "<td>¶¡¶Z</td>" #: ../output.c:322 #, fuzzy, c-format msgid "<th>loghost</th>" msgstr "<td>log¥D¾÷</td>" #: ../output.c:325 #, fuzzy, c-format msgid "<th>chain</th>" msgstr "<td>chain</td>" #: ../output.c:328 #, fuzzy, c-format msgid "<th>target</th>" msgstr "<td>¥Ø¼Ð</td>" #: 
../output.c:331 #, fuzzy, c-format msgid "<th>interface</th>" msgstr "<td>¬É­±</td>" #: ../output.c:334 #, fuzzy, c-format msgid "<th>proto</th>" msgstr "<td>¶Ç¿é¨óij</td>" #: ../output.c:337 #, fuzzy, c-format msgid "<th>bytes</th>" msgstr "<td>¦r¸`</td>" #: ../output.c:340 #, fuzzy, c-format msgid "<th>source</th>" msgstr "<td>·½</td>" #: ../output.c:342 ../output.c:356 #, fuzzy, c-format msgid "<th>hostname</th>" msgstr "<td>¥D¾÷¦W</td>" #: ../output.c:344 #, fuzzy, c-format msgid "<th>whois information</th>" msgstr "<td>whois«H®§</td>" #: ../output.c:348 ../output.c:360 #, fuzzy, c-format msgid "<th>port</th>" msgstr "<td>¶Ç¿é¨óij</td>" #: ../output.c:350 ../output.c:362 #, fuzzy, c-format msgid "<th>service</th>" msgstr "<td>·½</td>" #: ../output.c:354 #, fuzzy, c-format msgid "<th>destination</th>" msgstr "<td>¥Ø¼Ð</td>" #: ../output.c:366 #, fuzzy, c-format msgid "<th>opts</th>" msgstr "<td>¿ï¶µ</td>" #: ../parser.c:263 #, c-format msgid "Unknown parser: '%c'.\n" msgstr "¤£ª¾parser: '%c'.\n" #: ../rcfile.c:57 #, c-format msgid "Error in configuration file '%s' line %d: not a number\n" msgstr "" #: ../rcfile.c:86 #, c-format msgid "Error in configuration file '%s' line %d, assuming 'true'\n" msgstr "" #: ../rcfile.c:278 #, fuzzy, c-format msgid "Unrecognized option in configuration file '%s' line %d\n" msgstr "°t¸m¤å¥ó¤¤¤£©ú¿ï¶µ: %s" #: ../rcfile.c:299 #, c-format msgid "%s is not a regular file, ignoring.\n" msgstr "%s ¤£¬O¼Ð·Ç¤å¥ó, ©¿²¤.\n" #: ../rcfile.c:307 #, fuzzy, c-format msgid "Opening configuration file '%s'\n" msgstr "¥´¶}¿é¤J¤å¥ó '%s'\n" #: ../resolve.c:62 #, c-format msgid "port mismatch: %d != %d\n" msgstr "ºÝ¤f¤£¤Ç°t: %d != %d\n" #: ../resolve.c:81 ../resolve.c:151 #, c-format msgid "Resolving %s from cache\n" msgstr "½w¦s¤¤¸ÑªR%s\n" #: ../resolve.c:89 ../resolve.c:112 #, c-format msgid "Resolving %s\n" msgstr "¸ÑªR %s\n" #: ../resolve.c:95 #, c-format msgid "Wrong host name size\n" msgstr "¥D¾÷¦Wªø«×¿ù»~\n" #: ../resolve.c:119 #, c-format 
msgid "%s [forward lookup: %s]" msgstr "%s [¦V«e·j¯Á: %s]" #: ../resolve.c:122 #, c-format msgid "%s [forward lookup failed]" msgstr "%s [¦V«e·j¯Á¥¢±Ñ]" #: ../resolve.c:163 #, fuzzy, c-format msgid "Resolving %s from adns\n" msgstr "½w¦s¤¤¸ÑªR%s\n" #: ../resolve.c:167 #, fuzzy msgid "[inconsistent forward lookup]" msgstr "%s [¦V«e·j¯Á: %s]" #: ../resolve.c:171 #, c-format msgid "[adns status %d]" msgstr "" #: ../resolve.c:189 msgid "DNS cache error" msgstr "" #: ../resolve.c:207 #, c-format msgid "Submitted %s to adns\n" msgstr "" #: ../response.c:56 msgid "One logging ipchains firewall rule defined" msgstr "¤@±øµn³°ipchains¨¾¤õÀð³W©w¤w©w¸q" #: ../response.c:58 #, c-format msgid "%u logging ipchains firewall rules defined" msgstr "±øµn³°ipchains¨¾¤õÀð³W©w¤w©w¸q" #: ../response.c:61 msgid "No logging ipchains firewall rules defined, format was requested" msgstr "¨S¦³©w¸qµn³°ipchains¨¾¤õÀð³W©w, »Ý­n®æ¦¡" #: ../response.c:82 #, c-format msgid "%s is group/world writable" msgstr "%s ¥i³Qgroup/world­×§ï" #: ../response.c:168 #, c-format msgid "Deleting packet cache entry (%s)" msgstr "§R°£¼Æ¾Ú¥]½w¦s¤¤ªº¤º®e" #: ../response.c:202 #, c-format msgid "Deleting host status entry (%s)" msgstr "§R°£¥D¾÷ª¬ºA¤¤ªº¤º®e" #: ../response.c:276 #, c-format msgid "ALERT: %d attempts from %s" msgstr "ĵ§i: ¨Ó¦Û %s ªº %d ¹Á¸Õ" #: ../utils.c:53 #, c-format msgid "" "\n" "Memory allocation error, exiting.\n" msgstr "" "\n" "´M§ä¤º¦s¦a§}¿ù»~, °h¥X.\n" #: ../utils.c:68 msgid "Exiting" msgstr "°h¥X" #: ../utils.c:77 msgid "Not executing buffer containing format string" msgstr "±a¦³®æ¦¡¦r²Å½w¦s±N¤£³Q°õ¦æ" #: ../utils.c:82 #, c-format msgid "Executing '%s'" msgstr "°õ¦æ '%s" #: ../utils.c:194 #, fuzzy, c-format msgid "" "fwlogwatch error: mode collision, please check that you didn't specify\n" " several modes on the command line or a second mode is active in the\n" " configuration file.\n" " Please use a separate configuration file for each mode or comment out " "all\n" " entries in the default 
configuration and use command line parameters.\n" msgstr "" "fwlogwatch¿ù»~: ¼Ò¦¡¨R¬ð, ½ÐÀˬd±z¨S¦³¦b©R¥O¦æ¤¤«ü©w¦hºØ¼Ò¦¡\n" " ©ÎªÌ¦³²Ä¤GºØ¼Ò¦¡³QÀq»{±Ò°Ê,©Î¦b°t¸m¤å¥ó¤¤¦³§_«ü©w\n" " ¹ï¤_¤£¦Pªº¼Ò¦¡½Ð¨Ï¥Î¤£¦Pªº°t¸m¤å¥ó, ©Î¨Ï¥Î©R¥O¦æ°Ñ¼Æ\n" #: ../utils.c:268 #, c-format msgid "IP address error: %s\n" msgstr "IP¦a§}¿ù»~: %s\n" #: ../utils.c:294 #, c-format msgid "Error in CIDR format: %s\n" msgstr "CIDR®æ¦¡¦³¿ù»~: %s\n" #: ../utils.c:312 #, c-format msgid "(known host)\n" msgstr "(¤wª¾¥D¾÷)\n" #: ../utils.c:351 #, c-format msgid "(excluded host)\n" msgstr "(³Q±Æ°£ªº¥D¾÷)\n" #: ../whois.c:220 #, c-format msgid "Looking up whois info for %s from cache\n" msgstr "¦b½w¦s¤¤¬° %s ´M§äwhois«H®§\n" #: ../whois.c:227 #, c-format msgid "Looking up whois info for %s\n" msgstr "¬° %s ´M§äwhois«H®§\n" #: ../whois.c:248 #, c-format msgid "lookup failed: %s\n" msgstr "·j¯Á¥¢±Ñ: %s\n" #: ../main.h:300 msgid "fwlogwatch summary" msgstr "" #: ../main.h:310 msgid "fwlogwatch status" msgstr "" #, fuzzy #~ msgid "Interactive report mode (summary mode extension):\n" #~ msgstr "¥æ¤¬¦¡³ø§i¼Ò¦¡:\n" #, fuzzy #~ msgid " -i <count> interactive mode with report threshold\n" #~ msgstr " -i <¼Æ¶q> \t³ø§i¬y¥æ¤¬¼Ò¦¡\n" #, fuzzy #~ msgid " -T <email> address of CERT or abuse contact to send report to\n" #~ msgstr "\t-T <email> \t¦¬«H¤H¦a§} (CERT©ÎÁp¨t¤H)\n" #, fuzzy #~ msgid " -I <file> template file for report (defaults to %s)\n" #~ msgstr " -I <¤å¥ó> \t³ø§i¼ÒªO¤å¥ó\n" #~ msgid "" #~ "Reporting threshold: %d\n" #~ "\n" #~ msgstr "" #~ "³ø§i¬y: %d\n" #~ "\n" #~ msgid "Offending IP address: %s\n" #~ msgstr "¶i§ðIP¦a§}:\t%s\n" #~ msgid "Offending IP name: %s\n" #~ msgstr "¶i§ðIP¦a§}¦W:\t%s\n" #~ msgid "Target IP address: %s\n" #~ msgstr "¥Ø¼ÐIP¦a§}:\t%s\n" #~ msgid "Target IP name: %s\n" #~ msgstr "¥Ø¼ÐIP¦a§}¦W:\t%s\n" #~ msgid "Number of logged attempts: %s\n" #~ msgstr "¹Á¸Õµn³°ªº¦¸¼Æ: %s\n" #~ msgid "Start time: %s\n" #~ msgstr "¶}©l®É¶¡:\t\t%s\n" #~ msgid "End time: %s\n" #~ msgstr "µ²§ô®É¶¡: %s\n" #~ 
msgid "Timezone: %s\n" #~ msgstr "®É¶¡°Ï:\t\t\t %s\n" #~ msgid "Duration: %s\n" #~ msgstr "«ùÄò:\t\t\t%s\n" #~ msgid "Protocol: %s\n" #~ msgstr "¶Ç¿é¨óij:\t\t %s\n" #~ msgid "Source port: %s\n" #~ msgstr "·½ºÝ¤f:\t\t\t%s\n" #~ msgid "Destination port: %s\n" #~ msgstr "¥Ø¼ÐºÝ¤f: %s\n" #~ msgid "TCP options: %s\n" #~ msgstr "TCP¿ï¶µ: %s\n" #~ msgid "Tracking number: %s\n" #~ msgstr "Tracking¼Æ: %s\n" #~ msgid "Incident report %s-%s" #~ msgstr "¨Æ¥ó³ø§i %s-%s" #~ msgid "no SYNs" #~ msgstr "¨S¦³SYNs" #~ msgid "SYNs only" #~ msgstr "¥u¦³SYNs" #~ msgid "" #~ "\n" #~ "What do you want to change? [1-18/(o)k] " #~ msgstr "" #~ "\n" #~ "±z·Q­×§ï¤°»ò? [1-18/(o)k] " #~ msgid "New value: " #~ msgstr "·s­È:" #~ msgid "" #~ "\n" #~ "Should this report be sent? [(s)end/(m)odify/(q)uit] " #~ msgstr "" #~ "\n" #~ "¬O§_¶Ç°e³o¥÷³ø§i? [(s)end/(m)odify/(q)uit] " #, fuzzy #~ msgid "<tr><td align=\"right\">Daemon start time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>Daemon±Ò°Ê®É¶¡:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Current time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>·í«e®É¶¡:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Running time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>¹B¦æ®É¶¡:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Response mode:</td><td>Log%s%s</td></tr>\n" #~ msgstr "<tr><td>¦^À³¼Ò¦¡:</td><td>log%s%s</td></tr>\n" #, fuzzy #~ msgid "Host status: %d</td></tr>\n" #~ msgstr "<h2>¥D¾÷ª¬ºA</h2>\n" #, fuzzy #~ msgid "<tr align=\"center\"><th>count</th><th>added</th>" #~ msgstr "" #~ "<tr bgcolor=\"#%s\" align=\"center\"><td>¼Æ¶q</td><td>¥[¤J</td><td>·½IP¦a" #~ "§}</td>" #~ msgid "Authorization failed (%s)" #~ msgstr "ÀËÅç¿ù»~ (%s)" #~ msgid "" #~ "<body>\n" #~ "<h1>Authorization Required</h1>\n" #~ "</body>\n" #~ "</html>\n" #~ msgstr "" #~ "<body>\n" #~ "<h1>»Ý­n¨­¥÷ÀËÅç</h1>\n" #~ "</body>\n" #~ "</html>\n" #, fuzzy #~ msgid "<p><a href=\"/\">Reload</a>" #~ msgstr "<a href=\"/\">¨ê·s</a><br>\n" 
#, fuzzy #~ msgid "" #~ "<br>\n" #~ "(automatic refresh every %d seconds)</p>\n" #~ msgstr "(¨C%d¬íÄÁ«á¦Û°Ê¨ê·s)<br>\n" #, fuzzy #~ msgid "" #~ "<tr><td>Alert threshold:</td><td>%d entries</td></tr>\n" #~ "<tr><td>Discard timeout:</td><td>%s</td></tr>\n" #~ msgstr "" #~ "<tr><td>ĵ§ithreshold:</td><td>%d entries</td></tr>\n" #~ "<tr><td>¶W®É:</td><td>%d ¬í</td></tr>\n" #, fuzzy #~ msgid " -f <file> specify input file (defaults to %s)\n" #~ msgstr " -f <¤å¥ó> \t«ü©w¿é¤J¤å¥ó (¯Ê¬Ù %s) \n" #~ msgid " (defaults to '%s')\n" #~ msgstr " \t(¯Ê¬Ù¬° '%s')\n" #~ msgid " (defaults to %s)\n" #~ msgstr "\t\t \t(¯Ê¬Ù¬° %s)\n" #~ msgid "SIGHUP caught, ignoring" #~ msgstr "®·®»¨ìSIGHUP, ©¿²¤" #~ msgid "<td>Hostname</td>" #~ msgstr "<td>¥D¾÷¦W</td>" #~ msgid "<td>Destination IP address</td>" #~ msgstr "<td>¥Ø¼ÐIP¦a§}</td>" #~ msgid "<td>Protocol</td>" #~ msgstr "<td>¶Ç¿é¨óij</td>" #~ msgid "<td>Source port</td>" #~ msgstr "<td>·½ºÝ¤f</td>" #, fuzzy #~ msgid "<td>Service</td>" #~ msgstr "<td>·½</td>" #~ msgid "<td>Destination port</td>" #~ msgstr "<td>¥Ø¼ÐºÝ¤f</td>" #~ msgid "" #~ "<html>\n" #~ "<head>\n" #~ "<title>fwlogwatch status\n" #~ msgstr "" #~ "\n" #~ "\n" #~ "fwlogwatchª¬ºA\n" #~ msgid "" #~ "
\n" #~ "

fwlogwatch status

\n" #~ msgstr "" #~ "
\n" #~ "

fwlogwatchª¬ºA

\n" #~ msgid "fwlogwatch output: %s\n" #~ msgstr "fwlogwatch¿é¥X: %s\n" #~ msgid "

fwlogwatch output

\n" #~ msgstr "

fwlogwatch¿é¥X

\n" #~ msgid "
" #~ msgstr "" #~ msgid "" #~ msgstr "" fwlogwatch-1.2/po/sv.po0000644000076400001440000007636211453065602013502 0ustar bwusersmsgid "" msgstr "" "Project-Id-Version: fwlogwatch 1.0.6\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-10-06 13:58+0200\n" "PO-Revision-Date: 2005-12-06 16:06+0100\n" "Last-Translator: Daniel Nylander \n" "Language-Team: Swedish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: 8bit\n" #: ../compare.c:158 #, c-format msgid "conn_sort_up: wrong mode\n" msgstr "conn_sort_up: Fel läge\n" #: ../compare.c:264 #, c-format msgid "Error in sort string: '%c', order expected, ignoring.\n" msgstr "" "Fel i sorteringssträng: \"%c\", sorteringsordning förväntad, ignorerar.\n" #: ../compare.c:278 #, c-format msgid "Error in sort string: '%c', direction expected, ignoring.\n" msgstr "" "Fel i sorteringssträng: \"%c\", sorteringsrikting förväntad, ignorerar.\n" #: ../compare.c:282 #, fuzzy, c-format msgid "Error in sort string, direction expected, ignoring.\n" msgstr "Fel i sorteringssträng: \"%c\", riktning förväntad, felet ignoreras.\n" #: ../compare.c:382 ../compare.c:384 ../modes.c:196 ../modes.c:203 #: ../modes.c:813 ../modes.c:815 ../output.c:106 ../output.c:113 #: ../output.c:193 ../output.c:202 ../output.c:380 msgid "%b %d %H:%M:%S" msgstr "%b %d %H:%M:%S" #: ../compare.c:383 #, c-format msgid "Timewarp in log file (%s" msgstr "Tidsomställning i loggfil (%s" #: ../main.c:25 #, c-format msgid "Usage: %s [options] [input_files]\n" msgstr "Användning: %s [flaggor] [inmatningsfiler]\n" #: ../main.c:26 #, c-format msgid "General options:\n" msgstr "Allmänna flaggor:\n" #: ../main.c:27 #, c-format msgid " -h this help\n" msgstr " -h denna hjälptext\n" #: ../main.c:28 #, c-format msgid " -L show time of first and last log entry\n" msgstr " -L visa tid för första och sista loggposten\n" #: ../main.c:29 #, c-format msgid " -V show version and copyright info\n" msgstr " -V visa versions- och 
copyrightinformation\n" #: ../main.c:32 #, c-format msgid "Global options:\n" msgstr "Globala flaggor:\n" #: ../main.c:33 #, c-format msgid " -b show amount of data (sum of total packet lengths)\n" msgstr "" " -b visa mängden data (summering av totala paketstorlekar)\n" #: ../main.c:34 #, c-format msgid " -c <file> specify config file (defaults to %s)\n" msgstr " -c <fil> konfigurationsfil (förval: %s)\n" #: ../main.c:35 #, c-format msgid " -D do not differentiate destination IP addresses\n" msgstr " -D skilj ej på mottagande IP-adresser\n" #: ../main.c:36 #, c-format msgid " -d differentiate destination ports\n" msgstr " -d skilj på mottagande portnummer\n" #: ../main.c:37 #, c-format msgid " -E select or exclude hosts, ports, chains and targets\n" msgstr " -E välj eller uteslut värdar, portar, kedjor och mål\n" #: ../main.c:38 #, c-format msgid " quick reference: -E[ie][hp][sd]\n" msgstr "" #: ../main.c:39 #, c-format msgid " -E[ie][cb]\n" msgstr "" #: ../main.c:40 #, c-format msgid " -m <count> only show entries with at least so many incidents\n" msgstr " -m visa enbart poster med åtminstone ANTAL incidenter\n" #: ../main.c:41 #, c-format msgid " -M <number> only show this amount of entries\n" msgstr " -M visa endast detta antal poster\n" #: ../main.c:42 #, c-format msgid " -N resolve service names\n" msgstr " -N slå upp namn på tjänster\n" #: ../main.c:43 #, c-format msgid " -n resolve host names\n" msgstr " -n slå upp värdnamn\n" #: ../main.c:44 #, c-format msgid " -O <order> define the sort order (see the man page for details)\n" msgstr "" " -O ange sorteringsordning (se manualsida för beskrivning)\n" #: ../main.c:45 #, fuzzy, c-format msgid "" " -P <format> use parsers for specific formats (defaults to netfilter)\n" msgstr " -P använd enbart tolkar för specifika format\n" #: ../main.c:46 #, c-format msgid " i: ipchains, n: netfilter, f: ipfilter, c: cisco ios\n" msgstr "" #: ../main.c:47 #, c-format msgid "" " p: cisco pix, e: netscreen, l: lancom, s: snort, b: ipfw\n" msgstr "" #: ../main.c:48 #, 
c-format msgid " -p differentiate protocols\n" msgstr " -p skilj mellan protokoll\n" #: ../main.c:49 #, c-format msgid " -s differentiate source ports\n" msgstr " -s skilj på källportar\n" #: ../main.c:50 #, c-format msgid " -U set report and status page title and email subject\n" msgstr "" " -U <titel> sätt titel för rapport- och statussida och ämne för e-post\n" #: ../main.c:51 #, c-format msgid " -v verbose, specify twice for more info\n" msgstr " -v var informativ, ange två gånger för mer data\n" #: ../main.c:52 #, c-format msgid " -y differentiate TCP options\n" msgstr " -y skilj på TCP-flaggor\n" #: ../main.c:55 #, c-format msgid "Log summary mode (default):\n" msgstr "Läge för loggsammandrag (standard):\n" #: ../main.c:56 #, c-format msgid " -C <email> carbon copy recipients\n" msgstr " -C <e-post> kännedomskopia av rapporten\n" #: ../main.c:57 #, c-format msgid " -e show end times\n" msgstr " -e visa stopptider\n" #: ../main.c:58 #, c-format msgid " -F <email> report sender address (defaults to '%s')\n" msgstr " -F <epost> avsändaradress för rapporten (förval \"%s\")\n" #: ../main.c:59 #, c-format msgid " -l <time> process recent events only (defaults to off)\n" msgstr "" " -l <tid> bearbeta endast senaste händelser (avstängd som standard)\n" #: ../main.c:60 #, c-format msgid " -o <file> specify output file\n" msgstr " -o <fil> ange fil för utdata\n" #: ../main.c:61 #, c-format msgid " -S do not differentiate source IP addresses\n" msgstr " -S skilj inte på källornas IP-adresser\n" #: ../main.c:62 #, c-format msgid " -T <email> send report by email to this address\n" msgstr " -T <email> skicka rapport via e-post till denna address\n" #: ../main.c:63 #, c-format msgid " -t show start times\n" msgstr " -t visa starttider\n" #: ../main.c:64 #, c-format msgid " -W activate whois lookups for source addresses\n" msgstr " -W aktivera whois-uppslag för källadresser\n" #: ../main.c:65 #, c-format msgid " -w HTML output\n" msgstr " -w utdata som HTML\n" #: 
../main.c:66 #, c-format msgid " -z show time interval\n" msgstr " -z visa tidsintervall\n" #: ../main.c:69 #, c-format msgid "Realtime response mode:\n" msgstr "Läge för realtidssvar:\n" #: ../main.c:70 #, c-format msgid " -R realtime response as daemon (default action: log only)\n" msgstr "" " -R låt demonen åtgärda i realtid (förvald åtgärd: enbart " "loggning)\n" #: ../main.c:71 #, c-format msgid " -a <count> alert threshold (defaults to %d entries)\n" msgstr " -a <antal> tröskelvärde för larm (förval: %d poster)\n" #: ../main.c:72 #, c-format msgid " -l <time> forget events this old (defaults to %d hours)\n" msgstr " -l <tid> glöm händelser äldre än (förval: %d timmar)\n" #: ../main.c:73 #, c-format msgid " -k <IP/net> add this IP address or net to the list of known hosts\n" msgstr "" " -k <IP/nät> lägg till IP-adress eller nät till listan över kända värdar\n" #: ../main.c:74 #, c-format msgid " -A invoke notification script if threshold is reached\n" msgstr " -A anropa notifieringsskript om tröskelvärdet nås\n" #: ../main.c:75 #, c-format msgid " -B invoke response action script (e.g. block host)\n" msgstr " -B anropa åtgärdsskriptet (exempelvis spärra värd)\n" #: ../main.c:76 #, c-format msgid " -X <port> activate internal status information web server\n" msgstr "" " -X <port> aktivera den interna webbservern för statusinformation\n" #: ../main.c:102 msgid "You can contact the author at <bw@inside-security.de>." 
msgstr "Upphovsmannen kan kontaktas på adressen <bw@inside-security.de>" #: ../main.c:104 msgid "Compile-time options of this version:" msgstr "Byggtidsflaggor för denna version:" #: ../main.c:105 #, c-format msgid "Short name limit " msgstr "Gräns för kort namn " #: ../main.c:107 ../main.c:113 ../main.c:119 ../main.c:125 ../main.c:131 msgid "enabled" msgstr "aktiverad" #: ../main.c:109 ../main.c:115 ../main.c:121 ../main.c:127 ../main.c:133 msgid "disabled" msgstr "avstängd" #: ../main.c:111 #, c-format msgid "Zlib support " msgstr "Stöd för Zlib" #: ../main.c:117 #, c-format msgid "Gettext (i18n) support " msgstr "Stöd för gettext (i18n)" #: ../main.c:123 #, c-format msgid "IPv6 support " msgstr "Stöd för IPv6" #: ../main.c:129 #, fuzzy, c-format msgid "GNU adns support " msgstr "Stöd för IPv6" #: ../main.c:287 #, c-format msgid "Illegal inclusion/exclusion pos. 1 (expected [ie]): %s\n" msgstr "Ogiltigt inkludering/exkludering pos. 1 (förväntade [ie]): %s\n" #: ../main.c:288 ../main.c:305 ../main.c:314 ../main.c:452 #, c-format msgid "Exiting\n" msgstr "Avslutar\n" #: ../main.c:304 #, c-format msgid "Illegal inclusion/exclusion pos. 2 (expected [hpcb]): %s\n" msgstr "Ogiltigt inkludering/exkludering pos. 2 (förväntade [hpcb]): %s\n" #: ../main.c:313 #, c-format msgid "Illegal inclusion/exclusion pos. 3 (expected [sd]): %s\n" msgstr "Ogiltigt inkludering/exkludering pos. 
3 (förväntade [sd]): %s\n" #: ../modes.c:109 #, c-format msgid "Using stdin as input\n" msgstr "Använder standard in för inmatning\n" #: ../modes.c:115 #, c-format msgid "Opening input file '%s'\n" msgstr "Öppnar inmatningsfil \"%s\"\n" #: ../modes.c:133 #, c-format msgid "Processing\n" msgstr "Bearbetar\n" #: ../modes.c:140 #, c-format msgid "Unrecognized entries or tokens can be submitted at\n" msgstr "Okända poster eller token kan skickas på\n" #: ../modes.c:149 ../modes.c:396 ../modes.c:782 ../rcfile.c:321 #, c-format msgid "Closing '%s'\n" msgstr "Stänger \"%s\"\n" #: ../modes.c:178 #, c-format msgid "Sorting data\n" msgstr "Sorterar data\n" #: ../modes.c:215 #, c-format msgid "Opening output file '%s'\n" msgstr "Öppnar utdatafil \"%s\"\n" #: ../modes.c:226 #, c-format msgid "Sending\n" msgstr "Sänder\n" #: ../modes.c:249 ../net.c:364 ../net.c:367 msgid "%A %B %d %H:%M:%S %Z %Y" msgstr "%A %B %d %H:%M:%S %Z %Y" #: ../modes.c:250 #, c-format msgid "Generated %s by " msgstr "Genererad %s av " #: ../modes.c:260 #, c-format msgid "an unknown user.\n" msgstr "en okänd användare.\n" #: ../modes.c:268 #, c-format msgid "(and %d older than %d seconds) " msgstr "(och %d äldre än %d sekunder) " #: ../modes.c:271 #, c-format msgid "(and %d malformed) " msgstr "(och %d felaktiga) " #: ../modes.c:274 #, c-format msgid "of %d entries in the file \"%s\" are packet logs, " msgstr "av %d posterna i filen \"%s\" är paketloggar, " #: ../modes.c:276 #, c-format msgid "of %d entries in standard input are packet logs, " msgstr "av %d poster i standard in är paketloggar, " #: ../modes.c:278 #, c-format msgid "of %d entries in %d input files are packet logs, " msgstr "av %d posterna i %d inmatningsfiler är paketloggar, " #: ../modes.c:282 #, c-format msgid "one has unique characteristics.\n" msgstr "en har unika egenskaper.\n" #: ../modes.c:284 #, c-format msgid "%d have unique characteristics.\n" msgstr "%d har unika egenskaper.\n" #: ../modes.c:292 #, c-format msgid "One entry was 
excluded by configuration.\n" msgstr "En post utelämnades av konfigurationen.\n" #: ../modes.c:294 #, c-format msgid "%d entries were excluded by configuration.\n" msgstr "%d poster utelämnades av konfigurationen.\n" #: ../modes.c:302 #, c-format msgid "First packet log entry: %s, last: %s.\n" msgstr "Den första posten i loggen: %s, sista: %s.\n" #: ../modes.c:304 ../modes.c:811 #, c-format msgid "No valid time entries found.\n" msgstr "Inga giltiga tidsposter funna.\n" #: ../modes.c:311 #, c-format msgid "All entries were logged by the same host: \"%s\".\n" msgstr "Alla poster var loggade av samma värd: \"%s\".\n" #: ../modes.c:318 #, c-format msgid "All entries are from the same chain: \"%s\".\n" msgstr "Alla poster kom från samma kedja: \"%s\".\n" #: ../modes.c:325 #, c-format msgid "All entries have the same target: \"%s\".\n" msgstr "Alla poster har samma måladress: \"%s\".\n" #: ../modes.c:332 #, c-format msgid "All entries are from the same interface: \"%s\".\n" msgstr "Alla poster kommer från samma nätverksgränssnitt: \"%s\".\n" #: ../modes.c:339 #, c-format msgid "Only entries with a count of at least %d are shown.\n" msgstr "Bara poster med ett antal av minst %d visas.\n" #: ../modes.c:346 #, c-format msgid "Only the top %d entries are shown.\n" msgstr "Bara de översta %d posterna visas.\n" #: ../modes.c:357 #, fuzzy, c-format msgid "Resolving\n" msgstr "Slår upp %s\n" #: ../modes.c:416 #, c-format msgid "Warning: pidfile exists, another fwlogwatch might be running.\n" msgstr "" "Varning: En pid-fil existerar redan, ytterligare en fwlogwatch kanske körs?\n" #: ../modes.c:430 #, c-format msgid "SIGHUP caught, reread configuration file %s" msgstr "SIGHUP fångad, konfigurationsfil %s läses om" #: ../modes.c:432 #, c-format msgid "SIGHUP caught, unable to reread configuration file %s" msgstr "SIGHUP fångad, konfigurationsfil %s kunde inte att läsas om" #: ../modes.c:455 msgid "SIGUSR1 caught, reading input from stdin, no need to reopen log file" msgstr "" 
"SIGUSR1 fångad, läser indata från standard in, ingen idé att öppna loggfil " "igen" #: ../modes.c:457 #, c-format msgid "SIGUSR1 caught, reopening log file %s" msgstr "SIGUSR1 fångad, loggfilen %s öppnas igen" #: ../modes.c:529 msgid "SIGTERM caught, cleaning up" msgstr "SIGTERM påträffades, rensar upp" #: ../modes.c:611 #, c-format msgid "Starting (pid %d)" msgstr "Startar (pid %d)" #: ../modes.c:661 msgid "User to run as was not found" msgstr "Användaren som ska köras som hittades inte" #: ../modes.c:676 #, c-format msgid "Changed uid from %d to %d, gid from %d to %d" msgstr "Ändrade uid från %d till %d, gid från %d till %d" #: ../modes.c:678 #, c-format msgid "Running with uid %d, gid %d" msgstr "Kör med uid %d, gid %d" #: ../modes.c:682 msgid "Alert threshold is one attempt" msgstr "Tröskelvärde för <alert> är ett försök" #: ../modes.c:684 #, c-format msgid "Alert threshold is %d attempts" msgstr "Tröskelvärde för <alert> är %d försök" #: ../modes.c:688 #, c-format msgid "Events older than %d second(s) are discarded" msgstr "Poster äldre än %d sekund(er) sållas bort" #: ../modes.c:690 #, c-format msgid "Events older than %d hour(s) are discarded" msgstr "Poster äldre än %d timme/timmar sållas bort" #: ../modes.c:693 #, c-format msgid "Response mode: Log%s%s" msgstr "Svarsläge: Log%s%s" #: ../modes.c:693 ../net.c:373 msgid ", notify" msgstr ", notifiera" #: ../modes.c:693 ../net.c:373 msgid ", respond" msgstr ", svara" #: ../modes.c:724 #, c-format msgid "Reading standard input\n" msgstr "Läser från standard in\n" #: ../modes.c:742 #, c-format msgid "Reading '%s'\n" msgstr "Läser \"%s\"\n" #: ../modes.c:808 #, c-format msgid "Number of files: %d\n" msgstr "Antal filer: %d\n" #: ../modes.c:809 #, c-format msgid "Number of lines: %d\n" msgstr "Antal rader: %d\n" #: ../modes.c:814 #, c-format msgid "First entry: %s\n" msgstr "Första posten: %s\n" #: ../modes.c:816 #, c-format msgid "Last entry : %s\n" msgstr "Sista posten: %s\n" #: ../modes.c:818 #, c-format msgid 
"Difference : %s\n" msgstr "Skillnad : %s\n" #: ../net.c:130 ../net.c:132 #, c-format msgid "Listening on %s port %i" msgstr "Lyssnar på %s port %i" #: ../net.c:172 msgid "decode_base64: input string incomplete" msgstr "decode_base64: okomplett indatasträng" #: ../net.c:179 #, c-format msgid "decode_base64: illegal character '%c' in input string" msgstr "decode_base64: Otillåtet tecken \"%c\" i indatasträngen" #: ../net.c:214 msgid "count" msgstr "antal" #: ../net.c:215 msgid "added" msgstr "lagt till" #: ../net.c:217 msgid "proto" msgstr "proto" #: ../net.c:219 msgid "bytes" msgstr "byte" #: ../net.c:220 msgid "source" msgstr "källa" #: ../net.c:222 ../net.c:231 msgid "hostname" msgstr "värdnamn" #: ../net.c:224 ../net.c:234 msgid "port" msgstr "port" #: ../net.c:226 ../net.c:236 msgid "service" msgstr "tjänst" #: ../net.c:229 msgid "destination" msgstr "destination" #: ../net.c:239 msgid "opts" msgstr "flaggor" #: ../net.c:240 msgid "time remaining" msgstr "återstående tid" #: ../net.c:241 msgid "action" msgstr "åtgärd" #: ../net.c:293 ../net.c:295 ../net.c:360 msgid "Information" msgstr "Information" #: ../net.c:299 ../net.c:301 ../net.c:398 msgid "Options" msgstr "Inställningar" #: ../net.c:305 ../net.c:307 ../net.c:426 msgid "Packet cache" msgstr "Paketcache" #: ../net.c:311 ../net.c:313 ../net.c:495 msgid "Host status" msgstr "Värdstatus" #: ../net.c:316 msgid "Reload" msgstr "Läs om" #: ../net.c:365 msgid "Daemon start time" msgstr "Demonens starttid" #: ../net.c:368 msgid "Current time" msgstr "Nuvarande tid" #: ../net.c:371 msgid "Running time" msgstr "Körtid" #: ../net.c:373 msgid "Log" msgstr "Logg" #: ../net.c:374 msgid "Response mode" msgstr "Svarsläge" #: ../net.c:376 msgid "Lines seen" msgstr "Rader sedda" #: ../net.c:377 msgid "Hits" msgstr "Träffar" #: ../net.c:378 msgid "Old/excluded/malformed" msgstr "Gammal/utesluten/felaktig" #: ../net.c:385 msgid "Entries in packet cache" msgstr "Poster i paketcache" #: ../net.c:392 msgid "Entries in host 
status" msgstr "Post i värdstatus" #: ../net.c:400 msgid "Parameter" msgstr "Parameter" #: ../net.c:402 msgid "Decrease" msgstr "Minska" #: ../net.c:404 msgid "Current" msgstr "Nuvarande" #: ../net.c:406 msgid "Increase" msgstr "Öka" #: ../net.c:408 msgid "Alert threshold" msgstr "Tröskelvärde för larm" #: ../net.c:410 msgid "Discard timeout" msgstr "Kasta timeout" #: ../net.c:411 msgid "Minimum count in packet cache" msgstr "Minimum antal i paketcache" #: ../net.c:413 ../net.c:415 msgid "Top amount of entries in packet cache" msgstr "Max antal poster i paketcache" #: ../net.c:418 ../net.c:420 msgid "Refresh time" msgstr "Uppdateringsfrekvens" #: ../net.c:442 ../net.c:565 msgid "%Y/%m/%d %H:%M:%S" msgstr "%Y/%m/%d %H:%M:%S" #: ../net.c:479 ../net.c:595 msgid "drop" msgstr "" #: ../net.c:481 msgid "escalate" msgstr "" #: ../net.c:527 ../net.c:546 ../net.c:552 ../net.c:558 msgid "<td>any</td>" msgstr "<td>någon</td>" #: ../net.c:540 msgid "<td>(known host)</td>" msgstr "<td>(kända värdar)</td>" #: ../net.c:542 msgid "<td>(known net)</td>" msgstr "<td>(kända nät)</td>" #: ../net.c:654 ../net.c:657 #, c-format msgid "Rejected connect from unallowed ip %s port %i" msgstr "Avvisad anslutning från otillåten IP-adress %s port %i" #: ../net.c:668 ../net.c:670 #, c-format msgid "Connect from %s port %i" msgstr "Anslutning från %s port %i" #: ../net.c:734 msgid "Authorization failed" msgstr "Auktorisation misslyckades" #: ../net.c:737 msgid "Authorization required" msgstr "Auktorisation krävs" #: ../net.c:814 msgid "Bad request" msgstr "Felaktig begäran" #: ../net.c:819 msgid "Redirect" msgstr "Dirigera om" #: ../net.c:819 msgid "You should be redirected to the <a href=\"/\">root directory</a>" msgstr "Du bör bli omdirigerad till <a href=\"/\">rotkatalogen</a>" #: ../net.c:831 #, c-format msgid "Requested function: %s" msgstr "Begärd funktion: %s" #: ../net.c:834 msgid "Connection closed" msgstr "Anslutning stängd" #: ../output.c:200 #, c-format msgid " to " msgstr " till " 
#: ../output.c:255 #, c-format msgid " packet" msgstr " paket" #: ../output.c:257 #, c-format msgid " packets" msgstr " paket" #: ../output.c:261 #, fuzzy, c-format msgid " (%lu bytes)" msgstr " (%d byte)" #: ../output.c:264 #, c-format msgid " from %s" msgstr " från %s" #: ../output.c:280 ../output.c:293 #, c-format msgid " port %d" msgstr " port %d" #: ../output.c:286 #, c-format msgid " to %s" msgstr " till %s" #: ../output.c:313 #, c-format msgid "<th>start</th>" msgstr "<th>start</th>" #: ../output.c:316 #, c-format msgid "<th>end</th>" msgstr "<th>slut</th>" #: ../output.c:319 #, c-format msgid "<th>interval</th>" msgstr "<th>intervall</th>" #: ../output.c:322 #, c-format msgid "<th>loghost</th>" msgstr "<th>loggvärd</th>" #: ../output.c:325 #, c-format msgid "<th>chain</th>" msgstr "<th>kedja</th>" #: ../output.c:328 #, c-format msgid "<th>target</th>" msgstr "<th>mål</th>" #: ../output.c:331 #, c-format msgid "<th>interface</th>" msgstr "<th>gränssnitt</th>" #: ../output.c:334 #, c-format msgid "<th>proto</th>" msgstr "<th>proto</th>" #: ../output.c:337 #, c-format msgid "<th>bytes</th>" msgstr "<th>antal byte</th>" #: ../output.c:340 #, c-format msgid "<th>source</th>" msgstr "<th>källa</th>" #: ../output.c:342 ../output.c:356 #, c-format msgid "<th>hostname</th>" msgstr "<th>värdnamn</th>" #: ../output.c:344 #, c-format msgid "<th>whois information</th>" msgstr "<th>whois-information</th>" #: ../output.c:348 ../output.c:360 #, c-format msgid "<th>port</th>" msgstr "<th>port</th>" #: ../output.c:350 ../output.c:362 #, c-format msgid "<th>service</th>" msgstr "<th>tjänst</th>" #: ../output.c:354 #, c-format msgid "<th>destination</th>" msgstr "<th>destination</th>" #: ../output.c:366 #, c-format msgid "<th>opts</th>" msgstr "<th>flaggor</th>" #: ../parser.c:263 #, c-format msgid "Unknown parser: '%c'.\n" msgstr "Okänd tolk: \"%c\".\n" #: ../rcfile.c:57 #, c-format msgid "Error in configuration file '%s' line %d: not a number\n" msgstr "Fel i 
konfigurationsfil \"%s\" rad %d: inte ett nummer\n" #: ../rcfile.c:86 #, c-format msgid "Error in configuration file '%s' line %d, assuming 'true'\n" msgstr "Fel i konfigurationsfil \"%s\" rad %d, antar \"true\"\n" #: ../rcfile.c:278 #, c-format msgid "Unrecognized option in configuration file '%s' line %d\n" msgstr "Okänd inställning i konfigurationsfil \"%s\" rad %d\n" #: ../rcfile.c:299 #, c-format msgid "%s is not a regular file, ignoring.\n" msgstr "%s är inte en vanlig fil, ignoreras.\n" #: ../rcfile.c:307 #, c-format msgid "Opening configuration file '%s'\n" msgstr "Öppnar konfigurationsfil '%s'\n" #: ../resolve.c:62 #, c-format msgid "port mismatch: %d != %d\n" msgstr "Port stämmer inte: %d != %d\n" #: ../resolve.c:81 ../resolve.c:151 #, c-format msgid "Resolving %s from cache\n" msgstr "Slår upp %s från cache\n" #: ../resolve.c:89 ../resolve.c:112 #, c-format msgid "Resolving %s\n" msgstr "Slår upp %s\n" #: ../resolve.c:95 #, c-format msgid "Wrong host name size\n" msgstr "Felaktig storlek för värdnamn\n" #: ../resolve.c:119 #, c-format msgid "%s [forward lookup: %s]" msgstr "%s [uppslag: %s]" #: ../resolve.c:122 #, c-format msgid "%s [forward lookup failed]" msgstr "%s [uppslag misslyckades]" #: ../resolve.c:163 #, fuzzy, c-format msgid "Resolving %s from adns\n" msgstr "Slår upp %s från cache\n" #: ../resolve.c:167 #, fuzzy msgid "[inconsistent forward lookup]" msgstr "%s [uppslag: %s]" #: ../resolve.c:171 #, c-format msgid "[adns status %d]" msgstr "" #: ../resolve.c:189 msgid "DNS cache error" msgstr "" #: ../resolve.c:207 #, c-format msgid "Submitted %s to adns\n" msgstr "" #: ../response.c:56 msgid "One logging ipchains firewall rule defined" msgstr "En loggregel för ipchains definierad" #: ../response.c:58 #, c-format msgid "%u logging ipchains firewall rules defined" msgstr "%u loggregler för ipchains definierade" #: ../response.c:61 msgid "No logging ipchains firewall rules defined, format was requested" msgstr "Inga loggregler för ipchains 
definierade, format var begärd" #: ../response.c:82 #, c-format msgid "%s is group/world writable" msgstr "%s är skrivbar för grupp/världen" #: ../response.c:168 #, c-format msgid "Deleting packet cache entry (%s)" msgstr "Raderar paketpost från cache (%s)" #: ../response.c:202 #, c-format msgid "Deleting host status entry (%s)" msgstr "Raderar statuspost för värd (%s)" #: ../response.c:276 #, c-format msgid "ALERT: %d attempts from %s" msgstr "LARM: %d angreppsförsök från %s" #: ../utils.c:53 #, c-format msgid "" "\n" "Memory allocation error, exiting.\n" msgstr "" "\n" "Minneshanteringsfel i programmet. Programmet avslutas.\n" #: ../utils.c:68 msgid "Exiting" msgstr "Avslutar" #: ../utils.c:77 msgid "Not executing buffer containing format string" msgstr "Exekverar inte buffert som innehåller formateringssträng" #: ../utils.c:82 #, c-format msgid "Executing '%s'" msgstr "Startar \"%s\"" #: ../utils.c:194 #, c-format msgid "" "fwlogwatch error: mode collision, please check that you didn't specify\n" " several modes on the command line or a second mode is active in the\n" " configuration file.\n" " Please use a separate configuration file for each mode or comment out " "all\n" " entries in the default configuration and use command line parameters.\n" msgstr "" "Fel i fwlogwatch: Kollision mellan lägen. 
Kontrollera att du inte angav\n" " flera lägen på kommandoraden eller ett annat läge är konfigurerad i " "konfigurationsfilen.\n" " Använd en separat konfigurationsfil för varje läge eller kommentera ut\n" " delar av standardkonfigurationen och använd parametrar på kommandoraden.\n" #: ../utils.c:268 #, c-format msgid "IP address error: %s\n" msgstr "IP-adressfel: %s\n" #: ../utils.c:294 #, c-format msgid "Error in CIDR format: %s\n" msgstr "Fel i CIDR-format: %s\n" #: ../utils.c:312 #, c-format msgid "(known host)\n" msgstr "(känd värd)\n" #: ../utils.c:351 #, c-format msgid "(excluded host)\n" msgstr "(utesluten värd)\n" #: ../whois.c:220 #, c-format msgid "Looking up whois info for %s from cache\n" msgstr "Slår upp whois-information för %s från cache\n" #: ../whois.c:227 #, c-format msgid "Looking up whois info for %s\n" msgstr "Slår upp whois-information för %s\n" #: ../whois.c:248 #, c-format msgid "lookup failed: %s\n" msgstr "Uppslag misslyckades: %s\n" #: ../main.h:300 msgid "fwlogwatch summary" msgstr "Sammandrag från fwlogwatch" #: ../main.h:310 msgid "fwlogwatch status" msgstr "Status för fwlogwatch" #~ msgid "Interactive report mode (summary mode extension):\n" #~ msgstr "Interaktivt rapporteringsläge (utökning för kortfattat läge):\n" #~ msgid " -i <count> interactive mode with report threshold\n" #~ msgstr " -i <antal> interaktivt läge med tröskelvärde för rapport\n" #~ msgid " -T <email> address of CERT or abuse contact to send report to\n" #~ msgstr "" #~ " -T <epost> adress till CERT eller \"abuse\"-kontakt att sända rapport " #~ "till\n" #~ msgid " -I <file> template file for report (defaults to %s)\n" #~ msgstr " -I <fil> rapportmall (förval \"%s\")\n" #~ msgid "" #~ "Reporting threshold: %d\n" #~ "\n" #~ msgstr "" #~ "Tröskelvärde för rapport: %d\n" #~ "\n" #~ msgid "Offending IP address: %s\n" #~ msgstr "Angripande IP-adress: %s\n" #~ msgid "Offending IP name: %s\n" #~ msgstr "Angriparens DNS-namn: %s\n" #~ msgid "Target IP address: %s\n" #~ 
msgstr "Målets IP-adress: %s\n" #~ msgid "Target IP name: %s\n" #~ msgstr "Målets DNS-namn: %s\n" #~ msgid "Number of logged attempts: %s\n" #~ msgstr "Antal loggade försök: %s\n" #~ msgid "Start time: %s\n" #~ msgstr "Starttid: %s\n" #~ msgid "End time: %s\n" #~ msgstr "Sluttid: %s\n" #~ msgid "Timezone: %s\n" #~ msgstr "Tidszon: %s\n" #~ msgid "Duration: %s\n" #~ msgstr "Längd: %s\n" #~ msgid "Protocol: %s\n" #~ msgstr "Protokoll: %s\n" #~ msgid "Source port: %s\n" #~ msgstr "Källport: %s\n" #~ msgid "Destination port: %s\n" #~ msgstr "Mottagarport: %s\n" #~ msgid "TCP options: %s\n" #~ msgstr "TCP-flaggor: %s\n" #~ msgid "Tracking number: %s\n" #~ msgstr "Spårnummer: %s\n" #~ msgid "Incident report %s-%s" #~ msgstr "Incidentrapport %s-%s" #~ msgid "%d (unknown)" #~ msgstr "%d (okänd)" #~ msgid "no SYNs" #~ msgstr "inga SYN" #~ msgid "SYNs only" #~ msgstr "endast SYN" #~ msgid "" #~ "\n" #~ "What do you want to change? [1-18/(o)k] " #~ msgstr "" #~ "\n" #~ "Vad vill du ändra? [1-18/(o)k] " #~ msgid "New value: " #~ msgstr "Nytt värde: " #~ msgid "" #~ "\n" #~ "Should this report be sent? [(s)end/(m)odify/(q)uit] " #~ msgstr "" #~ "\n" #~ "Skall denna rapport sändas? 
[(s)änd |(m)odifiera |(q) sluta] " #, fuzzy #~ msgid "<tr><td align=\"right\">Daemon start time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>Startid för Daemonprocessen:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Current time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>Aktuell tid:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Running time:</td><td>%s</td></tr>\n" #~ msgstr "<tr><td>Tid för Exekvering:</td><td>%s</td></tr>\n" #, fuzzy #~ msgid "<tr><td align=\"right\">Response mode:</td><td>Log%s%s</td></tr>\n" #~ msgstr "<tr><td>Svarsmod:</td><td>logg%s%s</td></tr>\n" #, fuzzy #~ msgid "Host status: %d</td></tr>\n" #~ msgstr "<h2>Status för serverdatorn</h2>\n" #, fuzzy #~ msgid "<tr align=\"center\"><th>count</th><th>added</th>" #~ msgstr "" #~ "<tr bgcolor=\"#%s\" align=\"center\"><td>Antal</td><td>Adderade</" #~ "td><td>IP-adress på avsändare</td>" #~ msgid "Authorization failed (%s)" #~ msgstr "Misslyckad auktorisation (%s)" #~ msgid "" #~ "<body>\n" #~ "<h1>Authorization Required</h1>\n" #~ "</body>\n" #~ "</html>\n" #~ msgstr "" #~ "<body>\n" #~ "<h1>Auktorisation krävs</h1>\n" #~ "</body>\n" #~ "</html>\n" #, fuzzy #~ msgid "<p><a href=\"/\">Reload</a>" #~ msgstr "<a href=\"/\">Ladda om</a><br>\n" #, fuzzy #~ msgid "" #~ "<br>\n" #~ "(automatic refresh every %d seconds)</p>\n" #~ msgstr "(Automatisk återladdning var %d sekund)<br>\n" #, fuzzy #~ msgid "" #~ "<tr><td>Alert threshold:</td><td>%d entries</td></tr>\n" #~ "<tr><td>Discard timeout:</td><td>%s</td></tr>\n" #~ msgstr "" #~ "<tr><td>Tröskelvärde för larm (alert):</td><td>%d poster</td></tr>\n" #~ "<tr><td>Tidsmässigt tröskelvärde för att släppa:</td><td>%d sekunder</" #~ "td></tr>\n" #, fuzzy #~ msgid " -f <file> specify input file (defaults to %s)\n" #~ msgstr " -f <filnamn> Specificera indatafil (Standardförval: %s)\n" #~ msgid "\"%s\" are packet logs, " #~ msgstr "\"%s\" är paketloggar, " #~ msgid " (defaults to '%s')\n" #~ msgstr " (Standardmässigt 
förval: '%s')\n" #~ msgid " (defaults to %s)\n" #~ msgstr " (Standardmässigt förval: %s)\n" #~ msgid "SIGHUP caught, ignoring" #~ msgstr "signalen SIGHUP fångad, ignorerad" #~ msgid "<td>Hostname</td>" #~ msgstr "<td>Namn</td>" #~ msgid "<td>Destination IP address</td>" #~ msgstr "<td>IP-Adress på mottagare</td>" #~ msgid "<td>Protocol</td>" #~ msgstr "<td>Protokoll</td>" #~ msgid "<td>Source port</td>" #~ msgstr "<td>Avsändarport</td>" #, fuzzy #~ msgid "<td>Service</td>" #~ msgstr "<td>avsändare</td>" #~ msgid "<td>Destination port</td>" #~ msgstr "<td>Mottagarport</td>" #~ msgid "" #~ "<html>\n" #~ "<head>\n" #~ "<title>fwlogwatch status\n" #~ msgstr "" #~ "\n" #~ "\n" #~ "Status fwlogwatch\n" #~ msgid "" #~ "
\n" #~ "

fwlogwatch status

\n" #~ msgstr "" #~ "
\n" #~ "

Status fwlogwatch

\n" #~ msgid "fwlogwatch output: %s\n" #~ msgstr "utmatning fwlogwatch: %s\n" #~ msgid "

fwlogwatch output

\n" #~ msgstr "

utmatning från fwlogwatch

\n" #~ msgid "
" #~ msgstr "" #~ msgid "" #~ msgstr "" fwlogwatch-1.2/po/fwlogwatch.pot0000644000076400001440000004536711453065602015404 0ustar bwusers# SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-10-06 13:58+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #: ../compare.c:158 #, c-format msgid "conn_sort_up: wrong mode\n" msgstr "" #: ../compare.c:264 #, c-format msgid "Error in sort string: '%c', order expected, ignoring.\n" msgstr "" #: ../compare.c:278 #, c-format msgid "Error in sort string: '%c', direction expected, ignoring.\n" msgstr "" #: ../compare.c:282 #, c-format msgid "Error in sort string, direction expected, ignoring.\n" msgstr "" #: ../compare.c:382 ../compare.c:384 ../modes.c:196 ../modes.c:203 #: ../modes.c:813 ../modes.c:815 ../output.c:106 ../output.c:113 #: ../output.c:193 ../output.c:202 ../output.c:380 msgid "%b %d %H:%M:%S" msgstr "" #: ../compare.c:383 #, c-format msgid "Timewarp in log file (%s" msgstr "" #: ../main.c:25 #, c-format msgid "Usage: %s [options] [input_files]\n" msgstr "" #: ../main.c:26 #, c-format msgid "General options:\n" msgstr "" #: ../main.c:27 #, c-format msgid " -h this help\n" msgstr "" #: ../main.c:28 #, c-format msgid " -L show time of first and last log entry\n" msgstr "" #: ../main.c:29 #, c-format msgid " -V show version and copyright info\n" msgstr "" #: ../main.c:32 #, c-format msgid "Global options:\n" msgstr "" #: ../main.c:33 #, c-format msgid " -b show amount of data (sum of total packet lengths)\n" msgstr "" #: ../main.c:34 #, c-format msgid " -c specify config file (defaults to %s)\n" msgstr "" #: 
../main.c:35 #, c-format msgid " -D do not differentiate destination IP addresses\n" msgstr "" #: ../main.c:36 #, c-format msgid " -d differentiate destination ports\n" msgstr "" #: ../main.c:37 #, c-format msgid " -E select or exclude hosts, ports, chains and targets\n" msgstr "" #: ../main.c:38 #, c-format msgid " quick reference: -E[ie][hp][sd]\n" msgstr "" #: ../main.c:39 #, c-format msgid " -E[ie][cb]\n" msgstr "" #: ../main.c:40 #, c-format msgid " -m only show entries with at least so many incidents\n" msgstr "" #: ../main.c:41 #, c-format msgid " -M only show this amount of entries\n" msgstr "" #: ../main.c:42 #, c-format msgid " -N resolve service names\n" msgstr "" #: ../main.c:43 #, c-format msgid " -n resolve host names\n" msgstr "" #: ../main.c:44 #, c-format msgid " -O define the sort order (see the man page for details)\n" msgstr "" #: ../main.c:45 #, c-format msgid "" " -P use parsers for specific formats (defaults to netfilter)\n" msgstr "" #: ../main.c:46 #, c-format msgid " i: ipchains, n: netfilter, f: ipfilter, c: cisco ios\n" msgstr "" #: ../main.c:47 #, c-format msgid "" " p: cisco pix, e: netscreen, l: lancom, s: snort, b: ipfw\n" msgstr "" #: ../main.c:48 #, c-format msgid " -p differentiate protocols\n" msgstr "" #: ../main.c:49 #, c-format msgid " -s differentiate source ports\n" msgstr "" #: ../main.c:50 #, c-format msgid " -U set report and status page title and email subject\n" msgstr "" #: ../main.c:51 #, c-format msgid " -v verbose, specify twice for more info\n" msgstr "" #: ../main.c:52 #, c-format msgid " -y differentiate TCP options\n" msgstr "" #: ../main.c:55 #, c-format msgid "Log summary mode (default):\n" msgstr "" #: ../main.c:56 #, c-format msgid " -C <email> carbon copy recipients\n" msgstr "" #: ../main.c:57 #, c-format msgid " -e show end times\n" msgstr "" #: ../main.c:58 #, c-format msgid " -F <email> report sender address (defaults to '%s')\n" msgstr "" #: ../main.c:59 #, c-format msgid " -l <time> process recent 
events only (defaults to off)\n" msgstr "" #: ../main.c:60 #, c-format msgid " -o <file> specify output file\n" msgstr "" #: ../main.c:61 #, c-format msgid " -S do not differentiate source IP addresses\n" msgstr "" #: ../main.c:62 #, c-format msgid " -T <email> send report by email to this address\n" msgstr "" #: ../main.c:63 #, c-format msgid " -t show start times\n" msgstr "" #: ../main.c:64 #, c-format msgid " -W activate whois lookups for source addresses\n" msgstr "" #: ../main.c:65 #, c-format msgid " -w HTML output\n" msgstr "" #: ../main.c:66 #, c-format msgid " -z show time interval\n" msgstr "" #: ../main.c:69 #, c-format msgid "Realtime response mode:\n" msgstr "" #: ../main.c:70 #, c-format msgid " -R realtime response as daemon (default action: log only)\n" msgstr "" #: ../main.c:71 #, c-format msgid " -a <count> alert threshold (defaults to %d entries)\n" msgstr "" #: ../main.c:72 #, c-format msgid " -l <time> forget events this old (defaults to %d hours)\n" msgstr "" #: ../main.c:73 #, c-format msgid " -k <IP/net> add this IP address or net to the list of known hosts\n" msgstr "" #: ../main.c:74 #, c-format msgid " -A invoke notification script if threshold is reached\n" msgstr "" #: ../main.c:75 #, c-format msgid " -B invoke response action script (e.g. block host)\n" msgstr "" #: ../main.c:76 #, c-format msgid " -X <port> activate internal status information web server\n" msgstr "" #: ../main.c:102 msgid "You can contact the author at <bw@inside-security.de>." 
msgstr "" #: ../main.c:104 msgid "Compile-time options of this version:" msgstr "" #: ../main.c:105 #, c-format msgid "Short name limit " msgstr "" #: ../main.c:107 ../main.c:113 ../main.c:119 ../main.c:125 ../main.c:131 msgid "enabled" msgstr "" #: ../main.c:109 ../main.c:115 ../main.c:121 ../main.c:127 ../main.c:133 msgid "disabled" msgstr "" #: ../main.c:111 #, c-format msgid "Zlib support " msgstr "" #: ../main.c:117 #, c-format msgid "Gettext (i18n) support " msgstr "" #: ../main.c:123 #, c-format msgid "IPv6 support " msgstr "" #: ../main.c:129 #, c-format msgid "GNU adns support " msgstr "" #: ../main.c:287 #, c-format msgid "Illegal inclusion/exclusion pos. 1 (expected [ie]): %s\n" msgstr "" #: ../main.c:288 ../main.c:305 ../main.c:314 ../main.c:452 #, c-format msgid "Exiting\n" msgstr "" #: ../main.c:304 #, c-format msgid "Illegal inclusion/exclusion pos. 2 (expected [hpcb]): %s\n" msgstr "" #: ../main.c:313 #, c-format msgid "Illegal inclusion/exclusion pos. 3 (expected [sd]): %s\n" msgstr "" #: ../modes.c:109 #, c-format msgid "Using stdin as input\n" msgstr "" #: ../modes.c:115 #, c-format msgid "Opening input file '%s'\n" msgstr "" #: ../modes.c:133 #, c-format msgid "Processing\n" msgstr "" #: ../modes.c:140 #, c-format msgid "Unrecognized entries or tokens can be submitted at\n" msgstr "" #: ../modes.c:149 ../modes.c:396 ../modes.c:782 ../rcfile.c:321 #, c-format msgid "Closing '%s'\n" msgstr "" #: ../modes.c:178 #, c-format msgid "Sorting data\n" msgstr "" #: ../modes.c:215 #, c-format msgid "Opening output file '%s'\n" msgstr "" #: ../modes.c:226 #, c-format msgid "Sending\n" msgstr "" #: ../modes.c:249 ../net.c:364 ../net.c:367 msgid "%A %B %d %H:%M:%S %Z %Y" msgstr "" #: ../modes.c:250 #, c-format msgid "Generated %s by " msgstr "" #: ../modes.c:260 #, c-format msgid "an unknown user.\n" msgstr "" #: ../modes.c:268 #, c-format msgid "(and %d older than %d seconds) " msgstr "" #: ../modes.c:271 #, c-format msgid "(and %d malformed) " msgstr "" #: 
../modes.c:274 #, c-format msgid "of %d entries in the file \"%s\" are packet logs, " msgstr "" #: ../modes.c:276 #, c-format msgid "of %d entries in standard input are packet logs, " msgstr "" #: ../modes.c:278 #, c-format msgid "of %d entries in %d input files are packet logs, " msgstr "" #: ../modes.c:282 #, c-format msgid "one has unique characteristics.\n" msgstr "" #: ../modes.c:284 #, c-format msgid "%d have unique characteristics.\n" msgstr "" #: ../modes.c:292 #, c-format msgid "One entry was excluded by configuration.\n" msgstr "" #: ../modes.c:294 #, c-format msgid "%d entries were excluded by configuration.\n" msgstr "" #: ../modes.c:302 #, c-format msgid "First packet log entry: %s, last: %s.\n" msgstr "" #: ../modes.c:304 ../modes.c:811 #, c-format msgid "No valid time entries found.\n" msgstr "" #: ../modes.c:311 #, c-format msgid "All entries were logged by the same host: \"%s\".\n" msgstr "" #: ../modes.c:318 #, c-format msgid "All entries are from the same chain: \"%s\".\n" msgstr "" #: ../modes.c:325 #, c-format msgid "All entries have the same target: \"%s\".\n" msgstr "" #: ../modes.c:332 #, c-format msgid "All entries are from the same interface: \"%s\".\n" msgstr "" #: ../modes.c:339 #, c-format msgid "Only entries with a count of at least %d are shown.\n" msgstr "" #: ../modes.c:346 #, c-format msgid "Only the top %d entries are shown.\n" msgstr "" #: ../modes.c:357 #, c-format msgid "Resolving\n" msgstr "" #: ../modes.c:416 #, c-format msgid "Warning: pidfile exists, another fwlogwatch might be running.\n" msgstr "" #: ../modes.c:430 #, c-format msgid "SIGHUP caught, reread configuration file %s" msgstr "" #: ../modes.c:432 #, c-format msgid "SIGHUP caught, unable to reread configuration file %s" msgstr "" #: ../modes.c:455 msgid "SIGUSR1 caught, reading input from stdin, no need to reopen log file" msgstr "" #: ../modes.c:457 #, c-format msgid "SIGUSR1 caught, reopening log file %s" msgstr "" #: ../modes.c:529 msgid "SIGTERM caught, 
cleaning up" msgstr "" #: ../modes.c:611 #, c-format msgid "Starting (pid %d)" msgstr "" #: ../modes.c:661 msgid "User to run as was not found" msgstr "" #: ../modes.c:676 #, c-format msgid "Changed uid from %d to %d, gid from %d to %d" msgstr "" #: ../modes.c:678 #, c-format msgid "Running with uid %d, gid %d" msgstr "" #: ../modes.c:682 msgid "Alert threshold is one attempt" msgstr "" #: ../modes.c:684 #, c-format msgid "Alert threshold is %d attempts" msgstr "" #: ../modes.c:688 #, c-format msgid "Events older than %d second(s) are discarded" msgstr "" #: ../modes.c:690 #, c-format msgid "Events older than %d hour(s) are discarded" msgstr "" #: ../modes.c:693 #, c-format msgid "Response mode: Log%s%s" msgstr "" #: ../modes.c:693 ../net.c:373 msgid ", notify" msgstr "" #: ../modes.c:693 ../net.c:373 msgid ", respond" msgstr "" #: ../modes.c:724 #, c-format msgid "Reading standard input\n" msgstr "" #: ../modes.c:742 #, c-format msgid "Reading '%s'\n" msgstr "" #: ../modes.c:808 #, c-format msgid "Number of files: %d\n" msgstr "" #: ../modes.c:809 #, c-format msgid "Number of lines: %d\n" msgstr "" #: ../modes.c:814 #, c-format msgid "First entry: %s\n" msgstr "" #: ../modes.c:816 #, c-format msgid "Last entry : %s\n" msgstr "" #: ../modes.c:818 #, c-format msgid "Difference : %s\n" msgstr "" #: ../net.c:130 ../net.c:132 #, c-format msgid "Listening on %s port %i" msgstr "" #: ../net.c:172 msgid "decode_base64: input string incomplete" msgstr "" #: ../net.c:179 #, c-format msgid "decode_base64: illegal character '%c' in input string" msgstr "" #: ../net.c:214 msgid "count" msgstr "" #: ../net.c:215 msgid "added" msgstr "" #: ../net.c:217 msgid "proto" msgstr "" #: ../net.c:219 msgid "bytes" msgstr "" #: ../net.c:220 msgid "source" msgstr "" #: ../net.c:222 ../net.c:231 msgid "hostname" msgstr "" #: ../net.c:224 ../net.c:234 msgid "port" msgstr "" #: ../net.c:226 ../net.c:236 msgid "service" msgstr "" #: ../net.c:229 msgid "destination" msgstr "" #: ../net.c:239 
msgid "opts" msgstr "" #: ../net.c:240 msgid "time remaining" msgstr "" #: ../net.c:241 msgid "action" msgstr "" #: ../net.c:293 ../net.c:295 ../net.c:360 msgid "Information" msgstr "" #: ../net.c:299 ../net.c:301 ../net.c:398 msgid "Options" msgstr "" #: ../net.c:305 ../net.c:307 ../net.c:426 msgid "Packet cache" msgstr "" #: ../net.c:311 ../net.c:313 ../net.c:495 msgid "Host status" msgstr "" #: ../net.c:316 msgid "Reload" msgstr "" #: ../net.c:365 msgid "Daemon start time" msgstr "" #: ../net.c:368 msgid "Current time" msgstr "" #: ../net.c:371 msgid "Running time" msgstr "" #: ../net.c:373 msgid "Log" msgstr "" #: ../net.c:374 msgid "Response mode" msgstr "" #: ../net.c:376 msgid "Lines seen" msgstr "" #: ../net.c:377 msgid "Hits" msgstr "" #: ../net.c:378 msgid "Old/excluded/malformed" msgstr "" #: ../net.c:385 msgid "Entries in packet cache" msgstr "" #: ../net.c:392 msgid "Entries in host status" msgstr "" #: ../net.c:400 msgid "Parameter" msgstr "" #: ../net.c:402 msgid "Decrease" msgstr "" #: ../net.c:404 msgid "Current" msgstr "" #: ../net.c:406 msgid "Increase" msgstr "" #: ../net.c:408 msgid "Alert threshold" msgstr "" #: ../net.c:410 msgid "Discard timeout" msgstr "" #: ../net.c:411 msgid "Minimum count in packet cache" msgstr "" #: ../net.c:413 ../net.c:415 msgid "Top amount of entries in packet cache" msgstr "" #: ../net.c:418 ../net.c:420 msgid "Refresh time" msgstr "" #: ../net.c:442 ../net.c:565 msgid "%Y/%m/%d %H:%M:%S" msgstr "" #: ../net.c:479 ../net.c:595 msgid "drop" msgstr "" #: ../net.c:481 msgid "escalate" msgstr "" #: ../net.c:527 ../net.c:546 ../net.c:552 ../net.c:558 msgid "<td>any</td>" msgstr "" #: ../net.c:540 msgid "<td>(known host)</td>" msgstr "" #: ../net.c:542 msgid "<td>(known net)</td>" msgstr "" #: ../net.c:654 ../net.c:657 #, c-format msgid "Rejected connect from unallowed ip %s port %i" msgstr "" #: ../net.c:668 ../net.c:670 #, c-format msgid "Connect from %s port %i" msgstr "" #: ../net.c:734 msgid "Authorization failed" 
msgstr "" #: ../net.c:737 msgid "Authorization required" msgstr "" #: ../net.c:814 msgid "Bad request" msgstr "" #: ../net.c:819 msgid "Redirect" msgstr "" #: ../net.c:819 msgid "You should be redirected to the <a href=\"/\">root directory</a>" msgstr "" #: ../net.c:831 #, c-format msgid "Requested function: %s" msgstr "" #: ../net.c:834 msgid "Connection closed" msgstr "" #: ../output.c:200 #, c-format msgid " to " msgstr "" #: ../output.c:255 #, c-format msgid " packet" msgstr "" #: ../output.c:257 #, c-format msgid " packets" msgstr "" #: ../output.c:261 #, c-format msgid " (%lu bytes)" msgstr "" #: ../output.c:264 #, c-format msgid " from %s" msgstr "" #: ../output.c:280 ../output.c:293 #, c-format msgid " port %d" msgstr "" #: ../output.c:286 #, c-format msgid " to %s" msgstr "" #: ../output.c:313 #, c-format msgid "<th>start</th>" msgstr "" #: ../output.c:316 #, c-format msgid "<th>end</th>" msgstr "" #: ../output.c:319 #, c-format msgid "<th>interval</th>" msgstr "" #: ../output.c:322 #, c-format msgid "<th>loghost</th>" msgstr "" #: ../output.c:325 #, c-format msgid "<th>chain</th>" msgstr "" #: ../output.c:328 #, c-format msgid "<th>target</th>" msgstr "" #: ../output.c:331 #, c-format msgid "<th>interface</th>" msgstr "" #: ../output.c:334 #, c-format msgid "<th>proto</th>" msgstr "" #: ../output.c:337 #, c-format msgid "<th>bytes</th>" msgstr "" #: ../output.c:340 #, c-format msgid "<th>source</th>" msgstr "" #: ../output.c:342 ../output.c:356 #, c-format msgid "<th>hostname</th>" msgstr "" #: ../output.c:344 #, c-format msgid "<th>whois information</th>" msgstr "" #: ../output.c:348 ../output.c:360 #, c-format msgid "<th>port</th>" msgstr "" #: ../output.c:350 ../output.c:362 #, c-format msgid "<th>service</th>" msgstr "" #: ../output.c:354 #, c-format msgid "<th>destination</th>" msgstr "" #: ../output.c:366 #, c-format msgid "<th>opts</th>" msgstr "" #: ../parser.c:263 #, c-format msgid "Unknown parser: '%c'.\n" msgstr "" #: ../rcfile.c:57 #, c-format 
msgid "Error in configuration file '%s' line %d: not a number\n" msgstr "" #: ../rcfile.c:86 #, c-format msgid "Error in configuration file '%s' line %d, assuming 'true'\n" msgstr "" #: ../rcfile.c:278 #, c-format msgid "Unrecognized option in configuration file '%s' line %d\n" msgstr "" #: ../rcfile.c:299 #, c-format msgid "%s is not a regular file, ignoring.\n" msgstr "" #: ../rcfile.c:307 #, c-format msgid "Opening configuration file '%s'\n" msgstr "" #: ../resolve.c:62 #, c-format msgid "port mismatch: %d != %d\n" msgstr "" #: ../resolve.c:81 ../resolve.c:151 #, c-format msgid "Resolving %s from cache\n" msgstr "" #: ../resolve.c:89 ../resolve.c:112 #, c-format msgid "Resolving %s\n" msgstr "" #: ../resolve.c:95 #, c-format msgid "Wrong host name size\n" msgstr "" #: ../resolve.c:119 #, c-format msgid "%s [forward lookup: %s]" msgstr "" #: ../resolve.c:122 #, c-format msgid "%s [forward lookup failed]" msgstr "" #: ../resolve.c:163 #, c-format msgid "Resolving %s from adns\n" msgstr "" #: ../resolve.c:167 msgid "[inconsistent forward lookup]" msgstr "" #: ../resolve.c:171 #, c-format msgid "[adns status %d]" msgstr "" #: ../resolve.c:189 msgid "DNS cache error" msgstr "" #: ../resolve.c:207 #, c-format msgid "Submitted %s to adns\n" msgstr "" #: ../response.c:56 msgid "One logging ipchains firewall rule defined" msgstr "" #: ../response.c:58 #, c-format msgid "%u logging ipchains firewall rules defined" msgstr "" #: ../response.c:61 msgid "No logging ipchains firewall rules defined, format was requested" msgstr "" #: ../response.c:82 #, c-format msgid "%s is group/world writable" msgstr "" #: ../response.c:168 #, c-format msgid "Deleting packet cache entry (%s)" msgstr "" #: ../response.c:202 #, c-format msgid "Deleting host status entry (%s)" msgstr "" #: ../response.c:276 #, c-format msgid "ALERT: %d attempts from %s" msgstr "" #: ../utils.c:53 #, c-format msgid "" "\n" "Memory allocation error, exiting.\n" msgstr "" #: ../utils.c:68 msgid "Exiting" msgstr "" 
#: ../utils.c:77 msgid "Not executing buffer containing format string" msgstr "" #: ../utils.c:82 #, c-format msgid "Executing '%s'" msgstr "" #: ../utils.c:194 #, c-format msgid "" "fwlogwatch error: mode collision, please check that you didn't specify\n" " several modes on the command line or a second mode is active in the\n" " configuration file.\n" " Please use a separate configuration file for each mode or comment out " "all\n" " entries in the default configuration and use command line parameters.\n" msgstr "" #: ../utils.c:268 #, c-format msgid "IP address error: %s\n" msgstr "" #: ../utils.c:294 #, c-format msgid "Error in CIDR format: %s\n" msgstr "" #: ../utils.c:312 #, c-format msgid "(known host)\n" msgstr "" #: ../utils.c:351 #, c-format msgid "(excluded host)\n" msgstr "" #: ../whois.c:220 #, c-format msgid "Looking up whois info for %s from cache\n" msgstr "" #: ../whois.c:227 #, c-format msgid "Looking up whois info for %s\n" msgstr "" #: ../whois.c:248 #, c-format msgid "lookup failed: %s\n" msgstr "" #: ../main.h:300 msgid "fwlogwatch summary" msgstr "" #: ../main.h:310 msgid "fwlogwatch status" msgstr "" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/fwlogwatch.config��������������������������������������������������������������������0000644�0000764�0000144�00000027170�11454321551�015420� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# $Id: fwlogwatch.config 710 2010-10-10 11:28:41Z bw $ # # Sample fwlogwatch 
configuration file
#
# The values filled in or mentioned in the description are the default values,
# you only need to uncomment an option if you change its value.
# Valid parameters to binary options are on/yes/true and off/no/false.
# Whitespace and comments are ignored anywhere in the file, case does not
# matter.

### Include files ###

# The option 'include_file' can be used to include external configuration
# files.
#
#include_file =

### Global options ###

# Use 'verbose' if you want extra information and log messages.
# Use it twice for even more info. fwlogwatch is quiet by default.
# Command line option: -v[v]
#
#verbose = no
#verbose = no

# Use 'resolve_hosts' if you want IP addresses looked up in the DNS (output
# will be slower). Keep in mind that a reverse lookup contacts the name
# servers responsible for the logged -- possibly hostile -- source address
# and that the returned name is chosen by whoever runs them; fwlogwatch
# cross-checks the name with a forward lookup and marks mismatches.
# 'resolve_services' enables lookup of port numbers in /etc/services.
# Command line options: -n / -N
#
#resolve_hosts = no
#resolve_services = no

# Specify the input file(s) if you don't want to use the default. Use one line
# for each file. Compressed files (gzip) are supported. You can use '-' for
# standard input (stdin). In realtime response mode the daemon needs the
# absolute path to the file.
# Command line option: [file(s)]
#
#input = /var/log/messages

### Evaluation options ###

# You can select which parsers you want to use if you don't want fwlogwatch
# to check for all known log formats. You can choose one or a combination
# of:
#
# i  ipchains
# n  netfilter
# f  ipfilter
# c  Cisco IOS
# p  Cisco PIX/ASA
# e  NetScreen
# l  Elsa Lancom
# s  Snort
#
# Command line option: -P <format>
#
#parser = infcp

# The following six options define which criteria will be considered when
# comparing logged packets. You can turn off the source or destination IP
# address distinction ('src_ip'/'dst_ip') or activate the protocol, source
# and destination port and TCP option distinction
# ('protocol'/'src_port'/'dst_port'/'tcp_opts').
# Command line options: -S / -D / -p / -s / -d / -y
#
#src_ip = on
#dst_ip = on
#protocol = off
#src_port = off
#dst_port = off
#tcp_opts = off

# The following eight options allow you to select and/or exclude certain
# hosts or ports. Rules can be added and combined, source and destination
# hosts and ports are differentiated, specifying networks is possible in
# CIDR format.
# Command line option: -E <format>
#
#exclude_src_host =
#exclude_src_port =
#exclude_dst_host =
#exclude_dst_port =
#include_src_host =
#include_src_port =
#include_dst_host =
#include_dst_port =

# The following four options allow you to include and/or exclude chain and
# branch (target) strings such as "input", "forward", "output" and
# "accept", "deny", "pass", "block", "p", etc. Use one string per line
# without quotes. Including a string causes all others to be excluded.
# Command line option: -E <format>
#
#exclude_chain =
#include_chain =
#exclude_branch =
#include_branch =

### Sorting options ###

# Since the sort algorithm used is stable you can sort several times,
# entries that are equal for the primary criteria will be sorted by the
# next criteria. The sort string can be composed of up to 11 fields of the
# form 'ab' where 'a' is the sort criteria:
#
# c  count
# t  start time
# e  end time
# z  duration
# n  target name
# p  protocol
# b  byte count
# S  source host
# s  source port
# D  destination host
# d  destination port
#
# and 'b' the order:
#
# a  ascending
# d  descending
#
# Sorting is done in the given sequence, so the last option is the primary
# criteria. If you don't use the 'sort_order' option the summary mode
# default 'tacd' will be used (start with the highest count, if two counts
# match list the one earlier in time first), of which 'ta' is built in, so
# if you specify an empty sort string or everything else is equal entries
# will be sorted ascending by time. In realtime response mode the default
# is 'cd'.
#
# Command line option: -O <order>
#
#sort_order =

### Output options ###

# With the option 'title' you can change the title of the summary and the
# status page and the subject of summaries sent by email.
# The default title in summary mode is 'fwlogwatch summary' and in realtime
# response mode it is 'fwlogwatch status'.
#
#title =

# With the option 'stylesheet' you can make fwlogwatch omit the inline CSS
# used to define the page colors and reference an external stylesheet.
# In summary mode the string you specify will be taken as it is and used in a
# link tag, in realtime response mode this only happens if it is an external
# URL and starts with "http", else a local file will be assumed and its
# contents embedded at the corresponding position of the status page.
#
#stylesheet =

# With the following four options you can customize the colors of the HTML
# output (summary and realtime response status page), use the RGB value
# with '#' or directly one of the 16 basic HTML color names (aqua black
# blue fuchsia gray green lime maroon navy olive purple red silver teal
# white yellow).
#
#textcolor = white
#bgcolor = black
#rowcolor1 = #555555
#rowcolor2 = #333333

### Log summary mode ###

# Use 'data_amount' if you want to see the sum of total packet lengths for
# each entry (this obviously only works with log formats that contain this
# information).
# Command line option: -b
#
#data_amount = no

# Use 'start_times' and/or 'end_times' if you want to see the timestamp
# of the first and/or last logged packet of each entry.
# Command line options: -t / -e
#
#start_times = no
#end_times = no

# Use 'duration' if you want to see the time interval between the first and
# the last connection attempt of the current entry.
# Command line option: -z
#
#duration = no

# Use 'html' to enable HTML output.
# Command line option: -w
#
#html = no

# Specify the name of an output file.
# Command line option: -o <file>
#
#output =

# Use 'recent' to ignore events older than a certain time (off by default).
# The default unit is seconds.
# Units: m = minutes, h = hours, d = days, w = weeks, M = months, y = years.
# Command line option: -l <time>
#
#recent =

# Use 'at_least' to hide entries that have a small number of counts (useful
# when analyzing large log files).
# Command line option: -m <count>
#
#at_least = 1

# Use 'maximum' to limit the number of entries shown (e.g. for a "top 20"),
# restricted by the 'at_least' option. Zero shows all entries.
# Command line option: -M <number>
#
#maximum = 0

# Use 'whois_lookup' if you want information about the source IP addresses
# looked up in the whois database (this is slow, please don't stress the
# registry with too many queries).
# Command line option: -W
#
#whois_lookup = no

# Use 'sender' to specify your email address for abuse reports.
# The default is <user>@<hostname>.
# Command line option: -F <email>
#
#sender =

# Use 'recipient' to specify the email address of the abuse contact or CERT
# you want to send reports to. If used in log summary mode the summary will
# be sent to this address by email (in plain text or HTML as selected with
# the -w option and the content of the title option as subject).
# Command line option: -T <email>
#
#recipient =

# You can use 'cc' to send a carbon copy of the report (e.g. to you for
# your archives or a second abuse or CERT contact).
# Command line option: -C <email>
#
#cc =

### Realtime response mode ###

# Use 'realtime_response' to turn this mode on. You can change the
# configuration file while fwlogwatch is running and have it reread it
# by sending the HUP signal.
# Command line option: -R
#
#realtime_response = no

# If 'ipchains_check' is activated (and the ipchains parser is selected),
# fwlogwatch will look for logging ipchains rules in /proc/net/ip_fwchains
# at startup, report how many it found, and refuse to start if there are
# none (without logging rules there would be nothing to watch).
#
#ipchains_check = no

# With the 'pidfile' option you can specify a file fwlogwatch will use to
# keep its PID so it can receive signals from scripts. If not specified it
# will not be created.
# Suggested value: /var/run/fwlogwatch.pid
#
#pidfile =

# Use the 'run_as' option to make fwlogwatch capable of binding a
# privileged port and opening a protected log file as root and then (as
# daemon) change its user and group ID to a non-privileged user (a security
# feature). Please note that reopening a protected log file (e.g. after a
# kill -USR1) will not be possible once privileges are released, and that
# the notification and response scripts are then executed as that
# unprivileged user as well. Also remember that you can use fwlogwatch
# without status web server or with an unprivileged port and with enough
# permissions to read a log file to run it entirely as user, but you will
# not be able to execute response scripts that need root privileges (e.g. to
# modify a firewall).
# Suggested value: nobody
#
#run_as =

# The option 'stateful_start' is enabled by default and causes fwlogwatch
# to read in the full log file at start and remember all entries that are
# within the 'recent' parameter (and notify and/or react to them if
# configured to do so). When disabled, fwlogwatch will jump to the end of
# the log file and start with an empty packet cache.
#
#stateful_start = yes

# Use 'alert_threshold' to define how many connections must happen (within
# the 'recent' time range) to activate an alert/response.
# Command line option: -a <count>
#
#alert_threshold = 5

# Use the option 'recent' as in log summary mode above to control how long
# an event should be relevant. After the specified time it is forgotten and
# if another connection attempt is started it is treated as new. The default
# for 'recent' in realtime response mode is 1 day.
# Command line option: -l
#
#recent =

# An alert is logged to syslog by default, you can add predefined and/or
# custom notification and response functions using the fwlw_notify and
# fwlw_respond scripts that are executed if 'notify' and 'respond'
# respectively are specified here.
# Command line options: -A / -B
#
#notify = no
#respond = no

# Alternative paths for the notification and response scripts can be
# specified with the 'notification_script' and 'response_script' options.
# The scripts run with the privileges fwlogwatch has when an alert fires
# (root unless 'run_as' is set). When started as root fwlogwatch refuses to
# run if a script is group- or world-writable, but it does not check who
# owns the file, so keep both scripts owned by root and in a directory that
# only root can write to.
#
#notification_script = /usr/local/sbin/fwlw_notify
#response_script = /usr/local/sbin/fwlw_respond

# Known hosts are those that will not be warned about or actions taken
# against, even if they match the alert/response criteria.
# Use 'known_host' for your trusted gateways, peers and DNS servers (this
# is an anti-spoofing measure: an attacker who forges packets with the
# address of such a host cannot provoke a response that cuts it off).
# You can specify single IP addresses or networks in CIDR notation
# (e.g. 192.168.1.0/24).
# Command line option: -k <IP/net>
#
#known_host =
#known_host =

# You can see which hosts fwlogwatch knows about and which ones it is
# watching at any time through its web interface. Use the 'server_status'
# option to activate the web server in fwlogwatch, 'bind_to' is the IP
# address of the interface to be bound (defaults to the local host, 0.0.0.0
# means all), 'listen_port' is the port it will listen on. 'listen_to'
# allows you to restrict access to a single IP address. fwlogwatch will want
# to authenticate the user, that's what 'status_user' and 'status_password'
# are for. The password must be a standard Unix DES crypt(3) hash including
# salt (traditional DES crypt only uses the first eight characters of the
# password), you can for example use
#   htpasswd -nb user password
# to generate one (newer htpasswd versions default to other hash formats,
# add -d to force the crypt format). The built-in server speaks plain,
# unencrypted HTTP, so the credentials and the status page cross the
# network in the clear: leave 'bind_to' on the loopback address or restrict
# 'listen_to' unless a TLS-terminating proxy sits in front of it, and
# replace the example user and password hash below before enabling the
# server. Finally, 'refresh' activates automatic reloading of the status
# page, the parameter is the time in seconds.
# Command line option: -X <port>
#
#server_status = no
#bind_to = 127.0.0.1
#listen_port = 888
#listen_to =
#status_user = admin
#status_password = 2fi4nEVVz0IXo
#refresh =

### Show log times mode ###

# Use this mode to display the number of lines and the time of the first and
# last entry in a log file. Unlike the summary mode report this does not show
# the time of the first and last packet log entry but the time of the first
# and last entry overall. No other action is performed.
Compressed files # (gzip) are supported. Use the command line and/or the input option to # specify the files to show. # Command line option: -L # #show_log_times ### EOF ### ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/compare.h����������������������������������������������������������������������������0000644�0000764�0000144�00000000517�11453062534�013661� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: compare.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _COMPARE_H #define _COMPARE_H #include "main.h" struct conn_data *fwlw_pc_mergesort(struct conn_data *list1); void sort_data(unsigned char mode); void build_list(void); int list_stats(void); void show_list(FILE * fd); #endif ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/response.c���������������������������������������������������������������������������0000644�0000764�0000144�00000024215�11453062534�014065� 0����������������������������������������������������������������������������������������������������ustar 
�bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: response.c 706 2010-10-06 12:02:36Z bw $ */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <time.h> #include <errno.h> #include <syslog.h> #include <netinet/in.h> #include <arpa/inet.h> #include <sys/types.h> #include <sys/stat.h> #include "response.h" #include "main.h" #include "utils.h" struct known_hosts *first_host = NULL; extern struct options opt; extern struct conn_data *first; void check_for_ipchains() { char buf[BUFSIZE]; unsigned int found = 0; FILE *fd; int retval; char chain[10], src_dst[36], interface[16]; unsigned int fw_flg, fw_invflg, protocol; char rest[80]; fd = fopen("/proc/net/ip_fwchains", "r"); if (fd == NULL) { syslog(LOG_NOTICE, "fopen /proc/net/ip_fwchains: %s", strerror(errno)); log_exit(EXIT_FAILURE); } while (fgets(buf, BUFSIZE, fd)) { retval = sscanf(buf, "%10s %36s %16s %6X %6X %5u %80s\n", chain, src_dst, interface, &fw_flg, &fw_invflg, &protocol, rest); if (retval == 7) { if (fw_flg & IP_FW_F_PRN) { found++; } } } retval = fclose(fd); if (retval == EOF) { syslog(LOG_NOTICE, "fclose /proc/net/ip_fwchains: %s", strerror(errno)); } if (found > 0) { if (found == 1) { syslog(LOG_NOTICE, _("One logging ipchains firewall rule defined")); } else { syslog(LOG_NOTICE, _("%u logging ipchains firewall rules defined"), found); } } else { syslog(LOG_NOTICE, _("No logging ipchains firewall rules defined, format was requested")); log_exit(EXIT_FAILURE); } } void check_script_perms(char *name) { int retval; struct stat *buf; buf = xmalloc(sizeof(struct stat)); retval = stat(name, buf); if (retval == -1) { syslog(LOG_NOTICE, "stat %s: %s", name, strerror(errno)); free(buf); log_exit(EXIT_FAILURE); } if ((getuid() 
== 0) || (geteuid() == 0)) {
    /* NOTE(review): only the group/world write bits are examined, the
     * owner of the file is not.  A script owned by an unprivileged user
     * passes this check although that user can rewrite it, and the script
     * is later handed to run_command() with root privileges. */
    if ((buf->st_mode & (S_IWGRP | S_IWOTH)) != 0) {
      syslog(LOG_NOTICE, _("%s is group/world writable"), name);
      free(buf);
      log_exit(EXIT_FAILURE);
    }
  }
  free(buf);
}

/*
 * Run the response script with "start" or "stop" appended to its path.
 *
 * action  FW_START or FW_STOP; any other value does nothing.
 *
 * The script path comes from opt.respond_script (configuration file).
 */
void modify_firewall(unsigned char action)
{
  char buf[BUFSIZE];

  if (action == FW_START) {
    snprintf(buf, BUFSIZE, "%s start", opt.respond_script);
    run_command(buf);
  } else if (action == FW_STOP) {
    snprintf(buf, BUFSIZE, "%s stop", opt.respond_script);
    run_command(buf);
  }
}

/*
 * Build and execute the notification or response command for a host
 * status entry.
 *
 * mode       EX_NOTIFY runs opt.notify_script; EX_RESPOND_ADD runs
 *            opt.respond_script followed by "add", every other mode runs
 *            it followed by "remove".
 * this_host  entry whose fields become the positional arguments:
 *            count, source address, destination address, protocol,
 *            source port, destination port.  A field whose distinction is
 *            switched off (opt.dst_ip/proto/src_port/dst_port) is passed
 *            as "-" so the argument positions stay fixed.
 *
 * The only non-numeric values appended are inet_ntoa() strings, so no
 * free-form text from the parsed log reaches the command line.
 *
 * NOTE(review): strncat()'s third argument is the space left in the
 * destination, not its total size.  Passing BUFSIZE to every call lets
 * buf overrun once the configured script path is close to BUFSIZE bytes
 * (an admin-controlled value, so a robustness rather than a remote issue).
 * One snprintf() into buf, or BUFSIZE - strlen(buf) - 1 as the bound,
 * would close that.
 */
void react(unsigned char mode, struct known_hosts *this_host)
{
  char buf[BUFSIZE], buf2[BUFSIZE];

  if (mode == EX_NOTIFY) {
    xstrncpy(buf, opt.notify_script, BUFSIZE);
  } else {
    xstrncpy(buf, opt.respond_script, BUFSIZE);
    if (mode == EX_RESPOND_ADD) {
      strncat(buf, " add", BUFSIZE);
    } else {
      strncat(buf, " remove", BUFSIZE);
    }
  }
  /* count and source address are always present */
  snprintf(buf2, BUFSIZE, " %d %s", this_host->count, inet_ntoa(this_host->shost));
  strncat(buf, buf2, BUFSIZE);
  if (opt.dst_ip) {
    snprintf(buf2, BUFSIZE, " %s", inet_ntoa(this_host->dhost));
    strncat(buf, buf2, BUFSIZE);
  } else {
    strncat(buf, " -", BUFSIZE);
  }
  if (opt.proto) {
    snprintf(buf2, BUFSIZE, " %d", this_host->protocol);
    strncat(buf, buf2, BUFSIZE);
  } else {
    strncat(buf, " -", BUFSIZE);
  }
  if (opt.src_port) {
    snprintf(buf2, BUFSIZE, " %d", this_host->sport);
    strncat(buf, buf2, BUFSIZE);
  } else {
    strncat(buf, " -", BUFSIZE);
  }
  if (opt.dst_port) {
    snprintf(buf2, BUFSIZE, " %d", this_host->dport);
    strncat(buf, buf2, BUFSIZE);
  } else {
    strncat(buf, " -", BUFSIZE);
  }
  run_command(buf);
}

/*
 * Expire entries that are older than opt.recent seconds.
 *
 * mode  bit mask.  RESP_REMOVE_OPC walks the packet cache (first) and
 *       frees every entry whose end_time is at least opt.recent seconds
 *       in the past, including its owned strings.  RESP_REMOVE_OHS walks
 *       the host status list (first_host); for each expired entry the
 *       response script is run with "remove" when OPT_RESPOND is set,
 *       then the entry is freed.  Entries with time == 0 (configured
 *       known hosts) are never removed.
 *
 * Both walks carry prev/is_first so that unlinking the list head and
 * unlinking an interior node are handled separately.
 */
void remove_old(unsigned char mode)
{
  time_t now;
  unsigned char is_first;

  now = time(NULL);

  if (mode & RESP_REMOVE_OPC) {
    struct conn_data *prev, *this;

    prev = this = first;
    is_first = 1;
    while (this != NULL) {
      if ((now - this->end_time) >= opt.recent) {
        if (opt.verbose == 2)
          syslog(LOG_NOTICE, _("Deleting packet cache entry (%s)"), inet_ntoa(this->shost));
        if (is_first == 1) {
          /* head of the list: advance first, is_first stays set */
          prev = this->next;
          free(this->hostname);
          free(this->chainlabel);
          free(this->branchname);
          free(this->interface);
          free(this);
          first = this = prev;
        } else {
          /* interior node: prev->next is the node being removed */
          this = this->next;
          free(prev->next->hostname);
          free(prev->next->chainlabel);
          free(prev->next->branchname);
          free(prev->next->interface);
          free(prev->next);
          prev->next = this;
        }
      } else {
        prev = this;
        this = this->next;
        is_first = 0;
      }
    }
  }

  if (mode & RESP_REMOVE_OHS) {
    struct known_hosts *prev_host, *this_host;

    prev_host = this_host = first_host;
    is_first = 1;
    while (this_host != NULL) {
      /* time == 0 marks a configured known host, which never expires */
      if ((this_host->time != 0) && ((now - this_host->time) >= opt.recent)) {
        if (opt.verbose == 2)
          syslog(LOG_NOTICE, _("Deleting host status entry (%s)"), inet_ntoa(this_host->shost));
        if (opt.response & OPT_RESPOND)
          react(EX_RESPOND_REMOVE, this_host);
        if (is_first == 1) {
          prev_host = this_host->next;
          free(this_host);
          first_host = this_host = prev_host;
        } else {
          this_host = this_host->next;
          free(prev_host->next);
          prev_host->next = this_host;
        }
      } else {
        prev_host = this_host;
        this_host = this_host->next;
        is_first = 0;
      }
    }
  }
}

/*
 * Look up the host status entry that matches a packet cache entry.
 *
 * host  packet cache entry to match.
 *
 * Returns the first entry in first_host whose source address equals
 * host's source masked with the entry's netmask.  A configured known
 * host/net (time == 0) matches on the source alone; an alert entry
 * additionally has to agree on destination address, ports and protocol
 * for every distinction that is switched on in opt.  NULL if nothing
 * matches.
 */
struct known_hosts *is_known(struct conn_data *host)
{
  struct known_hosts *this_host;

  this_host = first_host;
  while (this_host != NULL) {
    if (this_host->shost.s_addr != (host->shost.s_addr & this_host->netmask.s_addr)) {
      goto no_match;
    }
    if (this_host->time == 0)
      return this_host;
    if ((opt.dst_ip) && (this_host->dhost.s_addr != host->dhost.s_addr)) {
      goto no_match;
    }
    if ((opt.dst_port) && (this_host->dport != host->dport)) {
      goto no_match;
    }
    if ((opt.src_port) && (this_host->sport != host->sport)) {
      goto no_match;
    }
    if ((opt.proto) && (this_host->protocol != host->protocol)) {
      goto no_match;
    }
    break;
  no_match:
    this_host = this_host->next;
  }
  return this_host;
}

/*
 * Scan the packet cache for sources that reached opt.threshold attempts.
 *
 * For a source without a host status entry a new one is pushed onto
 * first_host (exact-match netmask, fresh id, timestamp now), an ALERT is
 * logged, and the notify/respond scripts are run according to
 * opt.response.  For a source that already has an entry only the count is
 * added and -- unless it is a configured known host (time == 0) -- the
 * timestamp refreshed, so hits from known hosts are counted but never
 * alerted on.  Only whole multiples of the threshold are credited to the
 * host entry; the remainder stays in the packet cache.  A cache entry
 * whose count drops to zero gets end_time = 1 so that the final
 * remove_old() call frees it right away.
 */
void look_for_alert()
{
  struct conn_data *this;
  unsigned char modified = 0;

  this = first;
  while (this != NULL) {
    if (this->count >= opt.threshold) {
      struct known_hosts *this_host;

      this_host = is_known(this);
      if (this_host == NULL) {
        this_host = xmalloc(sizeof(struct known_hosts));
        this_host->time = time(NULL);
        this_host->count = (this->count / opt.threshold) * opt.threshold;
        this_host->shost = this->shost;
        this_host->netmask.s_addr = 0xFFFFFFFF;
        this_host->protocol = this->protocol;
        this_host->dhost = this->dhost;
        this_host->sport = this->sport;
        this_host->dport = this->dport;
        this_host->id = opt.global_id++;
        this_host->next = first_host;
        first_host = this_host;
        syslog(LOG_NOTICE, _("ALERT: %d attempts from %s"), this_host->count, inet_ntoa(this_host->shost));
        if (opt.response & OPT_NOTIFY)
          react(EX_NOTIFY, this_host);
        if (opt.response & OPT_RESPOND)
          react(EX_RESPOND_ADD, this_host);
      } else {
        this_host->count = this_host->count + ((this->count / opt.threshold) * opt.threshold);
        if (this_host->time != 0)
          this_host->time = time(NULL);
      }
      this->count = (this->count % opt.threshold);
      if (this->count == 0) {
        this->end_time = 1;
        modified = 1;
      }
    }
    this = this->next;
  }
  if (modified)
    remove_old(RESP_REMOVE_OPC);
}

/*
 * Ordering predicate for fwlw_hs_mergesort().
 *
 * op1, op2  host status entries to compare.
 *
 * Returns non-zero when op1 has to be placed after op2 according to
 * opt.sortfield and opt.sortmode (ORDER_ASCENDING or not), zero
 * otherwise.  SORT_END_TIME compares the age (now - time) of the entries.
 */
unsigned char hs_compare(struct known_hosts *op1, struct known_hosts *op2)
{
  unsigned char cond = 0;
  time_t now;

  switch (opt.sortfield) {
  case SORT_COUNT:
    if (opt.sortmode == ORDER_ASCENDING) {
      if (op1->count > op2->count)
        cond++;
    } else {
      if (op1->count < op2->count)
        cond++;
    }
    break;
  case SORT_START_TIME:
    if (opt.sortmode == ORDER_ASCENDING) {
      if (op1->time > op2->time)
        cond++;
    } else {
      if (op1->time < op2->time)
        cond++;
    }
    break;
  case SORT_END_TIME:
    now = time(NULL);
    if (opt.sortmode == ORDER_ASCENDING) {
      if ((now - op1->time) < (now - op2->time))
        cond++;
    } else {
      if ((now - op1->time) > (now - op2->time))
        cond++;
    }
    break;
  case SORT_PROTOCOL:
    if (opt.sortmode == ORDER_ASCENDING) {
      if (op1->protocol > op2->protocol)
        cond++;
    } else {
      if (op1->protocol < op2->protocol)
        cond++;
    }
    break;
  case SORT_SOURCEHOST:
    /* addresses are in network byte order; convert before comparing */
    if (opt.sortmode == ORDER_ASCENDING) {
      if (ntohl(op1->shost.s_addr) > ntohl(op2->shost.s_addr))
        cond++;
    } else {
      if (ntohl(op1->shost.s_addr) < ntohl(op2->shost.s_addr))
        cond++;
    }
    break;
  case SORT_SOURCEPORT:
    if (opt.sortmode == ORDER_ASCENDING) {
      if (op1->sport > op2->sport)
        cond++;
    } else {
      if (op1->sport < op2->sport)
        cond++;
    }
break; case SORT_DESTHOST: if (opt.sortmode == ORDER_ASCENDING) { if (ntohl(op1->dhost.s_addr) > ntohl(op2->dhost.s_addr)) cond++; } else { if (ntohl(op1->dhost.s_addr) < ntohl(op2->dhost.s_addr)) cond++; } break; case SORT_DESTPORT: if (opt.sortmode == ORDER_ASCENDING) { if (op1->dport > op2->dport) cond++; } else { if (op1->dport < op2->dport) cond++; } } return cond; } struct known_hosts *fwlw_hs_mergesort(struct known_hosts *list) { struct known_hosts *p, *q, *e, *tail; int size, merges, psize, qsize, i; switch (opt.sortfield) { case SORT_COUNT: case SORT_START_TIME: case SORT_END_TIME: case SORT_PROTOCOL: case SORT_SOURCEHOST: case SORT_SOURCEPORT: case SORT_DESTHOST: case SORT_DESTPORT: if (list != NULL) { size = 1; while (1) { p = list; list = tail = NULL; merges = 0; while (p != NULL) { merges++; q = p; psize = 0; for (i = 0; i < size; i++) { psize++; q = q->next; if (q == NULL) break; } qsize = size; while (psize > 0 || ((qsize > 0) && (q != NULL))) { if (psize == 0) { e = q; q = q->next; qsize--; } else if (qsize == 0 || (q == NULL)) { e = p; p = p->next; psize--; } else if (hs_compare(p, q) <= 0) { e = p; p = p->next; psize--; } else { e = q; q = q->next; qsize--; } if (tail != NULL) { tail->next = e; } else { list = e; } tail = e; } p = q; } tail->next = NULL; if (merges <= 1) return list; size *= 2; } } else { return NULL; } break; default: return list; } } �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/ipchains.h���������������������������������������������������������������������������0000644�0000764�0000144�00000000314�11453062534�014024� 
0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: ipchains.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _IPCHAINS_H #define _IPCHAINS_H unsigned char flex_ipchains(char *input, int linenum); #endif ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/ipfilter.l���������������������������������������������������������������������������0000644�0000764�0000144�00000024117�11453062534�014057� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: ipfilter.l 706 2010-10-06 12:02:36Z bw $ */ %option prefix="ipf" %option outfile="ipfilter.c" %option noyywrap %{ #define YY_NO_INPUT #include <unistd.h> #include <string.h> #include <ctype.h> #include <netdb.h> #include "main.h" #include "utils.h" extern struct options opt; void ipf_parse_date(char *input); void ipf_parse_data(char *input, unsigned char mode); void ipf_parse_ips(char *input, unsigned char mode); void ipf_parse_proto(char *input); void ipf_parse_flags(char *input); %} MONTH "Jan"|"Feb"|"Mar"|"Apr"|"May"|"Jun"|"Jul"|"Aug"|"Sep"|"Oct"|"Nov"|"Dec" 
STRING [a-zA-Z0-9.,_-]* LOGHOST [0-9.a-zA-Z()_:-]* DIGIT [0-9] NUMBER {DIGIT}+ HEXDIGIT [0-9a-f] OCTET {DIGIT}{1,3} PORT {DIGIT}{1,5} IPFILTER "ipmon["{NUMBER}"]:" FLAGS "-"[SAFRPU]+ PROTO [0-9a-z-]+ TARGET [SpPbBnL] %% {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST} ipf_parse_date(ipftext); {IPFILTER} /* ignore */ "[ID "{NUMBER}" "{STRING}"]" /* ignore */ {DIGIT}{2}":"{DIGIT}{2}":"{DIGIT}{2}"."{DIGIT}{6} /* ignore */ {STRING}[ ]"@"{NUMBER}":"{NUMBER}[ ]{TARGET} ipf_parse_data(ipftext, IPF_OPT_NONE); {NUMBER}"x"[ ]+{STRING}[ ]"@"{NUMBER}":"{NUMBER}[ ]{TARGET} ipf_parse_data(ipftext, IPF_OPT_COUNT); {OCTET}"."{OCTET}"."{OCTET}"."{OCTET} ipf_parse_ips(ipftext, IPF_OPT_SRC); " -> "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET} ipf_parse_ips(ipftext+4, IPF_OPT_DST); {OCTET}"."{OCTET}"."{OCTET}"."{OCTET}","{PORT} ipf_parse_ips(ipftext, IPF_OPT_SRC|IPF_OPT_PORT); " -> "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}","{PORT} ipf_parse_ips(ipftext+4, IPF_OPT_DST|IPF_OPT_PORT); {STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"]" ipf_parse_ips(ipftext, IPF_OPT_SRC|IPF_OPT_RES); " -> "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"]" ipf_parse_ips(ipftext+4, IPF_OPT_DST|IPF_OPT_RES); {STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{PORT} ipf_parse_ips(ipftext, IPF_OPT_SRC|IPF_OPT_RES|IPF_OPT_PORT); " -> "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{PORT} ipf_parse_ips(ipftext+4, IPF_OPT_DST|IPF_OPT_RES|IPF_OPT_PORT); {OCTET}"."{OCTET}"."{OCTET}"."{OCTET}","{STRING} ipf_parse_ips(ipftext, IPF_OPT_SRC|IPF_OPT_RPORT); " -> "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}","{STRING} ipf_parse_ips(ipftext+4, IPF_OPT_DST|IPF_OPT_RPORT); {STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{STRING} ipf_parse_ips(ipftext, IPF_OPT_SRC|IPF_OPT_RES|IPF_OPT_RPORT); " -> "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{STRING} ipf_parse_ips(ipftext+4, IPF_OPT_DST|IPF_OPT_RES|IPF_OPT_RPORT); "PR "{PROTO} ipf_parse_proto(ipftext+3); "len "{NUMBER}[ ][(]?{NUMBER}[)]? 
opt.line->datalen = atoi(ipftext+4); "frag "{NUMBER}"@"{NUMBER} /* ignore */ "icmp "{DIGIT}{1,2}"/"{DIGIT}{1,2} sscanf(ipftext, "icmp %d/%d", &opt.line->sport, &opt.line->dport); opt.parser=opt.parser|IPF_SRC_PORT|IPF_DST_PORT; "icmp echo/0" opt.line->sport = 8; opt.line->dport = 0; opt.parser=opt.parser|IPF_SRC_PORT|IPF_DST_PORT; "icmp echoreply/0" opt.line->sport = 0; opt.line->dport = 0; opt.parser=opt.parser|IPF_SRC_PORT|IPF_DST_PORT; "icmp sourcequench/0" opt.line->sport = 4; opt.line->dport = 0; opt.parser=opt.parser|IPF_SRC_PORT|IPF_DST_PORT; "icmp unreach/host" opt.line->sport = 3; opt.line->dport = 1; opt.parser=opt.parser|IPF_SRC_PORT|IPF_DST_PORT; "icmp unreach/port" opt.line->sport = 3; opt.line->dport = 3; opt.parser=opt.parser|IPF_SRC_PORT|IPF_DST_PORT; "icmp unreach/admin_prohibit" opt.line->sport = 3; opt.line->dport = 10; opt.parser=opt.parser|IPF_SRC_PORT|IPF_DST_PORT; "icmp timxceed/intrans" opt.line->sport = 11; opt.line->dport = 1; opt.parser=opt.parser|IPF_SRC_PORT|IPF_DST_PORT; "for "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}","{PORT}" - "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}","{PORT}" PR "{PROTO}" len "{NUMBER}[ ]{NUMBER} /* ignore */ "for "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}","{STRING}" - "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{STRING}" PR "{PROTO}" len "{NUMBER}[ ]{NUMBER} /* ignore */ "for "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{PORT}" - "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}","{PORT}" PR "{PROTO}" len "{NUMBER}[ ]{NUMBER} /* ignore */ "for "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{PORT}" - "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}","{STRING}" PR "{PROTO}" len "{NUMBER}[ ]{NUMBER} /* ignore */ "for "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"] - "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"] PR "{PROTO}" len "{NUMBER}" ("{NUMBER}")" /* ignore */ "for "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{PORT}" - "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{PORT}" PR "{PROTO}" len 
"{NUMBER}[ ]{NUMBER} /* ignore */ "for "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{PORT}" - "{STRING}"["{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"],"{STRING}" PR "{PROTO}" len "{NUMBER}[ ]{NUMBER} /* ignore */ {FLAGS} ipf_parse_flags(ipftext+1); "K-S" /* ignore */ "K-F" /* ignore */ "IN" /* ignore */ "OUT" /* ignore */ "mbcast" /* ignore */ {NUMBER}[ ]{NUMBER}[ ]{NUMBER}" IN" /* ignore */ ({HEXDIGIT}{HEXDIGIT}[ ]?)+[ ]+[ -~]+ opt.parser=opt.parser|IPF_NO_HIT; [ \t]+ /* ignore whitespace */ [\n] /* ignore */ {STRING} if(opt.verbose) fprintf(stderr, "Unrecognized token: %s\n", ipftext); . if(opt.verbose) fprintf(stderr, "Unrecognized character: %s\n", ipftext); %% void ipf_parse_date(char *input) { int retval, day, hour, minute, second; char smonth[4]; retval = sscanf(input, "%3s %2d %2d:%2d:%2d %32s", smonth, &day, &hour, &minute, &second, opt.line->hostname); if (retval != 6) return; build_time(smonth, day, hour, minute, second); opt.parser = opt.parser | IPF_DATE; } void ipf_parse_data(char *input, unsigned char mode) { int retval; if (mode == IPF_OPT_COUNT) { retval = sscanf(input, "%dx %" SHORTLEN_S "s @%" SHORTLEN_S "s %" SHORTLEN_S "s", &opt.line->count, opt.line->interface, opt.line->chainlabel, opt.line->branchname); if (retval != 4) return; } else { retval = sscanf(input, "%" SHORTLEN_S "s @%" SHORTLEN_S "s %" SHORTLEN_S "s", opt.line->interface, opt.line->chainlabel, opt.line->branchname); if (retval != 3) return; opt.line->count = 1; } opt.parser = opt.parser | IPF_DATA; } void ipf_parse_ips(char *input, unsigned char mode) { int host1, host2, host3, host4, port; int retval; char ip[IPLEN]; if (mode == (IPF_OPT_SRC | IPF_OPT_RES | IPF_OPT_RPORT) || mode == (IPF_OPT_DST | IPF_OPT_RES | IPF_OPT_RPORT)) { char name[255], *ptr, portname[32]; ptr = strchr(input, '['); *ptr = ' '; retval = sscanf(input, "%255s %3d.%3d.%3d.%3d],%32s", name, &host1, &host2, &host3, &host4, portname); if (retval != 6) return; } else if (mode == (IPF_OPT_SRC | IPF_OPT_RES | 
IPF_OPT_PORT) || mode == (IPF_OPT_DST | IPF_OPT_RES | IPF_OPT_PORT)) { char name[255], *ptr; ptr = strchr(input, '['); *ptr = ' '; retval = sscanf(input, "%255s %3d.%3d.%3d.%3d],%5d", name, &host1, &host2, &host3, &host4, &port); if (retval != 6) return; } else if (mode == (IPF_OPT_SRC | IPF_OPT_RES) || mode == (IPF_OPT_DST | IPF_OPT_RES)) { char name[255], *ptr; ptr = strchr(input, '['); *ptr = ' '; retval = sscanf(input, "%255s %3d.%3d.%3d.%3d]", name, &host1, &host2, &host3, &host4); if (retval != 5) return; } else if (mode == (IPF_OPT_SRC | IPF_OPT_RPORT) || mode == (IPF_OPT_DST | IPF_OPT_RPORT)) { char portname[32]; retval = sscanf(input, "%3d.%3d.%3d.%3d,%32s", &host1, &host2, &host3, &host4, portname); if (retval != 5) return; } else if (mode == (IPF_OPT_SRC | IPF_OPT_PORT) || mode == (IPF_OPT_DST | IPF_OPT_PORT)) { retval = sscanf(input, "%3d.%3d.%3d.%3d,%5d", &host1, &host2, &host3, &host4, &port); if (retval != 5) return; } else if (mode == IPF_OPT_SRC || mode == IPF_OPT_DST) { retval = sscanf(input, "%3d.%3d.%3d.%3d", &host1, &host2, &host3, &host4); if (retval != 4) return; } else { return; } snprintf(ip, IPLEN, "%d.%d.%d.%d", host1, host2, host3, host4); if (mode & IPF_OPT_SRC) { if (convert_ip(ip, &opt.line->shost) == IN_ADDR_ERROR) return; opt.parser = opt.parser | IPF_SRC_IP; if (mode & IPF_OPT_PORT) { opt.line->sport = port; opt.parser = opt.parser | IPF_SRC_PORT; } } else { if (convert_ip(ip, &opt.line->dhost) == IN_ADDR_ERROR) return; opt.parser = opt.parser | IPF_DST_IP; if (mode & IPF_OPT_PORT) { opt.line->dport = port; opt.parser = opt.parser | IPF_DST_PORT; } } } void ipf_parse_proto(char *input) { if (isdigit((int) input[0])) { opt.line->protocol = atoi(input); } else { struct protoent *proto; proto = getprotobyname(input); if (proto != NULL) opt.line->protocol = proto->p_proto; } if (opt.line->protocol != 0) { opt.parser = opt.parser | IPF_PROTO; } else { fprintf(stderr, "Unknown protocol (not in /etc/protocols), ignoring: %s\n", input); 
opt.parser = opt.parser | IPF_NO_HIT; } } void ipf_parse_flags(char *input) { while (*input != '\0') { if (*input == 'S') opt.line->flags = opt.line->flags | TCP_SYN; if (*input == 'A') opt.line->flags = opt.line->flags | TCP_ACK; if (*input == 'F') opt.line->flags = opt.line->flags | TCP_FIN; if (*input == 'R') opt.line->flags = opt.line->flags | TCP_RST; if (*input == 'P') opt.line->flags = opt.line->flags | TCP_PSH; if (*input == 'U') opt.line->flags = opt.line->flags | TCP_URG; input++; } } unsigned char flex_ipfilter(char *input, int linenum) { opt.parser = 0; init_line(); ipf_scan_string(input); ipflex(); ipf_delete_buffer(YY_CURRENT_BUFFER); if (opt.parser & IPF_NO_HIT) return PARSE_NO_HIT; if (opt.parser == (IPF_DATE | IPF_DATA | IPF_PROTO | IPF_SRC_IP | IPF_DST_IP | IPF_SRC_PORT | IPF_DST_PORT)) { return PARSE_OK; } else { if (opt.verbose) fprintf(stderr, "ipfilter parse error in line %d, ignoring.\n", linenum); if (opt.verbose == 2) fprintf(stderr, "input was: \"%s\"\n", input); return PARSE_WRONG_FORMAT; } } �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/modes.h������������������������������������������������������������������������������0000644�0000764�0000144�00000000342�11453062534�013336� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/* Copyright (C) 
2000-2010 Boris Wesslowski */ /* $Id: modes.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _MODES_H #define _MODES_H void mode_summary(void); void mode_rt_response(void); void mode_show_log_times(void); #endif ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/contrib/�����������������������������������������������������������������������������0000755�0000764�0000144�00000000000�11454326214�013516� 5����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������fwlogwatch-1.2/contrib/fwlogwatch.php���������������������������������������������������������������0000644�0000764�0000144�00000056743�11453062534�016414� 0����������������������������������������������������������������������������������������������������ustar �bw������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������<? /* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: fwlogwatch.php 706 2010-10-06 12:02:36Z bw $ */ /* This program is a rewrite based on work by Kyle Amon amonk@backwatcher.com BackWatcher, Inc. www.backwatcher.com released under the terms of the GNU General Public License. 
*/ $debug = '0'; $logdir = "/var/log"; $logbase = messages; $fwlogwatch = "/usr/local/sbin/fwlogwatch"; /**********************************************************************/ if (!$view) { $view = "list_files"; } echo "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">\n"; echo "<html>\n"; echo "<head>\n"; echo " <title>fwlogwatch web reporting module\n"; echo "\n"; echo "\n"; $view(); echo "\n"; echo "\n"; function list_files() { global $logdir, $logbase; echo "
#startendintervalloghostchaintargetinterfaceprotobytessourcehostnamewhois informationportservicedestinationhostnameportserviceopts
startend¶}©lendportserviceºÝ¤fªA°ÈstartendStartSlutportservicePorttjänst
\n"; echo "\n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo "\n"; $dirhandle=opendir($logdir); while (false!==($logfile = readdir($dirhandle))) { $abs_logpath = $logdir . "/" . $logfile; if (ereg("^$logbase.*", $logfile)) { if (is_file($abs_logpath)) { $mtime = filemtime($abs_logpath); $stamp = date("D, d M Y H:i:s", $mtime); $size = filesize($abs_logpath); $exp = 1; while($size >= pow(1024, $exp)) { $exp++; } $ext = array(" B", " K", " M", " G", " T"); $summary = round(($size * 100) / pow(1024, ($exp - 1))) / 100; $strsize = sprintf("%.2f%s", $summary, $ext[$exp - 1]); echo "\n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo "\n"; } } } echo "
FileDateSizeActions
$logfile$stamp$strsize\n"; echo " Show / \n"; echo " Report\n"; echo "
\n"; closedir($dirhandle); } function cut($dir_logfile, $start, $end, $total, $amount) { if(!$amount) { $amount = 25; } if($total) { if($start < 1) { $start = 1; $end = $start + $amount; } if($end > $total) { $end = $total; $start = $end - $amount; } } $fd = gzopen($dir_logfile, r); for($i = 0; $i < $start ; $i++) { $line = gzgets($fd, 4096); if(gzeof($fd) || !$line) { return; } } $j = 0; for(; $i < $end; $i++) { $line = gzgets($fd, 4096); if($line && !gzeof($fd)) { $out[$j++] = $line; } else { return $out; } } return $out; } function report() { global $debug, $logdir, $logfile, $HTTP_POST_VARS, $PHP_SELF, $fwlogwatch; extract($HTTP_POST_VARS); echo "
\n"; echo "\n"; echo "\n"; echo " \n"; echo " \n"; echo "\n"; echo "\n"; echo " \n"; echo " \n"; echo "\n"; echo "\n"; echo " \n"; echo "\n"; echo "\n"; echo " \n"; echo "\n"; echo "\n"; echo " \n"; echo "\n"; echo "\n"; echo " \n"; echo "
OptionsSorting
\n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " Description\n"; echo " \n"; echo " On/Off\n"; echo "
\n"; echo " Source address\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Source port\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Destination address\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Destination port\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Protocol\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Start times\n"; echo " \n"; echo " \n"; echo "
\n"; echo " End times\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Time intervals\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Byte counts\n"; echo " \n"; echo " \n"; echo "
\n"; echo " TCP options\n"; echo " \n"; echo " \n"; echo "
\n"; echo " DNS lookups\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Service lookups\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Hide entries with count below:\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Show only this many entries:\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Analyze entries at most this old:\n"; echo " \n"; echo " \n"; echo "
\n"; echo "
\n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " On/Off\n"; echo " \n"; echo " Description\n"; echo " \n"; echo " Up/Down\n"; echo " \n"; echo " Priority\n"; echo "
\n"; echo " \n"; echo " \n"; echo " Source address\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " Source port\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " Destination address\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " Destination port\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " Protocol\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " Start time\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " End time\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " Time interval\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " Byte count\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " Count\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " \n"; echo " \n"; echo " Target name\n"; echo " \n"; echo "  \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo "
Parsers
\n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo " ipchains\n"; echo " \n"; echo " \n"; echo " \n"; echo " NetScreen\n"; echo " \n"; echo " \n"; echo "
\n"; echo " netfilter\n"; echo " \n"; echo " \n"; echo " \n"; echo " Windows XP\n"; echo " \n"; echo " \n"; echo "
\n"; echo " ipfilter\n"; echo " \n"; echo " \n"; echo " \n"; echo " Elsa Lancom\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Cisco IOS\n"; echo " \n"; echo " \n"; echo " \n"; echo " Snort\n"; echo " \n"; echo " \n"; echo "
\n"; echo " Cisco PIX\n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo "
\n"; echo " \n"; echo " \n"; echo " Back to file overview / \n"; echo " View the log directly\n"; echo "
\n"; if(!$report) { $sorting = 'cd'; } else { if ($sourceip) $sourceip = ''; else $sourceip ='S'; if ($destip) $destip = ''; else $destip ='D'; $selectivity = "$sourceip$sourceport$destip$destport$proto$stimes$etimes$intervals$bytes$tcpopts$dns$slookup"; $joined[0] = ($order[0] = $corder).($criterion[0] = $c).($dir[c] = $cdir); $joined[1] = ($order[1] = $torder).($criterion[1] = $t).($dir[t] = $tdir); $joined[2] = ($order[2] = $zorder).($criterion[2] = $z).($dir[z] = $zdir); $joined[3] = ($order[3] = $norder).($criterion[3] = $n).($dir[n] = $ndir); $joined[4] = ($order[4] = $porder).($criterion[4] = $p).($dir[p] = $pdir); $joined[5] = ($order[5] = $border).($criterion[5] = $b).($dir[b] = $bdir); $joined[6] = ($order[6] = $Sorder).($criterion[6] = $S).($dir[S] = $Sdir); $joined[7] = ($order[7] = $sorder).($criterion[7] = $s).($dir[s] = $sdir); $joined[8] = ($order[8] = $Dorder).($criterion[8] = $D).($dir[D] = $Ddir); $joined[9] = ($order[9] = $dorder).($criterion[9] = $d).($dir[d] = $ddir); $joined[10] = ($order[10] = $eorder).($criterion[10] = $e).($dir[e] = $edir); if($debug) { echo "
\n";
      for($count = 0 ; $count < 11 ; $count++) {
        if($d = $criterion[$count]) {
          echo "order = $order[$count]   ";
          echo "criterion = $criterion[$count]   ";
          echo "dir = $dir[$d]   ";
          echo "joined = $joined[$count]\n";
          unset ($d);
        }
      }
      echo "
\n"; } rsort ($joined); reset ($joined); for($count = 0 ; $count < 11 ; $count++) { if(strlen($joined[$count]) == 3) { $cd = substr($joined[$count], 1, 2); $sorting = $sorting . $cd; if($debug) { echo "
\n";
          echo "sorted = $joined[$count]   ";
          echo "cd = $cd   ";
          echo "sorting = $sorting\n";
          echo "
\n"; } } } } if(is_numeric($hide)) { $hide = "-m $hide"; } if(is_numeric($top)) { $top = "-M $top"; } if($old) { $old = "-l $old"; } $parserstr = "$parsei$parsen$parsef$parsec$parsep$parsee$parsew$parsel$parses"; if($parserstr) { $parser = "-P $parserstr"; } $args = "-w$selectivity -O $sorting $hide $top $old $parser $logdir/$logfile"; $report = `$fwlogwatch $args 2>&1`; if(!$debug) { $report = ereg_replace("", "", "$report"); $report = ereg_replace(".*", "", "$report"); } echo "\n$report\n"; echo "
\n"; echo "
\n"; } function show() { global $logdir, $logfile, $HTTP_POST_VARS, $PHP_SELF; extract($HTTP_POST_VARS); $dir_logfile = $logdir . "/" . $logfile; if(!$amount) { $amount = 25; } if(!($end)) { $fd = gzopen($dir_logfile, r); for($i = 0; !gzeof($fd); $i++) { $lines[] = gzgets($fd, 4096); } $end = count($lines); $end = $end - 1; $total = $end; } if($cmd == "Prev") { $end = $end - $amount; $start = $end - $amount; $log = cut($dir_logfile, $start, $end, $total, $amount); } elseif($cmd == "Next") { $start = $end; $end = $end + $amount; $log = cut($dir_logfile, $start, $end, $total, $amount); } elseif($cmd == "Jump") { $end = $start + $amount; $log = cut($dir_logfile, $start, $end, $total, $amount); } else { $start = $end - $amount; $log = cut($dir_logfile, $start, $end, $total, $amount); } if($total) { if($start < 1) { $start = 1; $end = $start + $amount; } if($end > $total) { $end = $total; $start = $end - $amount; } } echo "
\n"; echo "\n"; echo "\n"; if($start > 1) { echo " \n"; } echo " \n"; echo " \n"; echo " \n"; echo " \n"; if($total > $end) { echo " \n"; } echo "\n"; echo "
\n"; echo " \n"; echo " \n"; echo " Display lines:\n"; echo " \n"; echo " \n"; echo " Lines $start to $end of $total\n"; echo " \n"; echo " Back / \n"; echo " Report\n"; echo " \n"; echo " Jump to line:\n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo " \n"; echo "
\n"; echo "
\n"; echo "
\n";
  for($i = 0; $i < count($log); $i++) {
    echo $log[$i];
  }
  echo "
\n"; } ?> fwlogwatch-1.2/contrib/pix-names.sh0000755000076400001440000000033511147014514015753 0ustar bwusers#!/bin/sh if [ -z "$1" ] then echo "usage: $0 " echo "example: $0 /tftpboot/pix-config.txt >> /etc/hosts" exit 1 fi grep "^name " "$1" | awk '{print $2" "$3}' | sort -k2 exit 0 fwlogwatch-1.2/contrib/fwlogwatch.init.suse0000755000076400001440000000316111145340337017531 0ustar bwusers#!/bin/sh # $Id: fwlogwatch.init.suse 684 2009-02-13 18:50:07Z bw $ # # /etc/init.d/fwlogwatch # ### BEGIN INIT INFO # Provides: fwlogwatch # Required-Start: $local_fs $network # X-UnitedLinux-Should-Start: $local_fs $network # Required-Stop: $local_fs $remote_fs $network # X-UnitedLinux-Should-Stop: # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: fwlogwatch analyzer # Description: Firewall log analysis with realtime response ### END INIT INFO # # load the configuration # test -s /etc/rc.status && \ . /etc/rc.status test -s /etc/sysconfig/fwlogwatch && \ . /etc/sysconfig/fwlogwatch FWLOGWATCH_BIN="/usr/sbin/fwlogwatch" test -x $FWLOGWATCH_BIN || exit 5 rc_reset # # The echo return value for success (defined in /etc/rc.status). # return=$rc_done start() { echo -n "Starting fwlogwatch:" #startproc $FWLOGWATCH_BIN -R -A -X 888 -Pn startproc $FWLOGWATCH_BIN -R -A -Pn ret=$? [ "$ret" = 0 ] && touch /var/lock/subsys/fwlogwatch rc_failed $ret rc_status -v } stop() { echo -n "Stopping fwlogwatch:" killproc $FWLOGWATCH_BIN -TERM ret=$? [ "$ret" = 0 ] && rm -f /var/lock/subsys/fwlogwatch rc_status -v } reload() { echo -n "Reloading fwlogwatch:" killproc $FWLOGWATCH_BIN -HUP ret=$? 
rc_status -v } case "$1" in start) start ;; stop) stop ;; restart) stop start ;; reload) reload ;; condrestart) if [ -f /var/lock/subsys/fwlogwatch ] ; then stop sleep 3 start fi ;; status) echo -n "Checking for fwlogwatch: " checkproc $FWLOGWATCH_BIN rc_status -v ;; *) echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}" RETVAL=1 esac rc_exit fwlogwatch-1.2/contrib/fwlogsummary.cgi0000755000076400001440000000513711453062534016750 0ustar bwusers#!/bin/sh # Copyright (C) 2000-2010 Boris Wesslowski # $Id: fwlogsummary.cgi 706 2010-10-06 12:02:36Z bw $ # This script generates 8 fwlogwatch html summaries in a directory visible # to your web server. # The log file to be used can be specified as first parameter, default is # /var/log/messages # With respective permissions it can be run as cgi by the webserver. # You can also invoke this script directly from the command line or from # cron (you might want to remove the header output). echo 'Content-type: text/plain' echo echo -n 'fwlogsummary invoked ' date RECENT="-l 1h" WEBDIR="/var/www/html/fwlogwatch" FWLOGWATCH="/usr/local/sbin/fwlogwatch" if [ ! -d $WEBDIR ] ; then echo "Directory $WEBDIR does not exist!" exit fi if [ ! -f $FWLOGWATCH ] ; then echo "$FWLOGWATCH not found!" exit fi if [ -z $1 ] then MESSAGES="/var/log/messages" else MESSAGES="$1" fi $FWLOGWATCH $MESSAGES $RECENT -w -t -z -S -o $WEBDIR/dst.html $FWLOGWATCH $MESSAGES $RECENT -w -t -z -D -o $WEBDIR/src.html $FWLOGWATCH $MESSAGES $RECENT -w -t -z -o $WEBDIR/src_dst.html $FWLOGWATCH $MESSAGES $RECENT -w -t -z -s -o $WEBDIR/src_dst_sp.html $FWLOGWATCH $MESSAGES $RECENT -w -t -z -d -o $WEBDIR/src_dst_dp.html $FWLOGWATCH $MESSAGES $RECENT -w -t -z -s -d -o $WEBDIR/src_dst_sp_dp.html $FWLOGWATCH $MESSAGES $RECENT -w -t -z -s -d -y -o $WEBDIR/src_dst_sp_dp_op.html $FWLOGWATCH $MESSAGES $RECENT -w -t -z -s -d -y -n -o $WEBDIR/all.html cat < $WEBDIR/index.html fwlogwatch

fwlogwatch summaries

regenerate summaries now

Summary by criteria:

Press the back button of your browser to return here.

fwlogwatch © Boris Wesslowski
EOF echo -n "Finished " date # EOF fwlogwatch-1.2/contrib/fwlogwatch.init.redhat0000755000076400001440000000236711145340337020030 0ustar bwusers#!/bin/sh # $Id: fwlogwatch.init.redhat 684 2009-02-13 18:50:07Z bw $ # # Init file for fwlogwatch on redhat linux systems # # chkconfig: 2345 90 10 # description: Firewall log analysis with realtime response # # processname: fwlogwatch # config: /etc/fwlogwatch.config # pidfile: /var/run/fwlogwatch.pid # source function library . /etc/rc.d/init.d/functions RETVAL=0 prog="fwlogwatch" # Some functions to make the below more readable FWLOGWATCH=/usr/local/sbin/fwlogwatch PID_FILE=/var/run/fwlogwatch.pid start() { echo -n $"Starting $prog:" initlog -c "$FWLOGWATCH -R -A -X 888 -Pn" && success || failure RETVAL=$? [ "$RETVAL" = 0 ] && touch /var/lock/subsys/fwlogwatch echo } stop() { echo -n $"Stopping $prog:" killproc $FWLOGWATCH -TERM RETVAL=$? [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/fwlogwatch echo } reload() { echo -n $"Reloading $prog:" killproc $FWLOGWATCH -HUP RETVAL=$? echo } case "$1" in start) start ;; stop) stop ;; restart) stop start ;; reload) reload ;; condrestart) if [ -f /var/lock/subsys/fwlogwatch ] ; then stop sleep 3 start fi ;; status) status $FWLOGWATCH RETVAL=$? ;; *) echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}" RETVAL=1 esac exit $RETVAL fwlogwatch-1.2/contrib/fwlw_notify0000755000076400001440000000241211453062534016013 0ustar bwusers#!/bin/sh # Copyright (C) 2000-2010 Boris Wesslowski # $Id: fwlw_notify 706 2010-10-06 12:02:36Z bw $ # fwlogwatch realtime notification script # You can invoke a custom action through this script when fwlogwatch # issues an alert. A few commented examples are shown below. 
# The available arguments (if activated in the configuration, if not the # fields will contain a '-') are: # $1 count # $2 source IP # $3 destination IP # $4 protocol # $5 source port # $6 destination port ### Use the following lines for email notifications, $EMAIL is the recipient # #EMAIL=root@localhost # #/bin/echo "fwlogwatch ALERT on $HOSTNAME: $1 packet(s) from $2 to $3" | /bin/mail -s "fwlogwatch ALERT: $1 packet(s) from $2" $EMAIL ### Use the following lines for SMB notifications, $SMBHOST is the host the ### alert should appear # #SMBHOST=hostname # #/bin/echo "fwlogwatch ALERT on $HOSTNAME: $1 packet(s) from $2" | /usr/bin/smbclient -M $SMBHOST ### Use the following line to generate a custom log entry # #/usr/bin/logger -p security.alert -t "fwlogwatch ALERT" "$1 packet(s) from $2" ### You may also want to log alerts to a file # #NOW=`date +'%Y-%m-%d-%H-%M-%S'` #/bin/echo "$NOW: $1 packet(s) from $2 to $3" >> /tmp/fwlw.log ### Insert your own ideas here, anything is possible. :-) fwlogwatch-1.2/contrib/fwlogsummary_small.cgi0000755000076400001440000000030311453062534020126 0ustar bwusers#!/bin/sh # Copyright (C) 2000-2010 Boris Wesslowski # $Id: fwlogsummary_small.cgi 706 2010-10-06 12:02:36Z bw $ echo "Content-Type: text/html" echo /usr/local/sbin/fwlogwatch -w -l 1h -z -s -d fwlogwatch-1.2/contrib/fwlw_respond0000755000076400001440000000712011453062534016156 0ustar bwusers#!/bin/sh # Copyright (C) 2000-2010 Boris Wesslowski # $Id: fwlw_respond 706 2010-10-06 12:02:36Z bw $ # fwlogwatch realtime response script # Set the $MODE variable to activate realtime modification of # ipchains or netfilter packet filters. # You may want to add custom commands at the commented spots to modify # tcp wrappers or ipfilter rules or even remote control access lists # on cisco routers... # $TARGET contains the name of the chain that will be used for rules # generated by this script. 
# See fwlw_notify for the contents of the variables passed by fwlogwatch #MODE=iptables IPCHAINS=/sbin/ipchains IPTABLES=/sbin/iptables TARGET=fwlw RETVAL=0 case "$1" in ############################################################################## start) case "$MODE" in ipchains) if $IPCHAINS -n -L $TARGET 2>/dev/null | /bin/grep "Chain $TARGET " >/dev/null then $IPCHAINS -F $TARGET else $IPCHAINS -N $TARGET $IPCHAINS -I input -j $TARGET fi ;; iptables) if $IPTABLES -t filter -n -L $TARGET 2>/dev/null | /bin/grep "Chain $TARGET " >/dev/null then $IPTABLES -F $TARGET else $IPTABLES -N $TARGET $IPTABLES -I INPUT -j $TARGET $IPTABLES -I FORWARD -j $TARGET fi ;; # Insert setup for custom response here *) RETVAL=1 ;; esac ;; ############################################################################## add) if [ -z "$3" ] then exit 1 fi case "$MODE" in ipchains) if $IPCHAINS -n -L $TARGET 2>/dev/null | /bin/grep "Chain $TARGET " >/dev/null then $IPCHAINS -A $TARGET -s $3 -j DENY else $IPCHAINS -N $TARGET $IPCHAINS -I input -j $TARGET $IPCHAINS -A $TARGET -s $3 -j DENY fi ;; iptables) if $IPTABLES -t filter -n -L $TARGET 2>/dev/null | /bin/grep "Chain $TARGET " >/dev/null then $IPTABLES -A $TARGET -s $3 -j DROP else $IPTABLES -N $TARGET $IPTABLES -I INPUT -j $TARGET $IPTABLES -I FORWARD -j $TARGET $IPTABLES -A $TARGET -s $3 -j DROP fi ;; # Insert custom response action here *) RETVAL=1 ;; esac ;; ############################################################################## remove) if [ -z "$3" ] then exit 1 fi case "$MODE" in ipchains) if $IPCHAINS -n -L $TARGET 2>/dev/null | /bin/grep "Chain $TARGET " >/dev/null then $IPCHAINS -D $TARGET -s $3 -j DENY else RETVAL=1 fi ;; iptables) if $IPTABLES -t filter -n -L $TARGET 2>/dev/null | /bin/grep "Chain $TARGET " >/dev/null then $IPTABLES -D $TARGET -s $3 -j DROP else RETVAL=1 fi ;; # Insert custom response action stop here *) RETVAL=1 ;; esac ;; ############################################################################## 
stop) case "$MODE" in ipchains) if $IPCHAINS -n -L $TARGET 2>/dev/null | /bin/grep "Chain $TARGET " >/dev/null then $IPCHAINS -F $TARGET $IPCHAINS -D input -j $TARGET $IPCHAINS -X $TARGET fi ;; iptables) if $IPTABLES -t filter -n -L $TARGET 2>/dev/null | /bin/grep "Chain $TARGET " >/dev/null then $IPTABLES -F $TARGET $IPTABLES -D INPUT -j $TARGET $IPTABLES -D FORWARD -j $TARGET $IPTABLES -X $TARGET fi ;; # Insert cleanup for custom response here *) RETVAL=1 ;; esac ;; ############################################################################## *) echo "Usage: $0 {start|add|remove|stop} [count src_ip dst_ip protocol src_port dst_port]" ;; ############################################################################## esac exit $RETVAL # EOF fwlogwatch-1.2/utils.c0000644000076400001440000002435211453062534013371 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: utils.c 706 2010-10-06 12:02:36Z bw $ */ #include #include #include #include #include #include #include #include #include #include #include #include "main.h" struct input_file *first_file = NULL; extern struct options opt; extern struct conn_data *first; extern struct dns_cache *dns_first; extern struct known_hosts *first_host; extern struct whois_entry *whois_first; extern struct parser_options *excluded_first; /* * xstrncpy() - similar to strncpy(3) but always terminates string * with '\0' (if n > 0 and dest != NULL), doesn't do padding. 
*/ char *xstrncpy(char *dest, const char *src, size_t n) { char *r = dest; if ((n <= 0) || (dest == NULL)) { return dest; } if (src != NULL) { while ((--n != 0) && (*src != '\0')) { *dest++ = *src++; } } *dest = '\0'; return r; } void *xmalloc(int size) { void *ptr; ptr = malloc(size); if (ptr == NULL) { fprintf(stderr, _("\nMemory allocation error, exiting.\n")); exit(EXIT_FAILURE); } return ptr; } void log_exit(unsigned char returncode) { if (opt.pidfile[0] != '\0') { if (unlink(opt.pidfile) == -1) { if (opt.verbose) syslog(LOG_NOTICE, "unlink %s: %s", opt.pidfile, strerror(errno)); } } syslog(LOG_NOTICE, _("Exiting")); exit(returncode); } void run_command(char *buf) { pid_t pid; if (strstr(buf, "%") != NULL) { syslog(LOG_NOTICE, _("Not executing buffer containing format string")); return; } if (opt.verbose == 2) { syslog(LOG_NOTICE, _("Executing '%s'"), buf); } pid = fork(); if (pid == -1) { syslog(LOG_NOTICE, "fork: %s", strerror(errno)); log_exit(EXIT_FAILURE); } if (pid == 0) { execl("/bin/sh", "/bin/sh", "-c", buf, NULL); syslog(LOG_NOTICE, "execl: %s", strerror(errno)); log_exit(EXIT_FAILURE); } wait(NULL); } void free_conn_data() { struct conn_data *this; this = first; while (this != NULL) { first = this; this = this->next; free(first->hostname); free(first->chainlabel); free(first->branchname); free(first->interface); free(first); } first = NULL; } void free_dns_cache() { struct dns_cache *dns_this; dns_this = dns_first; while (dns_this != NULL) { dns_first = dns_this; dns_this = dns_this->next; free(dns_first->fqdn); free(dns_first); } dns_first = NULL; } void free_whois() { struct whois_entry *whois_this; whois_this = whois_first; while (whois_this != NULL) { whois_first = whois_this; whois_this = whois_this->next; free(whois_first->ip_route); free(whois_first->ip_descr); free(whois_first->as_descr); free(whois_first); } whois_first = NULL; } void free_hosts() { struct known_hosts *this_host; this_host = first_host; while (this_host != NULL) { 
first_host = this_host; this_host = this_host->next; free(first_host); } first_host = NULL; } void free_exclude_data() { struct parser_options *excluded_this; excluded_this = excluded_first; while (excluded_this != NULL) { excluded_first = excluded_this; excluded_this = excluded_this->next; if (excluded_first->svalue != NULL) free(excluded_first->svalue); free(excluded_first); } excluded_first = NULL; } void init_line() { opt.line->time = 0; opt.line->hostname[0] = '\0'; opt.line->chainlabel[0] = '\0'; opt.line->branchname[0] = '\0'; opt.line->interface[0] = '\0'; opt.line->protocol = 0; opt.line->datalen = 0; opt.line->shost.s_addr = 0; opt.line->sport = 0; opt.line->dhost.s_addr = 0; opt.line->dport = 0; opt.line->flags = 0; opt.line->count = 0; } void mode_error() { fprintf(stderr, _("fwlogwatch error: mode collision, please check that you didn't specify\n" " several modes on the command line or a second mode is active in the\n" " configuration file.\n" " Please use a separate configuration file for each mode or comment out all\n" " entries in the default configuration and use command line parameters.\n")); exit(EXIT_FAILURE); } void build_time(char *smonth, int day, int hour, int minute, int second) { int month = 0, now, then; struct tm *t; if (opt.mode != REALTIME_RESPONSE) { t = localtime(&opt.now); } else { time_t rr_now; rr_now = time(NULL); t = localtime(&rr_now); } now = (int) mktime(t); if (strncmp(smonth, "Jan", 3) == 0) { month = 0; } else if (strncmp(smonth, "Feb", 3) == 0) { month = 1; } else if (strncmp(smonth, "Mar", 3) == 0) { month = 2; } else if (strncmp(smonth, "Apr", 3) == 0) { month = 3; } else if (strncmp(smonth, "May", 3) == 0) { month = 4; } else if (strncmp(smonth, "Jun", 3) == 0) { month = 5; } else if (strncmp(smonth, "Jul", 3) == 0) { month = 6; } else if (strncmp(smonth, "Aug", 3) == 0) { month = 7; } else if (strncmp(smonth, "Sep", 3) == 0) { month = 8; } else if (strncmp(smonth, "Oct", 3) == 0) { month = 9; } else if 
(strncmp(smonth, "Nov", 3) == 0) { month = 10; } else if (strncmp(smonth, "Dec", 3) == 0) { month = 11; } t->tm_mon = month; t->tm_mday = day; t->tm_hour = hour; t->tm_min = minute; t->tm_sec = second; t->tm_isdst = -1; then = (int) mktime(t); if (then > now) --t->tm_year; opt.line->time = mktime(t); } unsigned char convert_ip(char *ip, struct in_addr *addr) { #ifndef SOLARIS int retval; retval = inet_aton(ip, addr); if (retval == 0) { #else #ifndef INADDR_NONE #define INADDR_NONE -1 #endif addr->s_addr = inet_addr(ip); if (addr->s_addr == INADDR_NONE) { #endif if (opt.verbose) fprintf(stderr, _("IP address error: %s\n"), ip); return IN_ADDR_ERROR; } return IN_ADDR_OK; } unsigned long int parse_cidr(char *input) { char *pnt; int n; unsigned long int netmask[33] = { 0x0, 0x80000000, 0xC0000000, 0xE0000000, 0xF0000000, 0xF8000000, 0xFC000000, 0xFE000000, 0xFF000000, 0xFF800000, 0xFFC00000, 0xFFE00000, 0xFFF00000, 0xFFF80000, 0xFFFC0000, 0xFFFE0000, 0xFFFF0000, 0xFFFF8000, 0xFFFFC000, 0xFFFFE000, 0xFFFFF000, 0xFFFFF800, 0xFFFFFC00, 0xFFFFFE00, 0xFFFFFF00, 0xFFFFFF80, 0xFFFFFFC0, 0xFFFFFFE0, 0xFFFFFFF0, 0xFFFFFFF8, 0xFFFFFFFC, 0xFFFFFFFE, 0xFFFFFFFF }; pnt = strstr(input, "/"); if (pnt != NULL) { n = atoi(pnt + 1); if ((n < 0) || (n > 32)) { fprintf(stderr, _("Error in CIDR format: %s\n"), input); exit(EXIT_FAILURE); } *pnt = '\0'; } else { n = 32; } return ntohl(netmask[n]); } void add_known_host(char *ip) { struct known_hosts *host, *test_host; host = xmalloc(sizeof(struct known_hosts)); host->netmask.s_addr = parse_cidr(ip); if (convert_ip(ip, &host->shost) == IN_ADDR_ERROR) { fprintf(stderr, _("(known host)\n")); free(host); exit(EXIT_FAILURE); } host->shost.s_addr = host->shost.s_addr & host->netmask.s_addr; test_host = first_host; while (test_host != NULL) { if (test_host->shost.s_addr == host->shost.s_addr) { free(host); return; } test_host = test_host->next; } host->time = 0; host->count = 0; host->protocol = 0; host->dhost.s_addr = 0; host->sport = 0; 
host->dport = 0; host->id = opt.global_id++; host->next = first_host; first_host = host; } void add_exclude_hpb(char *input, unsigned char mode) { struct parser_options *excluded_this; struct in_addr ip; excluded_this = xmalloc(sizeof(struct parser_options)); excluded_this->mode = mode; excluded_this->svalue = NULL; if (mode & PARSER_MODE_HOST) { struct parser_options *excluded_test; excluded_this->netmask.s_addr = parse_cidr(input); if (convert_ip(input, &ip) == IN_ADDR_ERROR) { fprintf(stderr, _("(excluded host)\n")); free(excluded_this); exit(EXIT_FAILURE); } excluded_this->value = ip.s_addr & excluded_this->netmask.s_addr; excluded_test = excluded_first; while (excluded_test != NULL) { if (excluded_test->value == excluded_this->value) { free(excluded_this); return; } excluded_test = excluded_test->next; } } else if (mode & PARSER_MODE_PORT) { excluded_this->value = atoi(input); } else if (mode & (PARSER_MODE_CHAIN | PARSER_MODE_BRANCH)) { excluded_this->svalue = xmalloc(strlen(input) + 1); xstrncpy(excluded_this->svalue, input, strlen(input) + 1); } excluded_this->next = excluded_first; excluded_first = excluded_this; } void add_input_file(char *name) { struct input_file *file, *ptr; if (!strncmp(name, "-", FILESIZE)) opt.std_in = 1; if (opt.std_in) { opt.filecount = 0; return; } file = xmalloc(sizeof(struct input_file)); file->name = xmalloc(strlen(name) + 1); file->next = NULL; xstrncpy(file->name, name, strlen(name) + 1); ptr = first_file; if (ptr == NULL) { first_file = file; } else { while (ptr->next != NULL) { ptr = ptr->next; } ptr->next = file; } opt.filecount++; } void free_input_file() { struct input_file *file; file = first_file; while (file != NULL) { free(file->name); first_file = file; file = file->next; free(first_file); } first_file = NULL; } void generate_email_header(FILE * fd) { time_t now; char stime[TIMESIZE]; now = time(NULL); strftime(stime, TIMESIZE, "%Y%m%d-%H%M%S", localtime(&now)); fprintf(fd, "From: %s\n", opt.sender); fprintf(fd, 
"To: %s\n", opt.recipient); if (opt.cc[0] != '\0') fprintf(fd, "Cc: %s\n", opt.cc); fprintf(fd, "Subject: %s\n", opt.title); fprintf(fd, "X-Generator: %s %s (C) %s\n", PACKAGE, VERSION, COPYRIGHT); if (opt.html) { fprintf(fd, "Mime-Version: 1.0\n"); fprintf(fd, "Content-Type: text/html; charset=utf-8\n"); fprintf(fd, "Content-Disposition: inline; filename=\"fwlogwatch_summary-%s.html\"\n", stime); } fprintf(fd, "\n"); } void fdprintf(int fd, char *format, ...) { if (opt.status != FD_ERROR) { char buf[BUFSIZE]; va_list argv; ssize_t retval; va_start(argv, format); vsnprintf(buf, BUFSIZE, format, argv); retval = write(fd, buf, strlen(buf)); va_end(argv); if (retval == -1) { syslog(LOG_NOTICE, "write: %s", strerror(errno)); opt.status = FD_ERROR; return; } fflush(NULL); } } fwlogwatch-1.2/parser.h0000644000076400001440000000037311453062534013527 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: parser.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _PARSER_H #define _PARSER_H unsigned char parse_line(char *input, int linenum); int parse_time(char *input); void select_parsers(void); #endif fwlogwatch-1.2/net.c0000644000076400001440000005765111453062534013027 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: net.c 706 2010-10-06 12:02:36Z bw $ */ #include #include #include #ifndef SOLARIS #include #else #include #include #endif #include #include #include #include #include #include #ifndef __OpenBSD__ #ifndef __FreeBSD__ #ifndef __NetBSD__ #include #endif #endif #endif #ifndef INT_MAX #include #endif #include "utils.h" #include "output.h" #include "response.h" #include "resolve.h" #include "compare.h" extern struct options opt; extern struct conn_data *first; extern struct known_hosts *first_host; void secure_read(int file, char *data_out, int maxlen) { int j = 0, retval; signed char c; bzero(data_out, maxlen); retval = read(file, &c, 1); while ((retval != 0) && !(c == EOF || c == '\n') && (j < (maxlen - 1))) { data_out[j++] = c; retval = 
read(file, &c, 1); } if (j > 0) data_out[--j] = 0; } void prepare_socket() { int retval, x; #ifndef HAVE_IPV6 struct sockaddr_in sa; struct in_addr ina; #else struct sockaddr_in6 sain6; struct in6_addr in6a; char nab[INET6_ADDRSTRLEN]; #endif #ifndef HAVE_IPV6 opt.sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); #else opt.sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP); #endif if (opt.sock == -1) { syslog(LOG_NOTICE, "socket: %s", strerror(errno)); log_exit(EXIT_FAILURE); } retval = setsockopt(opt.sock, SOL_SOCKET, SO_REUSEADDR, (void *) &x, sizeof(x)); if (retval == -1) { syslog(LOG_NOTICE, "setsockopt: %s", strerror(errno)); log_exit(EXIT_FAILURE); } #ifndef HAVE_IPV6 ina.s_addr = inet_addr(opt.listenif); if (ina.s_addr == -1) { syslog(LOG_NOTICE, "inet_addr: Bad address %s", opt.listenif); log_exit(EXIT_FAILURE); } bzero(&sa, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_port = htons(opt.listenport); sa.sin_addr = ina; #else retval = inet_pton(AF_INET6, opt.listenif, in6a.s6_addr); if (retval != 1) { char nnb[HOSTLEN]; snprintf(nnb, HOSTLEN, "::ffff:%s", opt.listenif); retval = inet_pton(AF_INET6, nnb, in6a.s6_addr); if (retval != 1) { syslog(LOG_NOTICE, "inet_pton: Bad address %s", opt.listenif); log_exit(EXIT_FAILURE); } } bzero(&sain6, sizeof(sain6)); sain6.sin6_family = AF_INET6; sain6.sin6_port = htons(opt.listenport); sain6.sin6_addr = in6a; #endif #ifndef HAVE_IPV6 retval = bind(opt.sock, (struct sockaddr *) &sa, sizeof(sa)); #else retval = bind(opt.sock, (struct sockaddr *) &sain6, sizeof(sain6)); #endif if (retval == -1) { syslog(LOG_NOTICE, "bind: %s", strerror(errno)); log_exit(EXIT_FAILURE); } retval = listen(opt.sock, 1); if (retval == -1) { syslog(LOG_NOTICE, "listen: %s", strerror(errno)); log_exit(EXIT_FAILURE); } #ifndef HAVE_IPV6 syslog(LOG_NOTICE, _("Listening on %s port %i"), inet_ntoa(sa.sin_addr), ntohs(sa.sin_port)); #else syslog(LOG_NOTICE, _("Listening on %s port %i"), inet_ntop(AF_INET6, &sain6.sin6_addr, nab, INET6_ADDRSTRLEN), 
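ntohs(sain6.sin6_port));
#endif
}

/*
 * RFC 1945 Hypertext Transfer Protocol -- HTTP/1.0
 *   Chapter 11.1. Basic Authentication Scheme
 * RFC 1521 MIME (Multipurpose Internet Mail Extensions) Part One
 *   Chapter 5.2. Base64 Content-Transfer-Encoding
 *
 * decode_base64() - decode input in place.  The decoded text replaces
 * input (it is always shorter than the encoded form); on any error input
 * is left unchanged and a notice is logged.  The input comes straight
 * from a client's Authorization header, so every byte is untrusted.
 *
 * Like the original implementation this is lenient about '=' padding:
 * '=' decodes as 0 wherever it appears, and the first group containing
 * one ends the output.
 */
void decode_base64(char *input)
{
  int i, j = 0, k;
  unsigned char a[4], b[4], o[3], c, dtable[256];
  char buf[80], *pnt;

  pnt = buf;

  /* All 256 byte values must be marked invalid first; an entry left
   * uninitialized here could accept an arbitrary byte as a digit. */
  for (i = 0; i < 256; i++) {
    dtable[i] = 0x80;
  }
  for (i = 'A'; i <= 'Z'; i++) {
    dtable[i] = 0 + (i - 'A');
  }
  for (i = 'a'; i <= 'z'; i++) {
    dtable[i] = 26 + (i - 'a');
  }
  for (i = '0'; i <= '9'; i++) {
    dtable[i] = 52 + (i - '0');
  }
  dtable['+'] = 62;
  dtable['/'] = 63;
  dtable['='] = 0;

  while (1) {
    /* Collect one group of four digits. */
    for (i = 0; i < 4; i++) {
      c = input[j];
      if (c == '\0') {
        if (i > 0) {
          syslog(LOG_NOTICE, _("decode_base64: input string incomplete"));
          return;
        }
        xstrncpy(input, buf, strlen(input));
        return;
      }
      if (dtable[c] & 0x80) {
        syslog(LOG_NOTICE, _("decode_base64: illegal character '%c' in input string"), c);
        return;
      }
      a[i] = c;
      b[i] = dtable[c];
      j++;
    }

    o[0] = (b[0] << 2) | (b[1] >> 4);
    o[1] = (b[1] << 4) | (b[2] >> 2);
    o[2] = (b[2] << 6) | b[3];

    /* Number of output bytes in this group, reduced by '=' padding. */
    i = (a[2] == '=') ? 1 : ((a[3] == '=') ? 2 : 3);

    /* buf is fixed-size and the caller's input length is not known here:
     * never write past it (room for the bytes plus the terminator). */
    if ((size_t) (pnt - buf) + i >= sizeof(buf)) {
      syslog(LOG_NOTICE, _("decode_base64: input string too long"));
      return;
    }
    for (k = 0; k < i; k++) {
      *pnt = o[k];
      pnt++;
    }
    *pnt = '\0';

    if (i < 3) {
      xstrncpy(input, buf, strlen(input));
      return;
    }
  }
}

void put_entry(int conn, char *field, char sort, unsigned char mode)
{
  if ((mode == NO_SORTING) || (sort == 0)) {
    fdprintf(conn, "%s\n", field);
  } else {
    fdprintf(conn, "%s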
< >\n", field, sort, sort); } } void table_header(int conn, unsigned char mode, unsigned char opts) { fdprintf(conn, "\n\n"); put_entry(conn, _("count"), 'c', mode); put_entry(conn, _("added"), 't', mode); if (opt.proto) put_entry(conn, _("proto"), 'p', mode); if ((opts == NET_OPTS_PC) && (opt.datalen)) put_entry(conn, _("bytes"), 'b', mode); put_entry(conn, _("source"), 'S', mode); if (opt.resolve) put_entry(conn, _("hostname"), 0, mode); if (opt.src_port) { put_entry(conn, _("port"), 's', mode); if (opt.sresolve) put_entry(conn, _("service"), 0, mode); } if (opt.dst_ip) { put_entry(conn, _("destination"), 'D', mode); if (opt.resolve) put_entry(conn, _("hostname"), 0, mode); } if (opt.dst_port) { put_entry(conn, _("port"), 'd', mode); if (opt.sresolve) put_entry(conn, _("service"), 0, mode); } if ((opts == NET_OPTS_PC) && (opt.opts)) put_entry(conn, _("opts"), 'z', mode); put_entry(conn, _("time remaining"), 'e', mode); put_entry(conn, _("action"), 0, mode); fdprintf(conn, "\n"); } void make_header_h2(int conn, char *text) { fdprintf(conn, "

%s

\n", text); } void make_link(int conn, char *text, char *url) { fdprintf(conn, "%s", url, text); } void make_gen_table_int(int conn, char *desc, int current) { fdprintf(conn, "\n", desc, current); } void make_gen_table_str(int conn, char *desc, char *current) { fdprintf(conn, "\n", desc, current); } void make_opt_table_start(int conn, char *desc, char *opt) { fdprintf(conn, "\n", opt); } void make_opt_table_int(int conn, char *desc, char *opt, int current) { make_opt_table_start(conn, desc, opt); fdprintf(conn, "%d", current); make_opt_table_end(conn, opt); } void make_opt_table_str(int conn, char *desc, char *opt, char *current) { make_opt_table_start(conn, desc, opt); fdprintf(conn, "%s", current); make_opt_table_end(conn, opt); } void show_navigation(int conn) { fdprintf(conn, "

[ "); if (opt.webpage == 'i') { fdprintf(conn, _("Information")); } else { make_link(conn, _("Information"), "?page=i"); } fdprintf(conn, " | "); if (opt.webpage == 'o') { fdprintf(conn, _("Options")); } else { make_link(conn, _("Options"), "?page=o"); } fdprintf(conn, " | "); if (opt.webpage == 'p') { fdprintf(conn, _("Packet cache")); } else { make_link(conn, _("Packet cache"), "?page=p"); } fdprintf(conn, " | "); if (opt.webpage == 'h') { fdprintf(conn, _("Host status")); } else { make_link(conn, _("Host status"), "?page=h"); } fdprintf(conn, " | "); make_link(conn, _("Reload"), "/"); fdprintf(conn, " ]

\n"); } void http_header(int conn, char *code, unsigned char complete) { fdprintf(conn, "HTTP/1.1 %s\r\n", code); fdprintf(conn, "Server: %s/%s (C) %s\r\n", PACKAGE, VERSION, COPYRIGHT); fdprintf(conn, "Connection: close\r\n"); fdprintf(conn, "Content-Type: text/html; charset=utf-8\r\n"); if (complete == HEADER_COMPLETE) fdprintf(conn, "\r\n"); /* Date: Mon, 07 Jul 2003 21:27:17 GMT Last-Modified: Mon, 07 Jul 2003 21:25:26 GMT Accept-Ranges: bytes Content-Length: 80 */ } void basic_html_body(int conn, char *title, char *header) { fdprintf(conn, "\n\n%s\n\n", title); fdprintf(conn, "\n

%s

\n\n\n", header); } void show_status(int conn, int linenum, int hitnum, int ignored) { char buf[BUFSIZE], nows[TIMESIZE]; struct conn_data *this; struct known_hosts *this_host; unsigned char color = 1; time_t now; int count = 0, max = 0; http_header(conn, "200 OK", HEADER_COMPLETE); output_html_header(conn); show_navigation(conn); now = time(NULL); if (opt.webpage == 'i') { make_header_h2(conn, _("Information")); fdprintf(conn, "
%s:%d
%s:%s
%s:<", desc, opt); } void make_opt_table_end(int conn, char *opt) { fdprintf(conn, ">
\n"); strftime(nows, TIMESIZE, _("%A %B %d %H:%M:%S %Z %Y"), localtime(&opt.now)); make_gen_table_str(conn, _("Daemon start time"), nows); strftime(nows, TIMESIZE, _("%A %B %d %H:%M:%S %Z %Y"), localtime(&now)); make_gen_table_str(conn, _("Current time"), nows); output_timediff(opt.now, now, nows); make_gen_table_str(conn, _("Running time"), nows); snprintf(buf, BUFSIZE, "%s%s%s", _("Log"), (opt.response & OPT_NOTIFY) ? _(", notify") : "", (opt.response & OPT_RESPOND) ? _(", respond") : ""); make_gen_table_str(conn, _("Response mode"), buf); make_gen_table_int(conn, _("Lines seen"), linenum); make_gen_table_int(conn, _("Hits"), hitnum); make_gen_table_int(conn, _("Old/excluded/malformed"), ignored); this = first; while (this != NULL) { this = this->next; count++; } make_gen_table_int(conn, _("Entries in packet cache"), count); this_host = first_host; count = 0; while (this_host != NULL) { this_host = this_host->next; count++; } make_gen_table_int(conn, _("Entries in host status"), count); fdprintf(conn, "
\n"); } if (opt.webpage == 'o') { make_header_h2(conn, _("Options")); fdprintf(conn, "\n\n"); make_opt_table_int(conn, _("Alert threshold"), "alert", opt.threshold); output_timediff(0, opt.recent, nows); make_opt_table_str(conn, _("Discard timeout"), "recent", nows); make_opt_table_int(conn, _("Minimum count in packet cache"), "least", opt.least); if (opt.max > 0) { make_opt_table_int(conn, _("Top amount of entries in packet cache"), "max", opt.max); } else { make_opt_table_str(conn, _("Top amount of entries in packet cache"), "max", "-"); } if (opt.refresh > 0) { make_opt_table_int(conn, _("Refresh time"), "refresh", opt.refresh); } else { make_opt_table_str(conn, _("Refresh time"), "refresh", "-"); } fdprintf(conn, "
"); fdprintf(conn, _("Parameter")); fdprintf(conn, ""); fdprintf(conn, _("Decrease")); fdprintf(conn, ""); fdprintf(conn, _("Current")); fdprintf(conn, ""); fdprintf(conn, _("Increase")); fdprintf(conn, "
\n"); } if (opt.webpage == 'p') { make_header_h2(conn, _("Packet cache")); table_header(conn, SORTING, NET_OPTS_PC); sort_data(SORT_PC); #ifdef HAVE_ADNS if (opt.resolve) adns_preresolve(RES_ADNS_PC); #endif this = first; while ((this != NULL) && ((opt.max == 0) || (max < opt.max)) && (opt.status != FD_ERROR)) { if (this->count >= opt.least) { if (opt.max != 0) max++; strftime(nows, TIMESIZE, _("%Y/%m/%d %H:%M:%S"), localtime(&this->start_time)); fdprintf(conn, "%d%s", color, this->count, nows); if (opt.proto) { fdprintf(conn, "%s", resolve_protocol(this->protocol)); } if (opt.datalen) { fdprintf(conn, "%lu", this->datalen); } fdprintf(conn, "%s", inet_ntoa(this->shost)); if (opt.resolve) { fdprintf(conn, "%s", resolve_hostname(this->shost)); } if (opt.src_port) { fdprintf(conn, "%d", this->sport); if (opt.sresolve) { fdprintf(conn, "%s", resolve_service(this->sport, resolve_protocol(this->protocol))); } } if (opt.dst_ip) { fdprintf(conn, "%s", inet_ntoa(this->dhost)); if (opt.resolve) { fdprintf(conn, "%s", resolve_hostname(this->dhost)); } } if (opt.dst_port) { fdprintf(conn, "%d", this->dport); if (opt.sresolve) { fdprintf(conn, "%s", resolve_service(this->dport, resolve_protocol(this->protocol))); } } if (opt.opts) { output_tcp_opts(this, buf); fdprintf(conn, "%s", buf); } output_timediff(0, opt.recent - (now - this->end_time), nows); fdprintf(conn, "%s", nows); fdprintf(conn, "", this->id); fdprintf(conn, _("drop")); fdprintf(conn, " / ", this->id); fdprintf(conn, _("escalate")); fdprintf(conn, "\n"); if (color == 1) { color = 2; } else { color = 1; } } this = this->next; } fdprintf(conn, "\n"); } if (opt.webpage == 'h') { make_header_h2(conn, _("Host status")); color = 1; table_header(conn, SORTING, NO_NET_OPTS_PC); sort_data(SORT_HS); #ifdef HAVE_ADNS if (opt.resolve) adns_preresolve(RES_ADNS_HS); #endif this_host = first_host; while (this_host != NULL && (opt.status != FD_ERROR)) { fdprintf(conn, "%d", color, this_host->count); if (this_host->time == 0) { 
int mask; unsigned long int netmask[33] = { 0x0, 0x80000000, 0xC0000000, 0xE0000000, 0xF0000000, 0xF8000000, 0xFC000000, 0xFE000000, 0xFF000000, 0xFF800000, 0xFFC00000, 0xFFE00000, 0xFFF00000, 0xFFF80000, 0xFFFC0000, 0xFFFE0000, 0xFFFF0000, 0xFFFF8000, 0xFFFFC000, 0xFFFFE000, 0xFFFFF000, 0xFFFFF800, 0xFFFFFC00, 0xFFFFFE00, 0xFFFFFF00, 0xFFFFFF80, 0xFFFFFFC0, 0xFFFFFFE0, 0xFFFFFFF0, 0xFFFFFFF8, 0xFFFFFFFC, 0xFFFFFFFE, 0xFFFFFFFF }; fdprintf(conn, "-"); if (opt.proto) { fdprintf(conn, _("any")); } for (mask = 0; mask < 32; mask++) { if (ntohl(netmask[mask]) == this_host->netmask.s_addr) break; } if (mask == 32) { fdprintf(conn, "%s", inet_ntoa(this_host->shost)); } else { fdprintf(conn, "%s/%d", inet_ntoa(this_host->shost), mask); } if (opt.resolve) { if (mask == 32) { fdprintf(conn, _("(known host)")); } else { fdprintf(conn, _("(known net)")); } } if (opt.src_port) { fdprintf(conn, _("any")); if (opt.sresolve) { fdprintf(conn, "-"); } } if (opt.dst_ip) { fdprintf(conn, _("any")); if (opt.resolve) { fdprintf(conn, "-"); } } if (opt.dst_port) { fdprintf(conn, _("any")); if (opt.sresolve) { fdprintf(conn, "-"); } } fdprintf(conn, "-\n"); } else { strftime(nows, TIMESIZE, _("%Y/%m/%d %H:%M:%S"), localtime(&this_host->time)); fdprintf(conn, "%s", nows); if (opt.proto) { fdprintf(conn, "%s", resolve_protocol(this_host->protocol)); } fdprintf(conn, "%s", inet_ntoa(this_host->shost)); if (opt.resolve) { fdprintf(conn, "%s", resolve_hostname(this_host->shost)); } if (opt.src_port) { fdprintf(conn, "%d", this_host->sport); if (opt.sresolve) { fdprintf(conn, "%s", resolve_service(this_host->sport, resolve_protocol(this_host->protocol))); } } if (opt.dst_ip) { fdprintf(conn, "%s", inet_ntoa(this_host->dhost)); if (opt.resolve) { fdprintf(conn, "%s", resolve_hostname(this_host->dhost)); } } if (opt.dst_port) { fdprintf(conn, "%d", this_host->dport); if (opt.sresolve) { fdprintf(conn, "%s", resolve_service(this_host->dport, resolve_protocol(this_host->protocol))); } } 
output_timediff(0, opt.recent - (now - this_host->time), nows); fdprintf(conn, "%s", nows); fdprintf(conn, "", this_host->id); fdprintf(conn, _("drop")); fdprintf(conn, "\n", this_host->id); } if (color == 1) { color = 2; } else { color = 1; } this_host = this_host->next; } fdprintf(conn, "\n"); } show_navigation(conn); output_html_footer(conn); } void handshake(int linenum, int hitnum, int ignored) { #ifdef SOLARIS typedef int socklen_t; /* undefined and not unsigned as in linux */ #endif int conn, retval, id = 0; #ifndef IRIX socklen_t socks; #else size_t socks; #endif #ifndef HAVE_IPV6 struct sockaddr_in sac; #else struct sockaddr_in6 sain6; char nab[INET6_ADDRSTRLEN]; #endif char buf[BUFSIZE], password[PASSWORDSIZE], salt[3], *pnt, command[9] = "", option1 = 'm', option2 = 'm'; unsigned char auth = 0; #ifndef HAVE_IPV6 socks = sizeof(struct sockaddr_in); #else socks = sizeof(struct sockaddr_in6); #endif #ifndef HAVE_IPV6 conn = accept(opt.sock, (struct sockaddr *) &sac, &socks); #else conn = accept(opt.sock, (struct sockaddr *) &sain6, &socks); #endif if (conn == -1) { syslog(LOG_NOTICE, "accept: %s", strerror(errno)); return; } opt.status = STATUS_OK; #ifndef HAVE_IPV6 if ((opt.listento[0] != '\0') && (strncmp(opt.listento, inet_ntoa(sac.sin_addr), IPLEN) != 0)) { syslog(LOG_NOTICE, _("Rejected connect from unallowed ip %s port %i"), inet_ntoa(sac.sin_addr), ntohs(sac.sin_port)); #else if ((opt.listento[0] != '\0') && (strncmp(opt.listento, inet_ntop(AF_INET6, &sain6.sin6_addr, nab, INET6_ADDRSTRLEN), IPLEN) != 0)) { syslog(LOG_NOTICE, _("Rejected connect from unallowed ip %s port %i"), inet_ntop(AF_INET6, &sain6.sin6_addr, nab, INET6_ADDRSTRLEN), ntohs(sain6.sin6_port)); #endif retval = close(conn); if (retval == -1) { syslog(LOG_NOTICE, "close: %s", strerror(errno)); } return; } if (opt.verbose) #ifndef HAVE_IPV6 syslog(LOG_NOTICE, _("Connect from %s port %i"), inet_ntoa(sac.sin_addr), ntohs(sac.sin_port)); #else syslog(LOG_NOTICE, _("Connect from %s port 
%i"), inet_ntop(AF_INET6, &sain6.sin6_addr, nab, INET6_ADDRSTRLEN), ntohs(sain6.sin6_port)); #endif secure_read(conn, buf, BUFSIZE); while (!(strncmp(buf, "", BUFSIZE) == 0)) { #ifdef WEB_DEBUG fprintf(stderr, "%3d %s\n", strlen(buf), buf); #endif if ((strlen(buf) == 14) && (strncmp(buf, "GET / HTTP/1.", 13) == 0)) { strcpy(command, "show"); } else if ((strlen(buf) == 21) && (strncmp(buf, "GET /?page=", 11) == 0) && (strchr("ioph", buf[11]) != NULL)) { strcpy(command, "page"); option1 = buf[11]; } else if ((strlen(buf) == 22) && (strncmp(buf, "GET /?sort=", 11) == 0) && (strchr("ctpbSsDdze", buf[11]) != NULL) && (strchr("ad", buf[12]) != NULL)) { strcpy(command, "sort"); option1 = buf[11]; option2 = buf[12]; } else if ((strlen(buf) == 22) && (strncmp(buf, "GET /?least=", 12) == 0) && (strchr("ml", buf[12]) != NULL)) { strcpy(command, "least"); option1 = buf[12]; } else if ((strlen(buf) == 20) && (strncmp(buf, "GET /?max=", 10) == 0) && (strchr("ml", buf[10]) != NULL)) { strcpy(command, "max"); option1 = buf[10]; } else if ((strlen(buf) == 22) && (strncmp(buf, "GET /?alert=", 12) == 0) && (strchr("ml", buf[12]) != NULL)) { strcpy(command, "alert"); option1 = buf[12]; } else if ((strlen(buf) == 24) && (strncmp(buf, "GET /?refresh=", 14) == 0) && (strchr("ml", buf[14]) != NULL)) { strcpy(command, "refresh"); option1 = buf[14]; } else if ((strlen(buf) == 23) && (strncmp(buf, "GET /?recent=", 13) == 0) && (strchr("ml", buf[13]) != NULL)) { strcpy(command, "recent"); option1 = buf[13]; } else if ((strlen(buf) == 32) && (strncmp(buf, "GET /?pcdrop=", 13) == 0)) { id = atoi(buf + 13); if ((id >= 0) && (id < INT_MAX)) strcpy(command, "pcdrop"); } else if ((strlen(buf) == 34) && (strncmp(buf, "GET /?escalate=", 15) == 0)) { id = atoi(buf + 15); if ((id >= 0) && (id < INT_MAX)) strcpy(command, "escalate"); } else if ((strlen(buf) == 32) && (strncmp(buf, "GET /?hsdrop=", 13) == 0)) { id = atoi(buf + 13); if ((id >= 0) && (id < INT_MAX)) strcpy(command, "hsdrop"); } else if 
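(strncmp(buf, "Authorization: Basic ", 21) == 0) {
      size_t ulen = strlen(opt.user);

      xstrncpy(password, buf + 21, PASSWORDSIZE);
      decode_base64(password);
      /* Decoded credentials are "user:password".  Require the full user
       * name followed by the ':' separator; a bare prefix match would let
       * "userX:..." pass as "user" and then skip a byte of the password. */
      if ((strncmp(opt.user, password, ulen) == 0) && (password[ulen] == ':')) {
        salt[0] = opt.password[0];
        salt[1] = opt.password[1];
        salt[2] = '\0';
        pnt = crypt(password + ulen + 1, salt);
        /* crypt() can return NULL (e.g. a salt the libc rejects), and an
         * empty configured hash must never match: strncmp() with length 0
         * would otherwise accept any password.  NOTE(review): the two-byte
         * salt only fits traditional DES hashes; the comparison is also not
         * constant-time -- acceptable for a status page, but worth knowing. */
        if ((pnt != NULL) && (opt.password[0] != '\0')
            && (strncmp(opt.password, pnt, strlen(opt.password)) == 0)) {
          auth = 1;
        }
      }
    }
    secure_read(conn, buf, BUFSIZE);
  }

  /* A client that disconnects mid-reply must not kill the daemon. */
  signal(SIGPIPE, SIG_IGN);

  if (auth == 0) {
    if (opt.verbose)
      syslog(LOG_NOTICE, _("Authorization failed"));
    http_header(conn, "401 Authorization Required", HEADER_CONTINUES);
    fdprintf(conn, "WWW-Authenticate: Basic realm=\"fwlogwatch\"\r\n\r\n");
    basic_html_body(conn, _("Authorization required"), _("Authorization required"));
  } else {
    /* Only authenticated requests reach the state-changing commands below;
     * 'command' was set solely from the fixed-length request forms matched
     * above, so option1/option2 are already restricted to known letters. */
    if (strncmp(command, "show", 4) == 0) {
      show_status(conn, linenum, hitnum, ignored);
    } else if (strncmp(command, "page", 4) == 0) {
      opt.webpage = option1;
    } else if (strncmp(command, "sort", 4) == 0) {
      snprintf(opt.sort_order, MAXSORTSIZE, "%c%c", option1, option2);
    } else if (strncmp(command, "least", 5) == 0) {
      if ((option1 == 'l') && (opt.least > 1)) {
        opt.least--;
      } else if (option1 == 'm') {
        opt.least++;
      }
    } else if (strncmp(command, "max", 3) == 0) {
      /* Step in tens, snapping to the nearest multiple first. */
      opt.max -= opt.max % 10;
      if ((option1 == 'l') && (opt.max > 9)) {
        opt.max = opt.max - 10;
      } else if (option1 == 'm') {
        opt.max = opt.max + 10;
      }
    } else if (strncmp(command, "alert", 5) == 0) {
      if ((option1 == 'l') && (opt.threshold > 1)) {
        opt.threshold--;
      } else if (option1 == 'm') {
        opt.threshold++;
      }
      look_for_alert();
    } else if (strncmp(command, "refresh", 7) == 0) {
      /* Step in 15 second units. */
      opt.refresh -= opt.refresh % 15;
      if ((option1 == 'l') && (opt.refresh > 14)) {
        opt.refresh = opt.refresh - 15;
      } else if (option1 == 'm') {
        opt.refresh = opt.refresh + 15;
      }
    } else if (strncmp(command, "recent", 6) == 0) {
      /* Step in 5 minute units, never below 10 minutes. */
      opt.recent -= opt.recent % 300;
      if ((option1 == 'l') && (opt.recent > 600)) {
        opt.recent = opt.recent - 300;
      } else if (option1 == 'm') {
        opt.recent = opt.recent + 300;
      }
    } else if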
(strncmp(command, "pcdrop", 6) == 0) { struct conn_data *this; this = first; while (this != NULL) { if (this->id == id) { this->end_time = 1; remove_old(RESP_REMOVE_OPC); break; } this = this->next; } } else if (strncmp(command, "escalate", 8) == 0) { struct conn_data *this; this = first; while (this != NULL) { if (this->id == id) { this->count += opt.threshold - this->count; look_for_alert(); break; } this = this->next; } } else if (strncmp(command, "hsdrop", 6) == 0) { struct known_hosts *this_host; this_host = first_host; while (this_host != NULL) { if (this_host->id == id) { this_host->time = 1; remove_old(RESP_REMOVE_OHS); break; } this_host = this_host->next; } } else { http_header(conn, "400 Bad request", HEADER_COMPLETE); basic_html_body(conn, _("Bad request"), _("Bad request")); } if ((strncmp(command, "show", 4) != 0) && (command[0] != 0)) { http_header(conn, "302 Found", HEADER_CONTINUES); fdprintf(conn, "Location: /\r\n\r\n"); basic_html_body(conn, _("Redirect"), _("You should be redirected to the root directory")); } } signal(SIGPIPE, SIG_DFL); retval = close(conn); if (retval == -1) { syslog(LOG_NOTICE, "close: %s", strerror(errno)); } if (opt.verbose == 2) syslog(LOG_NOTICE, _("Requested function: %s"), command); if (opt.verbose) syslog(LOG_NOTICE, _("Connection closed")); } fwlogwatch-1.2/ipfilter.h0000644000076400001440000000031411453062534014044 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: ipfilter.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _IPFILTER_H #define _IPFILTER_H unsigned char flex_ipfilter(char *input, int linenum); #endif fwlogwatch-1.2/ipchains.l0000644000076400001440000000746211453062534014043 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: ipchains.l 706 2010-10-06 12:02:36Z bw $ */ %option prefix="ipchains" %option outfile="ipchains.c" %option noyywrap %{ #define YY_NO_INPUT #include #include #include #include "main.h" #include "utils.h" extern struct options opt; void 
ipchains_parse_date(char *input); void ipchains_parse_data(char *input); void ipchains_parse_rdata(char *input); void ipchains_parse_ips(char *input); %} MONTH "Jan"|"Feb"|"Mar"|"Apr"|"May"|"Jun"|"Jul"|"Aug"|"Sep"|"Oct"|"Nov"|"Dec" STRING [a-zA-Z-][a-zA-Z0-9._-]* LOGHOST [0-9.a-zA-Z()_:-]* DIGIT [0-9] NUMBER {DIGIT}+ OCTET {DIGIT}{1,3} PORT {DIGIT}{1,5} HEXDIGIT [0-9a-fA-F] HEXNUM "0x"{HEXDIGIT}+ IPCHAINS " kernel: Packet log: " %% {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST} ipchains_parse_date(ipchainstext); {IPCHAINS} /* ignore */ {STRING}[ ]{STRING}[ ]{STRING}" PROTO="{NUMBER} ipchains_parse_data(ipchainstext); {STRING}" REDIRECT "{NUMBER}[ ]{STRING}" PROTO="{NUMBER} ipchains_parse_rdata(ipchainstext); {OCTET}"."{OCTET}"."{OCTET}"."{OCTET}":"{PORT}" "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}":"{PORT} ipchains_parse_ips(ipchainstext); "L="{NUMBER} opt.line->datalen = atoi(ipchainstext+2); "S="{HEXNUM} /* ignore */ "I="{NUMBER} /* ignore */ "F="{HEXNUM} /* ignore */ "T="{NUMBER} /* ignore */ "O="{HEXNUM} /* ignore */ "SYN" opt.line->flags = TCP_SYN; "(#"{NUMBER}")" /* ignore */ [ ]+ /* ignore whitespace */ [\n] /* ignore */ {STRING} if(opt.verbose) fprintf(stderr, "Unrecognized token: %s\n", ipchainstext); . 
if(opt.verbose) fprintf(stderr, "Unrecognized character: %s\n", ipchainstext); %% void ipchains_parse_date(char *input) { int retval, day, hour, minute, second; char smonth[4]; retval = sscanf(input, "%3s %2d %2d:%2d:%2d %32s", smonth, &day, &hour, &minute, &second, opt.line->hostname); if (retval != 6) return; build_time(smonth, day, hour, minute, second); opt.parser = opt.parser | IPCHAINS_DATE; } void ipchains_parse_data(char *input) { int retval; retval = sscanf(input, "%" SHORTLEN_S "s %" SHORTLEN_S "s %" SHORTLEN_S "s PROTO=%3d", opt.line->chainlabel, opt.line->branchname, opt.line->interface, &opt.line->protocol); if (retval != 4) return; opt.parser = opt.parser | IPCHAINS_DATA; } void ipchains_parse_rdata(char *input) { int retval, port; retval = sscanf(input, "%" SHORTLEN_S "s REDIRECT %5d %" SHORTLEN_S "s PROTO=%3d", opt.line->chainlabel, &port, opt.line->interface, &opt.line->protocol); if (retval != 4) return; snprintf(opt.line->branchname, SHORTLEN, "RD %d", port); opt.parser = opt.parser | IPCHAINS_DATA; } void ipchains_parse_ips(char *input) { int shost1, shost2, shost3, shost4; int dhost1, dhost2, dhost3, dhost4; int retval; char ip[IPLEN]; retval = sscanf(input, "%3d.%3d.%3d.%3d:%5d %3d.%3d.%3d.%3d:%5d", &shost1, &shost2, &shost3, &shost4, &opt.line->sport, &dhost1, &dhost2, &dhost3, &dhost4, &opt.line->dport); if (retval != 10) return; snprintf(ip, IPLEN, "%d.%d.%d.%d", shost1, shost2, shost3, shost4); if (convert_ip(ip, &opt.line->shost) == IN_ADDR_ERROR) return; snprintf(ip, IPLEN, "%d.%d.%d.%d", dhost1, dhost2, dhost3, dhost4); if (convert_ip(ip, &opt.line->dhost) == IN_ADDR_ERROR) return; opt.parser = opt.parser | IPCHAINS_IPS; } unsigned char flex_ipchains(char *input, int linenum) { opt.parser = 0; init_line(); ipchains_scan_string(input); ipchainslex(); ipchains_delete_buffer(YY_CURRENT_BUFFER); opt.line->count = 1; if (opt.parser == (IPCHAINS_DATE | IPCHAINS_DATA | IPCHAINS_IPS)) { return PARSE_OK; } else { if (opt.verbose) fprintf(stderr, 
"ipchains parse error in line %d, ignoring.\n", linenum);
    if (opt.verbose == 2)
      fprintf(stderr, "input was: \"%s\"\n", input);
    return PARSE_WRONG_FORMAT;
  }
}
fwlogwatch-1.2/resolve.c0000644000076400001440000001420011453062534013697 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */
/* $Id: resolve.c 706 2010-10-06 12:02:36Z bw $ */

/*
 * Protocol, service and host name resolution with a private reverse-DNS
 * cache; the adns-based asynchronous variant is selected by HAVE_ADNS.
 * NOTE(review): the system header names on the following #include lines
 * were lost when this listing was extracted -- restore them from the
 * original source before building.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifdef HAVE_ADNS
#include
#include
#endif
#include "resolve.h"
#include "main.h"
#include "utils.h"

/* Head of the singly linked reverse-lookup cache; new entries are prepended. */
struct dns_cache *dns_first = NULL;
extern struct options opt;

#ifdef HAVE_ADNS
extern struct conn_data *first;
extern struct known_hosts *first_host;
adns_state adns;

/* Pending asynchronous PTR queries, newest first. */
struct adns_entry {
  struct in_addr ip;
  adns_query query;
  struct adns_entry *next;
} *adnse_first = NULL;
#endif

/*
 * Return a printable name for IP protocol number proto.
 * A known protocol yields the static name from getprotobynumber(); an
 * unknown one yields the number formatted into a freshly allocated 4-byte
 * buffer (room for 0..255 plus NUL).  NOTE(review): only the numeric
 * fallback is heap-allocated, so callers cannot free the result uniformly
 * -- confirm that this is intended.
 */
char *resolve_protocol(int proto)
{
  struct protoent *protoent;

  protoent = getprotobynumber(proto);
  if (protoent != NULL) {
    return (protoent->p_name);
  } else {
    char *number;

    number = xmalloc(4);
    snprintf(number, 4, "%d", proto);
    return (number);
  }
}

/*
 * Return the service name registered for port (host byte order) and
 * protocol proto, or "-" if none is known.  The port read back from the
 * servent is compared with the requested one; a mismatch is reported on
 * stderr and "-" is returned rather than a misleading name.
 */
char *resolve_service(int port, char *proto)
{
  struct servent *servent;
  int p;

  p = htons(port);
  servent = getservbyport(p, proto);
  if (servent != NULL) {
    p = ntohs(servent->s_port);
    if (p != port) {
      fprintf(stderr, _("port mismatch: %d != %d\n"), p, port);
    } else {
      return (servent->s_name);
    }
  }
  return ("-");
}

#ifndef HAVE_ADNS
/*
 * Synchronous reverse lookup of ip with a forward-confirmation step.
 *
 * The cache is consulted first.  On a miss the PTR name is fetched with
 * gethostbyaddr(); every character outside [A-Za-z0-9.-] is replaced by
 * '_' (presumably because the name is data supplied by a remote DNS server
 * and is later printed in reports), and the name is then resolved forward
 * and compared with ip.  The result -- the plain name, the name annotated
 * with the differing forward address, a "forward lookup failed"
 * annotation, or "-" when there is no PTR record -- is copied into a new
 * cache entry, which owns the returned string.
 *
 * NOTE(review): the forward check is ineffective as written.  On common
 * libc implementations inet_ntoa() returns a pointer to a single static
 * buffer, so both strncmp() arguments point at the same bytes and the
 * comparison always succeeds; the "[forward lookup: %s]" branch is then
 * unreachable.  Compare ip.s_addr with the s_addr of the returned
 * h_addr_list entries instead (ideally every entry, not only the first).
 * NOTE(review): h_length is the address length, not the name length, so
 * the "Wrong host name size" branch truncates h_name at an address-sized
 * offset; its intent is unclear -- confirm before changing.
 * NOTE(review): isalnum() receives a plain char cast to int; where char is
 * signed a byte >= 0x80 makes this undefined -- cast via unsigned char.
 */
char *resolve_hostname(struct in_addr ip)
{
  struct hostent *reverse, *forward;
  struct dns_cache *dns;
  char *pnt, fqdn[HOSTLEN];

  dns = dns_first;
  while (dns != NULL) {
    if (ip.s_addr == dns->ip.s_addr) {
      if (opt.verbose) {
        fprintf(stderr, _("Resolving %s from cache\n"), inet_ntoa(ip));
      }
      return (dns->fqdn);
    }
    dns = dns->next;
  }

  if (opt.verbose)
    fprintf(stderr, _("Resolving %s\n"), inet_ntoa(ip));
  reverse = gethostbyaddr((void *) &ip.s_addr, sizeof(struct in_addr), AF_INET);
  if ((reverse != NULL) && (reverse->h_name != NULL)) {
    if ((unsigned int) reverse->h_length > sizeof(struct in_addr)) {
      fprintf(stderr, _("Wrong host name size\n"));
      reverse->h_length = sizeof(struct in_addr);
      reverse->h_name[reverse->h_length] = '\0';
    }

    /* Replace everything that is not a letter, digit, dot or dash. */
    pnt = reverse->h_name;
    while (*pnt != '\0') {
      if (isalnum((int) *pnt) || *pnt == '.' || *pnt == '-') {
        pnt++;
        continue;
      } else {
        *pnt = '_';
        pnt++;
      }
    }

    /* Forward lookup of the PTR name, meant to confirm it maps back to ip. */
    if (opt.verbose)
      fprintf(stderr, _("Resolving %s\n"), reverse->h_name);
    forward = gethostbyname(reverse->h_name);
    if ((forward != NULL) && (forward->h_addr_list[0]) != NULL) {
      if (strncmp(inet_ntoa(ip), inet_ntoa(*(struct in_addr *) forward->h_addr_list[0]), IPLEN) == 0) {
        xstrncpy(fqdn, reverse->h_name, HOSTLEN);
      } else {
        snprintf(fqdn, HOSTLEN, _("%s [forward lookup: %s]"), reverse->h_name, inet_ntoa(*(struct in_addr *) forward->h_addr_list[0]));
      }
    } else {
      snprintf(fqdn, HOSTLEN, _("%s [forward lookup failed]"), reverse->h_name);
    }
  } else {
    xstrncpy(fqdn, "-", HOSTLEN);
  }

  /* Cache the result (also negative ones) so each address is looked up once. */
  dns = xmalloc(sizeof(struct dns_cache));
  dns->ip.s_addr = ip.s_addr;
  dns->fqdn = xmalloc(strlen(fqdn) + 1);
  xstrncpy(dns->fqdn, fqdn, strlen(fqdn) + 1);
  dns->next = dns_first;
  dns_first = dns;
  return (dns->fqdn);
}
#else
/*
 * Asynchronous variant: answers come from PTR queries submitted earlier by
 * adns_preresolve().  The cache is checked first; otherwise the pending
 * query for ip is waited for and its result cached: the PTR name on
 * adns_s_ok, a marker for an inconsistent forward lookup, "-" for
 * nxdomain, or the raw status code for anything else.  An address that
 * was never submitted, or a failed adns_wait(), yields the static string
 * "DNS cache error".  adns_wait() returns an errno-style value, which is
 * stored in errno so that perror() can report it.
 *
 * NOTE(review): unlike the gethostbyaddr() path, the name copied from
 * *answer->rrs.str is not sanitised to [A-Za-z0-9.-], so the two builds
 * differ in which characters can reach the output.
 * NOTE(review): a consumed adns_entry stays on adnse_first and, as far as
 * this file shows, is never freed.
 */
char *resolve_hostname(struct in_addr ip)
{
  struct dns_cache *dns;
  struct adns_entry *adnse;
  adns_answer *answer;
  char fqdn[HOSTLEN];

  dns = dns_first;
  while (dns != NULL) {
    if (ip.s_addr == dns->ip.s_addr) {
      if (opt.verbose)
        fprintf(stderr, _("Resolving %s from cache\n"), inet_ntoa(ip));
      return (dns->fqdn);
    }
    dns = dns->next;
  }

  adnse = adnse_first;
  while (adnse != NULL) {
    if (adnse->ip.s_addr == ip.s_addr) {
      errno = adns_wait(adns, &adnse->query, &answer, NULL);
      if (!errno) {
        if (opt.verbose)
          fprintf(stderr, _("Resolving %s from adns\n"), inet_ntoa(ip));
        if (answer->status == adns_s_ok) {
          xstrncpy(fqdn, *answer->rrs.str, HOSTLEN);
        } else if (answer->status == adns_s_inconsistent) {
          xstrncpy(fqdn, _("[inconsistent forward lookup]"), HOSTLEN);
        } else if (answer->status == adns_s_nxdomain) {
          xstrncpy(fqdn, "-", HOSTLEN);
        } else {
          snprintf(fqdn, HOSTLEN, _("[adns status %d]"), answer->status);
        }
        free(answer);

        dns = xmalloc(sizeof(struct dns_cache));
        dns->ip.s_addr = ip.s_addr;
        dns->fqdn = xmalloc(strlen(fqdn) + 1);
        xstrncpy(dns->fqdn, fqdn, strlen(fqdn) + 1);
        dns->next = dns_first;
        dns_first = dns;
        return (dns->fqdn);
      } else {
        perror("adns_wait");
        break;
      }
    }
    adnse = adnse->next;
  }
  return _("DNS cache error");
}

/*
 * Allocate a pending-query record for ip, submit the PTR query to adns and
 * push the record onto adnse_first.
 * NOTE(review): the return value of adns_submit_reverse() is ignored; if
 * submission fails, adnse->query is never initialised but the entry is
 * still listed and later handed to adns_wait().
 */
void adns_list_add(struct in_addr ip)
{
  struct sockaddr_in sa;
  struct adns_entry *adnse;

  adnse = xmalloc(sizeof(struct adns_entry));
  adnse->ip.s_addr = ip.s_addr;

  bzero(&sa, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_addr = adnse->ip;
  adns_submit_reverse(adns, (struct sockaddr *) &sa, adns_r_ptr, 0, NULL, &adnse->query);

  adnse->next = adnse_first;
  adnse_first = adnse;
  if (opt.verbose == 2)
    fprintf(stderr, _("Submitted %s to adns\n"), inet_ntoa(adnse->ip));
}

/*
 * Queue a reverse lookup for ip unless it is already cached or already
 * pending.  Both lists are walked linearly.
 */
void adns_check_entry(struct in_addr ip)
{
  struct dns_cache *dns;
  struct adns_entry *adnse;
  unsigned char found = 0;

  dns = dns_first;
  while (dns != NULL) {
    if (ip.s_addr == dns->ip.s_addr) {
      found++;
      break;
    }
    dns = dns->next;
  }

  if (!found) {
    adnse = adnse_first;
    while (adnse != NULL) {
      if (ip.s_addr == adnse->ip.s_addr) {
        found++;
        break;
      }
      adnse = adnse->next;
    }
  }

  if (!found)
    adns_list_add(ip);
}

/*
 * Submit reverse lookups ahead of time so the later waits in
 * resolve_hostname() overlap with other work.  RES_ADNS_PC walks the
 * connection list starting at first, skipping entries with fewer than
 * opt.least hits and stopping after opt.max entries when opt.max is
 * non-zero; RES_ADNS_HS walks the known-hosts list starting at
 * first_host.  Source and destination addresses are queued according to
 * opt.src_ip / opt.dst_ip.
 */
void adns_preresolve(unsigned char mode)
{
  if (mode == RES_ADNS_PC) {
    int max = 0;
    struct conn_data *this;

    this = first;
    while ((this != NULL) && (opt.max == 0 || max < opt.max)) {
      if (this->count >= opt.least) {
        if (opt.src_ip)
          adns_check_entry(this->shost);
        if (opt.dst_ip)
          adns_check_entry(this->dhost);
      }
      if (opt.max != 0)
        max++;
      this = this->next;
    }
  } else if (mode == RES_ADNS_HS) {
    struct known_hosts *this_host;

    this_host = first_host;
    while (this_host != NULL) {
      if (opt.src_ip)
        adns_check_entry(this_host->shost);
      if (opt.dst_ip)
        adns_check_entry(this_host->dhost);
      this_host = this_host->next;
    }
  }
}
#endif
fwlogwatch-1.2/ipfw.h0000644000076400001440000000027411453062534013200 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */
/* $Id: ipfw.h 706 2010-10-06 12:02:36Z bw $ */
#ifndef _IPFW_H
#define _IPFW_H
unsigned char flex_ipfw(char *input, int linenum); #endif fwlogwatch-1.2/COPYING0000644000076400001440000004313107226554246013125 0ustar bwusers GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. 
The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. fwlogwatch-1.2/README0000644000076400001440000002301611454321551012737 0ustar bwusers$Id: README 710 2010-10-10 11:28:41Z bw $ fwlogwatch is a security tool written in C by Boris Wesslowski originally for RUS-CERT. It is a packet filter/firewall/IDS log analyzer with support for a lot of log formats and has many analysis options. It also features realtime response capabilities and an interactive web interface. 
It is available at http://fwlogwatch.inside-security.de/ FEATURES - General features: - Can detect and process log entries in the following formats: - Linux ipchains - Linux netfilter/iptables - Solaris/BSD/Irix/HP-UX ipfilter - BSD ipfw - Cisco IOS - Cisco PIX / FWSM / ASA - NetScreen - Elsa Lancom router - Snort IDS - Entries can be parsed from single, multiple and combined log files, the parsers to be used can be selected. - Gzip-compressed logs are supported transparently. - Can separate recent from old entries and detects timewarps in log files. - Can recognize 'last message repeated' entries concerning the firewall. - Integrated resolver for protocols, services and host names. - Can do lookups in the whois database. - Own DNS and whois information cache and GNU adns support for faster lookups. - Hosts, networks, ports, chains and branches (targets) can be selected or excluded as needed. - Support for internationalization (available in english, german, portuguese, simplified and traditional chinese, swedish and japanese). - Log summary mode: - A lot of options to find and display relevant patterns in connection attempts. - Intelligent selection of certain fields (e.g. the host name column is omitted and the host mentioned in the header of the summary if the log is from a single host, the same happens with chains, targets and interfaces). - Output as plain text or HTML (W3C XHTML 1.1 with inline or linked CSS) with limit and sort options. - Can send summaries by email. - Realtime response mode: - The program detaches and stays in background as a daemon. - For ipchains setups detection of necessary rules with logging turned on can be configured. - Can catch up reading existing entries to provide up-to-date state information from program start on. - Response can be a notification (in form of a log file entry, an email, a remote winpopup message or whatever you can put into a shell script), or a customizable firewall modification. 
- The included response script adds a new chain for fwlogwatch to ipchains or netfilter setups and attackers are blocked with new firewall rules. - Supports trusted hosts (anti-spoofing). - The current status of the program can be followed and controlled through a web interface (supports IPv6). The commented configuration file supports and explains all options and will get you started quickly. Please read the man page for details on the command line options. PARSER NOTES - Cisco PIX/ASA support focuses on denied packets, knows some permitted packet log entries and ignores all other kinds of log entries. It expects log entries as from a syslog host. If your PIX/ASA uses names you can use the script pix-names.sh from the contrib directory to extract them from a saved PIX/ASA configuration and add them to your hosts file; if fwlogwatch is not able to resolve the names it will discard the corresponding log entries. - The ipfilter parser does not support logs with resolved service names and tcp/udp entries without ports. - The Snort parser does not analyze portscan entries. - The NetScreen parser does not recognize packet-filter-unrelated entries and some icmp types which the NetScreen does not seem to recognize itself... INSTALLATION - General The Makefile assumes you use Linux; to compile on Solaris, OpenBSD, FreeBSD or IRIX look for the corresponding lines at the top of the Makefile. fwlogwatch may also be compiled and run on Windows with the help of cygwin or mingw. You may want to have a look at main.h if you want to change some default values. flex is required to build fwlogwatch. Besides that a simple 'make' should be enough to obtain a working binary. If your make (like the one on OpenBSD) thinks flex can only produce files called lex.yy.c, type make several times; after all parsers are generated, linking will work. If you use the realtime response mode you will need to install fwlogwatch with superuser permissions for certain configurations.
If all you need is read access to the system's standard log file (e.g. /var/log/messages) you can use group permissions. You can also bind a nonprivileged port for the status server. 'make install' will install the binary (in /usr/local/sbin) and the man page; 'make install-config' will also install a sample configuration file in /etc. - Zlib/Gettext/IPv6/GNU adns If you define HAVE_ZLIB, HAVE_GETTEXT, HAVE_IPV6 and HAVE_ADNS fwlogwatch will be compiled with zlib, gettext, IPv6 and adns support. The output of fwlogwatch -V will contain an overview of the compiler options used. You will need the zlib compression library version 1.0.9 or newer and its header files to be able to use zlib support. To enable the internationalization support you will need to have the gettext package (sometimes together with its companion tools libtool, GNU m4, autoconf and automake) installed. You need an operating system with an IPv6 stack and headers with IPv6 support to be able to use this protocol. The GNU adns library and header files must be installed to build fwlogwatch with support for faster, asynchronous DNS lookups. - Linux For ipchains you will need at least kernel 2.2.10 (which you should have updated for security reasons anyway); kernel versions before 2.2.10 don't log enough. BASICS (with examples for iptables) - You should use a whitelist (meaning your firewall only allows connections that are explicitly permitted and should be as specific as possible), so create a packet filter with ACCEPT rules for all connections you need.
- Your default policies can be DROP if you want your firewall to block all connections in case all rules are deleted: iptables -P INPUT DROP iptables -P FORWARD DROP Otherwise you should add a DROP rule at the end of all chains: iptables -A INPUT -j DROP iptables -A FORWARD -j DROP - Before those DROP rules (or the end of chains with DROP policy) you should have a LOG rule with some descriptive text like the context and chain name: iptables -A INPUT -j LOG --log-prefix "fw input drop " iptables -A FORWARD -j LOG --log-prefix "fw forward drop " So the last 2 lines in your INPUT, FORWARD and custom chains should be pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fw forward drop ` 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 - If you have a persistent log spammer drop his packets by inserting a DROP rule before the logging rule above (or use the block response mode). CONFIGURATION AND EXAMPLES - You should make a configuration file for each function you want, look at the included sample file, it should be easy to adapt to your needs. - Command line example: (The options are in the order they are mentioned in the text) If you want very verbose generation of a HTML summary in the file 'log.html' of all packet filter entries at most one day old representing at least two connection attempts with output including start and end timestamps, time intervals, resolved IP addresses and service names and with connections separated by protocol, source and destination ports and TCP options using the files that match the expression "messages*.gz" as input you would use the command fwlogwatch -v -v -w -o log.html -l 1d -m 2 -t -e -z -n -N -p -s -d -y messages*.gz - If you want to use fwlogwatch as a CGI, e.g. 
to have a quick look at what happened in the last hour when you get a notification: Copy the file fwlogsummary_small.cgi from the contrib directory to a place where your web server can execute it (fwlogwatch must be reachable and have enough permissions to read the log file). - A script for generation of 8 general summaries (fwlogsummary.cgi) is also included. You can use it as above or if you comment a few lines also on the command line or from cron. It will use the output directory /var/www/html/fwlogwatch as default. Look at the index.html file to select the level of detail you want. - Contrib also contains a web frontend written in PHP (fwlogwatch.php) to apply fwlogwatch to selected files and test different options. Change the header of the script to adapt it to your system (e.g. prefix of the log file names, location of fwlogwatch). - Sample init files (for Red Hat and openSUSE Linux systems) to start fwlogwatch in realtime response mode at system start are also included. - You might want to replace your /etc/services file by the one supplied with nmap (http://www.insecure.org/nmap/), a lot more services will be recognized, you can also add the ICMP types (don't assign one to type 0 since it is the ipchains default). The same applies to /etc/protocols, you can use RFC 1700 (Assigned Numbers) to extend your version. FEEDBACK If you find a bug or have an idea for a new feature please send an email to Boris Wesslowski . 
If you want to report a parser problem or submit unrecognized entries please use the unrecognized entry submission page: http://fwlogwatch.inside-security.de/unrecognized.php fwlogwatch-1.2/cisco_ios.h0000644000076400001440000000032011453062534014175 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: cisco_ios.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _CISCO_IOS_H #define _CISCO_IOS_H unsigned char flex_cisco_ios(char *input, int linenum); #endif fwlogwatch-1.2/snort.h0000644000076400001440000000030011453062534013366 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: snort.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _SNORT_H #define _SNORT_H unsigned char flex_snort(char *input, int linenum); #endif fwlogwatch-1.2/netscreen.l0000644000076400001440000001347311453062534014232 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: netscreen.l 706 2010-10-06 12:02:36Z bw $ */ %option prefix="ns" %option outfile="netscreen.c" %option noyywrap %{ #define YY_NO_INPUT #include #include #include #include "main.h" #include "utils.h" extern struct options opt; void ns_parse_date(char *input); void ns_parse_ip(char *input, unsigned char mode); %} MONTH "Jan"|"Feb"|"Mar"|"Apr"|"May"|"Jun"|"Jul"|"Aug"|"Sep"|"Oct"|"Nov"|"Dec" STRING [a-zA-Z][a-zA-Z0-9._-]* LOGHOST [0-9.a-zA-Z()_:-]* DIGIT [0-9] NUMBER {DIGIT}+ OCTET {DIGIT}{1,3} PORT {DIGIT}{1,5} PARAM [A-Za-z0-9/:-]+(" ("[A-Za-z ]+")")? 
%% {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST} ns_parse_date(nstext); {STRING}": NetScreen" /* ignore */ "device_id="{STRING} /* ignore */ ("["[a-zA-Z0-9 ]*"]")?"system-information-"{NUMBER}":" /* ignore */ ("["[a-zA-Z0-9 ]*"]")?"system-notification-"{NUMBER}("(traffic)")?":" /* ignore */ ("["[a-zA-Z0-9 ]*"]")?"system-warning-"{NUMBER}":" /* ignore */ "start_time=\""{DIGIT}{4}"-"{DIGIT}{2}"-"{DIGIT}{2}[ ]{DIGIT}{2}":"{DIGIT}{2}":"{DIGIT}{2}"\"" /* ignore */ "duration="{NUMBER} /* ignore */ "policy_id="{NUMBER} /* ignore */ "service="({PARAM}|"Network Time"|"VDO Live (tcp)") /* ignore */ "proto="{NUMBER} {opt.line->protocol=atoi(nstext+6); opt.parser=opt.parser|NS_PROTO;} "direction="{STRING} /* ignore */ "src zone="{STRING} /* ignore */ "dst zone="{STRING} /* ignore */ "action="{PARAM} {xstrncpy(opt.line->branchname,nstext+7,SHORTLEN); opt.parser=opt.parser|NS_BN;} "sent="{NUMBER} opt.line->datalen=opt.line->datalen+atoi(nstext+5); "rcvd="{NUMBER} opt.line->datalen=opt.line->datalen+atoi(nstext+5); "src="{OCTET}"."{OCTET}"."{OCTET}"."{OCTET} ns_parse_ip(nstext+4,NETSCREEN_OPT_SRC); "dst="{OCTET}"."{OCTET}"."{OCTET}"."{OCTET} ns_parse_ip(nstext+4,NETSCREEN_OPT_DST); "src_port="{PORT} {opt.line->sport=atoi(nstext+9); opt.parser=opt.parser|NS_SPORT;} "dst_port="{PORT} {opt.line->dport=atoi(nstext+9); opt.parser=opt.parser|NS_DPORT;} "icmp type="{NUMBER} {opt.line->sport=atoi(nstext+10); opt.line->sport=0; opt.parser=opt.parser|NS_SPORT|NS_DPORT;} "translated ip="{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}" port="{PORT} /* ignore */ "src-xlated ip="{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}" port="{PORT} /* ignore */ "IKE<"{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}">" opt.parser=opt.parser|NS_NO_HIT; ": XAuth login expired and was terminated for username <"[A-Za-z0-9@\.]*"> at <"{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}">." 
/* ignore */ ": XAuth login "("failed"|"was aborted")" for gateway <"[A-Za-z0-9 _-]*">, username <"[A-Za-z0-9@\.]*">, retry: "{NUMBER}(", timeout: "{NUMBER})?"." /* ignore */ ">> <"{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"> Phase 1: Initiated negotiations in main mode." /* ignore */ "Phase 1: Aborted negotiations because the time limit has elapsed."(" ("[0-9a-f/]*")")? /* ignore */ "Phase 1: Completed "("Aggressive"|"Main")" mode negotiations with a <"{NUMBER}">-second lifetime." /* ignore */ "Phase 1: Completed for user <"[A-Za-z0-9 _-]*">." /* ignore */ "Phase 1: IKE responder has detected NAT in front of the remote device." /* ignore */ "Phase 1: Responder starts "("AGGRESSIVE"|"MAIN")" mode negotiations." /* ignore */ "Phase 2: Initiated negotiations." /* ignore */ "Phase 2 msg"(" ID"|"-id")" <"[0-9a-f]*">: Completed negotiations with SPI <"[0-9a-f]*">, tunnel ID <"{NUMBER}">, and lifetime <"{NUMBER}"> seconds/<"{NUMBER}"> KB." /* ignore */ "Phase 2 msg"(" ID"|"-id")" <"[0-9a-f]*">: Responded to the"(" peer's")?" first"(" peer")?" message." /* ignore */ ": Received a notification message for ".* /* ignore */ "last message repeated "{NUMBER}" time"("s")? opt.parser=opt.parser|NS_NO_HIT; /* only enters parser when last entry was IKE */ "The system clock has been updated through NTP." opt.parser=opt.parser|NS_NO_HIT; "Admin user "[A-Za-z0-9\"]+" "("has ")?"log"("in attempt"|"ged "[io]"n"|"ged out")" "("for Web(http) management (port 80)"|"via Telnet")" from "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}":"{PORT}(" failed.")? opt.parser=opt.parser|NS_NO_HIT; "Save configuration to IP address "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}" under filename "[A-Za-z0-9@\.]+" by administrator by admin "[A-Za-z0-9]+ opt.parser=opt.parser|NS_NO_HIT; "Lock configuration ended by task "[A-Za-z0-9:-]+ opt.parser=opt.parser|NS_NO_HIT; "("[0-9: -]{19}")" /* ignore */ [ ]+ /* ignore whitespace */ [\n] return 0; {STRING} if(opt.verbose) fprintf(stderr, "Unrecognized token: %s\n", nstext); . 
if(opt.verbose) fprintf(stderr, "Unrecognized character: %s\n", nstext); %% void ns_parse_date(char *input) { int retval, day, hour, minute, second; char smonth[4]; retval = sscanf(input, "%3s %2d %2d:%2d:%2d %32s", smonth, &day, &hour, &minute, &second, opt.line->hostname); if (retval != 6) { return; } build_time(smonth, day, hour, minute, second); opt.parser = opt.parser | NS_DATE; } void ns_parse_ip(char *input, unsigned char mode) { if (mode == NETSCREEN_OPT_SRC) { if (convert_ip(input, &opt.line->shost) == IN_ADDR_ERROR) return; opt.parser = opt.parser | NS_SRC; } else { if (convert_ip(input, &opt.line->dhost) == IN_ADDR_ERROR) return; opt.parser = opt.parser | NS_DST; } } unsigned char flex_netscreen(char *input, int linenum) { opt.parser = 0; init_line(); ns_scan_string(input); nslex(); ns_delete_buffer(YY_CURRENT_BUFFER); xstrncpy(opt.line->chainlabel, "-", SHORTLEN); xstrncpy(opt.line->interface, "-", SHORTLEN); opt.line->count = 1; if (opt.parser & NS_NO_HIT) return PARSE_NO_HIT; if (opt.parser == (NS_DATE | NS_SRC | NS_DST | NS_SPORT | NS_DPORT | NS_BN | NS_PROTO)) { return PARSE_OK; } else { if (opt.verbose) fprintf(stderr, "netscreen parse error in line %d, ignoring.\n", linenum); if (opt.verbose == 2) fprintf(stderr, "input was: \"%s\"\n", input); return PARSE_WRONG_FORMAT; } } fwlogwatch-1.2/modes.c0000644000076400001440000004611311453062534013337 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: modes.c 706 2010-10-06 12:02:36Z bw $ */ #include #include #include #include #include #include #include #include #include #include #include #include #ifdef HAVE_ZLIB #include #endif #ifdef HAVE_ADNS #include #endif #include "parser.h" #include "output.h" #include "compare.h" #include "response.h" #include "utils.h" #include "net.h" #include "whois.h" #include "rcfile.h" #ifdef HAVE_ADNS #include "resolve.h" #endif extern struct options opt; extern struct conn_data *first; extern struct input_file *first_file; #ifdef HAVE_ADNS extern 
adns_state adns; #endif void common_input_loop(int *linenum, int *hitnum, int *errnum, int *oldnum, int *exnum) { char buf[BUFSIZE]; int retval, hit = 0; #ifdef HAVE_ZLIB if ((opt.std_in) || (opt.mode == REALTIME_RESPONSE)) { #endif retval = (fgets(buf, BUFSIZE, opt.inputfd) != NULL); #ifdef HAVE_ZLIB } else { retval = (gzgets(opt.inputfd, buf, BUFSIZE) != Z_NULL); } #endif while (retval) { *linenum += 1; hit = PARSE_NO_HIT; hit = parse_line(buf, *linenum); opt.repeated = 0; switch (hit) { case PARSE_OK: *hitnum += 1; opt.repeated = 1; break; case PARSE_WRONG_FORMAT: *errnum += 1; break; case PARSE_TOO_OLD: *oldnum += 1; break; case PARSE_EXCLUDED: *hitnum += 1; *exnum += 1; } #ifdef HAVE_ZLIB if ((opt.std_in) || (opt.mode == REALTIME_RESPONSE)) { #endif retval = (fgets(buf, BUFSIZE, opt.inputfd) != NULL); #ifdef HAVE_ZLIB } else { retval = (gzgets(opt.inputfd, buf, BUFSIZE) != Z_NULL); } #endif } } void mode_summary() { char nows[TIMESIZE], first_entry[TIMESIZE], last_entry[TIMESIZE], *input = NULL, last_file = 0; FILE *output = NULL; int retval, linenum = 0, hitnum = 0, errnum = 0, old_errnum = 0, oldnum = 0, exnum = 0; time_t now; struct passwd *gen_user; struct input_file *file; opt.line = xmalloc(sizeof(struct log_line)); file = first_file; while (last_file == 0) { if (opt.std_in) { if (opt.verbose) fprintf(stderr, _("Using stdin as input\n")); opt.inputfd = stdin; } else { input = file->name; if (opt.verbose) fprintf(stderr, _("Opening input file '%s'\n"), input); #ifdef HAVE_ZLIB opt.inputfd = gzopen(input, "rb"); #else opt.inputfd = fopen(input, "r"); #endif if (opt.inputfd == NULL) { #ifdef HAVE_ZLIB fprintf(stderr, "gzopen %s: %s\n", input, strerror(errno)); #else fprintf(stderr, "fopen %s: %s\n", input, strerror(errno)); #endif exit(EXIT_FAILURE); } } if (opt.verbose) fprintf(stderr, _("Processing\n")); common_input_loop(&linenum, &hitnum, &errnum, &oldnum, &exnum); if (opt.verbose == 2) fprintf(stderr, "\n"); if (opt.verbose && (errnum > old_errnum)) { 
fprintf(stderr, _("Unrecognized entries or tokens can be submitted at\n")); fprintf(stderr, "http://fwlogwatch.inside-security.de/unrecognized.php\n"); old_errnum = errnum; } if (opt.std_in) { last_file++; } else { if (opt.verbose) fprintf(stderr, _("Closing '%s'\n"), input); #ifndef HAVE_ZLIB retval = fclose(opt.inputfd); if (retval == EOF) { perror("fclose"); #else retval = gzclose(opt.inputfd); if (retval != 0) { if (retval != Z_ERRNO) { fprintf(stderr, "gzclose %s: %s\n", input, gzerror(opt.inputfd, &retval)); } else { perror("gzclose"); } #endif exit(EXIT_FAILURE); } if (file->next != NULL) { file = file->next; } else { last_file++; } } } free(opt.line); if (opt.verbose) fprintf(stderr, _("Sorting data\n")); if (first != NULL) { time_t last_time; struct conn_data *p; opt.sortfield = SORT_END_TIME; opt.sortmode = ORDER_DESCENDING; first = fwlw_pc_mergesort(first); if (opt.verbose == 2) fprintf(stderr, "."); last_time = first->end_time; opt.sortfield = SORT_START_TIME; opt.sortmode = ORDER_ASCENDING; first = fwlw_pc_mergesort(first); if (opt.verbose == 2) fprintf(stderr, "."); strftime(first_entry, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&first->start_time)); p = first; while (p->next != NULL) p = p->next; if (p->start_time > last_time) last_time = p->start_time; strftime(last_entry, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&last_time)); } else { first_entry[0] = '\0'; } sort_data(SORT_PC); if (opt.verbose == 2) fprintf(stderr, "\n"); if (opt.use_out) { if (opt.verbose) fprintf(stderr, _("Opening output file '%s'\n"), opt.outputfile); output = freopen(opt.outputfile, "w", stdout); if (output == NULL) { fprintf(stderr, "freopen %s: %s\n", opt.outputfile, strerror(errno)); exit(EXIT_FAILURE); } } else if (opt.recipient[0] != '\0') { char buf[BUFSIZE]; if (opt.verbose) fprintf(stderr, _("Sending\n")); snprintf(buf, BUFSIZE, "%s -t", P_SENDMAIL); output = popen(buf, "w"); if (output == NULL) { perror("popen"); exit(EXIT_FAILURE); } generate_email_header(output); 
fflush(output); } else { output = stdout; } if (opt.html) { output_html_header(fileno(output)); fprintf(output, "

\n"); } else { fprintf(output, "%s\n", opt.title); } now = time(NULL); strftime(nows, TIMESIZE, _("%A %B %d %H:%M:%S %Z %Y"), localtime(&now)); fprintf(output, _("Generated %s by "), nows); gen_user = getpwuid(getuid()); if (gen_user != NULL) { if (gen_user->pw_gecos[0] != '\0') { fprintf(output, "%s.\n", gen_user->pw_gecos); } else { fprintf(output, "%s.\n", gen_user->pw_name); } } else { fprintf(output, _("an unknown user.\n")); } if (opt.html) fprintf(output, "
\n"); fprintf(output, "%d ", hitnum); if (oldnum > 0) { fprintf(output, _("(and %d older than %d seconds) "), oldnum, opt.recent); } if (errnum > 0) { fprintf(output, _("(and %d malformed) "), errnum); } if (opt.filecount == 1) { fprintf(output, _("of %d entries in the file \"%s\" are packet logs, "), linenum, input); } else if (opt.filecount == 0) { fprintf(output, _("of %d entries in standard input are packet logs, "), linenum); } else { fprintf(output, _("of %d entries in %d input files are packet logs, "), linenum, opt.filecount); } retval = list_stats(); if (retval == 1) { fprintf(output, _("one has unique characteristics.\n")); } else { fprintf(output, _("%d have unique characteristics.\n"), retval); } if (exnum != 0) { if (opt.html) fprintf(output, "
\n"); if (exnum == 1) { fprintf(output, _("One entry was excluded by configuration.\n")); } else { fprintf(output, _("%d entries were excluded by configuration.\n"), exnum); } } if (opt.html) fprintf(output, "
\n"); if (first_entry[0] != '\0') { fprintf(output, _("First packet log entry: %s, last: %s.\n"), first_entry, last_entry); } else { fprintf(output, _("No valid time entries found.\n")); } if (!opt.loghost) { if (opt.html) fprintf(output, "
\n"); fprintf(output, _("All entries were logged by the same host: \"%s\".\n"), opt.hostname); } if (!opt.chains) { if (opt.html) fprintf(output, "
\n"); fprintf(output, _("All entries are from the same chain: \"%s\".\n"), opt.chainlabel); } if (!opt.branches) { if (opt.html) fprintf(output, "
\n"); fprintf(output, _("All entries have the same target: \"%s\".\n"), opt.branchname); } if (!opt.ifs) { if (opt.html) fprintf(output, "
\n"); fprintf(output, _("All entries are from the same interface: \"%s\".\n"), opt.interface); } if (opt.least > 1) { if (opt.html) fprintf(output, "
\n"); fprintf(output, _("Only entries with a count of at least %d are shown.\n"), opt.least); } if (opt.max) { if (opt.html) fprintf(output, "
\n"); fprintf(output, _("Only the top %d entries are shown.\n"), opt.max); } if (opt.html) output_html_table(output); else fprintf(output, "\n"); #ifdef HAVE_ADNS if (opt.resolve) { if (opt.verbose) fprintf(stderr, _("Resolving\n")); retval = adns_init(&adns, adns_if_noenv, 0); if (retval) { perror("adns_init"); exit(EXIT_FAILURE); } adns_preresolve(RES_ADNS_PC); } #endif if (opt.whois_lookup) whois_connect(RADB); show_list(output); fflush(output); if (opt.whois_lookup) whois_close(); #ifdef HAVE_ADNS if (opt.resolve) adns_finish(adns); #endif if (opt.html) { fprintf(output, "\n"); fflush(output); output_html_footer(fileno(output)); } free_conn_data(); free_dns_cache(); free_whois(); free_exclude_data(); free_input_file(); if (opt.use_out) { if (opt.verbose) fprintf(stderr, _("Closing '%s'\n"), opt.outputfile); retval = fclose(output); if (retval == EOF) { perror("fclose"); } } else if (opt.recipient[0] != '\0') { retval = pclose(output); if (retval == -1) { perror("pclose"); } } } void check_pidfile() { struct stat *sbuf; sbuf = xmalloc(sizeof(struct stat)); if (stat(opt.pidfile, sbuf) != -1) { fprintf(stderr, _("Warning: pidfile exists, another fwlogwatch might be running.\n")); } else { if ((errno != ENOENT) && (errno != EACCES)) { fprintf(stderr, "stat %s: %d, %s\n", opt.pidfile, errno, strerror(errno)); exit(EXIT_FAILURE); } } free(sbuf); } void mode_rt_response_reread_conf() { free_exclude_data(); if (read_rcfile(opt.rcfile, MAY_NOT_EXIST) == EXIT_SUCCESS) { syslog(LOG_NOTICE, _("SIGHUP caught, reread configuration file %s"), opt.rcfile); } else { syslog(LOG_NOTICE, _("SIGHUP caught, unable to reread configuration file %s"), opt.rcfile); } signal(SIGHUP, mode_rt_response_reread_conf); } void mode_rt_response_open() { if (opt.std_in) { opt.inputfd = stdin; } else { opt.inputfd = fopen(first_file->name, "r"); if (opt.inputfd == NULL) { syslog(LOG_NOTICE, "fopen %s: %s", first_file->name, strerror(errno)); log_exit(EXIT_FAILURE); } } } void 
mode_rt_response_reopen_log() { int retval; if (opt.std_in) { syslog(LOG_NOTICE, _("SIGUSR1 caught, reading input from stdin, no need to reopen log file")); } else { syslog(LOG_NOTICE, _("SIGUSR1 caught, reopening log file %s"), first_file->name); retval = fclose(opt.inputfd); if (retval == EOF) syslog(LOG_NOTICE, "fclose %s: %s", first_file->name, strerror(errno)); mode_rt_response_open(); signal(SIGUSR1, mode_rt_response_reopen_log); } } void mode_rt_response_core() { int retval, linenum = 0, hitnum = 0, ignored = 0; struct stat info; off_t size = 0; fd_set rfds; struct timeval tv; if ((!opt.std_in) && (!opt.stateful_start)) { retval = fstat(fileno(opt.inputfd), &info); if (retval == -1) { syslog(LOG_NOTICE, "fstat %s: %s", first_file->name, strerror(errno)); log_exit(EXIT_FAILURE); } size = info.st_size; } opt.line = xmalloc(sizeof(struct log_line)); while (1) { if (opt.status) { FD_ZERO(&rfds); FD_SET(opt.sock, &rfds); tv.tv_sec = 1; tv.tv_usec = 0; retval = select(opt.sock + 1, &rfds, NULL, NULL, &tv); if (retval == -1) { if (errno != EINTR) { syslog(LOG_NOTICE, "select: %s", strerror(errno)); exit(EXIT_FAILURE); } } if (retval > 0) { handshake(linenum, hitnum, ignored); } } else { sleep(1); } remove_old(RESP_REMOVE_OPC | RESP_REMOVE_OHS); if (opt.std_in) { common_input_loop(&linenum, &hitnum, &ignored, &ignored, &ignored); look_for_alert(); } else { retval = fstat(fileno(opt.inputfd), &info); if (retval == -1) { syslog(LOG_NOTICE, "fstat %s: %s", first_file->name, strerror(errno)); log_exit(EXIT_FAILURE); } if (size != info.st_size) { size = info.st_size; clearerr(opt.inputfd); common_input_loop(&linenum, &hitnum, &ignored, &ignored, &ignored); look_for_alert(); } } } } void mode_rt_response_terminate() { syslog(LOG_NOTICE, _("SIGTERM caught, cleaning up")); free_hosts(); if (opt.response & OPT_RESPOND) modify_firewall(FW_STOP); log_exit(EXIT_SUCCESS); } void mode_rt_response() { int retval; FILE *pidfile; #ifndef RR_DEBUG pid_t pid; if (opt.pidfile[0] != 
'\0') check_pidfile(); pid = fork(); if (pid == -1) { perror("fork"); exit(EXIT_FAILURE); } if (pid != 0) { _exit(EXIT_SUCCESS); } pid = setsid(); if (pid == -1) { perror("setsid"); exit(EXIT_FAILURE); } pid = fork(); if (pid == -1) { perror("fork"); exit(EXIT_FAILURE); } if (pid != 0) { _exit(EXIT_SUCCESS); } retval = chdir("/"); if (retval == -1) { perror("chdir"); exit(EXIT_FAILURE); } /* umask() */ retval = close(2); if (retval == -1) { perror("close"); exit(EXIT_FAILURE); } retval = close(1); if (retval == -1) { perror("close"); exit(EXIT_FAILURE); } if (!opt.std_in) { retval = close(0); if (retval == -1) { perror("close"); exit(EXIT_FAILURE); } } retval = open("/dev/null", O_RDWR); if (retval == -1) { perror("open"); exit(EXIT_FAILURE); } retval = dup(0); if (retval == -1) { perror("dup"); exit(EXIT_FAILURE); } if (!opt.std_in) { retval = dup(0); if (retval == -1) { perror("dup"); exit(EXIT_FAILURE); } } openlog("fwlogwatch", LOG_CONS, LOG_DAEMON); #else openlog("fwlogwatch", LOG_CONS | LOG_PERROR, LOG_DAEMON); #endif syslog(LOG_NOTICE, _("Starting (pid %d)"), getpid()); signal(SIGTERM, mode_rt_response_terminate); if (opt.pidfile[0] != '\0') { pidfile = fopen(opt.pidfile, "w"); if (pidfile == NULL) { syslog(LOG_NOTICE, "fopen %s: %s\n", opt.pidfile, strerror(errno)); } else { fprintf(pidfile, "%d\n", (int) getpid()); retval = fclose(pidfile); if (retval == EOF) { syslog(LOG_NOTICE, "fclose %s: %s\n", opt.pidfile, strerror(errno)); } } } if (opt.status) { prepare_socket(); #ifdef HAVE_ADNS if (opt.resolve) { retval = adns_init(&adns, adns_if_noenv, 0); if (retval) { syslog(LOG_NOTICE, "adns_init: %s", strerror(errno)); log_exit(EXIT_FAILURE); } } #endif } if ((opt.ipchains_check == 1) && ((opt.format & PARSER_IPCHAINS) != 0)) check_for_ipchains(); if ((opt.response & OPT_NOTIFY) != 0) check_script_perms(opt.notify_script); if ((opt.response & OPT_RESPOND) != 0) { check_script_perms(opt.respond_script); modify_firewall(FW_START); } mode_rt_response_open(); if 
(opt.run_as[0] != '\0') { uid_t olduid; gid_t oldgid; struct passwd *pwe; pwe = getpwnam(opt.run_as); if (pwe == NULL) { syslog(LOG_NOTICE, _("User to run as was not found")); log_exit(EXIT_FAILURE); } olduid = getuid(); oldgid = getgid(); retval = setgid(pwe->pw_gid); if (retval == -1) { syslog(LOG_NOTICE, "setgid: %s", strerror(errno)); log_exit(EXIT_FAILURE); } retval = setuid(pwe->pw_uid); if (retval == -1) { syslog(LOG_NOTICE, "setuid: %s", strerror(errno)); log_exit(EXIT_FAILURE); } syslog(LOG_NOTICE, _("Changed uid from %d to %d, gid from %d to %d"), olduid, getuid(), oldgid, getgid()); } else { syslog(LOG_NOTICE, _("Running with uid %d, gid %d"), getuid(), getgid()); } if (opt.threshold == 1) { syslog(LOG_NOTICE, _("Alert threshold is one attempt")); } else { syslog(LOG_NOTICE, _("Alert threshold is %d attempts"), opt.threshold); } if (opt.recent < 3600) { syslog(LOG_NOTICE, _("Events older than %d second(s) are discarded"), opt.recent); } else { syslog(LOG_NOTICE, _("Events older than %d hour(s) are discarded"), opt.recent / 3600); } syslog(LOG_NOTICE, _("Response mode: Log%s%s"), (opt.response & OPT_NOTIFY) ? _(", notify") : "", (opt.response & OPT_RESPOND) ? 
_(", respond") : ""); if ((!opt.std_in) && (!opt.stateful_start)) { retval = fseek(opt.inputfd, 0, SEEK_END); if (retval == -1) { syslog(LOG_NOTICE, "fseek %s: %s", first_file->name, strerror(errno)); log_exit(EXIT_FAILURE); } } signal(SIGHUP, mode_rt_response_reread_conf); signal(SIGUSR1, mode_rt_response_reopen_log); mode_rt_response_core(); } void mode_show_log_times() { char buf[BUFSIZE], stime[TIMESIZE], month[4], *input = NULL, last_file = 0; int retval = 0, loop, hour, minute, second, linenum = 0; unsigned int day; struct input_file *file; time_t first = 0, last = 0; opt.line = xmalloc(sizeof(struct log_line)); file = first_file; while (last_file == 0) { if (opt.std_in) { opt.inputfd = stdin; if (opt.verbose) fprintf(stderr, _("Reading standard input\n")); } else { input = file->name; #ifdef HAVE_ZLIB opt.inputfd = gzopen(input, "rb"); #else opt.inputfd = fopen(input, "r"); #endif if (opt.inputfd == NULL) { #ifdef HAVE_ZLIB fprintf(stderr, "gzopen %s: %s\n", input, strerror(errno)); #else fprintf(stderr, "fopen %s: %s\n", input, strerror(errno)); #endif exit(EXIT_FAILURE); } if (opt.verbose) fprintf(stderr, _("Reading '%s'\n"), input); } #ifdef HAVE_ZLIB if (opt.std_in) { #endif loop = (fgets(buf, BUFSIZE, opt.inputfd) != NULL); #ifdef HAVE_ZLIB } else { loop = (gzgets(opt.inputfd, buf, BUFSIZE) != Z_NULL); } #endif while (loop) { linenum++; retval = sscanf(buf, "%3s %u %2d:%2d:%2d ", month, &day, &hour, &minute, &second); if (retval == 5) { build_time(month, day, hour, minute, second); if (first == 0) first = last = opt.line->time; if (opt.line->time < first) first = opt.line->time; if (opt.line->time > last) last = opt.line->time; } #ifdef HAVE_ZLIB if (opt.std_in) { #endif loop = (fgets(buf, BUFSIZE, opt.inputfd) != NULL); #ifdef HAVE_ZLIB } else { loop = (gzgets(opt.inputfd, buf, BUFSIZE) != Z_NULL); } #endif } if (opt.std_in) { last_file++; } else { if (opt.verbose) fprintf(stderr, _("Closing '%s'\n"), input); #ifndef HAVE_ZLIB retval = 
fclose(opt.inputfd); if (retval == EOF) { perror("fclose"); #else retval = gzclose(opt.inputfd); if (retval != 0) { if (retval != Z_ERRNO) { fprintf(stderr, "gzclose %s: %s\n", input, gzerror(opt.inputfd, &retval)); } else { perror("gzclose"); } #endif exit(EXIT_FAILURE); } if (file->next != NULL) { file = file->next; } else { last_file++; } } } printf(_("Number of files: %d\n"), opt.filecount); printf(_("Number of lines: %d\n"), linenum); if (first == 0) { printf(_("No valid time entries found.\n")); } else { strftime(stime, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&first)); printf(_("First entry: %s\n"), stime); strftime(stime, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&last)); printf(_("Last entry : %s\n"), stime); output_timediff(first, last, stime); printf(_("Difference : %s\n"), stime); } free(opt.line); } fwlogwatch-1.2/utils.h0000644000076400001440000000154411453062534013374 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: utils.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _UTILS_H #define _UTILS_H char *xstrncpy(char *dest, const char *src, size_t n); void *xmalloc(int size); void log_exit(unsigned char returncode); void run_command(char *buf); void free_conn_data(void); void free_dns_cache(void); void free_whois(void); void free_hosts(void); void free_exclude_data(void); void init_line(void); void mode_error(void); void build_time(char *smonth, int day, int hour, int minute, int second); unsigned char convert_ip(char *ip, struct in_addr *addr); unsigned long int parse_cidr(char *input); void add_known_host(char *ip); void add_exclude_hpb(char *input, unsigned char mode); void add_input_file(char *name); void free_input_file(void); void generate_email_header(FILE * fd); void fdprintf(int fd, char *format, ...); #endif fwlogwatch-1.2/cisco_pix.h0000644000076400001440000000032011453062534014203 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: cisco_pix.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _CISCO_PIX_H #define 
_CISCO_PIX_H unsigned char flex_cisco_pix(char *input, int linenum); #endif fwlogwatch-1.2/main.h0000644000076400001440000002134411454321551013156 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: main.h 710 2010-10-10 11:28:41Z bw $ */ #ifndef _MAIN_H #define _MAIN_H #define PACKAGE "fwlogwatch" #define VERSION "1.2 2010/10/10" #define COPYRIGHT "Boris Wesslowski" /* Paths */ #define INSTALL_DIR "/usr/local" #define CONF_DIR "/etc" #define LOCALE_DIR "/usr" /* i18n */ #ifdef HAVE_GETTEXT #include #define _(String) gettext(String) #define LOCALEDIR LOCALE_DIR "/share/locale" #else #define _(String) String #endif /* Data sizes */ #define BUFSIZE 1024 #define BUFSIZE_S "1024" #define FILESIZE 256 #define TIMESIZE 64 #define HOSTLEN 256 #define SHOSTLEN 32 #define SHOSTLEN_S "32" #define IPLEN 16 #define IP6LEN 40 #define EMAILSIZE 80 #define COLORSIZE 8 #define MAXSORTSIZE 24 #define USERSIZE 16 #define PASSWORDSIZE 76 #define WHOISCMDLEN 32 #define WHOISDESCLEN 64 #define WHOISROUTELEN 20 #define TITLESIZE 64 #define CSSSIZE 64 #ifndef SHORT_NAMES #define SHORTLEN 128 #define SHORTLEN_S "128" #else #define SHORTLEN 10 #define SHORTLEN_S "10" #endif /* Files */ #ifndef SOLARIS #define INFILE "/var/log/messages" #else #define INFILE "/var/adm/messages" #endif #define RCFILE CONF_DIR "/fwlogwatch.config" enum { MAY_NOT_EXIST, MUST_EXIST }; enum { NO, YES }; enum { HASH_IGNORE, HASH_ENDS_INPUT }; /* Modes */ enum { LOG_SUMMARY, REALTIME_RESPONSE, SHOW_LOG_TIMES }; /* Parser */ #define PARSER_IPCHAINS 1 #define PARSER_NETFILTER 2 #define PARSER_CISCO_IOS 4 #define PARSER_IPFILTER 8 #define PARSER_CISCO_PIX 16 #define PARSER_SNORT 64 #define PARSER_NETSCREEN 128 #define PARSER_LANCOM 256 #define PARSER_IPFW 512 enum { PARSE_OK, PARSE_ERROR, PARSE_NO_HIT, PARSE_WRONG_FORMAT, PARSE_TOO_OLD, PARSE_EXCLUDED }; enum { IN_ADDR_OK, IN_ADDR_ERROR }; /* TCP flags */ #define TCP_SYN 1 #define TCP_ACK 2 #define TCP_FIN 4 #define TCP_RST 8 #define TCP_PSH 16 
#define TCP_URG 32 /* ipchains support */ #define IPCHAINS_DATE 1 #define IPCHAINS_DATA 2 #define IPCHAINS_IPS 4 /* netfilter support */ #define NF_DATE 1 #define NF_IN 2 #define NF_SRC 4 #define NF_DST 8 #define NF_PROTO 16 #define NF_SPT 32 #define NF_DPT 64 #define NF_TYPE 128 #define NF_CODE 256 enum { NF_OPT_NOPREFIX, NF_OPT_PREFIX, NF_OPT_PREFIX_KTIME, NF_OPT_SRC, NF_OPT_DST }; /* cisco ios support */ #define CISCO_IOS_DATE 1 #define CISCO_IOS_SRC 2 #define CISCO_IOS_DST 4 #define CISCO_IOS_PROTO 8 #define CISCO_IOS_COUNT 16 enum { CI_OPT_NONE, CI_OPT_HOST, CI_OPT_MSEC, CI_OPT_PORT, CI_OPT_MISSING, CI_OPT_TYPE }; /* cisco pix support */ #define CISCO_PIX_DATE 1 #define CISCO_PIX_SRC 2 #define CISCO_PIX_DST 4 #define CISCO_PIX_NO_HIT 8 enum { CP_OPT_NONE, CP_OPT_HOST, CP_OPT_TCP, CP_OPT_TCP_S, CP_OPT_TCP_S2, CP_OPT_TCP_N, CP_OPT_TCP_N2, CP_OPT_UDP, CP_OPT_UDP_S, CP_OPT_UDP_S2, CP_OPT_UDP_N, CP_OPT_UDP_N2, CP_OPT_UDP_NOPORT, CP_OPT_ICMP, CP_OPT_ICMP_S, CP_OPT_ICMP_S2, CP_OPT_ICMP_N2, CP_OPT_DST, CP_OPT_DST_S, CP_OPT_DST_S2, CP_OPT_DST_N, CP_OPT_DST_N2, CP_OPT_DST_I }; /* ipfilter support */ #define IPF_DATE 1 #define IPF_DATA 2 #define IPF_PROTO 4 #define IPF_SRC_IP 8 #define IPF_DST_IP 16 #define IPF_SRC_PORT 32 #define IPF_DST_PORT 64 #define IPF_NO_HIT 128 #define IPF_OPT_NONE 1 #define IPF_OPT_COUNT 2 #define IPF_OPT_SRC 4 #define IPF_OPT_DST 8 #define IPF_OPT_RES 16 #define IPF_OPT_PORT 32 #define IPF_OPT_RPORT 64 /* ipfw support */ #define IPFW_DATE 1 #define IPFW_CHAIN 2 #define IPFW_BRANCH 4 #define IPFW_PROTO 8 #define IPFW_IPS 16 #define IPFW_PORTS 32 #define IPFW_IF 64 enum { IPFW_OPT_NONE, IPFW_OPT_ICMP, IPFW_OPT_PORTS }; /* snort support */ #define SNORT_DATE 1 #define SNORT_CHAIN 2 #define SNORT_BRANCH 4 #define SNORT_PROTO 8 #define SNORT_SRC 16 #define SNORT_DST 32 #define SNORT_NO_HIT 64 #define SNORT_OPT_SRC 1 #define SNORT_OPT_DST 2 #define SNORT_OPT_PORT 4 /* netscreen support */ #define NS_DATE 1 #define NS_SRC 2 #define NS_DST 4 #define 
NS_SPORT 8 #define NS_DPORT 16 #define NS_BN 32 #define NS_PROTO 64 #define NS_NO_HIT 128 enum { NETSCREEN_OPT_SRC, NETSCREEN_OPT_DST }; /* Sorting */ enum { SORT_COUNT, SORT_START_TIME, SORT_END_TIME, SORT_DELTA_TIME, SORT_CHAINLABEL, SORT_PROTOCOL, SORT_DATALEN, SORT_SOURCEHOST, SORT_SOURCEPORT, SORT_DESTHOST, SORT_DESTPORT }; enum { ORDER_ASCENDING, ORDER_DESCENDING }; /* WHOIS lookup */ #define RADB "whois.radb.net" #define WHOIS 43 /* HTML output */ #define TEXTCOLOR "black" #define BGCOLOR "white" #define ROWCOLOR1 "#EEEEEE" #define ROWCOLOR2 "#DDDDDD" /* Log summary mode */ #define SUMMARY_TITLE _("fwlogwatch summary") #define SORTORDER "cd" #define P_SENDMAIL "/usr/sbin/sendmail" /* Realtime response mode */ #define ALERT 5 #define FORGET 86400 #define FWLW_NOTIFY INSTALL_DIR "/sbin/fwlw_notify" #define FWLW_RESPOND INSTALL_DIR "/sbin/fwlw_respond" #define STATUS_TITLE _("fwlogwatch status") #ifndef HAVE_IPV6 #define LISTENIF "127.0.0.1" #else #define LISTENIF "::1" #endif #define LISTENPORT 888 #define DEFAULT_USER "admin" #define DEFAULT_PASSWORD "2fi4nEVVz0IXo" /* fwlogwat[ch] DES only supports 8 characters */ #define OPT_LOG 1 #define OPT_NOTIFY 2 #define OPT_RESPOND 4 #define EX_NOTIFY 1 #define EX_RESPOND_ADD 2 #define EX_RESPOND_REMOVE 3 #define RESP_REMOVE_OPC 1 #define RESP_REMOVE_OHS 2 enum { FW_START, FW_STOP }; enum { NO_NET_OPTS_PC, NET_OPTS_PC, NO_SORTING, SORTING, SORT_PC, SORT_HS }; enum { STATUS_OFF, STATUS_OK, FD_ERROR }; enum { HEADER_COMPLETE, HEADER_CONTINUES }; /* Data structures */ #include #include struct log_line { time_t time; char hostname[SHOSTLEN]; char chainlabel[SHORTLEN]; char branchname[SHORTLEN]; char interface[SHORTLEN]; int protocol; unsigned long int datalen; struct in_addr shost; int sport; struct in_addr dhost; int dport; unsigned char flags; int count; }; struct conn_data { int count; time_t start_time; time_t end_time; char *hostname; char *chainlabel; char *branchname; char *interface; int protocol; unsigned long 
int datalen; struct in_addr shost; int sport; struct in_addr dhost; int dport; unsigned char flags; int id; struct conn_data *next; }; struct input_file { char *name; struct input_file *next; }; struct dns_cache { struct in_addr ip; char *fqdn; struct dns_cache *next; }; struct whois_entry { char *ip_route; int as_number; char *ip_descr; char *as_descr; struct whois_entry *next; }; struct known_hosts { time_t time; int count; struct in_addr shost; struct in_addr netmask; struct in_addr dhost; int protocol; int sport; int dport; int id; struct known_hosts *next; }; struct parser_options { unsigned char mode; unsigned long int value; struct in_addr netmask; char *svalue; struct parser_options *next; }; #define PARSER_MODE_DEFAULT 0 #define PARSER_MODE_NOT 1 #define PARSER_MODE_HOST 2 #define PARSER_MODE_PORT 4 #define PARSER_MODE_SRC 8 #define PARSER_MODE_CHAIN 16 #define PARSER_MODE_BRANCH 32 enum { P_MATCH_NONE, P_MATCH_EXC, P_MATCH_INC }; struct options { unsigned char mode; FILE *inputfd; unsigned char std_in; unsigned char verbose; unsigned char resolve; unsigned char sresolve; unsigned char whois_lookup; int whois_sock; int filecount; char rcfile[FILESIZE]; struct log_line *line; char format_sel[SHORTLEN]; unsigned int format; unsigned int parser; unsigned char repeated; int orig_count; unsigned char src_ip; unsigned char dst_ip; unsigned char proto; unsigned char src_port; unsigned char dst_port; unsigned char opts; unsigned char datalen; unsigned char stimes; unsigned char etimes; unsigned char duration; char sort_order[MAXSORTSIZE]; unsigned char sortfield; unsigned char sortmode; unsigned char html; unsigned char use_out; char outputfile[FILESIZE]; char title[TITLESIZE]; char stylesheet[CSSSIZE]; char textcol[COLORSIZE]; char bgcol[COLORSIZE]; char rowcol1[COLORSIZE]; char rowcol2[COLORSIZE]; unsigned char loghost; char hostname[SHOSTLEN]; unsigned char chains; char chainlabel[SHORTLEN]; unsigned char branches; char branchname[SHORTLEN]; unsigned char ifs; 
char interface[SHORTLEN]; time_t now; int recent; int threshold; int least; int max; char sender[EMAILSIZE]; char recipient[EMAILSIZE]; char cc[EMAILSIZE]; unsigned char response; unsigned char ipchains_check; char pidfile[FILESIZE]; char notify_script[FILESIZE]; char respond_script[FILESIZE]; char run_as[USERSIZE]; unsigned char status; unsigned char stateful_start; int sock; char listenif[IP6LEN]; int listenport; char listento[IPLEN]; char user[USERSIZE]; char password[PASSWORDSIZE]; int refresh; unsigned char webpage; int global_id; }; #endif fwlogwatch-1.2/cisco_pix.l0000644000076400001440000003531111453062534014217 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: cisco_pix.l 706 2010-10-06 12:02:36Z bw $ */ %option prefix="cisco_pix" %option outfile="cisco_pix.c" %option noyywrap %{ #define YY_NO_INPUT #include #include #include #include #include "main.h" #include "utils.h" extern struct options opt; void cisco_pix_parse_date(char *input, unsigned char mode); void cisco_pix_parse_src(char *input, unsigned char mode); void cisco_pix_parse_dst(char *input, unsigned char mode); void cisco_pix_parse_group(char *input); %} MONTH "Jan"|"Feb"|"Mar"|"Apr"|"May"|"Jun"|"Jul"|"Aug"|"Sep"|"Oct"|"Nov"|"Dec" STRING [a-zA-Z][a-zA-Z0-9._-]* LOGHOST [0-9.a-zA-Z()_:-]* DIGIT [0-9] NUMBER {DIGIT}+ OCTET {DIGIT}{1,3} PORT {DIGIT}{1,5} HEXDIGIT [0-9a-fA-F] HEXNUMBER "0x"{HEXDIGIT}+ IP {OCTET}"."{OCTET}"."{OCTET}"."{OCTET} IPPORT {IP}"/"{PORT} ZONEIP {STRING}":"{IP} ZONENAME {STRING}":"{STRING} ZONEIPPORT {STRING}":"{IP}"/"{PORT} ZONEIPPORT2 {STRING}"/"{IP}"("{PORT}")" ZONENAMEPORT {STRING}":"{STRING}"/"{PORT} ZONENAMEPORT2 {STRING}"/"{STRING}"("{PORT}")" SYSID ("%PIX"|"%FWSM"|"%ASA")"-"[1-7]"-"[0-9]{6}":" %% {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST} cisco_pix_parse_date(cisco_pixtext, CP_OPT_HOST); {SYSID} /* ignore */ {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{4}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}(":")? 
cisco_pix_parse_date(cisco_pixtext, CP_OPT_NONE); {LOGHOST}[ ]+": " /* ignore */ " Inbound TCP connection denied from "{IPPORT} cisco_pix_parse_src(cisco_pixtext+36, CP_OPT_TCP); " Deny TCP (no connection) from "{IPPORT} cisco_pix_parse_src(cisco_pixtext+31, CP_OPT_TCP); " Deny inbound UDP from "{IPPORT} cisco_pix_parse_src(cisco_pixtext+23, CP_OPT_UDP); " Deny udp src "{ZONEIPPORT} cisco_pix_parse_src(cisco_pixtext+14, CP_OPT_UDP_S); " Deny udp src "{ZONENAMEPORT} cisco_pix_parse_src(cisco_pixtext+14, CP_OPT_UDP_N); " Deny tcp src "{ZONEIPPORT} cisco_pix_parse_src(cisco_pixtext+14, CP_OPT_TCP_S); " Deny tcp src "{ZONENAMEPORT} cisco_pix_parse_src(cisco_pixtext+14, CP_OPT_TCP_N); " Deny icmp src "{ZONEIP} cisco_pix_parse_src(cisco_pixtext+15, CP_OPT_ICMP_S); " Deny inbound icmp src "{ZONEIP} cisco_pix_parse_src(cisco_pixtext+23, CP_OPT_ICMP_S); " Deny inbound tcp src "{ZONEIPPORT} cisco_pix_parse_src(cisco_pixtext+22, CP_OPT_TCP_S); " Deny inbound (No xlate) tcp src "{ZONEIPPORT} cisco_pix_parse_src(cisco_pixtext+33, CP_OPT_TCP_S); " Deny inbound (No xlate) udp src "{ZONEIPPORT} cisco_pix_parse_src(cisco_pixtext+33, CP_OPT_UDP_S); " Deny inbound (No xlate) icmp src "{ZONEIP} cisco_pix_parse_src(cisco_pixtext+34, CP_OPT_ICMP_S); " Deny UDP reverse path check from "{IP} cisco_pix_parse_src(cisco_pixtext+34, CP_OPT_UDP_NOPORT); {IP}" attempted to ping " cisco_pix_parse_src(cisco_pixtext, CP_OPT_ICMP); "to "{IPPORT} cisco_pix_parse_dst(cisco_pixtext+3, CP_OPT_DST); "to "{IP} cisco_pix_parse_dst(cisco_pixtext+3, CP_OPT_NONE); "dst "{ZONEIPPORT} cisco_pix_parse_dst(cisco_pixtext+4, CP_OPT_DST_S); "dst "{ZONENAMEPORT} cisco_pix_parse_dst(cisco_pixtext+4, CP_OPT_DST_N); "dst "{ZONEIP}" (type "{PORT}", code "{PORT}")" cisco_pix_parse_dst(cisco_pixtext+4, CP_OPT_DST_I); {IP} cisco_pix_parse_dst(cisco_pixtext, CP_OPT_NONE); "flags" /* ignore */ "URG" opt.line->flags = opt.line->flags | TCP_URG; "ACK" opt.line->flags = opt.line->flags | TCP_ACK; "PSH" opt.line->flags = 
opt.line->flags | TCP_PSH; "RST" opt.line->flags = opt.line->flags | TCP_RST; "SYN" opt.line->flags = opt.line->flags | TCP_SYN; "FIN" opt.line->flags = opt.line->flags | TCP_FIN; "on interface "{STRING} xstrncpy(opt.line->interface, cisco_pixtext+13, SHORTLEN); "by access-group \""{STRING}"\"" cisco_pix_parse_group(cisco_pixtext+17); "due to DNS "("Query"|"Response") /* ignore */ "("{IP}")" /* ignore */ " access-list "{STRING} xstrncpy(opt.line->chainlabel, cisco_pixtext+13, SHORTLEN); " permitted tcp "{ZONEIPPORT2} cisco_pix_parse_src(cisco_pixtext+15, CP_OPT_TCP_S2); " permitted udp "{ZONEIPPORT2} cisco_pix_parse_src(cisco_pixtext+15, CP_OPT_UDP_S2); " permitted icmp "{ZONEIPPORT2} cisco_pix_parse_src(cisco_pixtext+16, CP_OPT_ICMP_S2); " permitted tcp "{ZONENAMEPORT2} cisco_pix_parse_src(cisco_pixtext+15, CP_OPT_TCP_N2); " permitted udp "{ZONENAMEPORT2} cisco_pix_parse_src(cisco_pixtext+15, CP_OPT_UDP_N2); " permitted icmp "{ZONENAMEPORT2} cisco_pix_parse_src(cisco_pixtext+16, CP_OPT_ICMP_N2); " -> "{ZONEIPPORT2} cisco_pix_parse_dst(cisco_pixtext+4, CP_OPT_DST_S2); " -> "{ZONENAMEPORT2} cisco_pix_parse_dst(cisco_pixtext+4, CP_OPT_DST_N2); "hit-cnt "{NUMBER} /* ignore */ " first hit" /* ignore */ " "{NUMBER}"-second interval" /* ignore */ " Built dynamic "("TCP"|"UDP"|"ICMP")" translation from "{ZONEIPPORT}" to "{ZONEIPPORT} opt.parser=opt.parser|CISCO_PIX_NO_HIT; " Built "("inbound"|"outbound")" "("TCP"|"UDP")" connection "{NUMBER}" for "{ZONEIPPORT}" ("{IPPORT}") to "{ZONEIPPORT}" ("{IPPORT}")" opt.parser=opt.parser|CISCO_PIX_NO_HIT; " Built static translation from "{ZONEIP}" to "{ZONEIP} opt.parser=opt.parser|CISCO_PIX_NO_HIT; " Built local-host "{ZONEIP} opt.parser=opt.parser|CISCO_PIX_NO_HIT; " Teardown dynamic "("TCP"|"UDP"|"ICMP")" translation from "{ZONEIPPORT}" to "{ZONEIPPORT}" duration "[0-9:]+ opt.parser=opt.parser|CISCO_PIX_NO_HIT; " Teardown "("TCP"|"UDP")" connection "{NUMBER}" for "{ZONEIPPORT}" to "{ZONEIPPORT}" duration "[0-9:]+" bytes 
"{NUMBER}(" TCP "("Reset-"("I"|"O")|"FINs")|" "("SYN"|"FIN")" Timeout")? opt.parser=opt.parser|CISCO_PIX_NO_HIT; " No translation group found for icmp src "({ZONEIP}|{ZONENAME})" dst "({ZONEIP}|{ZONENAME})" (type "{PORT}", code "{PORT}")" opt.parser=opt.parser|CISCO_PIX_NO_HIT; " Teardown local-host "{ZONEIP}" duration "[0-9:]+ opt.parser=opt.parser|CISCO_PIX_NO_HIT; {IP}" Accessed URL ".+ opt.parser=opt.parser|CISCO_PIX_NO_HIT; " IGRP request discarded from "{IP}" to "{ZONEIP} opt.parser=opt.parser|CISCO_PIX_NO_HIT; {NUMBER}" in use, "{NUMBER}" most used" opt.parser=opt.parser|CISCO_PIX_NO_HIT; "["{HEXNUMBER}", "{HEXNUMBER}"]" /* ignore */ [ ]+ /* ignore whitespace */ [\n] /* ignore */ {STRING} if(opt.verbose) fprintf(stderr, "Unrecognized token: %s\n", cisco_pixtext); . if(opt.verbose) fprintf(stderr, "Unrecognized character: %s\n", cisco_pixtext); %% void cisco_pix_parse_date(char *input, unsigned char mode) { int retval, day, hour, minute, second; char smonth[4]; #ifdef IRIX char tmp[SHOSTLEN]; #endif #ifdef LOGDOTS char *remove_dot; #endif if (mode == CP_OPT_HOST) { retval = sscanf(input, "%3s %2d %2d:%2d:%2d %32s", smonth, &day, &hour, &minute, &second, #ifndef IRIX opt.line->hostname); #else tmp); if (retval != 6) return; if (tmp[2] == ':') xstrncpy(opt.line->hostname, tmp + 3, SHOSTLEN); #endif #ifdef LOGDOTS remove_dot = strstr(opt.line->hostname, "."); if (remove_dot != NULL) *remove_dot = '\0'; #endif } else if (mode == CP_OPT_NONE) { int year; retval = sscanf(input, "%3s %2d %4d %2d:%2d:%2d", smonth, &day, &year, &hour, &minute, &second); if (retval != 6) return; } build_time(smonth, day, hour, minute, second); opt.parser = opt.parser | CISCO_PIX_DATE; } void cisco_pix_parse_src(char *input, unsigned char mode) { char ip[IPLEN], resolved = 0; int shost1, shost2, shost3, shost4; int retval; if ((mode == CP_OPT_TCP) || (mode == CP_OPT_UDP)) { retval = sscanf(input, "%3d.%3d.%3d.%3d/%5d", &shost1, &shost2, &shost3, &shost4, &opt.line->sport); if (mode == 
CP_OPT_TCP) opt.line->protocol = 6; else opt.line->protocol = 17; if (retval != 5) return; } else if ((mode == CP_OPT_TCP_S) || (mode == CP_OPT_UDP_S)) { char buf[BUFSIZE], *pnt; pnt = strstr(input, ":"); *pnt = ' '; retval = sscanf(input, "%" BUFSIZE_S "s %3d.%3d.%3d.%3d/%5d", buf, &shost1, &shost2, &shost3, &shost4, &opt.line->sport); if (mode == CP_OPT_TCP_S) opt.line->protocol = 6; else opt.line->protocol = 17; if (retval != 6) return; } else if ((mode == CP_OPT_TCP_S2) || (mode == CP_OPT_UDP_S2) || (mode == CP_OPT_ICMP_S2)) { char buf[BUFSIZE], *pnt; xstrncpy(opt.line->branchname, "permitted", SHORTLEN); pnt = strstr(input, "/"); *pnt = ' '; retval = sscanf(input, "%" BUFSIZE_S "s %3d.%3d.%3d.%3d(%5d)", buf, &shost1, &shost2, &shost3, &shost4, &opt.line->sport); if (mode == CP_OPT_TCP_S2) opt.line->protocol = 6; else if (mode == CP_OPT_UDP_S2) opt.line->protocol = 17; else opt.line->protocol = 1; if (retval != 6) return; } else if ((mode == CP_OPT_TCP_N) || (mode == CP_OPT_UDP_N)) { char buf[BUFSIZE], *pnt; struct hostent *he; pnt = strstr(input, ":"); *pnt = ' '; pnt = strstr(input, "/"); *pnt = ' '; retval = sscanf(input, "%*s %" BUFSIZE_S "s %5d", buf, &opt.line->sport); if (mode == CP_OPT_TCP_N) opt.line->protocol = 6; else opt.line->protocol = 17; if (retval != 2) return; he = gethostbyname(buf); if (he != NULL) { opt.line->shost.s_addr = ((struct in_addr *) he->h_addr_list[0])->s_addr; resolved = 1; } else { if (opt.verbose) fprintf(stderr, "cisco_pix host '%s' could not be resolved, ignoring.\n", buf); return; } } else if ((mode == CP_OPT_TCP_N2) || (mode == CP_OPT_UDP_N2) || (mode == CP_OPT_ICMP_N2)) { char buf[BUFSIZE], *pnt; struct hostent *he; xstrncpy(opt.line->branchname, "permitted", SHORTLEN); pnt = strstr(input, "/"); *pnt = ' '; pnt = strstr(input, "("); *pnt = ' '; pnt = strstr(input, ")"); *pnt = 0; retval = sscanf(input, "%*s %" BUFSIZE_S "s %5d", buf, &opt.line->sport); if (mode == CP_OPT_TCP_N2) opt.line->protocol = 6; else if (mode == 
CP_OPT_UDP_N2) opt.line->protocol = 17; else opt.line->protocol = 1; if (retval != 2) return; he = gethostbyname(buf); if (he != NULL) { opt.line->shost.s_addr = ((struct in_addr *) he->h_addr_list[0])->s_addr; resolved = 1; } else { if (opt.verbose) fprintf(stderr, "cisco_pix host '%s' could not be resolved, ignoring.\n", buf); return; } } else if (mode == CP_OPT_ICMP_S) { char buf[BUFSIZE], *pnt; pnt = strstr(input, ":"); *pnt = ' '; retval = sscanf(input, "%" BUFSIZE_S "s %3d.%3d.%3d.%3d", buf, &shost1, &shost2, &shost3, &shost4); opt.line->protocol = 1; if (retval != 5) return; } else if (mode == CP_OPT_ICMP) { retval = sscanf(input, "%3d.%3d.%3d.%3d attempted to ping", &shost1, &shost2, &shost3, &shost4); opt.line->protocol = 1; if (retval != 4) return; } else if (mode == CP_OPT_UDP_NOPORT) { retval = sscanf(input, "%3d.%3d.%3d.%3d", &shost1, &shost2, &shost3, &shost4); opt.line->protocol = 17; if (retval != 4) return; } if (resolved == 0) { snprintf(ip, IPLEN, "%d.%d.%d.%d", shost1, shost2, shost3, shost4); if (convert_ip(ip, &opt.line->shost) == IN_ADDR_ERROR) return; } opt.parser = opt.parser | CISCO_PIX_SRC; } void cisco_pix_parse_dst(char *input, unsigned char mode) { char ip[IPLEN], resolved = 0; int dhost1, dhost2, dhost3, dhost4; int retval; if (mode == CP_OPT_DST) { retval = sscanf(input, "%3d.%3d.%3d.%3d/%5d", &dhost1, &dhost2, &dhost3, &dhost4, &opt.line->dport); if (retval != 5) return; } else if (mode == CP_OPT_DST_S) { char buf[BUFSIZE], *pnt; pnt = strstr(input, ":"); *pnt = ' '; retval = sscanf(input, "%" BUFSIZE_S "s %3d.%3d.%3d.%3d/%5d", buf, &dhost1, &dhost2, &dhost3, &dhost4, &opt.line->dport); if (retval != 6) return; } else if (mode == CP_OPT_DST_S2) { char buf[BUFSIZE], *pnt; pnt = strstr(input, "/"); *pnt = ' '; retval = sscanf(input, "%" BUFSIZE_S "s %3d.%3d.%3d.%3d(%5d)", buf, &dhost1, &dhost2, &dhost3, &dhost4, &opt.line->dport); if (retval != 6) return; } else if (mode == CP_OPT_DST_N) { char buf[BUFSIZE], *pnt; struct hostent *he; 
pnt = strstr(input, ":"); *pnt = ' '; pnt = strstr(input, "/"); *pnt = ' '; retval = sscanf(input, "%*s %" BUFSIZE_S "s %5d", buf, &opt.line->dport); if (retval != 2) return; he = gethostbyname(buf); if (he != NULL) { opt.line->dhost.s_addr = ((struct in_addr *) he->h_addr_list[0])->s_addr; resolved = 1; } else { if (opt.verbose) fprintf(stderr, "cisco_pix host '%s' could not be resolved, ignoring.\n", buf); return; } } else if (mode == CP_OPT_DST_N2) { char buf[BUFSIZE], *pnt; struct hostent *he; pnt = strstr(input, "/"); *pnt = ' '; pnt = strstr(input, "("); *pnt = ' '; pnt = strstr(input, ")"); *pnt = 0; retval = sscanf(input, "%*s %" BUFSIZE_S "s %5d", buf, &opt.line->dport); if (retval != 2) return; he = gethostbyname(buf); if (he != NULL) { opt.line->dhost.s_addr = ((struct in_addr *) he->h_addr_list[0])->s_addr; resolved = 1; } else { if (opt.verbose) fprintf(stderr, "cisco_pix host '%s' could not be resolved, ignoring.\n", buf); return; } } else if (mode == CP_OPT_DST_I) { char buf[BUFSIZE], *pnt; pnt = strstr(input, ":"); *pnt = ' '; retval = sscanf(input, "%" BUFSIZE_S "s %3d.%3d.%3d.%3d (type %5d, code %5d)", buf, &dhost1, &dhost2, &dhost3, &dhost4, &opt.line->sport, &opt.line->dport); if (retval != 7) return; } else if (mode == CP_OPT_NONE) { retval = sscanf(input, "%3d.%3d.%3d.%3d", &dhost1, &dhost2, &dhost3, &dhost4); if (retval != 4) return; } if (resolved == 0) { snprintf(ip, IPLEN, "%d.%d.%d.%d", dhost1, dhost2, dhost3, dhost4); if (convert_ip(ip, &opt.line->dhost) == IN_ADDR_ERROR) return; } opt.parser = opt.parser | CISCO_PIX_DST; } void cisco_pix_parse_group(char *input) { char *pnt; pnt = strstr(input, "\""); *pnt = '\0'; xstrncpy(opt.line->chainlabel, input, SHORTLEN); } unsigned char flex_cisco_pix(char *input, int linenum) { opt.parser = 0; init_line(); xstrncpy(opt.line->interface, "-", SHORTLEN); xstrncpy(opt.line->chainlabel, "-", SHORTLEN); xstrncpy(opt.line->branchname, "Deny", SHORTLEN); opt.line->count = 1; 
cisco_pix_scan_string(input); cisco_pixlex(); cisco_pix_delete_buffer(YY_CURRENT_BUFFER); if (opt.parser & CISCO_PIX_NO_HIT) return PARSE_NO_HIT; if (opt.parser == (CISCO_PIX_DATE | CISCO_PIX_SRC | CISCO_PIX_DST)) { return PARSE_OK; } else { if (opt.verbose) fprintf(stderr, "cisco_pix parse error in line %d, ignoring.\n", linenum); if (opt.verbose == 2) fprintf(stderr, "input was: \"%s\"\n", input); return PARSE_WRONG_FORMAT; } } fwlogwatch-1.2/compare.c0000644000076400001440000002340411453062534013654 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: compare.c 706 2010-10-06 12:02:36Z bw $ */ #include #include #include #include #include #include #include "compare.h" #include "output.h" #include "response.h" #include "utils.h" struct conn_data *first = NULL; extern struct known_hosts *first_host; extern struct options opt; void add_entry() { struct conn_data *data; data = xmalloc(sizeof(struct conn_data)); data->count = opt.line->count; data->start_time = opt.line->time; if (opt.mode != REALTIME_RESPONSE) { data->end_time = 0; } else { data->end_time = opt.line->time; } data->hostname = xmalloc(strlen(opt.line->hostname) + 1); xstrncpy(data->hostname, opt.line->hostname, strlen(opt.line->hostname) + 1); data->chainlabel = xmalloc(strlen(opt.line->chainlabel) + 1); xstrncpy(data->chainlabel, opt.line->chainlabel, strlen(opt.line->chainlabel) + 1); data->branchname = xmalloc(strlen(opt.line->branchname) + 1); xstrncpy(data->branchname, opt.line->branchname, strlen(opt.line->branchname) + 1); data->interface = xmalloc(strlen(opt.line->interface) + 1); xstrncpy(data->interface, opt.line->interface, strlen(opt.line->interface) + 1); data->protocol = opt.line->protocol; data->datalen = opt.line->datalen; data->shost = opt.line->shost; data->sport = opt.line->sport; data->dhost = opt.line->dhost; data->dport = opt.line->dport; data->flags = opt.line->flags; data->id = opt.global_id++; data->next = first; first = data; } unsigned char compare(struct 
conn_data *op1, struct conn_data *op2) { unsigned char cond = 0; switch (opt.sortfield) { case SORT_COUNT: if (opt.sortmode == ORDER_ASCENDING) { if (op1->count > op2->count) cond++; } else { if (op1->count < op2->count) cond++; } break; case SORT_START_TIME: if (opt.sortmode == ORDER_ASCENDING) { if (op1->start_time > op2->start_time) cond++; } else { if (op1->start_time < op2->start_time) cond++; } break; case SORT_END_TIME: if (opt.sortmode == ORDER_ASCENDING) { if (op1->end_time > op2->end_time) cond++; } else { if (op1->end_time < op2->end_time) cond++; } break; case SORT_DELTA_TIME: if (opt.sortmode == ORDER_ASCENDING) { if ((op1->end_time - op1->start_time) > (op2->end_time - op2->start_time)) cond++; } else { if ((op1->end_time - op1->start_time) < (op2->end_time - op2->start_time)) cond++; } break; case SORT_CHAINLABEL: if (opt.sortmode == ORDER_ASCENDING) { if (strncmp(op1->chainlabel, op2->chainlabel, SHORTLEN) > 0) cond++; } else { if (strncmp(op1->chainlabel, op2->chainlabel, SHORTLEN) < 0) cond++; } break; case SORT_PROTOCOL: if (opt.sortmode == ORDER_ASCENDING) { if (op1->protocol > op2->protocol) cond++; } else { if (op1->protocol < op2->protocol) cond++; } break; case SORT_DATALEN: if (opt.sortmode == ORDER_ASCENDING) { if (op1->datalen > op2->datalen) cond++; } else { if (op1->datalen < op2->datalen) cond++; } break; case SORT_SOURCEHOST: if (opt.sortmode == ORDER_ASCENDING) { if (ntohl(op1->shost.s_addr) > ntohl(op2->shost.s_addr)) cond++; } else { if (ntohl(op1->shost.s_addr) < ntohl(op2->shost.s_addr)) cond++; } break; case SORT_SOURCEPORT: if (opt.sortmode == ORDER_ASCENDING) { if (op1->sport > op2->sport) cond++; } else { if (op1->sport < op2->sport) cond++; } break; case SORT_DESTHOST: if (opt.sortmode == ORDER_ASCENDING) { if (ntohl(op1->dhost.s_addr) > ntohl(op2->dhost.s_addr)) cond++; } else { if (ntohl(op1->dhost.s_addr) < ntohl(op2->dhost.s_addr)) cond++; } break; case SORT_DESTPORT: if (opt.sortmode == ORDER_ASCENDING) { if (op1->dport 
> op2->dport) cond++; } else { if (op1->dport < op2->dport) cond++; } break; default: fprintf(stderr, _("conn_sort_up: wrong mode\n")); } return cond; } struct conn_data *fwlw_pc_mergesort(struct conn_data *list) { struct conn_data *p, *q, *e, *tail; int size, merges, psize, qsize, i; if (list != NULL) { size = 1; while (1) { p = list; list = tail = NULL; merges = 0; while (p != NULL) { merges++; q = p; psize = 0; for (i = 0; i < size; i++) { psize++; q = q->next; if (q == NULL) break; } qsize = size; while (psize > 0 || ((qsize > 0) && (q != NULL))) { if (psize == 0) { e = q; q = q->next; qsize--; } else if (qsize == 0 || (q == NULL)) { e = p; p = p->next; psize--; } else if (compare(p, q) <= 0) { e = p; p = p->next; psize--; } else { e = q; q = q->next; qsize--; } if (tail != NULL) { tail->next = e; } else { list = e; } tail = e; } p = q; } tail->next = NULL; if (merges <= 1) return list; size *= 2; } } else { return NULL; } } void sort_data(unsigned char mode) { unsigned char i = 0, error; while ((i < MAXSORTSIZE) && (opt.sort_order[i] != '\0')) { error = 0; switch (opt.sort_order[i]) { case 'c': opt.sortfield = SORT_COUNT; break; case 't': opt.sortfield = SORT_START_TIME; break; case 'e': opt.sortfield = SORT_END_TIME; break; case 'z': opt.sortfield = SORT_DELTA_TIME; break; case 'n': opt.sortfield = SORT_CHAINLABEL; break; case 'p': opt.sortfield = SORT_PROTOCOL; break; case 'b': opt.sortfield = SORT_DATALEN; break; case 'S': opt.sortfield = SORT_SOURCEHOST; break; case 's': opt.sortfield = SORT_SOURCEPORT; break; case 'D': opt.sortfield = SORT_DESTHOST; break; case 'd': opt.sortfield = SORT_DESTPORT; break; default: fprintf(stderr, _("Error in sort string: '%c', order expected, ignoring.\n"), opt.sort_order[i]); error = 1; } i++; if (opt.sort_order[i] != '\0') { switch (opt.sort_order[i]) { case 'a': opt.sortmode = ORDER_ASCENDING; break; case 'd': opt.sortmode = ORDER_DESCENDING; break; default: fprintf(stderr, _("Error in sort string: '%c', direction 
expected, ignoring.\n"), opt.sort_order[i]); error = 1; } } else { fprintf(stderr, _("Error in sort string, direction expected, ignoring.\n")); error = 1; } i++; if (error == 0) { if (mode == SORT_PC) { first = fwlw_pc_mergesort(first); } else { first_host = fwlw_hs_mergesort(first_host); } if (opt.verbose == 2) fprintf(stderr, "."); } } } void build_list() { struct conn_data *this; char stime[TIMESIZE]; if (opt.loghost == 0) { if (opt.hostname[0] != '\0') { if (strcmp(opt.hostname, opt.line->hostname) != 0) { opt.loghost = 1; } } else { xstrncpy(opt.hostname, opt.line->hostname, SHOSTLEN); } } if (opt.chains == 0) { if (opt.chainlabel[0] != '\0') { if (strncmp(opt.chainlabel, opt.line->chainlabel, SHORTLEN) != 0) { opt.chains = 1; } } else { xstrncpy(opt.chainlabel, opt.line->chainlabel, SHORTLEN); } } if (opt.branches == 0) { if (opt.branchname[0] != '\0') { if (strncmp(opt.branchname, opt.line->branchname, SHORTLEN) != 0) { opt.branches = 1; } } else { xstrncpy(opt.branchname, opt.line->branchname, SHORTLEN); } } if (opt.ifs == 0) { if (opt.interface[0] != '\0') { if (strncmp(opt.interface, opt.line->interface, SHORTLEN) != 0) { opt.ifs = 1; } } else { xstrncpy(opt.interface, opt.line->interface, SHORTLEN); } } this = first; while (this != NULL) { if ((opt.dst_ip) && (this->dhost.s_addr != opt.line->dhost.s_addr)) { goto no_match; } if ((opt.src_ip) && (this->shost.s_addr != opt.line->shost.s_addr)) { goto no_match; } if ((opt.dst_port) && (this->dport != opt.line->dport)) { goto no_match; } if ((opt.src_port) && (this->sport != opt.line->sport)) { goto no_match; } if ((opt.proto) && (this->protocol != opt.line->protocol)) { goto no_match; } if ((opt.opts) && (this->flags != opt.line->flags)) { goto no_match; } if (strcmp(this->interface, opt.line->interface) != 0) { goto no_match; } if (strcmp(this->branchname, opt.line->branchname) != 0) { goto no_match; } if (strcmp(this->chainlabel, opt.line->chainlabel) != 0) { goto no_match; } if (strcmp(this->hostname, 
opt.line->hostname) != 0) { goto no_match; } this->datalen = this->datalen + opt.line->datalen; if (opt.line->time >= this->end_time) { this->end_time = opt.line->time; } else { if (opt.verbose) { strftime(stime, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&this->end_time)); fprintf(stderr, _("Timewarp in log file (%s"), stime); strftime(stime, TIMESIZE, _("%b %d %H:%M:%S"), localtime(&opt.line->time)); fprintf(stderr, " < %s).\n", stime); } } this->count += opt.line->count; return; no_match:this = this->next; } add_entry(); } int list_stats() { struct conn_data *this; int count = 0; this = first; while (this != NULL) { ++count; this = this->next; } return count; } void show_list(FILE * fd) { struct conn_data *this; int max = 0; this = first; while ((this != NULL) && (opt.max == 0 || max < opt.max)) { if (this->count >= opt.least && this->count > opt.threshold) { if (opt.html) { output_html_entry(this, fd); if (opt.html == 1) { opt.html = 2; } else { opt.html = 1; } } else { output_text_entry(this, fd); } } if (opt.max != 0) max++; this = this->next; } } fwlogwatch-1.2/rcfile.h0000644000076400001440000000032211453062534013471 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: rcfile.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _RCFILE_H #define _RCFILE_H unsigned char read_rcfile(char *rcfile, unsigned char must_exist); #endif fwlogwatch-1.2/response.h0000644000076400001440000000074311453062534014072 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: response.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _RESPONSE_H #define _RESPONSE_H #define IP_FW_F_PRN 0x0001 /* from , gcc segfaults if included */ void check_for_ipchains(void); void check_script_perms(char *name); void modify_firewall(unsigned char action); void remove_old(unsigned char mode); void look_for_alert(void); struct known_hosts *fwlw_hs_mergesort(struct known_hosts *list); #endif fwlogwatch-1.2/output.h0000644000076400001440000000104211453062534013565 0ustar bwusers/* 
Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: output.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _OUTPUT_H #define _OUTPUT_H #include "main.h" void output_timediff(time_t start, time_t end, char *td); void output_tcp_opts(struct conn_data *input, char *buf); void output_html_entry(struct conn_data *input, FILE * fd); void output_text_entry(struct conn_data *input, FILE * fd); void output_html_table(FILE * fd); void output_html_header(int fd); void output_html_footer(int fd); void output_raw_data(struct conn_data *input); #endif fwlogwatch-1.2/cisco_ios.l0000644000076400001440000001531211453062534014210 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: cisco_ios.l 706 2010-10-06 12:02:36Z bw $ */ %option prefix="cisco_ios" %option outfile="cisco_ios.c" %option noyywrap %{ #define YY_NO_INPUT #include #include #include #include "main.h" #include "utils.h" extern struct options opt; void cisco_ios_parse_date(char *input, unsigned char mode); void cisco_ios_parse_src(char *input, unsigned char mode); void cisco_ios_parse_dst(char *input, unsigned char mode); void cisco_ios_parse_if(char *input); %} MONTH "Jan"|"Feb"|"Mar"|"Apr"|"May"|"Jun"|"Jul"|"Aug"|"Sep"|"Oct"|"Nov"|"Dec" STRING [a-zA-Z][a-zA-Z0-9._-]* LOGHOST [0-9.a-zA-Z()_:-]* DIGIT [0-9] NUMBER {DIGIT}+ OCTET {DIGIT}{1,3} PORT {DIGIT}{1,5} CISCO "%SEC-6-IPACCESSLOG"("P"|"DP"|"RP"|"NP"|"S")":" LIST [a-zA-Z0-9._>-]* TARGET "denied"|"permitted" PROTO "tcp"|"udp"|"icmp"|"igmp"|"gre"|"ospf"|"ipinip"|"pim"|{NUMBER} %% {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST} cisco_ios_parse_date(cisco_iostext, CI_OPT_HOST); {NUMBER}":" /* ignore */ {DIGIT}"y"{DIGIT}{1,2}"w:" /* ignore */ {DIGIT}{1,2}"w"{DIGIT}"d:" /* ignore */ {DIGIT}"d"{DIGIT}{2}"h:" /* ignore */ {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}"."{DIGIT}{3}":" cisco_ios_parse_date(cisco_iostext, CI_OPT_MSEC); {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}":" 
cisco_ios_parse_date(cisco_iostext, CI_OPT_NONE); {CISCO} /* ignore */ "list "{LIST}[ ]{TARGET}[ ]{PROTO}[ ]{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"("{PORT}")" cisco_ios_parse_src(cisco_iostext, CI_OPT_PORT); "list "{LIST}[ ]{TARGET}[ ]{PROTO}[ ]{OCTET}"."{OCTET}"."{OCTET}"."{OCTET} cisco_ios_parse_src(cisco_iostext, CI_OPT_NONE); "list "{LIST}[ ]{TARGET}[ ]{OCTET}"."{OCTET}"."{OCTET}"."{OCTET} cisco_ios_parse_src(cisco_iostext, CI_OPT_MISSING); "-> "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"("{PORT}")," cisco_ios_parse_dst(cisco_iostext, CI_OPT_PORT); "-> "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}" ("{NUMBER}"/"{NUMBER}")," cisco_ios_parse_dst(cisco_iostext, CI_OPT_TYPE); "-> "{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}"," cisco_ios_parse_dst(cisco_iostext, CI_OPT_NONE); {NUMBER}" packet"("s")? { opt.line->count = atoi(cisco_iostext); opt.parser=opt.parser|CISCO_IOS_COUNT; } "("[A-Za-z0-9 /\._\*-]*")" cisco_ios_parse_if(cisco_iostext); [ ]+ /* ignore whitespace */ [\n] /* ignore */ {STRING} if(opt.verbose) fprintf(stderr, "Unrecognized token: %s\n", cisco_iostext); . 
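if(opt.verbose) fprintf(stderr, "Unrecognized character: %s\n", cisco_iostext);
%%

/*
 * Parse the timestamp at the start of a line and, for CI_OPT_HOST, the log
 * host following it.  CI_OPT_MSEC accepts a millisecond suffix (which is
 * read and discarded), CI_OPT_NONE a plain timestamp.  On success the line
 * time is set through build_time() and CISCO_IOS_DATE is recorded in
 * opt.parser.
 *
 * The "%32s" width must stay below SHOSTLEN, the size of opt.line->hostname
 * -- TODO confirm against main.h.
 */
void cisco_ios_parse_date(char *input, unsigned char mode)
{
  int retval, day, hour, minute, second, msec;
  char smonth[4];
#ifdef IRIX
  char tmp[SHOSTLEN];
#endif
#ifdef LOGDOTS
  char *remove_dot;
#endif

  if (mode == CI_OPT_HOST) {
    retval = sscanf(input, "%3s %2d %2d:%2d:%2d %32s", smonth, &day, &hour, &minute, &second,
#ifndef IRIX
		    opt.line->hostname);
#else
		    tmp);
#endif
    /* Checked on every platform: if the conversion failed the date fields
       are uninitialized and must not reach build_time(). */
    if (retval != 6)
      return;
#ifdef IRIX
    if (tmp[2] == ':')
      xstrncpy(opt.line->hostname, tmp + 3, SHOSTLEN);
#endif
#ifdef LOGDOTS
    /* Keep only the host part of a FQDN logged by the log host. */
    remove_dot = strstr(opt.line->hostname, ".");
    if (remove_dot != NULL)
      *remove_dot = '\0';
#endif
  } else if (mode == CI_OPT_MSEC) {
    retval = sscanf(input, "%3s %2d %2d:%2d:%2d.%3d:", smonth, &day, &hour, &minute, &second, &msec);
    if (retval != 6)
      return;
  } else if (mode == CI_OPT_NONE) {
    retval = sscanf(input, "%3s %2d %2d:%2d:%2d:", smonth, &day, &hour, &minute, &second);
    if (retval != 5)
      return;
  } else {
    /* Unknown mode: nothing was parsed, so do not report a date. */
    return;
  }
  build_time(smonth, day, hour, minute, second);
  opt.parser = opt.parser | CISCO_IOS_DATE;
}

/*
 * Parse the "list <acl> <denied|permitted> <proto> <src>[(port)]" part of a
 * line.  Fills opt.line->chainlabel, branchname, shost and (CI_OPT_PORT)
 * sport, records CISCO_IOS_SRC, then maps the protocol name or number to
 * opt.line->protocol and records CISCO_IOS_PROTO when it is non-zero.
 * CI_OPT_MISSING (line without a protocol) records nothing.
 *
 * The two "%" SHORTLEN_S "s" conversions write into SHORTLEN-sized fields;
 * SHORTLEN_S is assumed to be SHORTLEN - 1 -- TODO confirm against main.h.
 */
void cisco_ios_parse_src(char *input, unsigned char mode)
{
  char proto[8], ip[IPLEN];
  int shost1, shost2, shost3, shost4;
  int retval;

  /* proto has room for 7 characters plus the terminator, so the width must
     be 7: "%8s" stores up to 9 bytes and overruns the buffer by one when a
     numeric protocol in the log line has 8 or more digits.  The longest
     protocol name matched by the rules ("ipinip") also fits in 7, so the
     port form no longer needs a shorter "%5s". */
  if (mode == CI_OPT_PORT) {
    retval = sscanf(input, "list %" SHORTLEN_S "s %" SHORTLEN_S "s %7s %3d.%3d.%3d.%3d(%5d)", opt.line->chainlabel, opt.line->branchname, proto, &shost1, &shost2, &shost3, &shost4, &opt.line->sport);
    if (retval != 8)
      return;
  } else if (mode == CI_OPT_NONE) {
    retval = sscanf(input, "list %" SHORTLEN_S "s %" SHORTLEN_S "s %7s %3d.%3d.%3d.%3d", opt.line->chainlabel, opt.line->branchname, proto, &shost1, &shost2, &shost3, &shost4);
    if (retval != 7)
      return;
  } else {
    /* CI_OPT_MISSING and anything unexpected: nothing to record. */
    return;
  }

  snprintf(ip, IPLEN, "%d.%d.%d.%d", shost1, shost2, shost3, shost4);
  if (convert_ip(ip, &opt.line->shost) == IN_ADDR_ERROR)
    return;
  opt.parser = opt.parser | CISCO_IOS_SRC;

  if (strncmp(proto, "tcp", 3) == 0)
    opt.line->protocol = 6;
  else if (strncmp(proto, "udp", 3) == 0)
    opt.line->protocol = 17;
  else if (strncmp(proto, "icmp", 4) == 0)
    opt.line->protocol = 1;
  else if (strncmp(proto, "igmp", 4) == 0)
    opt.line->protocol = 2;
  else if (strncmp(proto, "gre", 3) == 0)
    opt.line->protocol = 47;	/* RFC1701/1702 */
  else if (strncmp(proto, "ospf", 4) == 0)
    opt.line->protocol = 89;
  else if (strncmp(proto, "ipinip", 6) == 0)
    opt.line->protocol = 4;
  else if (strncmp(proto, "pim", 3) == 0)
    opt.line->protocol = 103;
  else if (isdigit((int) proto[0]))
    opt.line->protocol = atoi(proto);	/* numeric protocol as logged */

  if (opt.line->protocol != 0)
    opt.parser = opt.parser | CISCO_IOS_PROTO;
}

/*
 * Parse the "-> <dst>..." part of a line.  CI_OPT_PORT reads a port into
 * opt.line->dport, CI_OPT_TYPE reads an ICMP "(type/code)" pair into
 * opt.line->sport and dport, CI_OPT_NONE just the address.  On success
 * opt.line->dhost is set and CISCO_IOS_DST is recorded in opt.parser.
 */
void cisco_ios_parse_dst(char *input, unsigned char mode)
{
  char ip[IPLEN];
  int dhost1, dhost2, dhost3, dhost4;
  int retval;

  switch (mode) {
  case CI_OPT_PORT:
    retval = sscanf(input, "-> %3d.%3d.%3d.%3d(%5d),", &dhost1, &dhost2, &dhost3, &dhost4, &opt.line->dport);
    if (retval != 5)
      return;
    break;
  case CI_OPT_TYPE:
    retval = sscanf(input, "-> %3d.%3d.%3d.%3d (%2d/%2d),", &dhost1, &dhost2, &dhost3, &dhost4, &opt.line->sport, &opt.line->dport);
    if (retval != 6)
      return;
    break;
  case CI_OPT_NONE:
    retval = sscanf(input, "-> %3d.%3d.%3d.%3d,", &dhost1, &dhost2, &dhost3, &dhost4);
    if (retval != 4)
      return;
    break;
  default:
    return;
  }

  snprintf(ip, IPLEN, "%d.%d.%d.%d", dhost1, dhost2, dhost3, dhost4);
  if (convert_ip(ip, &opt.line->dhost) == IN_ADDR_ERROR)
    return;
  opt.parser = opt.parser | CISCO_IOS_DST;
}

/*
 * Store the parenthesized interface text as the line's interface, or "-"
 * when the build asked for short names only (SHORT_NAMES).
 */
void cisco_ios_parse_if(char *input)
{
#ifndef SHORT_NAMES
  xstrncpy(opt.line->interface, input, SHORTLEN);
#else
  xstrncpy(opt.line->interface, "-", SHORTLEN);
#endif
}

/*
 * Entry point for one IOS log line: reset the parser state, run the scanner
 * and return PARSE_OK only when date, source, protocol, destination and
 * packet count were all found; otherwise report (in verbose mode) and
 * return PARSE_WRONG_FORMAT.
 */
unsigned char flex_cisco_ios(char *input, int linenum)
{
  opt.parser = 0;
  init_line();
  cisco_ios_scan_string(input);
  cisco_ioslex();
  cisco_ios_delete_buffer(YY_CURRENT_BUFFER);

  if (opt.parser == (CISCO_IOS_DATE | CISCO_IOS_SRC | CISCO_IOS_PROTO | CISCO_IOS_DST | CISCO_IOS_COUNT)) {
    return PARSE_OK;
  } else {
    if (opt.verbose)
      fprintf(stderr, "cisco_ios parse error in line %d, ignoring.\n", linenum);
    if (opt.verbose == 2)
      fprintf(stderr, "input 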
was: \"%s\"\n", input); return PARSE_WRONG_FORMAT; } } fwlogwatch-1.2/ipfw.l0000644000076400001440000001021211453062534013175 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: ipfw.l 706 2010-10-06 12:02:36Z bw $ */ %option prefix="ipfw" %option outfile="ipfw.c" %option noyywrap %{ #define YY_NO_INPUT #include #include #include #include "main.h" #include "utils.h" extern struct options opt; void ipfw_parse_start(char *input); void ipfw_parse_proto(char *input, unsigned char mode); void ipfw_parse_ips(char *input, unsigned char mode); %} MONTH "Jan"|"Feb"|"Mar"|"Apr"|"May"|"Jun"|"Jul"|"Aug"|"Sep"|"Oct"|"Nov"|"Dec" STRING [a-zA-Z][a-zA-Z0-9.-]* LOGHOST [0-9.a-zA-Z()_:-]* DIGIT [0-9] NUMBER {DIGIT}+ OCTET {DIGIT}{1,3} PORT {DIGIT}{1,5} PROTO "TCP"|"UDP" %% {MONTH}[ ]{1,2}{DIGIT}{1,2}[ ]{DIGIT}{2}:{DIGIT}{2}:{DIGIT}{2}[ ]{LOGHOST} ipfw_parse_start(ipfwtext); " kernel: ipfw: "{NUMBER} { xstrncpy(opt.line->chainlabel, ipfwtext+15, SHORTLEN); opt.parser=opt.parser|IPFW_CHAIN; }; " ipfw: "{NUMBER} { xstrncpy(opt.line->chainlabel, ipfwtext+7, SHORTLEN); opt.parser=opt.parser|IPFW_CHAIN; }; "Deny" { xstrncpy(opt.line->branchname, ipfwtext, SHORTLEN); opt.parser=opt.parser|IPFW_BRANCH; }; "Count" { xstrncpy(opt.line->branchname, ipfwtext, SHORTLEN); opt.parser=opt.parser|IPFW_BRANCH; }; "Accept" { xstrncpy(opt.line->branchname, ipfwtext, SHORTLEN); opt.parser=opt.parser|IPFW_BRANCH; }; {PROTO} ipfw_parse_proto(ipfwtext, IPFW_OPT_NONE); "ICMP:"{NUMBER}"."{NUMBER} ipfw_parse_proto(ipfwtext+5, IPFW_OPT_ICMP); {OCTET}"."{OCTET}"."{OCTET}"."{OCTET}[ ]{OCTET}"."{OCTET}"."{OCTET}"."{OCTET} ipfw_parse_ips(ipfwtext, IPFW_OPT_NONE); {OCTET}"."{OCTET}"."{OCTET}"."{OCTET}":"{PORT}[ ]{OCTET}"."{OCTET}"."{OCTET}"."{OCTET}":"{PORT} ipfw_parse_ips(ipfwtext, IPFW_OPT_PORTS); "in via "{STRING} { xstrncpy(opt.line->interface, ipfwtext+7, SHORTLEN); opt.parser=opt.parser|IPFW_IF; } [ ] /* ignore whitespace */ [\n] return 0; {STRING} if(opt.verbose) fprintf(stderr, 
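"Unrecognized token: %s\n", ipfwtext); . if(opt.verbose) fprintf(stderr, "Unrecognized character: %s\n", ipfwtext); %%

/*
 * Parse the syslog prefix "Mon dd hh:mm:ss loghost" of an ipfw line.
 *
 * On success the timestamp is handed to build_time(), the log host lands in
 * opt.line->hostname and IPFW_DATE is set in opt.parser.  If fewer than six
 * fields match nothing is changed and flex_ipfw() rejects the line.
 * NOTE(review): %32s assumes opt.line->hostname holds at least 33 bytes —
 * confirm against main.h.
 */
void ipfw_parse_start(char *input)
{
  int retval, day, hour, minute, second;
  char smonth[4];

  /* %3s into smonth[4] leaves room for the terminating NUL */
  retval = sscanf(input, "%3s %2d %2d:%2d:%2d %32s", smonth, &day, &hour, &minute, &second, opt.line->hostname);
  if (retval != 6)
    return;

  build_time(smonth, day, hour, minute, second);
  opt.parser = opt.parser | IPFW_DATE;
}

/*
 * Parse the protocol token.
 *
 * mode IPFW_OPT_NONE: input is "TCP" or "UDP"; the IP protocol number is
 *   stored in opt.line->protocol.
 * mode IPFW_OPT_ICMP: input is "type.code" (the caller already skipped the
 *   "ICMP:" prefix); protocol is set to 1, type and code are stored in
 *   sport/dport and IPFW_PORTS is set.
 * IPFW_PROTO is set whenever a protocol was recognised.
 */
void ipfw_parse_proto(char *input, unsigned char mode)
{
  int retval;
  char *pnt;

  if (mode == IPFW_OPT_NONE) {
    if (strncmp(input, "TCP", 3) == 0)
      opt.line->protocol = 6;
    else if (strncmp(input, "UDP", 3) == 0)
      opt.line->protocol = 17;
  } else if (mode == IPFW_OPT_ICMP) {
    opt.line->protocol = 1;
    /* The lexer guarantees the '.', but this function is externally
       callable, so do not dereference a NULL result. */
    pnt = strchr(input, '.');
    if (pnt == NULL)
      return;
    *pnt = ' ';
    /* ICMP type and code are 8-bit values: allow three digits each.  The
       old %2d read "130.0" as type 13 and silently accepted it. */
    retval = sscanf(input, "%3d %3d", &opt.line->sport, &opt.line->dport);
    if (retval != 2)
      return;
    opt.parser = opt.parser | IPFW_PORTS;
  }

  if (opt.line->protocol != 0)
    opt.parser = opt.parser | IPFW_PROTO;
}

/*
 * Parse the address pair.
 *
 * mode IPFW_OPT_NONE:  input is "src dst".
 * mode IPFW_OPT_PORTS: input is "src:sport dst:dport"; the ports go to
 *   sport/dport and IPFW_PORTS is set.
 * Both addresses are converted with convert_ip(); IPFW_IPS is set only when
 * both succeed.  Any other mode is ignored (previously the uninitialised
 * src/dst buffers were handed to convert_ip()).
 */
void ipfw_parse_ips(char *input, unsigned char mode)
{
  int retval;
  char src[16], dst[16], *pnt;

  if (mode == IPFW_OPT_PORTS) {
    /* Replace both "ip:port" separators with spaces so sscanf can split
       them; check the lookups so a malformed input cannot NULL-deref. */
    pnt = strchr(input, ':');
    if (pnt == NULL)
      return;
    *pnt = ' ';
    pnt = strchr(pnt + 1, ':');
    if (pnt == NULL)
      return;
    *pnt = ' ';
    /* A dotted quad is at most 15 characters.  The width must be one less
       than the buffer size: %16s into char[16] lets sscanf write the
       terminating NUL one byte past the end. */
    retval = sscanf(input, "%15s %5d %15s %5d", src, &opt.line->sport, dst, &opt.line->dport);
    if (retval != 4)
      return;
    opt.parser = opt.parser | IPFW_PORTS;
  } else if (mode == IPFW_OPT_NONE) {
    retval = sscanf(input, "%15s %15s", src, dst);
    if (retval != 2)
      return;
  } else {
    return;
  }

  if (convert_ip(src, &opt.line->shost) == IN_ADDR_ERROR)
    return;
  if (convert_ip(dst, &opt.line->dhost) == IN_ADDR_ERROR)
    return;

  opt.parser = opt.parser | IPFW_IPS;
}

unsigned char flex_ipfw(char *input, int linenum) { opt.parser = 0; init_line(); ipfw_scan_string(input); ipfwlex(); ipfw_delete_buffer(YY_CURRENT_BUFFER); opt.line->count = 1; if (opt.parser == (IPFW_DATE | IPFW_CHAIN | IPFW_BRANCH | IPFW_PROTO | IPFW_IPS | IPFW_PORTS | IPFW_IF)) { return PARSE_OK; } if (opt.verbose) fprintf(stderr, "ipfw parse error in line %d, ignoring.\n", 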
linenum); if (opt.verbose == 2) fprintf(stderr, "input was: \"%s\"\n", input); return PARSE_WRONG_FORMAT; } fwlogwatch-1.2/fwlogwatch.80000644000076400001440000002533411454321551014322 0ustar bwusers.\" Copyright (C) 2000-2010 Boris Wesslowski .\" $Id: fwlogwatch.8 710 2010-10-10 11:28:41Z bw $ .TH FWLOGWATCH 8 "25 April 2004" IS .SH NAME fwlogwatch \- a firewall log analyzer and realtime response agent .SH SYNOPSIS .B fwlogwatch .RI [ options ]\ [ input_files ] .SH DESCRIPTION .B fwlogwatch produces Linux ipchains, Linux netfilter/iptables, Solaris/BSD/Irix/HP-UX ipfilter, ipfw, Cisco IOS, Cisco PIX/ASA, NetScreen, Elsa Lancom router and Snort IDS log summary reports in plain text and HTML form and has a lot of options to analyze and display relevant patterns. It also can run as daemon (with web interface) doing realtime log monitoring and reporting anomalies or starting attack countermeasures. .SH "GENERAL OPTIONS" These options are independent from the main modes of operation. .IP \-h Show the available options. .IP \-L Show time of the first and the last log entry. The input file(s) can be compressed or plain log file(s). Summary mode will show the time of the first and last packet log entry, this log times mode will show the time of the first and last entry overall. .IP \-V Show version and copyright information and the options used to compile fwlogwatch. .SH "GLOBAL OPTIONS" The global options for all modes are: .IP \-b Show the amount of data in bytes this entry represents, this is the sum of total packet lengths of packets matching this rule (obviously only available for log formats that contain this information). .IP \-c\ \fIconfig\fR Use the alternate configuration file .IR config instead of the default configuration file .B /etc/fwlogwatch.config (which does not need to exist). Only options not specified in the files can be overridden by command line options. .IP \-D Do not differentiate destination IP addresses. 
Useful for finding scans in whole subnets. .IP \-d Differentiate destination ports. .IP \-E\ \fIformat\fR Specific hosts, ports, chains and branches (targets) can be selected or excluded, selections and exclusions can be added and combined. The .I format is composed of one of the functions .I i include or .I e exclude, then one of the parameters .I h host, .I p port, .I c chain or .I b branch. In case of a host or port a third parameter for .I s source or .I d destination is needed. Finally, the object is directly appended, in case of a host this is an IP address (networks can be specified in CIDR format), port is a number and chain and branch are strings. To show entries with destination port 25 you would use .B -Eipd25 and to exclude entries which have the class C network 192.168.1.0 as source or belong to the chain INPUT: .B -Eehs192.168.1.0/24 -EecINPUT .IP \-M\ \fInumber\fR If you only want to see a fixed maximum number of entries (e.g. the "top 20") this option will trim the output for you. .IP \-m\ \fIcount\fR When analyzing large amounts of data you usually aren't interested in entries that have a small count. You can hide entries below a certain threshold with this option. .IP \-N Enable service lookups. Port numbers will be looked up in /etc/services. .IP \-n Enable DNS lookups. Host names will be resolved (reverse and forward lookup with a warning if they don't match). This makes summary generation very slow if a lot of different hosts appear in the log file. Resolved host names are cached. .IP \-O\ \fIorder\fR This is the sort order of the summary and packet cache. Since entries often are equal in certain fields you can sort by several fields one after another (the sort algorithm is stable, so equal entries will remain sorted in the order they were sorted before).
The sort string can be composed of up to 11 fields of the form .B ab where .B a is the sort criteria: .I c count, .I t start time, .I e end time, .I z duration, .I n target name, .I p protocol, .I b byte count (sum of total packet lengths), .I S source host, .I s source port, .I D destination host and .I d destination port. .B b is the direction: .I a ascending and .I d descending. Sorting is done in the order specified, so the last option is the primary criteria. The default in summary mode is .I tacd (start with the highest count, if two counts match list the one earlier in time first) of which .I ta is built in, so if you specify an empty sort string or everything else is equal entries will be sorted ascending by time. The realtime response mode default is .I cd ( .I ta is not built in). .IP \-P\ \fIformat\fR Only use certain parsers, where the log .I format can be one or a combination of: .I i ipchains, .I n netfilter, .I f ipfilter, .I b ipfw, .I c Cisco IOS, .I p Cisco PIX/ASA, .I e NetScreen, .I l Elsa Lancom and .I s Snort. The default is to use all parsers except the ones for NetScreen, Elsa Lancom and Snort logs. .IP \-p Differentiate protocols. This is activated automatically if you differentiate source and/or destination ports. .IP \-s Differentiate source ports. .IP \-U\ \fItitle\fR Set .I title as title of the report and status page. .IP \-v Be verbose. You can specify it twice for more information. In very verbose mode while parsing the log file you will see "." for relevant packet filter log entries, "r" for 'last message repeated' entries concerning packet filter logs, "o" for packet filter log entries that are too old and "_" for entries that are not packet filter logs. .IP \-y Differentiate TCP options. All packets with a SYN are listed separately, other TCP flags are shown in full format if they are available (ipchains does not log them, netfilter and ipfilter do, Cisco IOS doesn't even log SYNs). 
.SH "LOG SUMMARY MODE" These are additional options that are only available in log summary mode: .IP \-e Show timestamp of last packet logged. End times are only available if there is more than one packet log entry with unique characteristics. .IP \-l\ \fItime\fR Process recent events only. See .B TIME FORMAT below for the time options. .IP \-o\ \fIfile\fR Specify an output file. .IP \-S Do not differentiate source IP addresses. .IP \-T\ \fIemail\fR The summary will be sent by email to this address. If HTML output is selected the report will be embedded as attachment so HTML-aware mail clients can show it directly. .IP \-t Show timestamp of first packet logged. .IP \-W Look up information about the source addresses in the whois database. This is slow, please don't stress the registry with too many queries. .IP \-w Produce output in HTML format. .IP \-z Show time interval between start and end time of packet log entries. This is only available if there is more than one packet log entry with unique characteristics. .SH "REALTIME RESPONSE MODE" .IP \-R Enter realtime response mode. This means: detach and run as a daemon until the TERM signal (kill) is received. The HUP signal forces a reload of the configuration file, the USR1 signal forces fwlogwatch to reopen and read the input file from the beginning (useful e.g. for log rotation). All output can be followed in the system log. .IP \-a\ \fIcount\fR Alert threshold. Notify or start countermeasures if this limit is reached. Defaults to 5. .IP \-l\ \fItime\fR Forget events that happened this long ago (defaults to 1 day). See .B TIME FORMAT below for the time options. .IP \-k\ \fIIP/net\fR This option defines a host or network in CIDR notation that will never be blocked or have other actions taken against it. To specify more than one, use the -k parameter again for each IP address or network you want to add. .IP \-A The notification script is invoked when the threshold is reached.
A few examples of possible notifications are included in fwlw_notify, you can add your own ones as you see fit. .IP \-B The response script is invoked when the threshold is reached. Using the example script fwlw_respond this will block the attacking host with a new firewall rule. A new chain for .B fwlogwatch actions is inserted in the input chain and block rules added as needed. The chain and its content is removed if .B fwlogwatch is terminated normally. The example scripts contain actions for ipchains and netfilter, you can modify them or add others as you like. .IP \-X\ \fIport\fR Activate the internal web server to monitor and control the current status of the daemon. It listens on the specified .I port and by default only allows connections from localhost. The default user name is .B admin and the default password is .B fwlogwat (since DES can only encrypt 8 characters). All options related to the status web server can be changed in the configuration file. .SH "INPUT FILES" You can specify one or more input files (if none is given it defaults to .B /var/log/messages ). Relevant entries are automatically detected so combined log files (e.g. from a log host) are no problem. Compressed files are supported (except in realtime response mode where they don't make sense anyway). The '-' sign may be used for reading from standard input (stdin). In realtime response mode the file needs to be specified with an absolute path since the daemon uses the file system root (/) as working directory. .SH "TIME FORMAT" Time is specified as .B nx where .B n is a natural number and .B x is one of the following: .I s for seconds (this is the default), .I m for minutes, .I h for hours, .I d for days, .I w for weeks, .I M for months and .I y for years. .SH FILES .IP \fB/etc/fwlogwatch.config\fR Default configuration file. .IP \fB/var/log/messages\fR Default input log file. 
.IP \fB/var/run/fwlogwatch.pid\fR Default PID file generated by the daemon in realtime response mode if configured to do so. .SH "FEATURES ONLY IN CONFIGURATION FILE" The following features are only available in the configuration file and not on the command line, they are presented and explained in more detail in the sample configuration file. .IP HTML\ colors\ and\ stylesheet The colors of the HTML output and status page can be customized, an external cascading stylesheet can be referenced. .IP Realtime\ response\ options Verification of ipchains rules, PID file handling, the user .B fwlogwatch should run as, the location of the notification and response scripts, which address the status web server listens on, which host can connect, the refresh interval of the status page and the admin name and password can be configured. .SH SECURITY Since .B fwlogwatch is a security tool special care was taken to make it secure. You can and should run it with user permissions for most functions, you can make it setgid for a group .B /var/log/messages is in if all you need is to be able to read this file. Only the realtime response mode with activated ipchains rule analysis needs superuser permissions but you might also need them to write the PID file, for actions in the response script and for binding the default status port. However, you can configure fwlogwatch to drop root privileges as soon as possible after allocating these resources (the notification and response scripts will still be executed with user privileges and log rotation might not work). 
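.SH AUTHOR Boris Wesslowski fwlogwatch-1.2/lancom.c0000644000076400001440000000661211453062534013501 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: lancom.c 706 2010-10-06 12:02:36Z bw $ */ #include #include #include #include #include #include "main.h" #include "utils.h" extern struct options opt;

/*
 * Parse one Elsa/LANCOM router log line into opt.line.
 *
 * The line is taken apart in place: each field is located with strchr()
 * and NUL-terminated before it is copied or converted.  The layout walked
 * here is, in order: a 15-byte syslog timestamp, the log host, the chain
 * label, "Dst:" followed by "ip:port", "Src:" followed by "ip:port", the
 * protocol in parentheses and finally the branch name.
 *
 * Returns PARSE_OK when every field was read, otherwise PARSE_WRONG_FORMAT
 * (with a diagnostic on stderr when opt.verbose is set).  Every separator
 * lookup is checked, so a truncated or otherwise malformed line — log
 * content is not under the analyzer's control — is rejected instead of
 * dereferencing NULL or writing past the end of the string.
 */
unsigned char lancom(char *input, int linenum)
{
  char *sinputs = input, *sinpute;
  int retval, day, hour, minute, second;
  char smonth[4];

  init_line();
  xstrncpy(opt.line->interface, "-", SHORTLEN);

  /* Read time: bytes 0-14 are the timestamp.  The line must continue past
     them, otherwise the NUL written at [15] lands outside the string. */
  if (strlen(input) <= 15) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading time in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  sinpute = sinputs + 15;
  *sinpute = '\0';
  retval = sscanf(sinputs, "%3s %2d %2d:%2d:%2d", smonth, &day, &hour, &minute, &second);
  if (retval != 5) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading time in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  build_time(smonth, day, hour, minute, second);

  /* Read loghost */
  sinpute++;
  sinputs = sinpute;
  sinpute = strchr(sinputs, ' ');
  if (sinpute == NULL) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading loghost in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  *sinpute = '\0';
  /* NOTE(review): the length passed here is the source length, not the size
     of opt.line->hostname, which is not visible in this file.  An over-long
     log host name is only safe if xstrncpy() or the destination bounds it —
     confirm against main.h and bound it there if needed. */
  xstrncpy(opt.line->hostname, sinputs, sinpute - sinputs + 1);

  /* Read chainlabel, bounded by the destination size as the other parsers
     do (the old call passed the source length). */
  sinpute++;
  sinputs = sinpute;
  sinpute = strchr(sinputs, ' ');
  if (sinpute == NULL) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading chainlabel in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  *sinpute = '\0';
  xstrncpy(opt.line->chainlabel, sinputs, SHORTLEN);

  /* Skip "Dst:": the address starts two characters after the colon, so at
     least one character must follow the colon before we step over it. */
  sinpute++;
  sinputs = sinpute;
  sinpute = strchr(sinputs, ':');
  if (sinpute == NULL || sinpute[1] == '\0') {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while looking for dhost in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  sinpute++;

  /* Read dest IP */
  sinpute++;
  sinputs = sinpute;
  sinpute = strchr(sinputs, ':');
  if (sinpute == NULL) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading dhost in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  *sinpute = '\0';
  if (convert_ip(sinputs, &opt.line->dhost) == IN_ADDR_ERROR) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading dhost in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }

  /* Read dest port */
  sinpute++;
  sinputs = sinpute;
  sinpute = strchr(sinputs, ' ');
  if (sinpute == NULL) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading dport in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  /* "!= 1" also catches EOF (-1), which the old "== 0" test let through */
  retval = sscanf(sinputs, "%5d", &opt.line->dport);
  if (retval != 1) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading dport in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }

  /* Skip the "Src:" (same two-character step as for "Dst:") */
  sinputs = sinpute;
  sinpute = strchr(sinputs, ':');
  if (sinpute == NULL || sinpute[1] == '\0') {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while looking for shost in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  sinpute++;

  /* Read source IP */
  sinpute++;
  sinputs = sinpute;
  sinpute = strchr(sinputs, ':');
  if (sinpute == NULL) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading shost in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  *sinpute = '\0';
  if (convert_ip(sinputs, &opt.line->shost) == IN_ADDR_ERROR) {
    if (opt.verbose)
      fprintf(stderr, "lancom 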
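parse error while reading shost in line %d, ignoring.\n", linenum); return PARSE_WRONG_FORMAT; }

  /* Read source port.  The separator lookup is checked so a line that ends
     here fails cleanly instead of dereferencing NULL. */
  sinpute++;
  sinputs = sinpute;
  sinpute = strchr(sinputs, ' ');
  if (sinpute == NULL) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading sport in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  *sinpute = '\0';
  /* "!= 1" also catches EOF (-1), which the old "== 0" test let through */
  retval = sscanf(sinputs, "%5d", &opt.line->sport);
  if (retval != 1) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading sport in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }

  /* Read protocol: "(TCP)" or "(UDP)"; both parentheses must be present */
  sinpute++;
  sinputs = sinpute;
  sinpute = strchr(sinputs, '(');
  if (sinpute == NULL) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while looking for protocol in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  sinpute++;
  sinputs = sinpute;
  sinpute = strchr(sinputs, ')');
  if (sinpute == NULL) {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while looking for protocol in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  *sinpute = '\0';
  if (strncmp(sinputs, "TCP", 3) == 0)
    opt.line->protocol = 6;
  else if (strncmp(sinputs, "UDP", 3) == 0)
    opt.line->protocol = 17;
  else {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading proto in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }

  /* Read branch name: it starts three characters after the ')' (the ')'
     itself plus two separator characters), all of which must exist before
     we step over them. */
  sinpute++;
  if (sinpute[0] == '\0' || sinpute[1] == '\0') {
    if (opt.verbose)
      fprintf(stderr, "lancom parse error while reading branch in line %d, ignoring.\n", linenum);
    return PARSE_WRONG_FORMAT;
  }
  sinpute++;
  sinpute++;
  sinputs = sinpute;
  /* Bounded by the destination size, as the other parsers do with SHORTLEN;
     the old call passed the source length instead. */
  xstrncpy(opt.line->branchname, sinputs, SHORTLEN);

  /* Set rest */
  opt.line->flags = 0;
  opt.line->count = 1;
  return PARSE_OK;
}
fwlogwatch-1.2/resolve.h0000644000076400001440000000057011453062534013711 0ustar bwusers/* Copyright (C) 2000-2010 Boris Wesslowski */ /* $Id: resolve.h 706 2010-10-06 12:02:36Z bw $ */ #ifndef _RESOLVE_H #define _RESOLVE_H char *resolve_protocol(int proto); char *resolve_service(int port, char *proto); char *resolve_hostname(struct in_addr ip); #ifdef HAVE_ADNS enum { RES_ADNS_PC, RES_ADNS_HS }; void adns_preresolve(unsigned char mode); #endif #endif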