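# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Kerio Winroute / Control firewall packet logs.
# All parsing happens in log.parsing_filters.parse below; every field that
# filter sets with set_collected_field() must be declared in log.fields.

winroute = {

  plugin_version = "2.0.1"

  # Initial creation - 1.0
  # 2011-07-27 - 1.0.1 - MSG - Edited info lines.
  # 2013-03-01 - 2.0 - GMF - Cleaned up.
  # 2014-01-21 - 2.0.1 - GMF - Added support for a slight variant
  # (unreleased) - review - TCP 'seq' was collected under the undeclared name 'sql';
  #   UDP/TCP detail parsing made independent of the address/protocol match.

  info.1.manufacturer = "Kerio"
  info.1.device = "Winroute Firewall"
  info.1.version.1 = ""
  info.2.manufacturer = "Kerio"
  info.2.device = "Control Firewall"
  info.2.version.1 = ""

  # The name of the log format
  log.format.format_label = "Kerio Winroute Firewall Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "proxy_server"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "^\\[[0-9][0-9]/[A-Z][a-z][a-z]/[0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\\] [A-Z]+ \"[^\"]*\" packet "
  log.format.parse_only_with_filters = "true"

  # Log fields (the collected fields the parsing filter may set)
  log.fields = {
    date = ""
    time = ""
    action = ""
    rule = ""
    direction = ""
    proto = ""
    len = ""
    src = ""
    src_port = ""
    dst = ""
    dst_port = ""
    udplen = ""
    tcplen = ""
    flags = ""
    seq = ""
    ack = ""
    win = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
    # Line header: [dd/Mon/yyyy hh:mm:ss] ACTION "rule name" packet from|to <interface> ...
    # Three header variants are tried in order. Each one stores what follows the
    # interface name in v.remainder, which the address/protocol matching below consumes.
    # Example of the older style (interface followed by a bare "PROTO src:port -> dst:port"):
    # [21/Feb/2013 00:48:15] DENY "Block Traffic" packet to Local Area Connection TCP 123.234.123.234:54330 -> 77.88.21.11:80
    v.remainder = "";

    # Variant 1: the interface is literally "Local Area Connection", remainder separated by spaces
    if (matches_regular_expression(current_log_line(), '^\\[([0-9][0-9]/[A-Z][a-z][a-z]/[0-9][0-9][0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\\] ([A-Z]*) \"([^\"]*)\" (packet [frtom]+ +Local Area Connection +) (.*)$')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      set_collected_field('', 'action', $3);
      set_collected_field('', 'rule', $4);
      set_collected_field('', 'direction', $5);
      v.remainder = $6;
    );
    # Variant 2: a single-word interface (e.g. "Internet") followed by a comma-separated remainder
    else if (matches_regular_expression(current_log_line(), '^\\[([0-9][0-9]/[A-Z][a-z][a-z]/[0-9][0-9][0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\\] ([A-Z]*) \"([^\"]*)\" (packet [frtom]+ [A-Za-z]+)(,.*)$')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      set_collected_field('', 'action', $3);
      set_collected_field('', 'rule', $4);
      set_collected_field('', 'direction', $5);
      v.remainder = $6;
    );
    # Variant 3: any interface name up to the first comma, remainder separated by a space
    else if (matches_regular_expression(current_log_line(), '^\\[([0-9][0-9]/[A-Z][a-z][a-z]/[0-9][0-9][0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\\] ([A-Z]*) \"([^\"]*)\" (packet [frtom]+ [^,]+) (.*)$')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      set_collected_field('', 'action', $3);
      set_collected_field('', 'rule', $4);
      set_collected_field('', 'direction', $5);
      v.remainder = $6;
    );

    # Address/protocol part of the remainder; at most one of these three forms applies.
    # Form A: ", proto:X, len:N, ip/port:src:sport -> dst:dport, ..."
    if (matches_regular_expression(v.remainder, '^, proto:([^,]*), len:([0-9]+), ip/port:([0-9.]*):([0-9]+) -> ([0-9.]*):([0-9]+),')) then (
      set_collected_field('', 'proto', $1);
      set_collected_field('', 'len', $2);
      set_collected_field('', 'src', $3);
      set_collected_field('', 'src_port', $4);
      set_collected_field('', 'dst', $5);
      set_collected_field('', 'dst_port', $6);
    );
    # Form B: ICMP, addresses without ports. Example:
    # [18/Dec/2013 00:00:11] PERMIT "VPN access - Cisco" packet from Internet, proto:ICMP, len:60, 192.168.225.16 -> 192.168.65.2, type:8 code:0
    # The type/code captures ($5, $6) are matched but not collected; no such log field is declared.
    else if (matches_regular_expression(v.remainder, '^, proto:([^,]*), len:([0-9]+), ([0-9.a-f:]+) -> ([0-9.a-f:]+), type:([0-9]+) code:([0-9]+)')) then (
      set_collected_field('', 'proto', $1);
      set_collected_field('', 'len', $2);
      set_collected_field('', 'src', $3);
      set_collected_field('', 'dst', $4);
    );
    # Form C (older style): "PROTO src:sport -> dst:dport" with no proto:/len: prefix
    else if (matches_regular_expression(v.remainder, '^([A-Z]+) +([0-9.]+):([0-9]+) +-> +([0-9.]+):([0-9]+)')) then (
      set_collected_field('', 'proto', $1);
      set_collected_field('', 'src', $2);
      set_collected_field('', 'src_port', $3);
      set_collected_field('', 'dst', $4);
      set_collected_field('', 'dst_port', $5);
    );

    # Protocol-specific detail. These are separate 'if' statements on purpose, not
    # further 'else if' branches of the chain above: they only apply to remainders
    # in the "proto:UDP,"/"proto:TCP," syntax, which is the syntax Form A consumes,
    # so as chained branches they would not run after a Form A match and
    # udplen/flags/seq/ack/win/tcplen would stay empty.
    # Parse UDP information
    if (matches_regular_expression(v.remainder, 'proto:UDP,.*udplen:([0-9]+)')) then (
      set_collected_field('', 'udplen', $1);
    );
    # Parse TCP information. The sequence number goes to the declared field 'seq'
    # (it was previously written to the undeclared name 'sql').
    if (matches_regular_expression(v.remainder, 'proto:TCP,.*flags:([^,]*), seq:([^ ]*) ack:([^ ]*), win:([^ ]*), tcplen:([^ ]*)')) then (
      set_collected_field('', 'flags', $1);
      set_collected_field('', 'seq', $2);
      set_collected_field('', 'ack', $3);
      set_collected_field('', 'win', $4);
      set_collected_field('', 'tcplen', $5);
    );

    # NOTE(review): the entry is accepted even when no header variant matched, so a
    # line in an unrecognised layout produces an entry with empty date/time and
    # address fields -- confirm this is intended rather than rejecting such lines.
    accept_collected_entry('', false);
  `

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    action = ""
    rule = ""
    direction = ""
    proto = ""
    src = ""
    src_port = ""
    dst = ""
    dst_port = ""
    flags = ""
    seq = ""
    ack = ""
    win = ""
  } # database.fields

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  # Numerical fields: len/udplen/tcplen come from the log fields of the same name
  database.numerical_fields = {
    accesses = {
      default = true
      requires_log_field = false
      entries_field = true
    } # accesses
    # distinct source addresses
    visitors = {
      requires_log_field = true
      log_field = "src"
      type = "unique"
    } # visitors
    len = {
      requires_log_field = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # len
    udplen = {
      requires_log_field = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # udplen
    tcplen = {
      requires_log_field = true
      type = "int"
      display_format_type = "integer"
    } # tcplen
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      actions_group = {
        action = true
        rule = true
      }
      source_group = {
        src = true
        src_port = true
        direction = true
      }
      destination_group = {
        dst = true
        dst_port = true
      }
      other_group = {
        proto = true
        flags = true
        seq = true
        ack = true
        win = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # winroute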