These are the logtypes files.
You can see I added a new category in the logs dictionary:
options=[]
logtype['options']=options
There are two types of options: printconditions and postprint.
The former allows choosing the data printed according to certain values on
certain axes, and the latter adds line modifications such as color or width.

Next step on the todo list is to go through the picviz/parsers/ directory and 
write more logtypes.

Best regards,
-- 
Julien Miotte
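import pickle


def _perl(*lines):
    """Join (indent, text) pairs into a Perl snippet, one newline-terminated line each.

    Each argument is a tuple (indent, text): indent is the number of leading
    spaces, text is one line of Perl without its trailing newline.
    """
    return "".join(" " * indent + text + "\n" for indent, text in lines)


# Logtype description for argus flow records; the dictionary is pickled to
# argus.ltp for the picviz parser generator. A .ltp file is a pickle, and
# unpickling executes whatever the file contains, so the consumer should only
# load .ltp files it generated itself or otherwise trusts.
logtype = {}
fields = {}
options = {}

logtype['fields'] = fields
logtype['name'] = "argus"
logtype['options'] = options
# Perl substitutions applied to $line before the mapping regex: the first
# doubles backslashes, the second rewrites ", &, < and >.
logtype['premapping'] = "    $line =~ s/\\\\/\\\\\\\\/g;\n    $line =~ s/\\\"|&|<|>/\\\"/g;\n"
# Raw string: identical bytes to the previous literal, without relying on
# Python preserving unknown escapes such as \d (a SyntaxWarning on 3.12+).
logtype['mapping'] = r"\d+-\d+-\d+ (\d+:\d+:\d+).\d+.*(udp|tcp).*(\d+.\d+.\d+.\d+)\.(\d+).*(\d+.\d+.\d+.\d+)\.(\d+).*"

#                  0           1          2        3                  4               5                  6
# fields[Label]=(Position, Description, Type, Variable picviz, Variable perl, Process post mapping, Relative)

fields['Time'] = (1, "Time", "timeline", "time", "$time", "", "false")
fields['Proto'] = (2, "Protocol", "string", "proto", "$proto", "", "false")
fields['SIP'] = (3, "Source IP", "ipv4", "sip", "$sip", "", "true")
fields['DIP'] = (4, "Destination IP", "ipv4", "dip", "$dip", "", "true")
fields['SPort'] = (5, "Source Port", "integer", "sport", "$sport", "", "true")
fields['DPort'] = (6, "Destination Port", "integer", "dport", "$dport", "", "true")

#                      0         1                  2              3         4          5
# options['usage']=( Usage, Description, PostDeclaration Code, Parser Code, Type, Fields Needed)
# "postprint" option (column 4): Perl that colours the line by protocol.
# It takes no parameter and declares no needed field (both "").
options['proto'] = ("", "Colorizes the line in yellow if protocol is tcp, and in blue if not", "", _perl(
    (8, "if ($opt_proto){"),
    (12, "if ($proto =~ m/tcp/){"),
    (16, 'print " [color=\\"yellow\\"]";'),
    (12, "}"),
    (12, "else {"),
    (16, 'print " [color=\\"blue\\"]";'),
    (12, "}"),
    (8, "}"),
), "postprint", "")

# Binary mode is what pickle expects (required on Python 3); protocol 0 keeps
# the .ltp file in the same text form as the existing dumps; the with block
# closes the file explicitly instead of leaving that to interpreter exit.
with open("argus.ltp", "wb") as o:
    pickle.dump(logtype, o, 0)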
(dp0
S'fields'
p1
(dp2
S'MIME Type'
p3
(I12
S'MIME type : HTML, CSS, ...'
p4
S'string'
p5
S'mt'
p6
S'$mimetype'
p7
S''
p8
S'true'
p9
tp10
sS'HTTP'
p11
(I6
S'HTTP method used : PUT or GET'
p12
g5
S'm'
p13
S'$method'
p14
g8
g9
tp15
sS'URL'
p16
(I4
S'URL requested by the user'
p17
S'enum'
p18
S'u'
p19
S'$url'
p20
S'        # URL process\n        if ($url =~ m/^http:\\/\\/([\\w\\.-]*)/) {\n   
         $url=$1;\n        }\n        if ($url =~ m/^\\w*\\.(\\w*)$/) {\n       
     $machine="www";\n            $domain=$url;\n        }\n        else {\n    
        if ($url =~ /\\d$/) {\n                $machine="";\n                
$domain=$url;\n            }\n            else {\n                if ($url =~ 
/^\\w*$/) {\n                    $domain=$url;\n                    
$machine="";\n                }\n                else {\n                    
$url =~ m/^([^\\/\\.]*)\\.(\\S*)/;\n                    $machine=$1;\n          
          $domain=$2;\n                }\n            }\n        }\n        
$url=$domain;\n'
p21
g9
tp22
sS'IP'
p23
(I3
S'IP address used by the user'
p24
S'ipv4'
p25
S'i'
p26
S'$ipaddr'
p27
S'        # IP process\nif ($ipaddr =~ m/(\\d*)\\.(\\d*)\\.(\\d*)\\.(\\d*)/) 
{\n            $a=$1;\n            $b=$2;\n            $c=$3;\n            
$d=$4;\n            $ipaddr="$d.$c.$b.$a";\n        }\n'
p28
g9
tp29
sS'Time'
p30
(I1
S'Time when the request was done'
p31
S'timeline'
p32
S't'
p33
S'$time'
p34
S"        # Time process\n        if ($time =~ m/^\\S* (\\d+):(\\d+):\\d+/) {\n 
           $int_time=int($1)*60+int($2);\n            $time=$1.':'.$2;\n        
}\n"
p35
g9
tp36
sS'Login'
p37
(I2
S'User making the request'
p38
g18
S'n'
p39
S'$name'
p40
S'        # Login process\n        if ($name =~ m/(\\w*)\\.(\\w*)/) {\n         
   $first = $1;\n            $last = $2;\n        }\n        else {\n           
 $last=$name;\n            $first="";\n        }\n        $name="$last 
$first";\n'
p41
g9
tp42
sS'Size'
p43
(I7
S'Size of the answer'
p44
S'integer'
p45
S's'
p46
S'$ssize'
p47
g8
g9
tp48
ssS'mapping'
p49
S'^"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)"([^"]*)'
p50
sS'options'
p51
(dp52
S'Tmax'
p53
(S'HH:MM'
p54
S"Won't use lines written after the given time."
p55
S'if ($opt_Tmax eq "") {\n    $opt_Tmax="23:59";\n}\n$opt_Tmax =~ 
m/(\\d+):(\\d+)/;\n$max_time=int($1)*60+$2;\n'
p56
S'$int_time <= $max_time'
p57
S'printcondition'
p58
g30
tp59
sS'Tmin'
p60
(g54
S"Won't use lines written before the given time."
p61
S'if ($opt_Tmin eq "") {\n    $opt_Tmin="00:00";\n}\n$opt_Tmin =~ 
m/(\\d+):(\\d+)/;\n$min_time=int($1)*60+$2;\n'
p62
S'$int_time >= $min_time'
p63
g58
g30
tp64
sS'name'
p65
(g39
S'Colorizes every line with the given value on the name axis.'
p66
g8
S'        if ($opt_name){\n            if($name =~ m/$opt_name/){\n             
   print " [color=\\"red\\"]";\n            }\n        }\n'
p67
S'postprint'
p68
g37
tp69
sS'size'
p70
(g46
S'Colorizes every line with the given value on the size axis.'
p71
g8
S'        if ($opt_size){\n            if($size =~ m/$opt_size/){\n             
   print " [color=\\"red\\"]";\n            }\n        }\n'
p72
g68
g43
tp73
ssg65
S'dansGuardian'
p74
sS'premapping'
p75
S'    $line=~ s/\\",\\"/\\"/g;\n'
p76
s.
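import pickle


def _perl(*lines):
    """Join (indent, text) pairs into a Perl snippet, one newline-terminated line each.

    Each argument is a tuple (indent, text): indent is the number of leading
    spaces, text is one line of Perl without its trailing newline.
    """
    return "".join(" " * indent + text + "\n" for indent, text in lines)


# Month abbreviations as they appear in the syslog timestamp, in calendar
# order; the position in the tuple gives the month number.
_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Logtype description for iptables syslog lines; the dictionary is pickled to
# iptables.ltp for the picviz parser generator. A .ltp file is a pickle, and
# unpickling executes whatever the file contains, so the consumer should only
# load .ltp files it generated itself or otherwise trusts.
logtype = {}
fields = {}
options = {}

logtype['fields'] = fields
logtype['options'] = options
logtype['name'] = "iptables"
# Raw string: identical bytes to the previous literal, without relying on
# Python preserving unknown escapes such as \d (a SyntaxWarning on 3.12+).
logtype['mapping'] = r"(\w+  \d+ \d+:\d+:\d+) (\w+) (\S+):(.*):.*SRC=(\d+.\d+.\d+.\d+) DST=(\d+.\d+.\d+.\d+) LEN=(\d+).*TTL=(\d+).*SPT=(\d+) DPT=(\d+).*"

#                  0           1          2        3                  4               5                  6
# fields[Label]=(Position, Description, Type, Variable picviz, Variable perl, Process post mapping, Relative)

# Perl post-mapping code for the Time field: splits the syslog timestamp into
# month name, day and clock time, maps the month name to a two-digit number and
# rebuilds $time. The Perl is kept byte-for-byte as originally emitted.
# NOTE(review): in the emitted Perl `==` is the numeric comparison (string
# equality is `eq`), `$day` is read but only `$date` is assigned, and the year
# 2008 is hard-coded — confirm against the generated parser before trusting
# the Time axis.
_time_lines = [
    (8, "# Time Process"),
    (8, r"if ($time =~ m/(\w+)  (\d+) (\d+:\d+:\d+)/){"),
    (12, "$month = $1;"),
    (12, "$date  = $2;"),
    (12, "$hour  = $3;"),
]
for _num, _abbr in zip(range(1, 13), _MONTHS):
    _time_lines += [
        (12, 'if ($month == "%s") {' % _abbr),
        (16, '$month = "%02d";' % _num),
        (12, "}"),
    ]
_time_lines += [
    (12, '$time="2008-$month-$day $hour";'),
    (8, "}"),
]

fields['Time'] = (1, "Time", "timeline", "t", "$time", _perl(*_time_lines), "false")
fields['Machine'] = (2, "Machine", "string", "machine", "$machine", "", "true")
fields['Log Type'] = (3, "Kernel all the time", "string", "lgt", "$lgt", "", "true")
# NOTE(review): the type values "String", "gold" and "char" below differ from
# the "string"/"integer"/"ipv4" spellings used by the other logtypes on this
# page — confirm they are types picviz accepts.
fields['Flow'] = (4, "Inbound or Outbound", "String", "flow", "$flow", "", "true")
fields['SIP'] = (5, "Source IP", "string", "sip", "$sip", "", "true")
fields['DIP'] = (6, "Destination IP", "string", "dip", "$dip", "", "true")
fields['Length'] = (7, "Length", "gold", "len", "$len", "", "true")
fields['TTL'] = (8, "Time to live", "char", "ttl", "$ttl", "", "true")
# NOTE(review): the Perl variable "$stp" does not follow the "$" + picviz-name
# pattern of every other field ("spt") — probably a typo; confirm before use.
fields['Sport'] = (9, "Source port", "integer", "spt", "$stp", "", "true")
fields['Dport'] = (10, "Destination port", "integer", "dpt", "$dpt", "", "true")

# Binary mode is what pickle expects (required on Python 3); protocol 0 keeps
# the .ltp file in the same text form as the existing dumps; the with block
# closes the file explicitly instead of leaving that to interpreter exit.
with open("iptables.ltp", "wb") as o:
    pickle.dump(logtype, o, 0)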
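import pickle


def _perl(*lines):
    """Join (indent, text) pairs into a Perl snippet, one newline-terminated line each.

    Each argument is a tuple (indent, text): indent is the number of leading
    spaces, text is one line of Perl without its trailing newline.
    """
    return "".join(" " * indent + text + "\n" for indent, text in lines)


# Logtype description for dansGuardian access logs; the dictionary is pickled
# to dansGuardian.ltp for the picviz parser generator. A .ltp file is a pickle,
# and unpickling executes whatever the file contains, so the consumer should
# only load .ltp files it generated itself or otherwise trusts.
logtype = {}
fields = {}
options = {}

logtype['fields'] = fields
logtype['name'] = "dansGuardian"
# Perl substitution applied to $line before the mapping regex: turns the
# `","` separators between quoted fields into a single `"`.
logtype['premapping'] = "    $line=~ s/\\\",\\\"/\\\"/g;\n"
# One capture group per quoted field of the log line (kept verbatim).
logtype['mapping'] = "^\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)\"([^\"]*)"
logtype['options'] = options

#                  0           1          2        3                  4               5                  6
# fields[Label]=(Position, Description, Type, Variable picviz, Variable perl, Process post mapping, Relative)

# Time: keeps HH:MM in $time and stores minutes-since-midnight in $int_time,
# which the Tmin/Tmax print conditions below compare against.
fields['Time'] = (1, "Time when the request was done", "timeline", "t", "$time", _perl(
    (8, "# Time process"),
    (8, r"if ($time =~ m/^\S* (\d+):(\d+):\d+/) {"),
    (12, "$int_time=int($1)*60+int($2);"),
    (12, "$time=$1.':'.$2;"),
    (8, "}"),
), "true")
# Login: a "first.last" login is re-ordered to "last first"; anything else is
# used as the last name.
fields['Login'] = (2, "User making the request", "enum", "n", "$name", _perl(
    (8, "# Login process"),
    (8, r"if ($name =~ m/(\w*)\.(\w*)/) {"),
    (12, "$first = $1;"),
    (12, "$last = $2;"),
    (8, "}"),
    (8, "else {"),
    (12, "$last=$name;"),
    (12, '$first="";'),
    (8, "}"),
    (8, '$name="$last $first";'),
), "true")
# IP: the address is rewritten with its four octets in reverse order
# (presumably deliberate for the ipv4 axis — confirm with the picviz side).
# The "if" line used to be emitted with no indent (8*"" in the source); it is
# now indented like its neighbours, which Perl does not care about.
fields['IP'] = (3, "IP address used by the user", "ipv4", "i", "$ipaddr", _perl(
    (8, "# IP process"),
    (8, r"if ($ipaddr =~ m/(\d*)\.(\d*)\.(\d*)\.(\d*)/) {"),
    (12, "$a=$1;"),
    (12, "$b=$2;"),
    (12, "$c=$3;"),
    (12, "$d=$4;"),
    (12, '$ipaddr="$d.$c.$b.$a";'),
    (8, "}"),
), "true")
# URL: strips the http:// scheme and reduces the host name to its domain part
# (the leading host label is dropped; bare names and names ending in a digit
# are kept whole).
fields['URL'] = (4, "URL requested by the user", "enum", "u", "$url", _perl(
    (8, "# URL process"),
    (8, r"if ($url =~ m/^http:\/\/([\w\.-]*)/) {"),
    (12, "$url=$1;"),
    (8, "}"),
    (8, r"if ($url =~ m/^\w*\.(\w*)$/) {"),
    (12, '$machine="www";'),
    (12, "$domain=$url;"),
    (8, "}"),
    (8, "else {"),
    (12, r"if ($url =~ /\d$/) {"),
    (16, '$machine="";'),
    (16, "$domain=$url;"),
    (12, "}"),
    (12, "else {"),
    (16, r"if ($url =~ /^\w*$/) {"),
    (20, "$domain=$url;"),
    (20, '$machine="";'),
    (16, "}"),
    (16, "else {"),
    (20, r"$url =~ m/^([^\/\.]*)\.(\S*)/;"),
    (20, "$machine=$1;"),
    (20, "$domain=$2;"),
    (16, "}"),
    (12, "}"),
    (8, "}"),
    (8, "$url=$domain;"),
), "true")
fields['HTTP'] = (6, "HTTP method used : PUT or GET", "string", "m", "$method", "", "true")
fields['Size'] = (7, "Size of the answer", "integer", "s", "$ssize", "", "true")
fields['MIME Type'] = (12, "MIME type : HTML, CSS, ...", "string", "mt", "$mimetype", "", "true")


# options type : printcondition postprint
#                      0         1                  2              3         4          5
# options['usage']=( Parameter, Description, PostDeclaration Code, Parser Code, Type, Fields Needed)
# NOTE(review): $opt_name / $opt_size are interpolated into the Perl regex
# unquoted, so a value containing regex metacharacters is treated as a pattern
# and an unbalanced one aborts the generated parser; if literal matching is
# intended, Perl's \Q...\E quoting would give it. Left unchanged here.
options['name'] = ("n", "Colorizes every line with the given value on the name axis.", "", _perl(
    (8, "if ($opt_name){"),
    (12, "if($name =~ m/$opt_name/){"),
    (16, 'print " [color=\\"red\\"]";'),
    (12, "}"),
    (8, "}"),
), "postprint", "Login")
options['size'] = ("s", "Colorizes every line with the given value on the size axis.", "", _perl(
    (8, "if ($opt_size){"),
    (12, "if($size =~ m/$opt_size/){"),
    (16, 'print " [color=\\"red\\"]";'),
    (12, "}"),
    (8, "}"),
), "postprint", "Size")
# Tmax/Tmin: the post-declaration code turns the HH:MM option into minutes;
# the parser code is the print condition evaluated per line against $int_time.
# NOTE(review): when the option does not match (\d+):(\d+), Perl leaves $1/$2
# at the values of the previous successful match, so the bound is computed
# from stale captures — validating the option format would avoid that.
options['Tmax'] = ("HH:MM", "Won't use lines written after the given time.", _perl(
    (0, 'if ($opt_Tmax eq "") {'),
    (4, '$opt_Tmax="23:59";'),
    (0, "}"),
    (0, r"$opt_Tmax =~ m/(\d+):(\d+)/;"),
    (0, "$max_time=int($1)*60+$2;"),
), "$int_time <= $max_time", "printcondition", "Time")
options['Tmin'] = ("HH:MM", "Won't use lines written before the given time.", _perl(
    (0, 'if ($opt_Tmin eq "") {'),
    (4, '$opt_Tmin="00:00";'),
    (0, "}"),
    (0, r"$opt_Tmin =~ m/(\d+):(\d+)/;"),
    (0, "$min_time=int($1)*60+$2;"),
), "$int_time >= $min_time", "printcondition", "Time")

# Binary mode is what pickle expects (required on Python 3); protocol 0 keeps
# the .ltp file in the same text form as the existing dumps; the with block
# closes the file explicitly instead of leaving that to interpreter exit.
with open("dansGuardian.ltp", "wb") as o:
    pickle.dump(logtype, o, 0)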
(dp0
S'fields'
p1
(dp2
S'SIP'
p3
(I5
S'Source IP'
p4
S'string'
p5
S'sip'
p6
S'$sip'
p7
S''
p8
S'true'
p9
tp10
sS'Log Type'
p11
(I3
S'Kernel all the time'
p12
g5
S'lgt'
p13
S'$lgt'
p14
g8
g9
tp15
sS'TTL'
p16
(I8
S'Time to live'
p17
S'char'
p18
S'ttl'
p19
S'$ttl'
p20
g8
g9
tp21
sS'Flow'
p22
(I4
S'Inbound or Outbound'
p23
S'String'
p24
S'flow'
p25
S'$flow'
p26
g8
g9
tp27
sS'Machine'
p28
(I2
g28
g5
S'machine'
p29
S'$machine'
p30
g8
g9
tp31
sS'Length'
p32
(I7
g32
S'gold'
p33
S'len'
p34
S'$len'
p35
g8
g9
tp36
sS'Time'
p37
(I1
g37
S'timeline'
p38
S't'
p39
S'$time'
p40
S'        # Time Process\n        if ($time ~= m/(\\w+)  (\\d+) 
(\\d+:\\d+:\\d+)/){\n            $month = $1;\n            $date  = $2;\n       
     $hour  = $3;\n            if ($month == "Jan") {\n                $month = 
"01";\n            }\n            if ($month == "Feb") {\n                
$month = "02";\n            }\n            if ($month == "Mar") {\n             
   $month = "03";\n            }\n            if ($month == "Apr") {\n          
      $month = "04";\n            }\n            if ($month == "May") {\n       
         $month = "05";\n            }\n            if ($month == "Jun") {\n    
            $month = "06";\n            }\n            if ($month == "Jul") {\n 
               $month = "07";\n            }\n            if ($month == "Aug") 
{\n                $month = "08";\n            }\n            if ($month == 
"Sep") {\n                $month = "09";\n            }\n            if ($month 
== "Oct") {\n                $month = "10";\n            }\n            if 
($month == "Nov") {\n                $month = "11";\n            }\n            
if ($month == "Dec") {\n                $month = "12";\n            }\n         
   $time="2008-$month-$day $hour";\n        }\n'
p41
S'false'
p42
tp43
sS'Dport'
p44
(I10
S'Destination port'
p45
S'integer'
p46
S'dpt'
p47
S'$dpt'
p48
g8
g9
tp49
sS'Sport'
p50
(I9
S'Source port'
p51
g46
S'spt'
p52
S'$stp'
p53
g8
g9
tp54
sS'DIP'
p55
(I6
S'Destination IP'
p56
g5
S'dip'
p57
S'$dip'
p58
g8
g9
tp59
ssS'name'
p60
S'iptables'
p61
sS'mapping'
p62
S'(\\w+  \\d+ \\d+:\\d+:\\d+) (\\w+) (\\S+):(.*):.*SRC=(\\d+.\\d+.\\d+.\\d+) 
DST=(\\d+.\\d+.\\d+.\\d+) LEN=(\\d+).*TTL=(\\d+).*SPT=(\\d+) DPT=(\\d+).*'
p63
s.
(dp0
S'fields'
p1
(dp2
S'SIP'
p3
(I3
S'Source IP'
p4
S'ipv4'
p5
S'sip'
p6
S'$sip'
p7
S''
p8
S'true'
p9
tp10
sS'Proto'
p11
(I2
S'Protocol'
p12
S'string'
p13
S'proto'
p14
S'$proto'
p15
g8
S'false'
p16
tp17
sS'Time'
p18
(I1
g18
S'timeline'
p19
S'time'
p20
S'$time'
p21
g8
g16
tp22
sS'DPort'
p23
(I6
S'Destination Port'
p24
S'integer'
p25
S'dport'
p26
S'$dport'
p27
g8
g9
tp28
sS'SPort'
p29
(I5
S'Source Port'
p30
g25
S'sport'
p31
S'$sport'
p32
g8
g9
tp33
sS'DIP'
p34
(I4
S'Destination IP'
p35
g5
S'dip'
p36
S'$dip'
p37
g8
g9
tp38
ssS'mapping'
p39
S'\\d+-\\d+-\\d+ 
(\\d+:\\d+:\\d+).\\d+.*(udp|tcp).*(\\d+.\\d+.\\d+.\\d+)\\.(\\d+).*(\\d+.\\d+.\\d+.\\d+)\\.(\\d+).*'
p40
sS'name'
p41
S'argus'
p42
sS'premapping'
p43
S'    $line =~ s/\\\\/\\\\\\\\/g;\n    $line =~ s/\\"|&|<|>/\\"/g;\n'
p44
sS'options'
p45
(dp46
S'proto'
p47
(g8
S'Colorizes the line in yellow if protocol is tcp, and in blue if not'
p48
g8
S'        if ($opt_proto){\n            if ($proto =~ m/tcp/){\n                
print " [color=\\"yellow\\"]";\n            }\n            else {\n             
   print " [color=\\"blue\\"]";\n            }\n        }\n'
p49
S'postprint'
p50
g8
tp51
ss.