path: root/src/formats/unifi_iptables_log.json
blob: 907266a01f3e315b3d59ba9658ed80e29288d190 (plain)
{
  "$schema": "https://lnav.org/schemas/format-v1.schema.json",
  "unifi_iptables_log": {
    "title": "UniFi iptables log",
    "description": "The UniFi gateway iptables logger format (for /var/log/iptables).",
    "url": "https://www.halolinux.us/firewalls/firewall-log-messages-what-do-they-mean.html",
    "regex": {
      "kernel-udp": {
        "pattern": "^(?<timestamp>[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?<host>[^\\s]+)\\s(?:\\[(?<rule_name>[^\\]]+)\\]\\s*)?(?:ALIEN BLOCK: )?DESCR=\"(?<DESCR>.*?)\"?\\sIN=(?<IP_IN>(?:\\d|\\w)*) OUT=(?<IP_OUT>(?:\\d|\\w)*) MAC=(?:(?<MAC>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?::(?<MAC_SRC>[^\\s]+)))? SRC=(?<SRC>(?:[\\d\\.])+) DST=(?<DST>(?:[\\d\\.])+) LEN=(?<LEN>(?:\\d+)) TOS=(?<TOS>(?:[0-9A-F])+) PREC=(?<PREC>0x(?:[0-9A-F])+) TTL=(?<TTL>\\d+) ID=(?<ID>\\d+) ((?<DF>(?:DF)) )?PROTO=(?<PROTO>UDP) SPT=(?<SPT>\\d+) DPT=(?<DPT>\\d+) LEN=(?<LEN_UDP>\\d+)\\s*(?<body>.*)$"
      },
      "kernel-tcp": {
        "pattern": "^(?<timestamp>[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?<host>[^\\s]+)\\s(?:\\[(?<rule_name>[^\\]]+)\\]\\s*)?(?:ALIEN BLOCK: )?DESCR=\"(?<DESCR>.*?)\"?\\sIN=(?<IP_IN>(?:\\d|\\w)*) OUT=(?<IP_OUT>(?:\\d|\\w)*) MAC=(?:(?<MAC>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?::(?<MAC_SRC>[^\\s]+))) SRC=(?<SRC>(?:[\\d\\.])+) DST=(?<DST>(?:[\\d\\.])+) LEN=(?<LEN>(?:\\d+)) TOS=(?<TOS>(?:[0-9A-F])+) PREC=(?<PREC>0x(?:[0-9A-F])+) TTL=(?<TTL>\\d+) ID=(?<ID>\\d+) ((?<DF>(?:DF)) )?PROTO=(?<PROTO>TCP) SPT=(?<SPT>\\d+) DPT=(?<DPT>\\d+) SEQ=(?<SEQ>\\d+) ACK=(?<ACK>\\d+) WINDOW=(?<WINDOW>\\d+) (?<body>.*)$"
      },
      "kernel-other-proto": {
        "pattern": "^(?<timestamp>[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?<host>[^\\s]+)\\s(?:\\[(?<rule_name>[^\\]]+)\\]\\s*)?(?:ALIEN BLOCK: )?DESCR=\"(?<DESCR>.*?)\"?\\sIN=(?<IP_IN>(?:\\d|\\w)*) OUT=(?<IP_OUT>(?:\\d|\\w)*) MAC=(?:(?<MAC>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?::(?<MAC_SRC>[^\\s]+)))? SRC=(?<SRC>(?:[\\d\\.])+) DST=(?<DST>(?:[\\d\\.])+) LEN=(?<LEN>(?:\\d+)) TOS=(?<TOS>(?:[0-9A-F])+) PREC=(?<PREC>0x(?:[0-9A-F])+) TTL=(?<TTL>\\d+) ID=(?<ID>\\d+) ((?<DF>(?:DF)) )?PROTO=(?<PROTO>(?!TCP|UDP)(?:\\w+))(?<body>.*)$"
      }
    },
    "opid-field": "SEQ",
    "multiline": false,
    "timestamp-format": [
      "%b %d %H:%M:%S"
    ],
    "value": {
      "host" : {
        "kind": "string",
        "identifier": true,
        "hidden": true
      },
      "rule_name" : {
        "kind": "string",
        "identifier": true
      },
      "DESCR" : {
        "kind": "string",
        "identifier": false
      },
      "dhcp_op" : {
        "kind": "string",
        "identifier": true
      },
      "dhcp_mac" : {
        "kind": "string",
        "identifier": true
      },
      "dhcp_iface" : {
        "kind": "string"
      },
      "dhcp_ip" : {
        "kind": "string",
        "collate": "ipaddress",
        "identifier": true
      },
      "SEQ" : {
        "kind": "integer",
        "identifier": true
      },
      "IP_IN" : {
        "kind": "string",
        "identifier": false
      },
      "IP_OUT" : {
        "kind": "string",
        "identifier": false
      },
      "MAC" : {
        "kind": "string",
        "identifier": true,
        "hidden": true
      },
      "MAC_SRC" : {
        "kind": "string",
        "identifier": false,
        "hidden": true
      },
      "SRC" : {
        "kind": "string",
        "collate": "ipaddress",
        "identifier": true
      },
      "SPT" : {
        "kind": "integer",
        "identifier": true
      },
      "DST" : {
        "kind": "string",
        "collate": "ipaddress",
        "identifier": true
      },
      "DPT" : {
        "kind": "integer",
        "identifier": true
      },
      "LEN" : {
        "kind": "integer"
      },
      "TOS" : {
        "kind": "string",
        "hidden": true
      },
      "PREC" : {
        "kind": "string",
        "hidden": true
      },
      "TTL" : {
        "kind": "integer",
        "hidden": true
      },
      "PROTO" : {
        "kind": "string",
        "identifier": true
      },
      "LEN_UDP" : {
        "kind": "integer"
      },
      "WINDOW" : {
        "kind": "integer",
        "hidden": true
      },
      "RES" : {
        "kind": "string",
        "hidden": true
      },
      "SYN" : {
        "kind": "string",
        "hidden": true
      },
      "URGP" : {
        "kind": "integer",
        "hidden": true
      },
      "body" : {
        "kind": "string"
      }
    },
    "highlights": {
      "rule_name": {
        "pattern": "(\\[.*-[DR]-.*\\])",
        "color": "Red",
        "underline": true
      }
    },
    "sample": [
      {
        "line": "Apr  7 21:49:03 UDM-Pro [WAN_IN-RET-3006] DESCR=\"[WAN_IN] PortForward Allow [HTTPS (cli IN=eth8 OUT=br96 MAC=24:5a:4c:a2:b1:09:48:2c:d0:ab:93:3f:08:00 SRC=194.230.158.35 DST=192.168.96.10 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=51880 DF PROTO=TCP SPT=38618 DPT=10443 SEQ=2560518888 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0"
      },
      {
        "line": "Apr  7 23:24:35 UDM-Pro [PREROUTING-DNAT-13] DESCR=\"PortForward DNAT [HTTPS (client-cer IN=eth8 OUT= MAC=24:5a:4c:a2:b1:09:48:2c:d0:ab:93:3f:08:00 SRC=103.203.57.14 DST=192.168.10.2 LEN=40 TOS=00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=43609 DPT=443 SEQ=3913455798 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0"
      },
      {
        "line": "Apr  7 21:40:58 UDM-Pro [LAN_IN-D-4001] DESCR=\"🛑Drop all InterVLAN traffic\" IN=br96 OUT=tlprt0 MAC=24:5a:4c:a2:b1:0b:24:5e:be:46:df:c8:08:00 SRC=192.168.96.10 DST=192.168.2.1 LEN=40 TOS=00 PREC=0x00 TTL=63 ID=50760 DF PROTO=TCP SPT=8084 DPT=55504 SEQ=1967017102 ACK=3747652110 WINDOW=131 ACK FIN URGP=0 MARK=0"
      }
    ]
  }
}