Show Posts

Development and Code Review / Rule numbers

« on: March 11, 2021, 10:22:29 pm »

Hi All,

I have my Opnsense box feeding into Splunk via syslog, but was annoyed by the lack of rule labels outside of the webgui. The script below will parse the /tmp/rules.debug file and pfctl output to generate a csv with rule number, rule action (pass/block), and the rule description. Mapping this to the syslog filterlog output, you can see statistics by rule instead of just rule number. The output file is located at /tmp/ruleslist.csv

Code: [Select]

#
#
rm /tmp/ruleslist.csv
#
#Create main rule list
#
input1=$(grep 'pass\|block' /tmp/rules.debug)
while IFS= read -r line || [[ -n $line ]]
do
    enabled=1
        if [ "${line:0:1}" = '#' ]
        then
          enabled=0
        fi
    action=$(echo $line | cut -d " " -f1)
        if [ $enabled -eq 0 ]
        then
          action=$(echo $line | cut -d " " -f2)
        fi
    ruleid=$(echo $line | perl -nle'print $& while m{label \K\"\K\w+}g')
    ruledesc=$(echo $line | perl -nle'print $& while m{(?<!^)\#\s(\:\s)?\K.*}g')
    echo "$enabled,$action,$ruleid,$ruledesc" >> /tmp/ruleslist.tmp
done <<< "$input1"

input2=$(pfctl -vvsr | grep @ )
echo "rulenum,ruleaction,ruledesc" >> /tmp/ruleslist.csv
while IFS= read -r line || [[ -n $line ]]
do
    rulenum2=$(echo $line | perl -nle'print $& while m{\@\K\d+}g')
    ruleid2=$(echo $line | perl -nle'print $& while m{label \K\"\K\w+}g')
        if [ "$ruleid2" != "" ]
        then
                ruleenabled2=$(grep -m 1 "$ruleid2" /tmp/ruleslist.tmp | cut -d "," -f1)
                ruleaction2=$(grep -m 1 "$ruleid2" /tmp/ruleslist.tmp | cut -d "," -f2)
                ruledesc2=$(grep -m 1 "$ruleid2" /tmp/ruleslist.tmp | cut -d "," -f4)
                echo $rulenum2","$ruleaction2","$ruledesc2 >> /tmp/ruleslist.csv
        fi
done <<< "$input2"
rm /tmp/ruleslist.tmp

Messages - snocrash

Development and Code Review / Re: Rule numbers

Development and Code Review / Rule numbers