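#!/usr/bin/python
#
# ulog: An ufw log parser
# $Id: ulog,v 1.3 2008-09-02 19:12:55 ebastos Exp $
#
# Eri Ramos Bastos - bastos.eri (at) gmail.com
#
# Acknowledges:
# Regex for MAC Addresses: http://xiix.wordpress.com/2008/06/26/python-regex-for-mac-addresses/
#
"""ulog: summarise UFW firewall log lines from a syslog file.

Reads a syslog-style file (default /var/log/messages), picks out the kernel
"[UFW ...]" packet-log lines and prints one row per logged packet:

    SOURCE  ->  DESTINATION  [PROTOCOL/PORT]  WHEN

Only the classic syslog timestamp ("Mon DD HH:MM:SS host kernel: ...") and
IPv4 SRC/DST fields are recognised; other lines are skipped silently.

Security notes for maintainers:
  * Everything in the log file is untrusted input.  Syslog lines can be
    written by any local process (e.g. ``logger -t kernel``), so every value
    that reaches the operator's terminal is taken from a tightly constrained
    regex capture (digits/dots for addresses, alphanumerics for the protocol,
    digits for the port) instead of being copied verbatim.  That keeps
    terminal escape sequences out of the output.
  * The line pattern avoids chained ``.*`` so a hostile or malformed line
    cannot make the matcher backtrack for a long time (ReDoS).  The cheap
    ``"UFW" in line`` pre-filter also keeps the regex off most lines.
  * The log is read as bytes and decoded with replacement characters, so one
    line of binary garbage cannot abort the whole run with a decode error.
"""
import os
import re
import sys
from optparse import OptionParser

DEFAULT_LOGFILE = "/var/log/messages"
LIMITED_BROADCAST = "255.255.255.255"
HEADER = "SOURCE\t\t->\tDESTINATION\t\t[PROTOCOL/PORT]\t\tWHEN"

##############################################################################
#
# Regular expressions for each log line section
#
##############################################################################

# Dotted-quad IPv4 address (UFW's IPv6 lines use a different SRC/DST shape
# and are therefore skipped).
_IPV4 = r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}"

# One complete UFW packet line.  Notes on the pieces:
#   * day of month is [0-9]{1,2}; the old [1-9]{1,2} silently dropped every
#     line from the 10th, 20th and 30th.  syslog pads single-digit days with
#     a second space, hence " {1,2}".
#   * hostname is \S+ and interface names \S*, not .*: no overlapping
#     wildcards, so a near-miss line is rejected in linear time.
#   * the kernel timestamp may be padded ("[ 1234.567890]") and the UFW tag
#     may or may not be followed by a colon ("[UFW BLOCK INPUT]:" in 2008-era
#     logs, "[UFW BLOCK]" in later ones) -- both forms are accepted.
#   * MAC= carries 14 bytes: dst MAC (6), src MAC (6), ethertype (2).
UFW_LINE_RE = re.compile(
    r"(?P<date>[A-Z][a-z]{2} {1,2}[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}) "
    r"(?P<hostname>\S+) kernel: "
    r"\[ *[0-9]*\.[0-9]*\] \[UFW [^\]]*\]:? "
    r"IN=(?P<input_nic>\S*) OUT=(?P<output_nic>\S*) "
    r"MAC=(?:[a-fA-F0-9]{2}[:\-]?){14} "
    r"SRC=(?P<src_ip>%(ip)s) DST=(?P<dst_ip>%(ip)s) "
    r"(?P<rest>.*)" % {"ip": _IPV4}
)

# Protocol and destination port live in the free-form tail after DST=.
# PROTO is limited to alphanumerics ("TCP", "UDP", "ICMP" or a number) and
# DPT to digits so nothing else from the line is echoed to the terminal.
PROTO_RE = re.compile(r"\bPROTO=([A-Za-z0-9]+)")
DPT_RE = re.compile(r"\bDPT=([0-9]+)")


def build_parser():
    """Return the command-line OptionParser (same options as before)."""
    parser = OptionParser(usage="usage: %prog [-b] [-l LOGFILE]")
    parser.add_option("-b", "--broadcasts", dest="broadcast", action="store_true",
                      help="Show messages sent to broadcast address")
    # Accepted for backward compatibility; nothing reads it yet.
    parser.add_option("-d", "--debug", dest="debug", action="store_true",
                      help="Debug the log parsing")
    parser.add_option("-l", "--logfile", dest="logfile",
                      help="Other than %s" % DEFAULT_LOGFILE)
    return parser


def parse_ufw_line(line):
    """Parse one UFW packet-log line.

    Returns a dict with keys date, hostname, input_nic, output_nic, src_ip,
    dst_ip, proto and dst_port, or None when *line* is not a complete UFW
    packet line (e.g. a purely informational "[UFW ...]" message).  proto and
    dst_port are None when the tail of the line does not carry them -- ICMP
    lines have no DPT, for instance.
    """
    match = UFW_LINE_RE.search(line)
    if match is None:
        return None
    entry = match.groupdict()
    tail = entry.pop("rest")
    proto = PROTO_RE.search(tail)
    dport = DPT_RE.search(tail)
    entry["proto"] = proto.group(1) if proto else None
    entry["dst_port"] = dport.group(1) if dport else None
    return entry


def format_row(entry):
    """Render one parsed entry as the tab-separated output row.

    A missing protocol (which the old code crashed on) is shown as "?".
    """
    proto = entry["proto"] if entry["proto"] is not None else "?"
    if entry["dst_port"] is None:
        # Protocol may not have the port option (ICMP): pad with an extra
        # tab so the WHEN column still lines up.
        return "%s\t->\t%s\t\t[%s]\t\t\t%s" % (
            entry["src_ip"], entry["dst_ip"], proto, entry["date"])
    return "%s\t->\t%s\t\t[%s/%s]\t\t%s" % (
        entry["src_ip"], entry["dst_ip"], proto, entry["dst_port"], entry["date"])


def iter_rows(lines, show_broadcasts=False):
    """Yield one output row per UFW packet line in *lines* (iterable of str).

    Packets to the limited broadcast address 255.255.255.255 are dropped
    unless *show_broadcasts* is true (the -b switch).
    """
    for line in lines:
        if "UFW" not in line:  # cheap pre-filter before the regex
            continue
        entry = parse_ufw_line(line)
        if entry is None:
            continue  # informational UFW message, not a packet record
        if not show_broadcasts and entry["dst_ip"] == LIMITED_BROADCAST:
            continue
        yield format_row(entry)


def main(argv=None):
    """Entry point.  *argv* defaults to sys.argv[1:].  Returns the exit status.

    Exit status is 1 when the log file cannot be opened (reported on stderr)
    or when writing the report fails (typically EPIPE from ``| head``, which
    is kept silent as before); 0 otherwise.
    """
    options, _args = build_parser().parse_args(argv)
    logfile = options.logfile or DEFAULT_LOGFILE
    try:
        log = open(logfile, "rb")
    except (IOError, OSError) as exc:
        sys.stderr.write("ulog: cannot open %s: %s\n" % (logfile, exc))
        return 1
    out = sys.stdout
    try:
        with log:
            out.write(HEADER + "\n")
            out.write("=" * 90 + "\n")
            # Decode leniently: one undecodable byte must not kill the run.
            decoded = (raw.decode("utf-8", "replace") for raw in log)
            for row in iter_rows(decoded, show_broadcasts=bool(options.broadcast)):
                out.write(row + "\n")
        out.flush()
    except (IOError, OSError):
        # Broken pipe: exit quietly.  Point stdout at /dev/null so the
        # interpreter's shutdown flush does not raise a second time.
        try:
            devnull = os.open(os.devnull, os.O_WRONLY)
            os.dup2(devnull, sys.stdout.fileno())
        except (IOError, OSError, ValueError):
            pass
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())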