ufp

The Uncomplicated Firewall (ufw) log parser. Includes a Python package for parsing, filtering, and formatting logs, in addition to a CLI front-end.

Usage: ufp.py [-h] [-p] [-s] [-src2dpt] [-dst2dpt] [-src2dst] [-ct] [-r] [-c]
              [-a] [-b] [-i] [-o] [-spt FILTER_SOURCE_PORT]
              [-dpt FILTER_DESTINATION_PORT] [-src FILTER_SOURCE_IP]
              [-dst FILTER_DESTINATION_IP]
              [filename]

positional arguments:
  filename              Specify which ufw log file to parse. - for stdin.
                        /var/log/ufw.log is default.

optional arguments:
  -h, --help            show this help message and exit
  -p, --print           Print the parsed data with a basic formatter which
                        displays source and destination pairs.
  -s, --summary         Print the parsed data with a summary which displays
                        distinct sources and destinations, ports.
  -src2dpt, --source-to-dst-port
                        Print the parsed data with a summary which displays
                        distinct sources and destination ports for each
                        source.
  -dst2dpt, --destination-to-dst-port
                        Print the parsed data with a summary which displays
                        distinct destinations and destination ports for each
                        destination.
  -src2dst, --source-to-dst
                        Print the parsed data with a summary which displays
                        distinct sources and destination addresses for each
                        source.
  -ct, --count          Count entries after filtering and display the number.
  -r, --reverse-dns     Enable reverse DNS lookup to translate IP addresses
                        into hostnames.
  -c, --colorize        Use colored icons in output to represent ALLOW or
                        BLOCK.
  -a, --filter-allow-only
                        Only display entries for which the resulting action
                        was ALLOW.
  -b, --filter-block-only
                        Only display entries for which the resulting action
                        was BLOCK.
  -i, --filter-inbound-only
                        Only display entries which were initiated inbound to
                        the logging host.
  -o, --filter-outbound-only
                        Only display entries which were initiated outbound
                        from the logging host.
  -spt FILTER_SOURCE_PORT, --filter-source-port FILTER_SOURCE_PORT
                        Only display entries which have a source port matching
                        the value provided.
  -dpt FILTER_DESTINATION_PORT, --filter-destination-port FILTER_DESTINATION_PORT
                        Only display entries which have a destination port
                        matching the value provided.
  -src FILTER_SOURCE_IP, --filter-source-ip FILTER_SOURCE_IP
                        Only display entries which have a source ip matching
                        the value provided.
  -dst FILTER_DESTINATION_IP, --filter-destination-ip FILTER_DESTINATION_IP
                        Only display entries which have a destination ip
                        matching the value provided.

If no formatting arguments are provided, a table is printed along with
the count of matching entries (same as -p -ct).

Examples

  • Only show traffic with a source of 8.8.4.4:
      ./ufp.py -src 8.8.4.4
  • Only show allowed traffic with a destination port of 443:
      ./ufp.py -a -dpt 443
  • Only show traffic inbound to the logging host which was blocked:
      ./ufp.py -i -b
  • Only show traffic outbound from the logging host which was blocked, with reverse DNS lookup enabled for entries:
      ./ufp.py -o -b -r

    Outbound entries will only appear if you have explicitly enabled that type of logging, for example: ufw allow out log to any proto tcp port 22

UFP Python Package

  • ufp.parser
    • ufp.parser.base.BaseParser
      • Basic regex parser for UFW logs.
    • ufp.parser.base.ParsedLine
      • Representation of a fully parsed log line with access and data retrieval helpers.
    • ufp.parser.base.ParserFilter
      • Enables filtering the collection of ParsedLine objects according to various criteria.
    • ufp.parser.file.FileParser
      • Extends ufp.parser.base.BaseParser to provide iteration of lines in a log file or file-like object.
  • ufp.formatter
    • ufp.formatter.base.BaseFormatter
      • Base formatter with display helpers. format method must be extended.
    • ufp.formatter.basic.BasicSrcDstActionFormatter
      • Basic formatter used with the -p argument. Prints a table with date, protocol, src, dst, spt, dpt, and action.
    • ufp.formatter.count.CountFormatter
      • Displays count of filtered ParsedLine instances.
    • ufp.formatter.summary.SummaryFormatter
      • Displays summary information regarding sources, destinations, source ports, and destination ports.
    • ufp.formatter.summary.SrcToDstPortFormatter
      • Displays mapping of source IP addresses to destination ports.
    • ufp.formatter.summary.DstToDstPortFormatter
      • Displays mapping of destination IP addresses to destination ports.
    • ufp.formatter.summary.SrcToDstIPFormatter
      • Displays mapping of source IP addresses to destination IP addresses.

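The CLI examples above (filtering by action, direction, address and port) and the parser/filter/formatter split described in the package list can be illustrated end to end with a small stand-alone parser for the ufw log format. The block below is an added example written for this page; it is not ufp's own code and does not use ufp's API. It assumes the standard ufw syslog layout ("[UFW ACTION]" followed by netfilter KEY=VALUE fields) with a traditional "Mon DD HH:MM:SS" timestamp, and it treats a record as inbound when the IN= field names an interface and as outbound when only OUT= does; the log lines are constructed with RFC 5737 documentation addresses. The names LogEntry, parse_line, load_entries, filter_entries and src_to_dst_ports are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Action tag and KEY=VALUE pairs as netfilter/ufw write them (assumed layout).
ACTION_RE = re.compile(r"\[UFW (?P<action>ALLOW|BLOCK|AUDIT|LIMIT)\]")
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")
TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")

# Constructed sample log: four TCP/UDP records, one ICMP record (no ports)
# and one non-ufw syslog line that a parser must skip.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: [1001.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: [1002.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=44322 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 gw kernel: [1003.000001] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=3 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:04 gw kernel: [1004.000001] [UFW ALLOW] IN= OUT=eth0 SRC=192.0.2.10 DST=8.8.4.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Jan 10 12:00:05 gw kernel: [1005.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=123 SEQ=1
Jan 10 12:00:06 gw sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
"""


@dataclass
class LogEntry:
    timestamp: str
    action: str
    interface_in: str
    interface_out: str
    proto: str
    src: str
    dst: str
    spt: Optional[int]   # None for protocols without ports (ICMP)
    dpt: Optional[int]

    @property
    def inbound(self) -> bool:
        # Assumption: a packet that arrived on an interface (IN=...) is inbound.
        return bool(self.interface_in)

    @property
    def outbound(self) -> bool:
        # Assumption: locally generated packets have an empty IN= and a set OUT=.
        return not self.interface_in and bool(self.interface_out)


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one syslog line; return None when it is not a ufw record."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    ts = TIMESTAMP_RE.match(line)
    fields = {m.group("key"): m.group("value") for m in FIELD_RE.finditer(line)}

    def port(key: str) -> Optional[int]:
        value = fields.get(key)
        return int(value) if value and value.isdigit() else None

    return LogEntry(
        timestamp=ts.group("ts") if ts else "",
        action=action.group("action"),
        interface_in=fields.get("IN", ""),
        interface_out=fields.get("OUT", ""),
        proto=fields.get("PROTO", ""),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        spt=port("SPT"),
        dpt=port("DPT"),
    )


def load_entries(text: str) -> List[LogEntry]:
    """Parse every line of a log, silently dropping non-ufw lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def filter_entries(entries: List[LogEntry], action: Optional[str] = None,
                   direction: Optional[str] = None, src: Optional[str] = None,
                   dst: Optional[str] = None, spt: Optional[int] = None,
                   dpt: Optional[int] = None) -> List[LogEntry]:
    """Mirror the CLI filters: -a/-b, -i/-o, -src, -dst, -spt, -dpt."""
    kept = []
    for e in entries:
        if action is not None and e.action != action:
            continue
        if direction == "in" and not e.inbound:
            continue
        if direction == "out" and not e.outbound:
            continue
        if src is not None and e.src != src:
            continue
        if dst is not None and e.dst != dst:
            continue
        if spt is not None and e.spt != spt:
            continue
        if dpt is not None and e.dpt != dpt:
            continue
        kept.append(e)
    return kept


def src_to_dst_ports(entries: List[LogEntry]) -> Dict[str, List[int]]:
    """Source IP -> sorted distinct destination ports (like -src2dpt)."""
    mapping = defaultdict(set)
    for e in entries:
        if e.dpt is not None:      # ICMP records carry no port
            mapping[e.src].add(e.dpt)
    return {src: sorted(ports) for src, ports in mapping.items()}


if __name__ == "__main__":
    # Equivalent of "./ufp.py -i -b -src2dpt" over the constructed sample.
    blocked_inbound = filter_entries(load_entries(SAMPLE_LOG), action="BLOCK", direction="in")
    for src, ports in src_to_dst_ports(blocked_inbound).items():
        print(f"{src} -> {ports}")
    print(f"{len(blocked_inbound)} matching entries")
```

Two details matter for a detection use of this kind of parser: lines that are not ufw records are dropped rather than raised on, so a mixed syslog file (the CLI's "-" stdin mode) is handled, and port fields are optional so ICMP records neither crash the parser nor show up in a port summary. The inbound/outbound rule is the example's assumption; as the README notes, outbound records exist only if outbound logging was enabled in ufw.
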
Running tests

pytest
