Combining psad and Gnuplot

As seen in Chapters 6 and 7, a core piece of functionality offered by psad is the ability to parse and interpret iptables log messages. Through the use of a series of command-line switches, the parsing ability of psad can be combined with the graphing capabilities of Gnuplot.

The most important of these switches is --gnuplot. Additional command-line arguments control how psad parses iptables logging data and builds the Gnuplot data input file; these options are the following:

--CSV-fields Sets the fields to extract from the iptables logfile. Commonly used fields are src, dst, dp, and proto (which map to the SRC, DST, DPT, and PROTO fields within iptables log messages). Each field given to --CSV-fields accepts an additional match criterion so that specific values can be included or excluded. For example, to include data points only if the source IP address is within the subnet, the destination IP address is within the subnet, and the destination port is 80, you could use --CSV-fields "src: dst: dp:80". In addition, counting fields over three time scales (days, hours, or minutes) is supported with the strings countday, counthour, and countmin.

--CSV-regex Performs a regular expression match against the raw iptables log string and only includes fields from the message if the regular expression matches. For example, to require an fwsnort logging prefix of SIDnnn (see Chapter 10) where nnn is any set of three digits, you could use --CSV-regex "SID\d{3}". Negated regular expressions are also supported with the --CSV-neg-regex command-line argument.

--gnuplot-graph-style Sets the Gnuplot graphing style. Possible values include lines, dots, points, and linespoints.

--gnuplot-file-prefix Sets a file prefix name that psad uses to create the two files prefix.dat and prefix.gnu as iptables log data is parsed. The prefix.gnu file contains the Gnuplot directives for graphing the data in the prefix.dat file.
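To make the field-extraction and filtering semantics described above concrete, here is an added Python illustration (not psad's own Perl code) that applies --CSV-fields style match criteria, the count* time buckets, and --CSV-regex / --CSV-neg-regex filters to a few constructed iptables log lines and returns the rows that would feed a prefix.dat file. The log lines, the fixed-width timestamp slicing, and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample iptables log lines (not taken from the page).
SAMPLE_LOG = """\
Mar  1 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=80
Mar  1 10:02:03 fw kernel: SID101 IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4445 DPT=22
Mar  1 11:05:09 fw kernel: SID102 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=53 DPT=53
Mar  1 11:07:11 fw kernel: SID103 IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4446 DPT=80
"""

# --CSV-fields names -> iptables log keys, as described on the page.
FIELD_MAP = {"src": "SRC", "dst": "DST", "dp": "DPT", "proto": "PROTO"}
# Time-bucket pseudo-fields: prefix length of the syslog timestamp "Mon dd HH:MM:SS" (assumed layout).
TIME_BUCKET = {"countday": 6, "counthour": 9, "countmin": 12}

def parse_fields(spec):
    """'src dst:192.0.2.10 dp:80' -> [('src', None), ('dst', '192.0.2.10'), ('dp', '80')]"""
    return [(n, c or None) for n, _, c in (tok.partition(":") for tok in spec.split())]

def log_kv(line):
    """Extract KEY=value pairs from an iptables log message."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))

def build_dat(log, fields, regex=None, neg_regex=None):
    """Return one row per log line that passes the regex filters and every
    per-field match criterion; each row holds the requested field values."""
    specs, rows = parse_fields(fields), []
    for line in log.splitlines():
        if regex and not re.search(regex, line):       # --CSV-regex: line must match
            continue
        if neg_regex and re.search(neg_regex, line):   # --CSV-neg-regex: line must not match
            continue
        kv, row = log_kv(line), []
        for name, crit in specs:
            val = line[:TIME_BUCKET[name]] if name in TIME_BUCKET else kv.get(FIELD_MAP[name])
            if val is None or (crit is not None and val != crit):
                row = None                             # missing field or criterion failed: drop line
                break
            row.append(val)
        if row is not None:
            rows.append(tuple(row))
    return rows

def count_rows(rows):
    """Collapse identical rows into row -> count, the shape a count* field graphs."""
    return Counter(rows)
```

Writing each row (and its count) as whitespace-separated columns gives the prefix.dat layout that the generated prefix.gnu directives plot.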
