Bug #2421

closed

Filter log parser misinterprets some rare lines resulting in TCP:lo for the proto/flags

Added by Jim Pingle over 12 years ago. Updated almost 10 years ago.

Status: Resolved
Priority: Very Low
Assignee: -
Category: Web Interface
Target version:
Start date: 05/09/2012
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

The following raw log entry:

May  9 10:35:46 pfsense pf: 00:01:06.694431 rule 1/0(match): block in on bge1: (tos 0x0, ttl 231, id 59683, offset 0, flags [DF], proto TCP (6), length 86)
May  9 10:35:46 pfsense pf:     x.x.x.x.443 > y.y.y.y.36046: Flags [R.], cksum 0x76a3 (correct), seq 4021180300:4021180346, ack 165425407, win 0, length 46 [RST+ BIG-IP: [0x116b7f6:165] Flow e]

is misinterpreted by the parser: somehow it uses "lo" (from the word "Flow" in the entry) as the TCP flags. It appears that the part of the regex called "leftovers" should contain everything after the destination IP and port, but in this case it anchors on ": " and, due to the greedy nature of the regex, it takes the ": " after "BIG-IP" rather than the one after the destination IP/port.

Making the regex ungreedy (/U) breaks it in various other ways, so it's not quite an easy fix.
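As an added illustration (not pfSense's own parser, which is PHP, and not the regex from the report), the following Python reproduces the mis-split on the two quoted lines and shows one way to anchor the boundary correctly. A greedy destination capture lets the engine settle on the last ": " in the line, so the leftovers field starts at "[0x116b7f6:165] Flow e]" and no TCP flags can be found in it; requiring the destination to be a single whitespace-free "addr.port" token immediately followed by ": " keeps the boundary after the destination port regardless of what the payload annotation contains. The regexes, field names and the extra plain sample line are constructed for this example; which exact string the real parser then picked up as flags depends on its own flag regex, which the report does not quote.

```python
import re

# Constructed sample input: the two lines quoted in the bug report with the
# syslog prefix ("May  9 10:35:46 pfsense pf:") removed, plus one ordinary
# line without a trailing payload annotation for comparison.
HEADER = ("00:01:06.694431 rule 1/0(match): block in on bge1: (tos 0x0, ttl 231, "
          "id 59683, offset 0, flags [DF], proto TCP (6), length 86)")
ODD_DETAIL = ("x.x.x.x.443 > y.y.y.y.36046: Flags [R.], cksum 0x76a3 (correct), "
              "seq 4021180300:4021180346, ack 165425407, win 0, length 46 "
              "[RST+ BIG-IP: [0x116b7f6:165] Flow e]")
PLAIN_DETAIL = "10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0"

# Header line: rule, action, direction, interface and protocol (illustrative regex).
HEADER_RE = re.compile(
    r"rule (?P<rule>\S+): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): .*"
    r"proto (?P<proto>\w+) \((?P<proto_num>\d+)\)")

# Buggy split: "(.+)" for the destination is greedy, so the engine keeps the
# LAST ": " in the line as the boundary between destination and leftovers.
GREEDY_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>.+): (?P<leftovers>.*)$")

# Fixed split: the destination is one whitespace-free "addr.port" token that
# must be followed directly by ": ", so a later ": " inside the payload text
# cannot move the boundary. Assumes tcpdump's "addr.port" form.
ANCHORED_RE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<leftovers>.*)$")

# In a well-formed leftovers field the TCP flags come first.
FLAGS_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


def split_greedy(detail):
    """Return (src, dst, leftovers) using the greedy boundary."""
    m = GREEDY_RE.match(detail)
    return m.group("src"), m.group("dst"), m.group("leftovers")


def split_anchored(detail):
    """Return a dict with src, sport, dst, dport and leftovers, or None."""
    m = ANCHORED_RE.match(detail)
    return m.groupdict() if m else None


def tcp_flags(leftovers):
    """TCP flag string from a leftovers field, or None if it is not at the front."""
    m = FLAGS_RE.match(leftovers)
    return m.group("flags") if m else None


def parse_entry(header, detail):
    """Combine the header and detail lines into one record using the anchored split."""
    h = HEADER_RE.search(header)
    d = split_anchored(detail)
    if h is None or d is None:
        return None
    rec = {**h.groupdict(), **d}
    if rec["proto"] == "TCP":
        rec["flags"] = tcp_flags(rec["leftovers"])
    return rec


if __name__ == "__main__":
    for detail in (PLAIN_DETAIL, ODD_DETAIL):
        _, dst, left = split_greedy(detail)
        print("greedy  : dst=%r leftovers=%r flags=%r" % (dst, left, tcp_flags(left)))
        rec = parse_entry(HEADER, detail)
        print("anchored: dst=%r dport=%s leftovers=%r flags=%r"
              % (rec["dst"], rec["dport"], rec["leftovers"], rec["flags"]))
```

On the plain line both splits agree; on the BIG-IP line only the anchored split yields destination y.y.y.y port 36046 with flags "R.". Anchoring on the token shape rather than on the first or last ": " is also what avoids the problem the report mentions with a blanket ungreedy (/U) modifier, since the boundary no longer depends on quantifier greediness at all.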
