certego/fw1-loggrabber

Filter for ! not working

david-drake opened this issue · 1 comments

I am trying to filter out any connection that contains action=accept... basically I don't want to pull any logs that are accepted.

When I change the filter to "action!=accept", it still pulls all actions including accept. The only way I've been able to get this working (slightly) is to specify "action=deny,drop,prevent"

Anybody else have this issue?

Not sure, this is the relevant code section:

```c
  /*
   * split filter string in arguments separated by ";"
   */
  filterargument = strtok (filterstring, ";");
  while (filterargument != NULL)
    {
      /*
       * split argument into name and value separated by "="
       */
      argumentvalue = strchr (filterargument, '=');
      if (argumentvalue == NULL)
        {
          fprintf (stderr, "ERROR: syntax error in rule argument '%s'.\n"
                   " Required syntax: 'argument=value'\n",
                   filterargument);
          return NULL;
        }
      argumentvalue++;
      argumentname = filterargument;
      argumentname[argumentvalue - filterargument - 1] = '\0';
      argumentvalue = string_trim (argumentvalue, ' ');
      argumentname = string_trim (argumentname, ' ');
      filterargument = strtok (NULL, ";");
      val_arr = NULL;
      if (argumentname[strlen (argumentname) - 1] == '!')
        {
          negation = 1;
          argumentname = string_trim (argumentname, '!');
        }
      else
        {
          negation = 0;
        }
```

negation variable is conditionally set based on the presence of = or !=.
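
An added example, not fw1-loggrabber code: a stand-alone version of the parsing step quoted above, so that `action!=accept` can be checked to yield `negation = 1` separately from whatever consumes the flag afterwards. `struct filter_arg`, `trim_char`, `parse_filter_arg` and `filter_matches` are hypothetical names, and matching a field locally against the comma-separated value list is an assumption made for illustration.

```c
#include <string.h>

/* Hypothetical type for this example; not fw1-loggrabber's own. */
struct filter_arg { char name[64]; char value[128]; int negation; };

/* Trim leading and trailing occurrences of c in place. */
static char *trim_char(char *s, char c)
{
    size_t n;
    while (*s == c) s++;
    n = strlen(s);
    while (n > 0 && s[n - 1] == c) s[--n] = '\0';
    return s;
}

/* Parse "name=value" or "name!=value". Returns 0 on success, -1 on syntax error. */
int parse_filter_arg(const char *arg, struct filter_arg *out)
{
    char buf[192], *eq, *name, *value;
    size_t len;
    if (strlen(arg) >= sizeof buf) return -1;
    strcpy(buf, arg);
    if ((eq = strchr(buf, '=')) == NULL) return -1;
    *eq = '\0';
    name = trim_char(buf, ' ');
    value = trim_char(eq + 1, ' ');
    len = strlen(name);
    /* Length check first: an empty name must not index name[-1]. */
    out->negation = (len > 0 && name[len - 1] == '!');
    if (out->negation) { name[len - 1] = '\0'; name = trim_char(name, ' '); }
    if (*name == '\0' || *value == '\0') return -1;
    if (strlen(name) >= sizeof out->name || strlen(value) >= sizeof out->value) return -1;
    strcpy(out->name, name);
    strcpy(out->value, value);
    return 0;
}

/* Assumed semantics: value is a comma-separated list; negation inverts the result. */
int filter_matches(const struct filter_arg *f, const char *field)
{
    char list[128], *tok;
    int hit = 0;
    strcpy(list, f->value);
    for (tok = strtok(list, ","); tok != NULL; tok = strtok(NULL, ","))
        if (strcmp(trim_char(tok, ' '), field) == 0) hit = 1;
    return f->negation ? !hit : hit;
}

int main(void) { struct filter_arg f; return parse_filter_arg("action!=accept", &f) || !f.negation; }
```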