Linux Firewalls - Michael Rash [156]

axis labels, and the graph title. Each directive can be set via the Gnuplot interactive shell by entering gnuplot at a command prompt, or via a file that is loaded by Gnuplot. For example, the ports-per-hour data in Figure 14-2 are graphed with the following Gnuplot directives file:

$ cat fig14-2.gnu
reset
❶ set title "psad iptables log visualization: timestamp dp:counthour"
❷ set terminal png transparent nocrop enhanced
set output "fig14-2.png"
❸ set xdata time
set timefmt x "%s"
set format x "%m/%d"
set xlabel "time"
❹ set xrange ["1140887484":"1143867180"]
set ylabel "dp:counthour"
set yrange [0:3000]
❺ plot 'fig14-2.dat' using 1:2 with lines

The most important directives in the fig14-2.gnu file above are the following:

set title

The graph title at ❶, which is set by psad in this case, as we'll see in the next section.

set terminal

The terminal settings and output file at ❷, which can be omitted if you want Gnuplot to launch an interactive window in which you can move a cursor over the graph. (This can be helpful when viewing complicated data sets.)

set xdata time

The time setting at ❸, along with the time input and output formats in the next two lines, which tell Gnuplot that the x-coordinate of each point is a time value.

set xrange

The x-axis range at ❹, which in this case is set to the starting and ending values of the Scan34 data set. (The time values are the number of seconds since the Unix epoch, 00:00 UTC on January 1, 1970.)

plot

The plot directive at ❺ is the most important Gnuplot directive because it tells Gnuplot where the raw data is and how to graph it. In this case, a two-dimensional line graph is made of the data within the fig14-2.dat file. Other plot styles we will see in this chapter are points graphs in two and three dimensions (the splot directive puts Gnuplot in three-dimensional mode). The using 1:2 string specifies the column numbers to graph from the fig14-2.dat file; in three-dimensional mode, using 1:2:3 tells Gnuplot to plot columns 1, 2, and 3 as the x-, y-, and z-axes.

Combining psad and Gnuplot

As seen in Chapter 6 and Chapter 7, a core piece of functionality offered by psad is the ability to parse and interpret iptables log messages. Through the use of a series of command-line switches, the parsing ability of psad can be combined with the graphing capabilities of Gnuplot.

The most important of these switches is --gnuplot. Additional command-line arguments add a degree of configurability to the way psad parses iptables logging data and builds the Gnuplot data input file, and these options are the following:

--CSV-fields

Sets the fields to extract from the iptables logfile. Fields that are commonly used are src, dst, dp, and proto (which are mapped to the SRC, DST, DPT, and PROTO fields within iptables log messages). Each field given to --CSV-fields accepts an optional match criterion so that specific values can be included or excluded. For example, to include data points only if the source IP address is within the 192.168.50.0/24 subnet, the destination IP address is within the 10.100.10.0/24 subnet, and the destination port is 80, you could use --CSV-fields "src:192.168.50.0/24 dst:10.100.10.0/24 dp:80". In addition, counting fields over three time scales (days, hours, or minutes) is supported with the strings countday, counthour, and countmin.

--CSV-regex

Performs a regular expression match against the raw iptables log string and only includes fields from the message if the regular expression matches. For example, to require an fwsnort logging prefix of SIDnnn (see Chapter 10) where nnn is any set of three digits, you could use --CSV-regex "SID\d{3}". Negated regular expressions are also supported with the --CSV-neg-regex command-line argument.

--gnuplot-graph-style

Sets the Gnuplot graphing style. Possible values include lines, dots, points, and linespoints.

--gnuplot-file-prefix

Sets a file prefix name that psad uses to create the two files prefix.dat and prefix.gnu as iptables log data is parsed. The prefix.gnu file contains the Gnuplot directives
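To make the pipeline behind these switches concrete, the following Python script is an added example (it is not psad's own code, which is written in Perl, and it is not from the book). It re-implements in miniature what --CSV-fields, --CSV-regex, --CSV-neg-regex, the count* time scales, and --gnuplot-file-prefix do: it filters constructed iptables log lines, buckets matching packets per hour, and writes a prefix.dat data file plus a prefix.gnu directives file of the same shape as fig14-2.gnu above. The function names (parse_iptables_line, build_counts, gnuplot_directives, write_files), the sample log lines, and the assumed year 2006 (syslog timestamps carry no year) are all this example's own choices; the directives file uses set timefmt without an axis name so that it loads in current Gnuplot versions as well as the older release the chapter's file targets.

```python
"""Toy re-implementation of the psad --gnuplot data pipeline (added example, not psad code)."""
import re
import ipaddress
from collections import Counter
from datetime import datetime, timezone

LOG_YEAR = 2006  # assumed: syslog lines have no year; 2006 matches the chapter's epoch range
BUCKET_SECONDS = {"countmin": 60, "counthour": 3600, "countday": 86400}
FIELD_MAP = {"src": "SRC", "dst": "DST", "dp": "DPT", "proto": "PROTO"}

# Constructed iptables log lines (not real captures). SIDnnn is the fwsnort-style prefix
# discussed in the text; the last line is an unrelated sshd message that must be ignored.
SAMPLE_LOG = """\
Feb 25 17:11:24 fw kernel: SID101 IN=eth0 OUT= SRC=192.168.50.12 DST=10.100.10.5 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=41234 DPT=80 SYN URGP=0
Feb 25 17:45:01 fw kernel: SID102 IN=eth0 OUT= SRC=192.168.50.13 DST=10.100.10.5 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=41235 DPT=80 SYN URGP=0
Feb 25 18:02:10 fw kernel: SID103 IN=eth0 OUT= SRC=192.168.50.12 DST=10.100.10.7 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=41236 DPT=80 SYN URGP=0
Feb 25 18:05:33 fw kernel: SID104 IN=eth0 OUT= SRC=172.16.1.9 DST=10.100.10.5 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=41237 DPT=80 SYN URGP=0
Feb 25 18:07:12 fw kernel: SID105 IN=eth0 OUT= SRC=192.168.50.20 DST=10.100.10.5 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=41238 DPT=443 SYN URGP=0
Feb 25 18:09:00 fw kernel: DROP IN=eth0 OUT= SRC=192.168.50.21 DST=10.100.10.5 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=41239 DPT=80 SYN URGP=0
Feb 25 18:10:00 fw sshd[2210]: Accepted publickey for admin from 192.168.50.2 port 50122 ssh2
"""

TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # iptables KEY=value tokens, e.g. SRC=1.2.3.4, OUT=


def parse_iptables_line(line, year=LOG_YEAR):
    """Return a dict of iptables fields plus 'ts' (epoch seconds), or None for non-iptables lines."""
    m = TS_RE.match(line)
    if not m or "SRC=" not in line:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    rec = dict(KV_RE.findall(line))
    if "SRC" not in rec or "DST" not in rec:
        return None
    rec["ts"] = int(ts.replace(tzinfo=timezone.utc).timestamp())
    return rec


def parse_csv_fields(spec):
    """Turn 'src:192.168.50.0/24 dst:10.100.10.0/24 dp:80' into [(iptables key, criterion or None)]."""
    out = []
    for tok in spec.split():
        name, _, crit = tok.partition(":")
        if name not in FIELD_MAP:
            raise ValueError(f"unknown field {name!r}")
        out.append((FIELD_MAP[name], crit or None))
    return out


def field_matches(rec, key, crit):
    """A bare field only has to be present; src/dst criteria are CIDR networks, others exact strings."""
    val = rec.get(key)
    if val is None:
        return False
    if crit is None:
        return True
    if key in ("SRC", "DST"):
        try:
            return ipaddress.ip_address(val) in ipaddress.ip_network(crit, strict=False)
        except ValueError:
            return False
    return val.lower() == crit.lower()


def build_counts(lines, csv_fields, scale="counthour", regex=None, neg_regex=None):
    """Count packets matching the field criteria per time bucket; returns sorted (epoch, count) pairs."""
    criteria = parse_csv_fields(csv_fields)
    width = BUCKET_SECONDS[scale]
    pos = re.compile(regex) if regex else None      # --CSV-regex: raw line must match
    neg = re.compile(neg_regex) if neg_regex else None  # --CSV-neg-regex: raw line must not match
    counts = Counter()
    for line in lines:
        if (pos and not pos.search(line)) or (neg and neg.search(line)):
            continue
        rec = parse_iptables_line(line)
        if rec and all(field_matches(rec, k, c) for k, c in criteria):
            counts[rec["ts"] - rec["ts"] % width] += 1
    return sorted(counts.items())


def gnuplot_directives(prefix, points, title, style="lines", ylabel="dp:counthour"):
    """Build the prefix.gnu file in the same shape as fig14-2.gnu; xrange spans the data set."""
    if not points:
        raise ValueError("no data points to plot")
    lo, hi = points[0][0], points[-1][0]
    ymax = max(c for _, c in points)
    return "\n".join([
        "reset",
        f'set title "{title}"',
        "set terminal png transparent nocrop enhanced",
        f'set output "{prefix}.png"',
        "set xdata time",
        'set timefmt "%s"',          # epoch seconds in column 1 (chapter's file uses the older 'timefmt x' form)
        'set format x "%m/%d"',
        'set xlabel "time"',
        f'set xrange ["{lo}":"{hi}"]',
        f'set ylabel "{ylabel}"',
        f"set yrange [0:{ymax + 1}]",
        f"plot '{prefix}.dat' using 1:2 with {style}",
    ]) + "\n"


def write_files(prefix, points, title, style="lines"):
    """Write prefix.dat (two columns: epoch count) and prefix.gnu, as --gnuplot-file-prefix does."""
    with open(f"{prefix}.dat", "w") as f:
        f.writelines(f"{t} {c}\n" for t, c in points)
    with open(f"{prefix}.gnu", "w") as f:
        f.write(gnuplot_directives(prefix, points, title, style))


if __name__ == "__main__":
    pts = build_counts(SAMPLE_LOG.splitlines(),
                       "src:192.168.50.0/24 dst:10.100.10.0/24 dp:80", regex=r"SID\d{3}")
    write_files("example", pts, "psad iptables log visualization: timestamp dp:counthour")
    print(pts)  # then: gnuplot example.gnu  -> example.png
```

With the criteria shown, only the three SIDnnn-prefixed packets from 192.168.50.0/24 to 10.100.10.0/24 port 80 survive: two in the 17:00 hour and one in the 18:00 hour (the 172.16.1.9 source, the port 443 packet, and the unprefixed DROP line are all filtered out, and the sshd line is never parsed as an iptables message). Swapping scale for "countday" or "countmin" changes only the bucket width, which is exactly the role of countday, counthour, and countmin in --CSV-fields.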
