From ed65fdb6ba4d6a36471dc89bd730a48c09acd0bc Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 12 May 2015 13:37:16 -0700
Subject: [PATCH] Make Flow a separate, more flexible type in PACF.

This allows the use of wildcards, etc. in rules and removes the need for a few entity types that were separate so far.
---
 scripts/base/frameworks/pacf/main.bro | 10 +-
 .../base/frameworks/pacf/plugins/openflow.bro | 112 +++++++++++-------
 scripts/base/frameworks/pacf/types.bro | 24 ++--
 .../.stdout | 6 +-
 .../pacf.log | 12 +-
 .../pacf.log | 6 +-
 6 files changed, 101 insertions(+), 69 deletions(-)

diff --git a/scripts/base/frameworks/pacf/main.bro b/scripts/base/frameworks/pacf/main.bro
index c3b696bec2..c77edec8ef 100644
--- a/scripts/base/frameworks/pacf/main.bro
+++ b/scripts/base/frameworks/pacf/main.bro
@@ -265,7 +265,7 @@ function entity_to_info(info: Info, e: Entity)
 info$entity_type = fmt("%s", e$ty);
 switch ( e$ty ) {
- case ADDRESS, ORIGINATOR, RESPONDER:
+ case ADDRESS:
 info$entity = fmt("%s", e$ip);
 break;
@@ -364,7 +364,13 @@ function drop_address(a: addr, t: interval, location: string &default="") : bool
 function shunt_flow(f: flow_id, t: interval, location: string &default="") : bool
 {
- local e: Entity = [$ty=FLOW, $flow=f];
+ local flow = Pacf::Flow(
+ $src_h=addr_to_subnet(f$src_h),
+ $src_p=f$src_p,
+ $dst_h=addr_to_subnet(f$dst_h),
+ $dst_p=f$dst_p
+ );
+ local e: Entity = [$ty=FLOW, $flow=flow];
 local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location];
 local id = add_rule(r);
diff --git a/scripts/base/frameworks/pacf/plugins/openflow.bro b/scripts/base/frameworks/pacf/plugins/openflow.bro
index fb7fd59bda..d87b83f7d6 100644
--- a/scripts/base/frameworks/pacf/plugins/openflow.bro
+++ b/scripts/base/frameworks/pacf/plugins/openflow.bro
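Review bot: `entity_to_info` still needs its FLOW case brought in line with the new `Flow` type; the first main.bro hunk only trims the ADDRESS case. The updated pacf.log baseline in this patch renders the entity as `10.10.1.4/32/1470->74.53.140.153/32/25`, where prefix length and port run together. If that case reads `e$flow$src_h` and the other fields unconditionally (it lies outside the hunk, so this is inferred), a wildcard flow with unset fields would fail exactly where the rule is written to the log. Guarding each field with `?$` and printing an explicit wildcard marker, e.g. `f?$src_h ? fmt("%s", f$src_h) : "*"`, would keep pacf.log usable as the record of what was blocked.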
@@ -63,6 +63,26 @@ function openflow_flow_mod_pred(p: PluginState, r: Rule, m: OpenFlow::ofp_flow_m
 return m;
 }
+function determine_dl_type(s: subnet): count
+ {
+ local pdl = OpenFlow::ETH_IPv4;
+ if ( is_v6_subnet(s) )
+ pdl = OpenFlow::ETH_IPv6;
+
+ return pdl;
+ }
+
+function determine_proto(p: port): count
+ {
+ local proto = OpenFlow::IP_TCP;
+ if ( is_udp_port(p) )
+ proto = OpenFlow::IP_UDP;
+ else if ( is_icmp_port(p) )
+ proto = OpenFlow::IP_ICMP;
+
+ return proto;
+ }
+
 function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_match
 {
 local v : vector of OpenFlow::ofp_match = vector();
@@ -74,49 +94,34 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat
 return openflow_match_pred(p, e, v);
 }
- if ( e$ty == MAC || e$ty == ORIGMAC || e$ty == DESTMAC )
+ if ( e$ty == MAC )
 {
- if ( e$ty == MAC || e$ty == ORIGMAC )
- v[|v|] = OpenFlow::ofp_match(
- $dl_src=e$mac
- );
-
- if ( e$ty == MAC || e$ty == DESTMAC )
- v[|v|] = OpenFlow::ofp_match(
- $dl_dst=e$mac
- );
-
- return openflow_match_pred(p, e, v);
- }
-
- if ( e$ty == MACFLOW )
- {
- v[|v|] = OpenFlow::ofp_match(
- $dl_src=e$mac,
- $dl_dst=e$dst_mac
- );
+ v[|v|] = OpenFlow::ofp_match(
+ $dl_src=e$mac
+ );
+ v[|v|] = OpenFlow::ofp_match(
+ $dl_dst=e$mac
+ );
 return openflow_match_pred(p, e, v);
 }
 local dl_type = OpenFlow::ETH_IPv4;
- if ( e$ty == ADDRESS || e$ty == RESPONDER || e$ty == ORIGINATOR )
+ if ( e$ty == ADDRESS )
 {
 if ( is_v6_subnet(e$ip) )
 dl_type = OpenFlow::ETH_IPv6;
- if ( e$ty == ADDRESS || e$ty == ORIGINATOR )
- v[|v|] = OpenFlow::ofp_match(
- $dl_type=dl_type,
- $nw_src=e$ip
- );
+ v[|v|] = OpenFlow::ofp_match(
+ $dl_type=dl_type,
+ $nw_src=e$ip
+ );
- if ( e$ty == ADDRESS || e$ty == RESPONDER )
- v[|v|] = OpenFlow::ofp_match(
- $dl_type=dl_type,
- $nw_dst=e$ip
- );
+ v[|v|] = OpenFlow::ofp_match(
+ $dl_type=dl_type,
+ $nw_dst=e$ip
+ );
 return openflow_match_pred(p, e, v);
 }
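Review bot: `determine_proto` in the first openflow.bro hunk falls back to `OpenFlow::IP_TCP` for every port that is neither UDP nor ICMP, which includes ports whose transport is `unknown`, so such a port in a `Flow` silently turns into a TCP match. The behaviour is carried over from the inline code it replaces, but as a shared helper it should make the TCP case explicit with `is_tcp_port(p)`. The caller can then skip `nw_proto`/`tp_src`/`tp_dst`, or reject the rule, for anything else. Both new helpers would also benefit from a one-line comment stating what they return, e.g. `# Returns the OpenFlow IP protocol number for the transport of port p.`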
@@ -125,22 +130,39 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat
 if ( e$ty == FLOW )
 {
- if ( is_v6_addr(e$flow$src_h) )
- dl_type = OpenFlow::ETH_IPv6;
+ local m = OpenFlow::ofp_match();
+ local f = e$flow;
- if ( is_udp_port(e$flow$src_p) )
- proto = OpenFlow::IP_UDP;
- else if ( is_icmp_port(e$flow$src_p) )
- proto = OpenFlow::IP_ICMP;
+ if ( f?$src_m )
+ m$dl_src=f$src_m;
+ if ( f?$dst_m )
+ m$dl_dst=f$dst_m;
- v[|v|] = OpenFlow::ofp_match(
- $dl_type=dl_type,
- $nw_proto=proto,
- $nw_src=addr_to_subnet(e$flow$src_h),
- $tp_src=e$flow$src_p,
- $nw_dst=addr_to_subnet(e$flow$dst_h),
- $tp_dst=e$flow$dst_p
- );
+ if ( f?$src_h )
+ {
+ m$dl_type = determine_dl_type(f$src_h);
+ m$nw_src = f$src_h;
+ }
+
+ if ( f?$dst_h )
+ {
+ m$dl_type = determine_dl_type(f$dst_h);
+ m$nw_dst = f$dst_h;
+ }
+
+ if ( f?$src_p )
+ {
+ m$nw_proto = determine_proto(f$src_p);
+ m$tp_src = f$src_p;
+ }
+
+ if ( f?$dst_p )
+ {
+ m$nw_proto = determine_proto(f$dst_p);
+ m$tp_dst = f$dst_p;
+ }
+
+ v[|v|] = m;
 return openflow_match_pred(p, e, v);
 }
diff --git a/scripts/base/frameworks/pacf/types.bro b/scripts/base/frameworks/pacf/types.bro
index 08fa7bfeb8..4870135624 100644
--- a/scripts/base/frameworks/pacf/types.bro
+++ b/scripts/base/frameworks/pacf/types.bro
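Review bot: The rewritten FLOW branch appends `m` without checking that the `Flow` is usable. With no field set it appends an empty `ofp_match`, which presumably describes all traffic, and when `src_h`/`dst_h` differ in address family or `src_p`/`dst_p` in transport, the second assignment silently overwrites `dl_type` / `nw_proto`. Because these matches back DROP rules, I would reject such flows before building `m`, as sketched below; returning the empty `v` is a stand-in, since how an unsupported entity is reported is decided outside this hunk. A port-only flow also sets `nw_proto` without `dl_type`, which is worth confirming against what the switch accepts. `entity_to_match` starts and ends outside the hunk.

```bro
	local f = e$flow;

	# No field set: m would stay empty and describe every packet.
	if ( ! ( f?$src_m || f?$dst_m || f?$src_h || f?$dst_h || f?$src_p || f?$dst_p ) )
		return v;

	# Both ends must agree, otherwise dl_type / nw_proto is overwritten below.
	if ( f?$src_h && f?$dst_h && is_v6_subnet(f$src_h) != is_v6_subnet(f$dst_h) )
		return v;

	if ( f?$src_p && f?$dst_p &&
	     get_port_transport_proto(f$src_p) != get_port_transport_proto(f$dst_p) )
		return v;

	# … unchanged: per-field assignments into m, v[|v|] = m …
```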
@@ -5,24 +5,28 @@ export {
 ## Type of a :bro:id:`Entity` for defining an action.
 type EntityType: enum {
 ADDRESS, ##< Activity involving a specific IP address.
- ORIGINATOR, ##< Activity *from* a source IP address.
- RESPONDER, ##< Activity *to* a destination IP address.
 CONNECTION, ##< All of a bi-directional connection's activity.
- FLOW, ##< All of a uni-directional flow's activity.
+ FLOW, ##< All of a uni-directional flow's activity. Can contain wildcards.
 MAC, ##< Activity involving a MAC address.
- ORIGMAC, ##< Activity *from* a source MAC address.
- DESTMAC, ##< Activity *to* a destination MAC adress.
- MACFLOW ##< Activity involving a pair of MAC addresses.
+ };
+
+ ## Type of a :bro:id:`Flow` for defining a flow.
+ type Flow: record {
+ src_h: subnet &optional; ##< The source IP address/subnet.
+ src_p: port &optional; ##< The source port number.
+ dst_h: subnet &optional; ##< The destination IP address/subnet.
+ dst_p: port &optional; ##< The desintation port number.
+ src_m: string &optional; ##< The source MAC address.
+ dst_m: string &optional; ##< The destination MAC address.
 };
 ## Type defining the enity an :bro:id:`Rule` is operating on.
 type Entity: record {
 ty: EntityType; ##< Type of entity.
 conn: conn_id &optional; ##< Used with :bro:id:`CONNECTION` .
- flow: flow_id &optional; ##< Used with :bro:id:`FLOW` .
- ip: subnet &optional; ##< Used with :bro:id:`ORIGINATOR`/:bro:id:`RESPONDER`/:bro:id:`ADDRESS`; can specifiy a CIDR subnet.
- mac: string &optional; ##< Used with :bro:id:`MAC`/:bro:id:`ORIGMAC`/:bro:id:`DESTMAC`/:bro:id:`MACFLOW`.
- dst_mac: string &optional; ##< Used with :bro:id:`MACFLOW`; specifies the destination for the flow.
+ flow: Flow &optional; ##< Used with :bro:id:`FLOW` .
+ ip: subnet &optional; ##< Used with bro:id:`ADDRESS`; can specifiy a CIDR subnet.
+ mac: string &optional; ##< Used with :bro:id:`MAC`.
 };
 ## Target of :bro:id:`Rule` action.
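Review bot: The comments on the new `Flow` record never say what an unset field means, although every field is `&optional` and the OpenFlow plugin in this patch only sets the match fields that are present. I would state the contract on the record itself, e.g. `## Unset fields act as wildcards; src_h/dst_h and src_p/dst_p must agree in address family and transport.` The MAC fields are plain `string`, so the expected format is worth a word as well. On the new `ip` line the Sphinx role lost its leading colon, `bro:id:` where the neighbouring lines have `:bro:id:`, so that cross-reference will presumably not render. The `dst_p` comment says "desintation" for "destination".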
diff --git a/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout b/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout
index 30e8520853..3968f4e091 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout
@@ -1,4 +1,4 @@ -pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=, flow=[src_h=10.10.1.4, src_p=1470/tcp, dst_h=74.53.140.153, dst_p=25/tcp], ip=, mac=], expire=30.0 secs, priority=0, location=, i=, d=, s=, id=2, _plugin=] +pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=, dst_m=], ip=, mac=], expire=30.0 secs, priority=0, location=, i=, d=, s=, id=2, _plugin=] pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=, flow=, ip=10.10.1.4/32, mac=], expire=15.0 secs, priority=0, location=, i=, d=, s=, id=3, _plugin=] -pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=, flow=, ip=10.10.1.4/32, mac=], expire=15.0 secs, priority=0, location=, i=, d=, s=, id=3, _plugin=[config={^J^I[all] = 1^J}, _priority=0, plugin=[name=Pacf::debug_name^J{ ^Jreturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? 
All : None)));^J}, can_expire=F, init=Pacf::debug_init^J{ ^JPacf::debug_log(Pacf::p, init);^J}, done=Pacf::debug_done^J{ ^JPacf::debug_log(Pacf::p, init);^J}, add_rule=Pacf::debug_add_rule^J{ ^JPacf::s = fmt(add_rule: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jif (Pacf::do_something(Pacf::p)) ^J^I{ ^J^Ievent Pacf::rule_added(Pacf::r, Pacf::p, );^J^Ireturn (T);^J^I}^J^Jreturn (F);^J}, remove_rule=Pacf::debug_remove_rule^J{ ^JPacf::s = fmt(remove_rule: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jevent Pacf::rule_removed(Pacf::r, Pacf::p, );^Jreturn (T);^J}, add_notification=Pacf::debug_add_notification^J{ ^JPacf::s = fmt(add_notification: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jif (Pacf::do_something(Pacf::p)) ^J^I{ ^J^Ievent Pacf::notification_added(Pacf::r, Pacf::p, );^J^Ireturn (T);^J^I}^J^Jreturn (F);^J}, remove_notification=Pacf::debug_remove_notification^J{ ^JPacf::s = fmt(remove_notification: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jreturn (Pacf::do_something(Pacf::p));^J}, transaction_begin=Pacf::debug_transaction_begin^J{ ^JPacf::debug_log(Pacf::p, transaction_begin);^J}, transaction_end=Pacf::debug_transaction_end^J{ ^JPacf::debug_log(Pacf::p, transaction_end);^J}], of_controller=, of_config=]] -pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=, flow=[src_h=10.10.1.4, src_p=1470/tcp, dst_h=74.53.140.153, dst_p=25/tcp], ip=, mac=], expire=30.0 secs, priority=0, location=, i=, d=, s=, id=2, _plugin=[config={^J^I[all] = 1^J}, _priority=0, plugin=[name=Pacf::debug_name^J{ ^Jreturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? 
All : None)));^J}, can_expire=F, init=Pacf::debug_init^J{ ^JPacf::debug_log(Pacf::p, init);^J}, done=Pacf::debug_done^J{ ^JPacf::debug_log(Pacf::p, init);^J}, add_rule=Pacf::debug_add_rule^J{ ^JPacf::s = fmt(add_rule: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jif (Pacf::do_something(Pacf::p)) ^J^I{ ^J^Ievent Pacf::rule_added(Pacf::r, Pacf::p, );^J^Ireturn (T);^J^I}^J^Jreturn (F);^J}, remove_rule=Pacf::debug_remove_rule^J{ ^JPacf::s = fmt(remove_rule: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jevent Pacf::rule_removed(Pacf::r, Pacf::p, );^Jreturn (T);^J}, add_notification=Pacf::debug_add_notification^J{ ^JPacf::s = fmt(add_notification: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jif (Pacf::do_something(Pacf::p)) ^J^I{ ^J^Ievent Pacf::notification_added(Pacf::r, Pacf::p, );^J^Ireturn (T);^J^I}^J^Jreturn (F);^J}, remove_notification=Pacf::debug_remove_notification^J{ ^JPacf::s = fmt(remove_notification: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jreturn (Pacf::do_something(Pacf::p));^J}, transaction_begin=Pacf::debug_transaction_begin^J{ ^JPacf::debug_log(Pacf::p, transaction_begin);^J}, transaction_end=Pacf::debug_transaction_end^J{ ^JPacf::debug_log(Pacf::p, transaction_end);^J}], of_controller=, of_config=]] +pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=, flow=, ip=10.10.1.4/32, mac=], expire=15.0 secs, priority=0, location=, i=, d=, s=, id=3, _plugin=[config={\x0a\x09[all] = 1\x0a}, _priority=0, plugin=[name=Pacf::debug_name\x0a{ \x0areturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? 
All : None)));\x0a}, can_expire=F, init=Pacf::debug_init\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, done=Pacf::debug_done\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, add_rule=Pacf::debug_add_rule\x0a{ \x0aPacf::s = fmt(add_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::rule_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_rule=Pacf::debug_remove_rule\x0a{ \x0aPacf::s = fmt(remove_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aevent Pacf::rule_removed(Pacf::r, Pacf::p, );\x0areturn (T);\x0a}, add_notification=Pacf::debug_add_notification\x0a{ \x0aPacf::s = fmt(add_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::notification_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_notification=Pacf::debug_remove_notification\x0a{ \x0aPacf::s = fmt(remove_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0areturn (Pacf::do_something(Pacf::p));\x0a}, transaction_begin=Pacf::debug_transaction_begin\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_begin);\x0a}, transaction_end=Pacf::debug_transaction_end\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_end);\x0a}], of_controller=, of_config=]] +pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=, dst_m=], ip=, mac=], expire=30.0 secs, priority=0, location=, i=, d=, s=, id=2, _plugin=[config={\x0a\x09[all] = 1\x0a}, _priority=0, plugin=[name=Pacf::debug_name\x0a{ \x0areturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? 
All : None)));\x0a}, can_expire=F, init=Pacf::debug_init\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, done=Pacf::debug_done\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, add_rule=Pacf::debug_add_rule\x0a{ \x0aPacf::s = fmt(add_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::rule_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_rule=Pacf::debug_remove_rule\x0a{ \x0aPacf::s = fmt(remove_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aevent Pacf::rule_removed(Pacf::r, Pacf::p, );\x0areturn (T);\x0a}, add_notification=Pacf::debug_add_notification\x0a{ \x0aPacf::s = fmt(add_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::notification_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_notification=Pacf::debug_remove_notification\x0a{ \x0aPacf::s = fmt(remove_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0areturn (Pacf::do_something(Pacf::p));\x0a}, transaction_begin=Pacf::debug_transaction_begin\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_begin);\x0a}, transaction_end=Pacf::debug_transaction_end\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_end);\x0a}], of_controller=, of_config=]] diff --git a/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/pacf.log b/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/pacf.log index 100f5393f2..11ca981be1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/pacf.log +++ b/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/pacf.log 
@@ -3,16 +3,16 @@ #empty_field (empty) #unset_field - #path pacf -#open 2015-04-13-23-44-49 +#open 2015-05-12-20-36-36 #fields ts category cmd state action target entity_type entity msg location plugin #types time enum string enum string enum string string string string string 0.000000 Pacf::MESSAGE - - - - - - activated plugin with priority 0 - Debug-All -1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/1470->74.53.140.153/25 - (empty) Debug-All +1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All -1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/1470->74.53.140.153/25 - (empty) Debug-All +1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722767.875996 Pacf::RULE ADD Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All -1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/1470->74.53.140.153/25 - (empty) Debug-All +1254722776.690444 Pacf::RULE REMOVE Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All 1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Debug-All -1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/1470->74.53.140.153/25 - (empty) Debug-All -#close 2015-04-13-23-44-49 +1254722776.690444 Pacf::RULE REMOVE Pacf::SUCCEEDED Pacf::DROP Pacf::MONITOR Pacf::FLOW 
10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Debug-All +#close 2015-05-12-20-36-36 diff --git a/testing/btest/Baseline/scripts.base.frameworks.pacf.openflow/pacf.log b/testing/btest/Baseline/scripts.base.frameworks.pacf.openflow/pacf.log index c0362c23c4..1180186ac3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.pacf.openflow/pacf.log +++ b/testing/btest/Baseline/scripts.base.frameworks.pacf.openflow/pacf.log @@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path pacf -#open 2015-04-14-22-20-31 +#open 2015-05-12-20-36-53 #fields ts category cmd state action target entity_type entity msg location plugin #types time enum string enum string enum string string string string string 0.000000 Pacf::MESSAGE - - - - - - activated plugin with priority 0 - Openflow - OpenFlog Log Plugin - DPID 42 -1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/1470->74.53.140.153/25 - (empty) Openflow - OpenFlog Log Plugin - DPID 42 +1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::MONITOR Pacf::FLOW 10.10.1.4/32/1470->74.53.140.153/32/25 - (empty) Openflow - OpenFlog Log Plugin - DPID 42 1254722767.875996 Pacf::RULE ADD Pacf::REQUESTED Pacf::DROP Pacf::FORWARD Pacf::ADDRESS 10.10.1.4/32 - (empty) Openflow - OpenFlog Log Plugin - DPID 42 -#close 2015-04-14-22-20-31 +#close 2015-05-12-20-36-53