Make Flow a separate, more flexible type in PACF.

This allows the use of wildcards, etc. in rules and removes the need
for a few entity types that were separate so far.

scripts/base/frameworks/pacf/main.bro

@@ -265,7 +265,7 @@ function entity_to_info(info: Info, e: Entity)
 	info$entity_type = fmt("%s", e$ty);
 
 	switch ( e$ty ) {
-		case ADDRESS, ORIGINATOR, RESPONDER:
+		case ADDRESS:
 			info$entity = fmt("%s", e$ip);
 			break;
 
@@ -364,7 +364,13 @@ function drop_address(a: addr, t: interval, location: string &default="") : bool
 
 function shunt_flow(f: flow_id, t: interval, location: string &default="") : bool
 	{
-	local e: Entity = [$ty=FLOW, $flow=f];
+	local flow = Pacf::Flow(
+		$src_h=addr_to_subnet(f$src_h),
+		$src_p=f$src_p,
+		$dst_h=addr_to_subnet(f$dst_h),
+		$dst_p=f$dst_p
+	);
+	local e: Entity = [$ty=FLOW, $flow=flow];
 	local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location];
 
 	local id = add_rule(r);

scripts/base/frameworks/pacf/plugins/openflow.bro

@@ -63,6 +63,26 @@ function openflow_flow_mod_pred(p: PluginState, r: Rule, m: OpenFlow::ofp_flow_m
 	return m;
 	}
 
+function determine_dl_type(s: subnet): count
+	{
+	local pdl = OpenFlow::ETH_IPv4;
+	if ( is_v6_subnet(s) )
+		pdl = OpenFlow::ETH_IPv6;
+
+	return pdl;
+	}
+
+function determine_proto(p: port): count
+	{
+	local proto = OpenFlow::IP_TCP;
+	if ( is_udp_port(p) )
+		proto = OpenFlow::IP_UDP;
+	else if ( is_icmp_port(p) )
+		proto = OpenFlow::IP_ICMP;
+
+	return proto;
+	}
+
 function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_match
 	{
 	local v : vector of OpenFlow::ofp_match = vector();
@@ -74,49 +94,34 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat
 		return openflow_match_pred(p, e, v);
 		}
 
-	if ( e$ty == MAC || e$ty == ORIGMAC || e$ty == DESTMAC )
+	if ( e$ty == MAC )
 		{
-		if ( e$ty == MAC || e$ty == ORIGMAC )
+		v[|v|] = OpenFlow::ofp_match(
-			v[|v|] = OpenFlow::ofp_match(
+			$dl_src=e$mac
-				$dl_src=e$mac
+		);
-			);
+		v[|v|] = OpenFlow::ofp_match(
-
+			$dl_dst=e$mac
-		if ( e$ty == MAC || e$ty == DESTMAC )
+		);
-			v[|v|] = OpenFlow::ofp_match(
-				$dl_dst=e$mac
-			);
-
-		return openflow_match_pred(p, e, v);
-		}
-
-	if ( e$ty == MACFLOW )
-		{
-			v[|v|] = OpenFlow::ofp_match(
-				$dl_src=e$mac,
-				$dl_dst=e$dst_mac
-			);
 
 		return openflow_match_pred(p, e, v);
 		}
 
 	local dl_type = OpenFlow::ETH_IPv4;
 
-	if ( e$ty == ADDRESS || e$ty == RESPONDER || e$ty == ORIGINATOR )
+	if ( e$ty == ADDRESS )
 		{
 		if ( is_v6_subnet(e$ip) )
 			dl_type = OpenFlow::ETH_IPv6;
 
-		if ( e$ty == ADDRESS || e$ty == ORIGINATOR )
+		v[|v|] = OpenFlow::ofp_match(
-			v[|v|] = OpenFlow::ofp_match(
+			$dl_type=dl_type,
-				$dl_type=dl_type,
+			$nw_src=e$ip
-				$nw_src=e$ip
+		);
-			);
 
-		if ( e$ty == ADDRESS || e$ty == RESPONDER )
+		v[|v|] = OpenFlow::ofp_match(
-			v[|v|] = OpenFlow::ofp_match(
+			$dl_type=dl_type,
-				$dl_type=dl_type,
+			$nw_dst=e$ip
-				$nw_dst=e$ip
+		);
-			);
 
 		return openflow_match_pred(p, e, v);
 		}
@@ -125,22 +130,39 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat
 
 	if ( e$ty == FLOW )
 		{
-		if ( is_v6_addr(e$flow$src_h) )
+		local m = OpenFlow::ofp_match();
-			dl_type = OpenFlow::ETH_IPv6;
+		local f = e$flow;
 
-		if ( is_udp_port(e$flow$src_p) )
+		if ( f?$src_m )
-			proto = OpenFlow::IP_UDP;
+			m$dl_src=f$src_m;
-		else if ( is_icmp_port(e$flow$src_p) )
+		if ( f?$dst_m )
-			proto = OpenFlow::IP_ICMP;
+			m$dl_dst=f$dst_m;
 
-		v[|v|] = OpenFlow::ofp_match(
+		if ( f?$src_h )
-			$dl_type=dl_type,
+			{
-			$nw_proto=proto,
+			m$dl_type = determine_dl_type(f$src_h);
-			$nw_src=addr_to_subnet(e$flow$src_h),
+			m$nw_src = f$src_h;
-			$tp_src=e$flow$src_p,
+			}
-			$nw_dst=addr_to_subnet(e$flow$dst_h),
+
-			$tp_dst=e$flow$dst_p
+		if ( f?$dst_h )
-		);
+			{
+			m$dl_type = determine_dl_type(f$dst_h);
+			m$nw_dst = f$dst_h;
+			}
+
+		if ( f?$src_p )
+			{
+			m$nw_proto = determine_proto(f$src_p);
+			m$tp_src = f$src_p;
+			}
+
+		if ( f?$dst_p )
+			{
+			m$nw_proto = determine_proto(f$dst_p);
+			m$tp_dst = f$dst_p;
+			}
+
+		v[|v|] = m;
 
 		return openflow_match_pred(p, e, v);
 		}

scripts/base/frameworks/pacf/types.bro

@@ -5,24 +5,28 @@ export {
 	## Type of a :bro:id:`Entity` for defining an action.
 	type EntityType: enum {
 		ADDRESS,	##< Activity involving a specific IP address.
-		ORIGINATOR,	##< Activity *from* a source IP address.
-		RESPONDER,	##< Activity *to* a destination IP address.
 		CONNECTION,	##< All of a bi-directional connection's activity.
-		FLOW,		##< All of a  uni-directional flow's activity.
+		FLOW,		##< All of a uni-directional flow's activity. Can contain wildcards.
 		MAC,		##< Activity involving a MAC address.
-		ORIGMAC,	##< Activity *from* a source MAC address.
+	};
-		DESTMAC,	##< Activity *to* a destination MAC adress.
+
-		MACFLOW		##< Activity involving a pair of MAC addresses.
+	## Type of a :bro:id:`Flow` for defining a flow.
+	type Flow: record {
+		src_h: subnet &optional;	##< The source IP address/subnet.
+		src_p: port &optional;	##< The source port number.
+		dst_h: subnet &optional;	##< The destination IP address/subnet.
+		dst_p: port &optional;	##< The desintation port number.
+		src_m: string &optional;	##< The source MAC address.
+		dst_m: string &optional;	##< The destination MAC address.
 	};
 
 	## Type defining the enity an :bro:id:`Rule` is operating on.
 	type Entity: record {
 		ty: EntityType;			##< Type of entity.
 		conn: conn_id &optional;	##< Used with :bro:id:`CONNECTION` .
-		flow: flow_id &optional;	##< Used with :bro:id:`FLOW` .
+		flow: Flow &optional;	##< Used with :bro:id:`FLOW` .
-		ip: subnet &optional;		##< Used with :bro:id:`ORIGINATOR`/:bro:id:`RESPONDER`/:bro:id:`ADDRESS`; can specifiy a CIDR subnet.
+		ip: subnet &optional;		##< Used with bro:id:`ADDRESS`; can specifiy a CIDR subnet.
-		mac: string &optional;		##< Used with :bro:id:`MAC`/:bro:id:`ORIGMAC`/:bro:id:`DESTMAC`/:bro:id:`MACFLOW`.
+		mac: string &optional;		##< Used with :bro:id:`MAC`.
-		dst_mac: string &optional;	##< Used with :bro:id:`MACFLOW`; specifies the destination for the flow.
 	};
 
 	## Target of :bro:id:`Rule` action.

testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout

@@ -1,4 +1,4 @@
-pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4, src_p=1470/tcp, dst_h=74.53.140.153, dst_p=25/tcp], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, id=2, _plugin=<uninitialized>]
+pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, id=2, _plugin=<uninitialized>]
 pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, id=3, _plugin=<uninitialized>]
-pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, id=3, _plugin=[config={^J^I[all] = 1^J}, _priority=0, plugin=[name=Pacf::debug_name^J{ ^Jreturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? All : None)));^J}, can_expire=F, init=Pacf::debug_init^J{ ^JPacf::debug_log(Pacf::p, init);^J}, done=Pacf::debug_done^J{ ^JPacf::debug_log(Pacf::p, init);^J}, add_rule=Pacf::debug_add_rule^J{ ^JPacf::s = fmt(add_rule: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jif (Pacf::do_something(Pacf::p)) ^J^I{ ^J^Ievent Pacf::rule_added(Pacf::r, Pacf::p, );^J^Ireturn (T);^J^I}^J^Jreturn (F);^J}, remove_rule=Pacf::debug_remove_rule^J{ ^JPacf::s = fmt(remove_rule: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jevent Pacf::rule_removed(Pacf::r, Pacf::p, );^Jreturn (T);^J}, add_notification=Pacf::debug_add_notification^J{ ^JPacf::s = fmt(add_notification: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jif (Pacf::do_something(Pacf::p)) ^J^I{ ^J^Ievent Pacf::notification_added(Pacf::r, Pacf::p, );^J^Ireturn (T);^J^I}^J^Jreturn (F);^J}, remove_notification=Pacf::debug_remove_notification^J{ ^JPacf::s = fmt(remove_notification: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jreturn (Pacf::do_something(Pacf::p));^J}, transaction_begin=Pacf::debug_transaction_begin^J{ ^JPacf::debug_log(Pacf::p, transaction_begin);^J}, transaction_end=Pacf::debug_transaction_end^J{ ^JPacf::debug_log(Pacf::p, transaction_end);^J}], of_controller=<uninitialized>, of_config=<uninitialized>]]
+pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, id=3, _plugin=[config={\x0a\x09[all] = 1\x0a}, _priority=0, plugin=[name=Pacf::debug_name\x0a{ \x0areturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? All : None)));\x0a}, can_expire=F, init=Pacf::debug_init\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, done=Pacf::debug_done\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, add_rule=Pacf::debug_add_rule\x0a{ \x0aPacf::s = fmt(add_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::rule_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_rule=Pacf::debug_remove_rule\x0a{ \x0aPacf::s = fmt(remove_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aevent Pacf::rule_removed(Pacf::r, Pacf::p, );\x0areturn (T);\x0a}, add_notification=Pacf::debug_add_notification\x0a{ \x0aPacf::s = fmt(add_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::notification_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_notification=Pacf::debug_remove_notification\x0a{ \x0aPacf::s = fmt(remove_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0areturn (Pacf::do_something(Pacf::p));\x0a}, transaction_begin=Pacf::debug_transaction_begin\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_begin);\x0a}, transaction_end=Pacf::debug_transaction_end\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_end);\x0a}], of_controller=<uninitialized>, of_config=<uninitialized>]]
-pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4, src_p=1470/tcp, dst_h=74.53.140.153, dst_p=25/tcp], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, id=2, _plugin=[config={^J^I[all] = 1^J}, _priority=0, plugin=[name=Pacf::debug_name^J{ ^Jreturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? All : None)));^J}, can_expire=F, init=Pacf::debug_init^J{ ^JPacf::debug_log(Pacf::p, init);^J}, done=Pacf::debug_done^J{ ^JPacf::debug_log(Pacf::p, init);^J}, add_rule=Pacf::debug_add_rule^J{ ^JPacf::s = fmt(add_rule: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jif (Pacf::do_something(Pacf::p)) ^J^I{ ^J^Ievent Pacf::rule_added(Pacf::r, Pacf::p, );^J^Ireturn (T);^J^I}^J^Jreturn (F);^J}, remove_rule=Pacf::debug_remove_rule^J{ ^JPacf::s = fmt(remove_rule: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jevent Pacf::rule_removed(Pacf::r, Pacf::p, );^Jreturn (T);^J}, add_notification=Pacf::debug_add_notification^J{ ^JPacf::s = fmt(add_notification: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jif (Pacf::do_something(Pacf::p)) ^J^I{ ^J^Ievent Pacf::notification_added(Pacf::r, Pacf::p, );^J^Ireturn (T);^J^I}^J^Jreturn (F);^J}, remove_notification=Pacf::debug_remove_notification^J{ ^JPacf::s = fmt(remove_notification: %s, Pacf::r);^JPacf::debug_log(Pacf::p, Pacf::s);^Jreturn (Pacf::do_something(Pacf::p));^J}, transaction_begin=Pacf::debug_transaction_begin^J{ ^JPacf::debug_log(Pacf::p, transaction_begin);^J}, transaction_end=Pacf::debug_transaction_end^J{ ^JPacf::debug_log(Pacf::p, transaction_end);^J}], of_controller=<uninitialized>, of_config=<uninitialized>]]
+pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, id=2, _plugin=[config={\x0a\x09[all] = 1\x0a}, _priority=0, plugin=[name=Pacf::debug_name\x0a{ \x0areturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? All : None)));\x0a}, can_expire=F, init=Pacf::debug_init\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, done=Pacf::debug_done\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, add_rule=Pacf::debug_add_rule\x0a{ \x0aPacf::s = fmt(add_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::rule_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_rule=Pacf::debug_remove_rule\x0a{ \x0aPacf::s = fmt(remove_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aevent Pacf::rule_removed(Pacf::r, Pacf::p, );\x0areturn (T);\x0a}, add_notification=Pacf::debug_add_notification\x0a{ \x0aPacf::s = fmt(add_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::notification_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_notification=Pacf::debug_remove_notification\x0a{ \x0aPacf::s = fmt(remove_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0areturn (Pacf::do_something(Pacf::p));\x0a}, transaction_begin=Pacf::debug_transaction_begin\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_begin);\x0a}, transaction_end=Pacf::debug_transaction_end\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_end);\x0a}], of_controller=<uninitialized>, of_config=<uninitialized>]]

testing/btest/Baseline/scripts.base.frameworks.pacf.basic/pacf.log

@@ -3,16 +3,16 @@
 #empty_field	(empty)
 #unset_field	-
 #path	pacf
-#open	2015-04-13-23-44-49
+#open	2015-05-12-20-36-36
 #fields	ts	category	cmd	state	action	target	entity_type	entity	msg	location	plugin
 #types	time	enum	string	enum	string	enum	string	string	string	string	string
 0.000000	Pacf::MESSAGE	-	-	-	-	-	-	activated plugin with priority 0	-	Debug-All
-1254722767.875996	Pacf::RULE	ADD	Pacf::REQUESTED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/1470->74.53.140.153/25	-	(empty)	Debug-All
+1254722767.875996	Pacf::RULE	ADD	Pacf::REQUESTED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	(empty)	Debug-All
 1254722767.875996	Pacf::RULE	ADD	Pacf::REQUESTED	Pacf::DROP	Pacf::FORWARD	Pacf::ADDRESS	10.10.1.4/32	-	(empty)	Debug-All
-1254722767.875996	Pacf::RULE	ADD	Pacf::SUCCEEDED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/1470->74.53.140.153/25	-	(empty)	Debug-All
+1254722767.875996	Pacf::RULE	ADD	Pacf::SUCCEEDED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	(empty)	Debug-All
 1254722767.875996	Pacf::RULE	ADD	Pacf::SUCCEEDED	Pacf::DROP	Pacf::FORWARD	Pacf::ADDRESS	10.10.1.4/32	-	(empty)	Debug-All
 1254722776.690444	Pacf::RULE	REMOVE	Pacf::REQUESTED	Pacf::DROP	Pacf::FORWARD	Pacf::ADDRESS	10.10.1.4/32	-	(empty)	Debug-All
-1254722776.690444	Pacf::RULE	REMOVE	Pacf::REQUESTED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/1470->74.53.140.153/25	-	(empty)	Debug-All
+1254722776.690444	Pacf::RULE	REMOVE	Pacf::REQUESTED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	(empty)	Debug-All
 1254722776.690444	Pacf::RULE	REMOVE	Pacf::SUCCEEDED	Pacf::DROP	Pacf::FORWARD	Pacf::ADDRESS	10.10.1.4/32	-	(empty)	Debug-All
-1254722776.690444	Pacf::RULE	REMOVE	Pacf::SUCCEEDED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/1470->74.53.140.153/25	-	(empty)	Debug-All
+1254722776.690444	Pacf::RULE	REMOVE	Pacf::SUCCEEDED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	(empty)	Debug-All
-#close	2015-04-13-23-44-49
+#close	2015-05-12-20-36-36

testing/btest/Baseline/scripts.base.frameworks.pacf.openflow/pacf.log

@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	pacf
-#open	2015-04-14-22-20-31
+#open	2015-05-12-20-36-53
 #fields	ts	category	cmd	state	action	target	entity_type	entity	msg	location	plugin
 #types	time	enum	string	enum	string	enum	string	string	string	string	string
 0.000000	Pacf::MESSAGE	-	-	-	-	-	-	activated plugin with priority 0	-	Openflow - OpenFlog Log Plugin - DPID 42
-1254722767.875996	Pacf::RULE	ADD	Pacf::REQUESTED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/1470->74.53.140.153/25	-	(empty)	Openflow - OpenFlog Log Plugin - DPID 42
+1254722767.875996	Pacf::RULE	ADD	Pacf::REQUESTED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	(empty)	Openflow - OpenFlog Log Plugin - DPID 42
 1254722767.875996	Pacf::RULE	ADD	Pacf::REQUESTED	Pacf::DROP	Pacf::FORWARD	Pacf::ADDRESS	10.10.1.4/32	-	(empty)	Openflow - OpenFlog Log Plugin - DPID 42
-#close	2015-04-14-22-20-31
+#close	2015-05-12-20-36-53