I've been a party to the following conversation a few times:


- Ever send pfSense to the Nitro?

- Sure, I run it at home.

- Did you write a parser for it?

- I did.

- Me too, though it would be great to see your rules if you have them.

- No problem, I'll send them out when I remember.


The transaction never seems to happen, though. It doesn't help that no ESM in my lab is safe from being rebuilt, and the rules have been written and wiped more times than I will admit. So it serves us all well to have them posted somewhere.


Since we're not admitting things, I'll tell you a short and recent story about someone who found themselves in a situation where one of their log forwarders was configured to send to two external destinations. Both destinations then became blocked by the firewall. Every time the traffic was blocked, the firewall generated a log. That log was sent to the log forwarder, which forwarded the event to the two external destinations, where the firewall blocked and logged it again... which is how you end up wondering why your SIEM is suddenly trying to process an extra 10k EPS. The check worth making is that whatever rule blocks the forwarder's traffic is not also logging it; otherwise the firewall's own block logs feed the loop.


At any rate, here are the details:


The heart of the pfSense ruleset is the filterlog component, the comma-separated firewall log that pf emits for every logged rule match. pfSense is somewhat unusual in how wide a variety of service logs it can produce, owing to how versatile the platform is. I write parsing rules for these as they come up, but I'll never see them all. Feel free to post or send any scrubbed logs that don't parse and I'll continue to build out the ruleset. I'll be adding OpenVPN rules next, since the existing ones don't seem to be up to date.


I add the firewall as a Linux data source and then specifically enable the Snort ruleset in addition to my custom rules. This covers a lot of the OS-level messages and some services like cron or dhcp.


All the fields are captured and labeled, but not all of them are mapped. If I need to find packets with a specific packet offset pattern, the SIEM is not my first stop. I do map relevant packet details for various use cases, though. And since every field is captured by the parsing rules, it's easy enough to drag and drop an additional field mapping when required.


Most of the mappings are as expected; I map TOS to Service_Name, TCP flags (SYN, ACK, etc.) to Session_Status, and TCP options and packet messages to Method.
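As an added example (mine, not code from this post or from the linked ruleset), here is a small Python parser that walks a filterlog line in the same field order the rules capture: the common header, then the IPv4 or IPv6 header, then the protocol-specific tail for TCP, UDP, CARP and the various ICMP types. It also includes a helper that runs one of the rules from the list further down (the IPv4 TCP pass rule, copied verbatim) against sample lines, which is the check I'd want before rolling a policy out. The hostname, interfaces, addresses, rule and tracker numbers in the sample lines are constructed; the IPv6 header order (class, flow label, hop limit, protocol text, protocol id, length, source, destination) follows the pfSense filterlog format documentation.

```python
"""Walk pfSense filterlog CSV lines in the field order the ESM rules capture,
then run one of those rules against sample lines.

Added example: not code from the post or from the published ruleset. The
sample log lines (host, interfaces, addresses, rule/tracker numbers) are
constructed for this example."""
import re

# Common header, then the IP header (IPv4 and IPv6 differ), then a tail
# that depends on the protocol. Order per the pfSense filterlog format.
COMMON = ["rulenum", "subrulenum", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipver"]
IPV4_HDR = ["tos", "ecn", "ttl", "id", "offset", "ipflags",
            "protoid", "protoname", "length", "srcip", "dstip"]
IPV6_HDR = ["class", "flow", "hops", "protoname", "protoid",
            "length", "srcip", "dstip"]
TCP_TAIL = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack",
            "window", "urg", "tcpopts"]
UDP_TAIL = ["srcport", "dstport", "datalen"]
CARP_TAIL = ["type", "ttl", "vhid", "version", "advskew", "advbase"]
# ICMP tails depend on the type token after the destination address; unreach,
# timexceed, paramprob, redirect, maskreply and unknown types carry free text.
ICMP_TAILS = {
    "request": ["icmp_id", "icmp_seq"],
    "reply": ["icmp_id", "icmp_seq"],
    "unreachproto": ["icmp_dst_ip", "icmp_prot_id"],
    "unreachport": ["icmp_dst_ip", "icmp_prot_id", "icmp_port"],
    "needfrag": ["icmp_dst_ip", "icmp_mtu"],
    "tstamp": ["icmp_id", "icmp_seq"],
    "tstampreply": ["icmp_id", "icmp_seq", "icmp_otime", "icmp_rtime",
                    "icmp_ttime"],
}

# Everything up to and including "filterlog: " or "filterlog[pid]: ". Lines
# that are already bare CSV pass through unchanged.
SYSLOG_PREFIX = re.compile(r"^.*?filterlog(?:\[\d+\])?:\s*")


def payload(line):
    """Strip the syslog header; the ESM rules start matching at the rule number."""
    return SYSLOG_PREFIX.sub("", line, count=1)


def parse_filterlog(line):
    """Return a dict of named fields for one filterlog line."""
    parts = payload(line).split(",")
    fields = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    hdr = IPV4_HDR if fields.get("ipver") == "4" else IPV6_HDR
    fields.update(zip(hdr, rest))
    rest = rest[len(hdr):]
    proto = fields.get("protoid")
    if proto == "6":
        fields.update(zip(TCP_TAIL, rest))
    elif proto == "17":
        fields.update(zip(UDP_TAIL, rest))
    elif proto == "112":
        fields.update(zip(CARP_TAIL, rest))
    elif proto == "1" and rest:
        fields["type"] = rest[0]
        tail = ICMP_TAILS.get(rest[0])
        if tail:
            fields.update(zip(tail, rest[1:]))
        else:
            fields["icmp_desc"] = ",".join(rest[1:])  # descriptions may hold commas
    else:
        fields["details"] = ",".join(rest)  # anything else, as the generic rules do
    return fields


# The IPv4 TCP "pass" rule, copied verbatim from the rule list. Python's re
# accepts the (?#...) comments, \x2c for the comma and the [^\b] "rest of
# line" idiom the same way the ESM Advanced Syslog Parser does.
ESM_TCP_PASS_RULE = re.compile(r"(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(6)?\x2c(?#protoname)([^\x2c]+)\x2c(?#len)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#srcport)([^\x2c]+)?\x2c(?#dstport)([^\x2c]+)?\x2c(?#len)([^\x2c]+)?\x2c(?#tcpflags)([^\x2c]+)?\x2c(?#seq)([^\x2c]+)?\x2c(?#ack)([^\x2c]+)?\x2c(?#window)([^\x2c]+)?\x2c(?#urg)([^\x2c]+)?\x2c(?#tcpopts)([^\b]+)?")


def check_rule(rule, line):
    """Captures from a rule for one line, or None when the rule does not match.
    Run this over scrubbed sample lines before importing a rule into the policy."""
    m = rule.match(payload(line))
    return m.groups() if m else None


# Constructed sample lines (RFC 5737 / RFC 3849 addresses).
SAMPLE_LINES = [
    # IPv4 TCP SYN passed outbound on the LAN interface
    "<134>Mar  5 12:00:01 fw filterlog: 5,,,1000000103,igb1,match,pass,out,4,0x0,,64,12345,0,DF,6,tcp,60,192.0.2.5,203.0.113.10,51234,443,0,S,1234567890,,65535,,mss;nop;wscale;sackOK;TS",
    # IPv4 UDP (mDNS) blocked inbound on the WAN interface
    "<134>Mar  5 12:00:02 fw filterlog: 9,,,1000000109,igb0,match,block,in,4,0x0,,58,0,0,none,17,udp,78,198.51.100.7,192.0.2.1,5353,5353,58",
    # IPv4 ICMP port-unreachable (traceroute reply) passed inbound
    "<134>Mar  5 12:00:03 fw filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,63,44,0,none,1,icmp,56,203.0.113.10,192.0.2.5,unreachport,192.0.2.5,udp,33434",
    # IPv6 TCP SYN blocked inbound on the WAN interface
    "<134>Mar  5 12:00:04 fw filterlog: 12,,,1000000112,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::10,2001:db8::1,40000,22,0,S,987654321,,65535,,mss",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_filterlog(line)
        print(f["action"], f["protoname"], f["srcip"], "->", f["dstip"],
              f.get("dstport") or f.get("type", ""))
    # The pass/TCP rule should match sample 0 only.
    for i, line in enumerate(SAMPLE_LINES):
        print("TCP pass rule matches sample", i, ":",
              check_rule(ESM_TCP_PASS_RULE, line) is not None)
```

The rule strings in the list below are already in the dialect the ESM parser wants, and the same strings compile in Python, so a file of scrubbed sample lines plus this check gives a quick regression test for the whole ruleset each time a rule is changed.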


For configuring pfSense logging, I find it critical to check the Allow IPv6 box under System | Advanced | Networking | IPv6 Options. When it is unchecked, every blocked IPv6 packet creates a log entry and produces a disproportionate amount of garbage in the logs. If you need IPv6 blocked, do it instead with a Floating Rule that has logging disabled. Floating rules are processed first (make sure you check the Quick box, "Apply the action immediately on match", for each rule) and are not tied to a particular interface. I use the following four rules to block multicast, IPv6, broadcast and SSDP silently and keep my logs clean.


[Screenshot: pfsense-rules.PNG]


The rules are available at this link, or on GitHub if it's easier to clone the repo.


I also pasted the regex for the rules below for easier reference or if you just want your head to hurt a little.


To import the rules, go to the Policy Manager, then File, Import Rules. The default is to overwrite existing rules, which you might want to change if you have created rules with the same names, though that's unlikely.


Once the rules are imported, select the pfSense device policy using the arrow to the right of the Default Policy label.


Select Advanced Syslog Parser on the left and click the Advanced tab on the bottom right.


Change the Origin to user defined and refresh the filter.

[Screenshot: policy-manager1.PNG]


You can then select the rules (control/shift-click) and click the Action title bar to enable them all.

[Screenshot: policy-manager2.PNG]

Finally, roll out your policy and start parsing.


Feedback is welcome, especially if you find something that doesn't parse! I'll post here when I update the file.


Below is just the regex since some folks were interested in samples.


(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(6)?\x2c(?#protoname)([^\x2c]+)\x2c(?#len)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#srcport)([^\x2c]+)?\x2c(?#dstport)([^\x2c]+)?\x2c(?#len)([^\x2c]+)?\x2c(?#tcpflags)([^\x2c]+)?\x2c(?#seq)([^\x2c]+)?\x2c(?#ack)([^\x2c]+)?\x2c(?#window)([^\x2c]+)?\x2c(?#urg)([^\x2c]+)?\x2c(?#tcpopts)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(17)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#srcport)([^\x2c]+)?\x2c(?#dstport)([^\x2c]+)?\x2c(?#datalen)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(2)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#srcport)([^\x2c]+)?\x2c(?#dstport)([^\x2c]+)?\x2c(?#datalen)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(112)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#vhid)([^\x2c]+)?\x2c(?#version)([^\x2c]+)?\x2c(?#advskew)([^\x2c]+)?\x2c(?#advbase)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)([^\x2c]+)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#details)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(6)?\x2c(?#protoname)([^\x2c]+)\x2c(?#len)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#srcport)([^\x2c]+)?\x2c(?#dstport)([^\x2c]+)?\x2c(?#len)([^\x2c]+)?\x2c(?#tcpflags)([^\x2c]+)?\x2c(?#seq)([^\x2c]+)?\x2c(?#ack)([^\x2c]+)?\x2c(?#window)([^\x2c]+)?\x2c(?#urg)([^\x2c]+)?\x2c(?#tcpopts)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(17)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#srcport)([^\x2c]+)?\x2c(?#dstport)([^\x2c]+)?\x2c(?#datalen)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(2)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#srcport)([^\x2c]+)?\x2c(?#dstport)([^\x2c]+)?\x2c(?#datalen)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(112)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#vhid)([^\x2c]+)?\x2c(?#version)([^\x2c]+)?\x2c(?#advskew)([^\x2c]+)?\x2c(?#advbase)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(41)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#options)([^\x2c]+)?\x2c(?#unknown)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)([^\x2c]+)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#details)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(request)\x2c(?#icmp_id)([^\x2c]+)?\x2c(?#icmp_seq)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(reply)\x2c(?#icmp_id)([^\x2c]+)?\x2c(?#icmp_seq)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(unreachproto)\x2c(?#icmp_dst_ip)([^\x2c]+)?\x2c(?#icmp_prot_id)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(unreachport)\x2c(?#icmp_dst_ip)([^\x2c]+)?\x2c(?#icmp_prot_id)([^\x2c]+)?\x2c(?#icmp_port)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(unreach)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(timexceed)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(paramprob)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(redirect)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(maskreply)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(needfrag)\x2c(?#icmp_dstip)([^\x2c]+)?\x2c(?#icmp_mtu)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(tstamp)\x2c(?#icmp_id)([^\x2c]+)?\x2c(?#icmp_seq)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(tstampreply)\x2c(?#icmp_id)([^\x2c]+)?\x2c(?#icmp_seq)([^\x2c]+)?\x2c(?#icmp_otime)([^\x2c]+)?\x2c(?#icmp_rtime)([^\x2c]+)?\x2c(?#icmp_ttime)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(4)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c?(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#class)([^\x2c]+)\x2c(?#flow)([^\x2c]+)?\x2c(?#hops)([^\x2c]+)?\x2c(?#proto-name)([^\x2c]+)?\x2c(?#proto-id)(6)?\x2c(?#packetlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#srcport)([^\x2c]+)?\x2c(?#dstport)([^\x2c]+)?\x2c(?#len)([^\x2c]+)?\x2c(?#tcpflags)([^\x2c]+)?\x2c(?#seq)([^\x2c]+)?\x2c(?#ack)([^\x2c]+)?\x2c(?#window)([^\x2c]+)?\x2c(?#urg)([^\x2c]+)?\x2c(?#tcpopts)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#class)([^\x2c]+)\x2c(?#flow)([^\x2c]+)?\x2c(?#hops)([^\x2c]+)?\x2c(?#proto-name)([^\x2c]+)?\x2c(?#proto-id)(17)?\x2c(?#packetlen)([^\x2c]+)?\x2c(?#src-ip)([^\x2c]+)?\x2c(?#dst-ip)([^\x2c]+)?\x2c(?#src-port)([^\x2c]+)?\x2c(?#dst-port)([^\x2c]+)?\x2c(?#datalen)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#class)([^\x2c]+)\x2c(?#flow)([^\x2c]+)?\x2c(?#hops)([^\x2c]+)?\x2c(?#proto-name)([^\x2c]+)?\x2c(?#proto-id)(112)?\x2c(?#packetlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#vhid)([^\x2c]+)?\x2c(?#version)([^\x2c]+)?\x2c(?#advskew)([^\x2c]+)?\x2c(?#advbase)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#class)([^\x2c]+)\x2c(?#flow)([^\x2c]+)?\x2c(?#hops)([^\x2c]+)?\x2c(?#proto-name)(Options)?\x2c(?#proto-id)(0)?\x2c(?#packetlen)([^\x2c]+)?\x2c(?#src-ip)([^\x2c]+)?\x2c(?#dst-ip)([^\x2c]+)?\x2c(?#options)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#class)([^\x2c]+)\x2c(?#flow)([^\x2c]+)?\x2c(?#hops)([^\x2c]+)?\x2c(?#proto-name)([^\x2c]+)?\x2c(?#proto-id)([^\x2c]+)?\x2c(?#packetlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#details)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#class)([^\x2c]+)\x2c(?#flow)([^\x2c]+)?\x2c(?#hops)([^\x2c]+)?\x2c(?#proto-name)([^\x2c]+)?\x2c(?#proto-id)(6)?\x2c(?#packetlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#srcport)([^\x2c]+)?\x2c(?#dstport)([^\x2c]+)?\x2c(?#len)([^\x2c]+)?\x2c(?#tcpflags)([^\x2c]+)?\x2c(?#seq)([^\x2c]+)?\x2c(?#ack)([^\x2c]+)?\x2c(?#window)([^\x2c]+)?\x2c(?#urg)([^\x2c]+)?\x2c(?#tcpopts)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#class)([^\x2c]+)\x2c(?#flow)([^\x2c]+)?\x2c(?#hops)([^\x2c]+)?\x2c(?#proto-name)([^\x2c]+)?\x2c(?#proto-id)(17)?\x2c(?#packetlen)([^\x2c]+)?\x2c(?#src-ip)([^\x2c]+)?\x2c(?#dst-ip)([^\x2c]+)?\x2c(?#src-port)([^\x2c]+)?\x2c(?#dst-port)([^\x2c]+)?\x2c(?#datalen)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#class)([^\x2c]+)\x2c(?#flow)([^\x2c]+)?\x2c(?#hops)([^\x2c]+)?\x2c(?#proto-name)([^\x2c]+)?\x2c(?#proto-id)(112)?\x2c(?#packetlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#vhid)([^\x2c]+)?\x2c(?#version)([^\x2c]+)?\x2c(?#advskew)([^\x2c]+)?\x2c(?#advbase)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#class)([^\x2c]+)\x2c(?#flow)([^\x2c]+)?\x2c(?#hops)([^\x2c]+)?\x2c(?#proto-name)(Options)?\x2c(?#proto-id)(0)?\x2c(?#packetlen)([^\x2c]+)?\x2c(?#src-ip)([^\x2c]+)?\x2c(?#dst-ip)([^\x2c]+)?\x2c(?#options)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(request)\x2c(?#icmp_id)([^\x2c]+)?\x2c(?#icmp_seq)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(reply)\x2c(?#icmp_id)([^\x2c]+)?\x2c(?#icmp_seq)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(unreachproto)\x2c(?#icmp_dst_ip)([^\x2c]+)?\x2c(?#icmp_prot_id)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(unreachport)\x2c(?#icmp_dst_ip)([^\x2c]+)?\x2c(?#icmp_prot_id)([^\x2c]+)?\x2c(?#icmp_port)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(unreach)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(timexceed)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(paramprob)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(redirect)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(maskreply)\x2c(?#icmp_desc)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(needfrag)\x2c(?#icmp_dstip)([^\x2c]+)?\x2c(?#icmp_mtu)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(tstamp)\x2c(?#icmp_id)([^\x2c]+)?\x2c(?#icmp_seq)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c(?#type)(tstampreply)\x2c(?#icmp_id)([^\x2c]+)?\x2c(?#icmp_seq)([^\x2c]+)?\x2c(?#icmp_otime)([^\x2c]+)?\x2c(?#icmp_rtime)([^\x2c]+)?\x2c(?#icmp_ttime)([^\b]+)?
(?#rulenum)(\d+)\x2c(?#subrulenum)([^\x2c]+)?\x2c(?#anchor)([^\x2c]+)?\x2c(?#tracker)([^\x2c]+)?\x2c(?#interface)([^\x2c]+)?\x2c(?#reason)([^\x2c]+)\x2c(?#action)(pass|block)\x2c(?#direction)([^\x2c]+)?\x2c(?#ipver)(6)?\x2c(?#tos)([^\x2c]+)\x2c(?#ecn)([^\x2c]+)?\x2c(?#ttl)([^\x2c]+)?\x2c(?#id)([^\x2c]+)?\x2c(?#offsetl)([^\x2c]+)?\x2c(?#ipflags)([^\x2c]+)?\x2c(?#protoid)(1)?\x2c(?#protoname)([^\x2c]+)\x2c(?#packlen)([^\x2c]+)?\x2c(?#srcip)([^\x2c]+)?\x2c(?#dstip)([^\x2c]+)?\x2c?(?#icmp_desc)([^\b]+)?