> Aug 7 20:35:11 wormhole ipmon: 20:35:06.266243 2x rtk1
> @138:1 b xxx.xxx.xxx.xxx,www -> xxx.xxx.xxx.xxx,16793 PR tcp len 20 56325
> -A 194209914 3141330721 17339 IN
The only relevant difference from an OpenBSD log that I see is the ",www" port. Everything else (ipf, ipchains, iptables) logs the port number numerically, so the regexps assume that port numbers are \d+ (numeric).
There are two options:
- Don't call ipmon with "-n"
- Change the '?(\d*)'s on line 279 (under 7 and 9) of fwanalog.sh to '?(\w*)' so that fwanalog accepts letters in this position.
I think the first way is better, as Analog does a better job of resolving IP addresses and port numbers (using the nmap config) than your kernel does. (Resolving IPs shouldn't be the job of a firewall, anyway.)
What is the default setting on NetBSD? -n or not?
This was the only problem I found; aside from that, the OpenBSD parser works perfectly.
Please delete everything from the $outdir before you try it again, and make sure that you only give ipflogs to fwanalog which were created without "-n".
I hope this helps
--
_________________________________________________________________
Balázs Bárány    balazs~AT~tud.at    http://tud.at    ICQ 10747763
Computers. You can't live with them, you can't live without them.
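The port-format problem discussed above, as an added Python example that is not part of fwanalog, not the expression on line 279 of fwanalog.sh, and not code from the message author: a small ipmon line parser with the two variants side by side, the strict one that only accepts numeric ports (the '?(\d*)' assumption) and the relaxed one that also accepts service names (the '?(\w*)' idea), plus a check that scans a log for named ports as evidence that it was produced with "ipmon -n". The sample lines are constructed, with private addresses in place of the x'ed-out ones; the field names and the overall regex are my own. Note that "ipmon -n" also maps IP addresses to hostnames where it can, so a log produced with -n may also carry hostnames in the address fields, which neither variant below accepts; that is one more reason to prefer the first option (run ipmon without -n).

```python
import re

# Constructed sample lines (not from a real system). The first mirrors the
# quoted NetBSD line: ipmon was run with -n, so port 80 appears as "www".
# The second is the same event as ipmon logs it without -n.
SAMPLE_LINES = [
    "Aug  7 20:35:11 wormhole ipmon: 20:35:06.266243 2x rtk1 @138:1 b "
    "10.0.0.1,www -> 10.0.0.2,16793 PR tcp len 20 56325 -A 194209914 3141330721 17339 IN",
    "Aug  7 20:35:11 wormhole ipmon: 20:35:06.266243 2x rtk1 @138:1 b "
    "10.0.0.1,80 -> 10.0.0.2,16793 PR tcp len 20 56325 -A 194209914 3141330721 17339 IN",
]

# Common prefix: syslog timestamp, host, "ipmon:", packet timestamp, optional
# repeat count ("2x"), interface, @group:rule, and the action letter (b/p/...).
_PREFIX = (
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>[\d:]{8}) (?P<host>\S+) ipmon: "
    r"(?P<pkt_time>[\d:.]+) (?:(?P<count>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
)
# Common suffix: protocol, header length, packet length, and anything after.
_SUFFIX = r" PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<len>\d+)(?P<rest>.*)$"

# Strict form: the port after the comma must be numeric ('?(\d*)' assumption).
STRICT_RE = re.compile(
    _PREFIX
    + r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+)"
    + _SUFFIX
)
# Relaxed form: the port may be a number or a service name ('?(\w*)' idea).
# Service names in /etc/services may contain '-', so [\w-] is used here.
RELAXED_RE = re.compile(
    _PREFIX
    + r"(?P<src>[\d.]+),(?P<sport>[\w-]+) -> (?P<dst>[\d.]+),(?P<dport>[\w-]+)"
    + _SUFFIX
)


def parse_ipmon(line, relaxed=False):
    """Return the named fields of one ipmon syslog line, or None if no match."""
    m = (RELAXED_RE if relaxed else STRICT_RE).match(line)
    return m.groupdict() if m else None


def find_named_ports(lines):
    """Return (line number, port) pairs where a port is a service name rather
    than a number, i.e. evidence that the log was written by ipmon -n."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse_ipmon(line, relaxed=True)
        if fields is None:
            continue
        for key in ("sport", "dport"):
            if not fields[key].isdigit():
                hits.append((n, fields[key]))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("strict :", parse_ipmon(line) is not None)
        print("relaxed:", parse_ipmon(line, relaxed=True))
    print("named ports:", find_named_ports(SAMPLE_LINES))
```

Run on the two constructed lines, the strict regex rejects the "www" line and accepts the numeric one, the relaxed regex accepts both, and find_named_ports() flags line 1; running that check over an ipflog before feeding it to fwanalog is a quick way to confirm it was created without "-n".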
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 22:22:04 CEST