From: Billy Newsom (billy~AT~nlcc.us)
Date: Thu Jun 26 2003 - 01:39:11 CEST
Are things that are being passed (and logged) included in the analog report? If so, I guess this kind of defeats why I needed a logfile analyzer! I'm trying to selectively ignore blocked or passed packets in my firewall.
Is there an option that will either ignore passed packets or blocked packets?
25/06/2003 17:41:50.257679 ep0 @0:29 p 126.96.36.199,50793 -> 192.168.1.2,25 PR tcp len 20 40 -AF K-S IN
25/06/2003 17:41:50.257800 ep0 @0:29 p 192.168.1.2,25 -> 188.8.131.52,50793 PR tcp len 20 40 -AF K-S OUT
25/06/2003 17:41:50.325722 3x ep0 @0:29 p 184.108.40.206,50793 -> 192.168.1.2,25 PR tcp len 20 40 -R K-S IN
25/06/2003 17:50:14.223721 ep0 @0:41 b 220.127.116.11,49988 -> 192.168.1.2,113 PR tcp len 20 60 -S IN
25/06/2003 17:50:14.234160 ep0 @0:41 b 18.104.22.168,49989 -> 192.168.1.2,113 PR tcp len 20 60 -S IN
In this example, I passed SMTP mail packets in/out of my server at 192.168.1.2 port 25. (Rule 0:29) I log this because I like to know who has been mailing me!
I then blocked two packets directed at port 113 -- it looks like a port scan. (Rule 0:41)
Now, won't I want to show these things on two different Analog reports? One for passed, one for blocked? Are the "p" and "b" something you ignore?? It shouldn't be.
Maybe what I need is a parser that will toss out all of the "p" lines from the logfile, or all of the "b" lines. Can anyone help? After I parse them, won't I need two different output folders, or two config files? As for replacing the word "block" with "pass" -- that looks hard.
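One way to do the split the post asks for, as an added example that is not part of the original message or of Analog: a small parser for the ipmon line format shown above that separates passed ("p") from blocked ("b") records and counts packets per rule. It assumes the field layout seen in the quoted lines, with ipmon's "@group:rule" token (which hypermail munges to "~AT~" in archives), and the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample in the ipmon format quoted in the post.
SAMPLE_LOG = """\
25/06/2003 17:41:50.257679 ep0 @0:29 p 126.96.36.199,50793 -> 192.168.1.2,25 PR tcp len 20 40 -AF K-S IN
25/06/2003 17:41:50.257800 ep0 @0:29 p 192.168.1.2,25 -> 188.8.131.52,50793 PR tcp len 20 40 -AF K-S OUT
25/06/2003 17:41:50.325722 3x ep0 @0:29 p 184.108.40.206,50793 -> 192.168.1.2,25 PR tcp len 20 40 -R K-S IN
25/06/2003 17:50:14.223721 ep0 @0:41 b 220.127.116.11,49988 -> 192.168.1.2,113 PR tcp len 20 60 -S IN
25/06/2003 17:50:14.234160 ep0 @0:41 b 18.104.22.168,49989 -> 192.168.1.2,113 PR tcp len 20 60 -S IN
"""

# Field layout assumed from the sample: date time [Nx] iface @group:rule
# action src,sport -> dst,dport PR proto len hlen plen [flags] [K-S] IN|OUT
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<repeat>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-\S+))?(?: K-S)? (?P<direction>IN|OUT)$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line is not an ipmon record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["repeat"] = int(rec["repeat"] or 1)  # "3x" = three identical packets
    rec["raw"] = line.rstrip("\n")
    return rec

def split_log(text):
    """Split log text into passed ('p') records, blocked ('b') records, and unparsed raw lines."""
    out = {"p": [], "b": [], "other": []}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        key = rec["action"] if rec and rec["action"] in ("p", "b") else "other"
        out[key].append(rec or line)  # odd lines are kept, never silently dropped
    return out["p"], out["b"], out["other"]

def rule_counts(records):
    """Packets per (rule, destination port), honouring the Nx repeat count."""
    counts = Counter()
    for rec in records:
        counts[(rec["rule"], rec["dport"])] += rec["repeat"]
    return counts

if __name__ == "__main__":
    passed, blocked, _ = split_log(SAMPLE_LOG)
    print(len(passed), "passed,", len(blocked), "blocked;", rule_counts(blocked))
```

Writing each returned list's "raw" lines to its own file gives two inputs that can be fed to two separate Analog configurations.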
This archive was generated by hypermail 2.1.5 : Thu Jun 26 2003 - 10:22:03 CEST