[fwAnalog] Little bug in ipchains input filter?

From: Alexander Borkowski (bugbunny~AT~opus-b.com)
Date: Wed Aug 13 2003 - 12:28:41 CEST



Hi all,

I just installed fwanalog 0.6.3 on my Debian GNU/Linux machine in order to analyze my firewall's logs which are in ipchains format. It didn't work at first though, as in the ipchains() input filter function the first grep line looks like this

$zegrep -h "Packet log: .+ DENY .+PROTO=.+L=.+S.+I=.+F=.+T=" $inputfiles \

while my firewall rejects packets instead of denying them, i.e. there is a 'REJECT' instead of the 'DENY' in the logs. Near the end of the same function a perl filter looks for (DENY|REJECT) so I changed the above line to:

$zegrep -h "Packet log: .+ (DENY|REJECT) .+PROTO=.+L=.+S.+I=.+F=.+T="
$inputfiles \

And it worked.(After fixing some Debian-related configuration problems). Is this really a bug or am I missing something?

Thanks to the author and all contributors for a very fine program! I like analog very much and the idea of using it for firewall log analysis this way is great.

Alex



This archive was generated by hypermail 2.1.5 : Wed Aug 13 2003 - 13:02:03 CEST