[Dshield] Dshield FW-1 script.

Jay Wren JRWren at advnetworks.com
Wed Aug 8 20:32:52 GMT 2001


The perl script for parsing Checkpoint Firewall-1 logs at the dshield
website does no filtering on the action field of the logs.  Depending on the
Checkpoint Ruleset, the logs could contain all valid packets where
action=accept.  I've compared it to the Linux shell script, and
noticed that the Linux script only grabs 'input DROP' type packets through
use of a regular expression.

My question is twofold.  What is dshield actually trying to collect, only
unwanted packets, or all packets?  Is it possible that people currently
using the fw-1 perl script are corrupting the dshield database through use
of valid IPs?

Thanks

-Jay
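The filtering step the post says the FW-1 perl script lacks, written out as an added example (this is not the dshield script, not code from the poster, and not a real Check Point export). It assumes a semicolon-delimited `fw logexport`-style layout with a header row naming an `action` column; the sample records are constructed. Only records whose action is `drop` or `reject` are kept, so accepted traffic (real, wanted connections) never reaches the report, which is the point the post raises about the Linux script's 'input DROP' regex.

```python
"""Keep only refused packets from a Check Point FW-1 style log export.

Added example, not the dshield FW-1 script and not the poster's code.
The semicolon-delimited, header-first layout and the column names are an
assumption about the export format; SAMPLE_EXPORT below is constructed.
"""
import csv
import io

# Actions that mean the firewall refused the packet.  'accept' (and anything
# else, e.g. encrypt) is legitimate traffic and must not be submitted.
UNWANTED_ACTIONS = {"drop", "reject"}

# Constructed sample export (documentation address ranges, not real hosts).
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;i/f_name;i/f_dir;proto;src;dst;service;s_port;rule
1;8Aug2001;20:01:05;fw1;log;accept;eth0;inbound;tcp;192.0.2.10;198.51.100.5;http;1034;4
2;8Aug2001;20:01:09;fw1;log;drop;eth0;inbound;tcp;203.0.113.7;198.51.100.5;telnet;4121;12
3;8Aug2001;20:01:11;fw1;log;reject;eth0;inbound;udp;203.0.113.9;198.51.100.5;snmp;3310;12
4;8Aug2001;20:01:15;fw1;log;accept;eth0;outbound;tcp;198.51.100.20;192.0.2.44;smtp;2055;6
"""


def parse_export(text):
    """Return one dict per record, keyed by the header names.

    Refuses to continue if the export has no 'action' column: without it
    there is no way to tell refused packets from accepted ones, and the
    safe failure is to report nothing rather than everything.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    if reader.fieldnames is None or "action" not in reader.fieldnames:
        raise ValueError("export has no 'action' column; refusing to report")
    return list(reader)


def is_unwanted(record):
    """True only when the firewall refused the packet."""
    return record["action"].strip().lower() in UNWANTED_ACTIONS


def unwanted_only(records):
    """Filter step the post asks for: drop every accepted record."""
    return [r for r in records if is_unwanted(r)]


def report_lines(records):
    """Render the refused records as (date, time, src, s_port, dst, service, proto)."""
    return [
        (r["date"], r["time"], r["src"], r["s_port"], r["dst"], r["service"], r["proto"])
        for r in unwanted_only(records)
    ]


def filter_stats(text):
    """Return (records in export, records kept, accepted records suppressed)."""
    records = parse_export(text)
    kept = unwanted_only(records)
    return len(records), len(kept), len(records) - len(kept)


if __name__ == "__main__":
    for line in report_lines(parse_export(SAMPLE_EXPORT)):
        print(";".join(line))
    print("total/kept/suppressed:", filter_stats(SAMPLE_EXPORT))
```

Run on the constructed sample, the two accepted records (the http request from 192.0.2.10 and the outbound smtp session) are suppressed and only the telnet drop and snmp reject are reported; a real deployment would run `report_lines` over the actual export before anything is submitted.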



