[Dshield] Dshield FW-1 script.
JRWren at advnetworks.com
Wed Aug 8 20:32:52 GMT 2001
The perl script for parsing Checkpoint Firewall-1 logs at the dshield
website does no filtering on the action field of the logs. Depending on the
Checkpoint Ruleset, the logs could contain all valid packets where
action=accept. I've compared it to the Linux shell script, and
noticed that the Linux script only grabs 'input DROP' type packets through
use of a regular expression.
My question is twofold. What is dshield actually trying to collect, only
unwanted packets, or all packets? Is it possible that people currently
using the fw-1 perl script are corrupting the dshield database through use
of valid IPs?
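As an added example (not the dshield perl script or anything from the list), the filter the post describes as missing: keep only FW-1 records whose action is drop or reject before they are reported. It assumes a semicolon-delimited `fw logexport` style dump whose first line names the fields; the log lines and column names below are constructed for the sample.

```python
# Constructed sample of a Checkpoint FW-1 export (assumption: semicolon
# delimited, header row names the fields). Addresses are documentation ranges.
SAMPLE_LOG = """\
num;date;time;orig;action;i/f_dir;src;s_port;dst;service;proto;rule
1;8Aug2001;20:10:01;fw1;accept;inbound;10.0.0.5;1034;10.0.0.20;80;tcp;3
2;8Aug2001;20:10:02;fw1;drop;inbound;203.0.113.7;2312;198.51.100.9;21;tcp;9
3;8Aug2001;20:10:03;fw1;reject;inbound;203.0.113.8;4455;198.51.100.9;23;tcp;9
4;8Aug2001;20:10:04;fw1;accept;outbound;10.0.0.5;1035;192.0.2.44;443;tcp;3
5;8Aug2001;20:10:05;fw1;drop;inbound;203.0.113.9;53;198.51.100.9;53;udp;9
"""

# Only these actions are traffic the firewall refused. Anything else
# (accept, encrypt, ...) is legitimate traffic and must never be reported.
UNWANTED_ACTIONS = {"drop", "reject"}


def parse_fw1_export(text):
    """Yield one dict per record, keyed by the header-row field names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split(";")
    for line in lines[1:]:
        values = line.split(";")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than guess field positions
        yield dict(zip(fields, values))


def unwanted_records(text, inbound_only=True):
    """Records the firewall dropped/rejected, optionally inbound only."""
    kept = []
    for rec in parse_fw1_export(text):
        if rec.get("action", "").lower() not in UNWANTED_ACTIONS:
            continue  # this is the check the unfiltered script lacks
        if inbound_only and rec.get("i/f_dir") != "inbound":
            continue
        kept.append(rec)
    return kept


def accepted_records(text):
    """What an unfiltered parser would leak: accepted (valid) traffic."""
    return [r for r in parse_fw1_export(text) if r.get("action") == "accept"]


def report_lines(text):
    """Compact 'date time src:sport -> dst:dport/proto' lines for submission."""
    return ["%s %s %s:%s -> %s:%s/%s" % (r["date"], r["time"], r["src"],
            r["s_port"], r["dst"], r["service"], r["proto"])
            for r in unwanted_records(text)]


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_LOG)))
```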