[Dshield] Looking for tester of new ipf/ipmon parser

Kenneth McKinlay km-web at home.com
Fri Aug 10 01:33:17 GMT 2001


I have modified some of the key parts of the Perl-based ipf/ipmon 
Dshield parser and am looking for some knowledgeable testers to make 
sure I didn't foul things up too badly ;-) before sending it in for 
posting on the client page.

If you are interested in testing it out and trying to make it fail, 
please drop me a line at kmckinlay at home.com and I will send you the 
script.

The changes are:
- order of when excluded targets/sources files are loaded
- support for syslog ipmon output
- proper decoding of TCP flags (ECN/CWR)
- proper decoding of ICMP protocol
- only reporting blocked packets (my test environment only had 
blocked packets in the log file)
- timezone detection if not set
- count file uses date/time value to remember last packets processed
- changed from regexp to array for parsing the line (much easier to 
process and understand)
- support for the ipmon -a option (ignores STATE and NAT records)
- code cleanup and documentation

Ken McKinlay, GCIA
Ottawa, Canada
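As an added illustration of the array-based parsing, TCP flag decoding (including ECN/CWR), ICMP decoding, blocked-only reporting and skipping of ipmon -a STATE/NAT records listed above, here is a small Perl parser. It is not Ken's script; the ipmon field layout, the flag letter order, the "icmp type/code" suffix and the sample log lines are all assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# ipmon prints TCP flags as one letter per bit; the order assumed here is
# FIN SYN RST PUSH ACK URG ECN CWR, so "-SEC" means SYN with ECN and CWR set.
my %TCP_FLAG = (F => 'FIN', S => 'SYN', R => 'RST', P => 'PSH',
                A => 'ACK', U => 'URG', E => 'ECN', C => 'CWR');
# Returns a hash ref describing a blocked packet, or undef for anything else.
sub parse_ipmon_line {
    my ($line) = @_;
    chomp $line;
    # Drop the syslog prefix ("Aug 10 01:33:17 host ipmon[412]: ") if present.
    $line =~ s/^.*?ipmon\[\d+\]:\s*//;
    my @f = split ' ', $line;    # array-based parsing instead of one big regexp
    # Under ipmon -a, STATE: and NAT: records follow the timestamp; skip them.
    return undef if @f < 12 || $f[1] =~ /^(?:STATE|NAT):/;
    # Assumed layout: time iface rule action src -> dst PR proto len hlen plen ... dir
    my %r = (time => $f[0], iface => $f[1], rule => $f[2], action => $f[3],
             proto => lc $f[8], hdrlen => $f[10], pktlen => $f[11], dir => $f[-1]);
    return undef unless $r{action} eq 'b';    # report blocked packets only
    ($r{src}, $r{sport}) = split /,/, $f[4];
    ($r{dst}, $r{dport}) = split /,/, $f[6];
    if ($r{proto} eq 'tcp' && defined $f[12]) {
        $r{flags} = decode_tcp_flags($f[12]);
    } elsif ($r{proto} eq 'icmp' && defined $f[13]) {
        # ipmon appends "icmp <type>/<code>" for ICMP packets (assumed format).
        ($r{icmp_type}, $r{icmp_code}) = split m{/}, $f[13];
    }
    return \%r;
}
# "-SEC" -> "SYN,ECN,CWR"; letters not in the table are kept as they are.
sub decode_tcp_flags {
    my ($s) = @_;
    $s =~ s/^-//;
    return join ',', map { exists $TCP_FLAG{$_} ? $TCP_FLAG{$_} : $_ } split //, $s;
}
# Constructed sample lines, not taken from a real log.
my @sample = (
  'Aug 10 01:33:17 fw ipmon[412]: 01:33:17.123456 le0 @0:1 b 192.0.2.10,40000 -> 198.51.100.5,80 PR tcp len 20 60 -SEC IN',
  'Aug 10 01:33:18 fw ipmon[412]: 01:33:18.000001 le0 @0:2 b 192.0.2.11 -> 198.51.100.5 PR icmp len 20 84 icmp 8/0 IN',
  'Aug 10 01:33:19 fw ipmon[412]: 01:33:19.000002 STATE:NEW 192.0.2.12,1025 -> 198.51.100.5,53 PR udp',
  'Aug 10 01:33:20 fw ipmon[412]: 01:33:20.000003 le0 @0:3 p 192.0.2.13,1026 -> 198.51.100.5,25 PR tcp len 20 44 -S IN',
);
for (@sample) {
    my $p = parse_ipmon_line($_) or next;    # STATE record and passed packet are dropped
    my $detail = $p->{proto} eq 'icmp' ? "icmp $p->{icmp_type}/$p->{icmp_code}"
               : $p->{proto} eq 'tcp'  ? "flags $p->{flags}" : '';
    print "$p->{time} $p->{proto} $p->{src} -> $p->{dst} $detail\n";
}
```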
