[Dshield] Re: Dshield digest, Vol 1 #196 - 12 msgs

Taps Taps at Iniquity.Org
Fri Aug 10 21:51:20 GMT 2001


| > 
| [...]
| > I do have the ability to send that information to a syslog port 
| > somewhere, and I am currently using Kiwi's SyslogD for Windows to 
| > monitor that router.
| 
| The registered version of that software is probably OK, but 
| the unregistered version may drop syslog packets if more than 
| 25 arrive in a row.

As of right now, I am running the freeware version as a service.  But I
actually like the software, and especially the ability to log to an ODBC
connection.  If I could just find a way to split the incoming message
into multiple parts.  But that's my own project.



| [...]
| > What I am wondering is if there is a client for Dshield.Org that will
| > interpret the syslogd logs to use.  I am not able to write a client to
| > do so.  Is anyone else in a similar situation?
| 
| Kiwi's syslogd prepends 4 fields to whatever the sender sends.
| 
| What do typical log entries look like?

Aug 11	00:01:17	gatekeeper	ASCEND: wan1 tcp 64.64.x.x;80 <- 210.96.167.6;1540 62 syn !pass (reject)

In case it isn't apparent, the format is:

           DATE <TAB> TIME <TAB> ROUTERNAME <TAB> MESSAGE

MESSAGE is in the format:

           ROUTERNAME: <connection> <protocol> <localIP;port> <direction> <remoteIP;port> <length> <syn/ack> <response>


Each part in the message is separated by a space.  I hope this is
helpful.


* Taps 
* Taps at Iniquity.Org 
* Http://Www.Iniquity.Org 
* 191618 
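A parser for the Kiwi-prefixed Ascend log format described in the message above, added here as an example (it is not code from the original post or from Kiwi/DShield). It splits the four tab-separated Kiwi fields, then the space-separated Ascend message, and normalises source and destination so a DShield-style report could be built from it. Assumptions: `<-` marks inbound traffic (remote host is the source), a response starting with `!pass` means the packet was denied, and the second and third sample lines are constructed (documentation-range addresses).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Kiwi SyslogD prefix: DATE <TAB> TIME <TAB> ROUTERNAME <TAB> MESSAGE
KIWI_LINE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2})\t(?P<time>\d{2}:\d{2}:\d{2})\t"
    r"(?P<host>\S+)\t(?P<msg>.*)$")
# Ascend MESSAGE: ROUTERNAME: <connection> <protocol> <localIP;port>
#                 <direction> <remoteIP;port> <length> <syn/ack> <response>
ASCEND_MSG = re.compile(
    r"^(?P<router>[^:]+): (?P<conn>\S+) (?P<proto>\S+) (?P<lip>\S+);(?P<lport>\d+) "
    r"(?P<dir><-|->) (?P<rip>\S+);(?P<rport>\d+) (?P<length>\d+) (?P<flags>\S+) "
    r"(?P<response>.+)$")

@dataclass
class FirewallEvent:
    date: str; time: str; host: str; proto: str
    src_ip: str; src_port: int; dst_ip: str; dst_port: int
    flags: str; response: str; blocked: bool

def parse_line(line: str) -> Optional[FirewallEvent]:
    """Return a FirewallEvent, or None if the line is not a well-formed Ascend entry."""
    m = KIWI_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    a = ASCEND_MSG.match(m.group("msg"))
    if not a:
        return None
    # Assumption: "<-" is inbound (remote side is the source), "->" is outbound.
    if a.group("dir") == "<-":
        src, sport, dst, dport = a["rip"], a["rport"], a["lip"], a["lport"]
    else:
        src, sport, dst, dport = a["lip"], a["lport"], a["rip"], a["rport"]
    resp = a.group("response")
    return FirewallEvent(m["date"], m["time"], m["host"], a["proto"], src, int(sport),
                         dst, int(dport), a["flags"], resp, resp.startswith("!pass"))

def parse_log(text: str) -> List[FirewallEvent]:
    """Parse every line; lines that do not match are dropped rather than guessed at."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]

# Sample input: the line quoted in the message plus two constructed lines
# (one outbound UDP event, one non-firewall message that must be skipped).
SAMPLE_LOG = (
    "Aug 11\t00:01:17\tgatekeeper\tASCEND: wan1 tcp 64.64.x.x;80 <- 210.96.167.6;1540 62 syn !pass (reject)\n"
    "Aug 11\t00:02:05\tgatekeeper\tASCEND: wan1 udp 192.0.2.10;1025 -> 198.51.100.7;53 78 - pass\n"
    "Aug 11\t00:02:06\tgatekeeper\tASCEND: link wan1 state change, not a firewall event\n"
)

if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev)
```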
