[Dshield] Cisco logfile client

Jost Krieger Jost.Krieger at ruhr-uni-bochum.de
Wed May 16 12:02:14 GMT 2001


On Fri, May 11, 2001 at 09:11:34AM -0400, Johannes B. Ullrich wrote:

> This looks like something we could support on the DShield server
> site. Is there a way to get the protocol and flag information
> into the file?

Hmm, the protocol is in there, I don't think you can get the flags
(although you can block on those). I'll do some reading, though.

Unfortunately, the format is somewhat variable in the front part.
Here's a possible conversion for the last part:

perl -ne '/IPACCESS.*: list \S+ denied (\S+) ([0-9.]+)\((\d+)\) -> ([0-9.]+)\((\d+)\), (\d+) pack/ and print "$6\t$2\t$3\t$4\t$5\t".uc($1)."\n"'

Jost
-- 
| Jost.Krieger at ruhr-uni-bochum.de      Please help stamp out spam! |
| Postmaster, JAPH, resident answer machine          am RZ der RUB |
| Pluralitas non est ponenda sine necessitate                      |
|                                 William of Ockham (1285-1347/49) |
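The tail-of-line conversion in the Perl one-liner above, carried a bit further as an added example (not code from the original post or from DShield): it keeps the same six output columns in the same order (count, source IP, source port, destination IP, destination port, protocol), ignores the variable front part of the line that Jost mentions, skips "permitted" and non-ACL messages, and additionally handles the port-less ICMP form of the IOS message. The sample lines are constructed; the ICMP message layout (IPACCESSLOGDP, "src -> dst (type/code)") and the choice to place the ICMP type and code in the two port columns are assumptions of this example.

```python
import re

# Constructed sample log lines (not taken from the original post). The front
# part (syslog timestamp, hostname, sequence number) varies with router
# configuration, which is why only the tail of the line is matched.
SAMPLE_LINES = [
    "May 16 12:02:14 router 45: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "192.0.2.10(4321) -> 198.51.100.5(80), 3 packets",
    "May 16 12:02:20 router 46: %SEC-6-IPACCESSLOGP: list 101 denied udp "
    "192.0.2.11(53) -> 198.51.100.5(1025), 1 packet",
    "May 16 12:02:25 router 47: %SEC-6-IPACCESSLOGDP: list 101 denied icmp "
    "192.0.2.12 -> 198.51.100.5 (8/0), 2 packets",
    "May 16 12:02:30 router 48: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "192.0.2.13(1024) -> 198.51.100.5(22), 1 packet",
    "May 16 12:02:35 router 49: %LINK-3-UPDOWN: Interface Serial0, "
    "changed state to down",
]

# Same tail pattern as the Perl one-liner: proto src(port) -> dst(port), count.
PORT_RE = re.compile(
    r"IPACCESS\w*: list \S+ denied (\S+) ([0-9.]+)\((\d+)\) -> "
    r"([0-9.]+)\((\d+)\), (\d+) pack"
)

# Assumed IOS layout for ICMP denies: no ports, "(type/code)" after the pair.
ICMP_RE = re.compile(
    r"IPACCESS\w*: list \S+ denied icmp ([0-9.]+) -> ([0-9.]+) "
    r"\((\d+)/(\d+)\), (\d+) pack"
)


def parse_cisco_deny(line):
    """Return the fields of a denied-packet log line as a dict, or None.

    Lines for permitted traffic and non-ACL messages yield None so that the
    caller can drop them.
    """
    m = PORT_RE.search(line)
    if m:
        proto, src, sport, dst, dport, count = m.groups()
        return {"count": int(count), "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "proto": proto.upper()}

    m = ICMP_RE.search(line)
    if m:
        src, dst, icmp_type, icmp_code, count = m.groups()
        # Assumption of this example: ICMP type and code occupy the two port
        # columns, since there are no real ports to report.
        return {"count": int(count), "src": src, "sport": int(icmp_type),
                "dst": dst, "dport": int(icmp_code), "proto": "ICMP"}

    return None


def to_dshield_tail(rec):
    """Render one record as the tab-separated columns the one-liner prints."""
    return "\t".join(str(rec[k]) for k in
                     ("count", "src", "sport", "dst", "dport", "proto"))


def convert(lines):
    """Convert an iterable of raw log lines, keeping only denied packets."""
    out = []
    for line in lines:
        rec = parse_cisco_deny(line)
        if rec is not None:
            out.append(to_dshield_tail(rec))
    return out


if __name__ == "__main__":
    for row in convert(SAMPLE_LINES):
        print(row)
```

Run it as a filter over a saved router syslog (for example, feed the file's lines to convert()); anything that is not a "denied" ACL message is dropped rather than emitted as a partial record.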