[Dshield] ipchains parsing problems

Lou Rabon lrabon at netstream.ws
Tue Mar 19 19:07:41 GMT 2002


Hi all:

I'm a dshield newbie...I've been wrestling with getting a log parser working with my 2.2x logs to no avail.  I've used three different parsers with the same results...all of them ignore my logs.  I know I'm probably overlooking something simple, but I'm too deep in the forest to see it (or too ignorant?)  Anyway, here's a sanitized example from my /var/log/messages file:

Mar 19 13:54:06 name kernel: Packet log: PUB_IN - eth0 PROTO=6 10.11.12.13:4726 14:15:16:172:25 L=64 S=0x00 I=62347 F=0x4000 T=46 SYN (#11) 

ipchains2dshield tells me:

ipchains2dshield: Reading from /var/log/messages.1 ... done.
ipchains2dshield: Reading from /var/log/messages ... done.
ipchains2dshield: Nothing to update.

dshield.py tells me:

Opening /var/log/messages for reading...
No lines found, bummer...

ipchains tells me:

<snip>
------------------------------Processing line 188------------------------------
PARSING: Mar 19 05:36:13 sparky kernel: Packet log: PUB_IN - eth0 PROTO=6 10.231.23.7:1421 10.11.12.133:25 L=48 S=0x00 I=55309 F=0x4000 T=107 SYN (#11) 
SKIPPING: Mar 19 05:36:13 sparky kernel: Packet log: PUB_IN - eth0 PROTO=6 10.231.23.7:1421 10.11.12.133:25 L=48 S=0x00 I=55309 F=0x4000 T=107 SYN (#11) 
==============================Clean-up processing==============================
DEBUG: updating timestamp file /tmp/dshield.cnt (1-- ::)
WARNING: /tmp/dshield.16829.tmp is empty.  Not sending any mail.
DEBUG: deleting /tmp/dshield.16829.tmp
====================================Totals=====================================
Wrote 0 valid log lines
Excluded 189 invalid (unparsable for some reason) lines
Excluded 0 lines that were too early
Excluded 0 source IP filtered lines
Excluded 0 target IP filtered lines
Excluded 0 source Port filtered lines
Excluded 0 target Port filtered lines
===================================All Done====================================

What am I doing wrong?!?!  

TIA,
Lou Rabon, GSNA
Netstream
http://www.netstream.ws
420 Lexington Avenue, Suite 300
New York, NY 10170
tel 212.297.6167 
fax 212.479.2537
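An added example, not from the post or from any of the DShield parsers, of a strict parser for the ipchains "Packet log:" layout quoted above, with a small diagnose helper that reports which field of a skipped line breaks the expected layout. Both sample lines are the ones quoted in the post; the field names and the diagnose messages are the example's own.

```python
import re

# Lines taken from the post: the sanitized /var/log/messages entry and the one echoed by the debug output.
SANITIZED_LINE = ("Mar 19 13:54:06 name kernel: Packet log: PUB_IN - eth0 PROTO=6 "
                  "10.11.12.13:4726 14:15:16:172:25 L=64 S=0x00 I=62347 F=0x4000 T=46 SYN (#11)")
DEBUG_LINE = ("Mar 19 05:36:13 sparky kernel: Packet log: PUB_IN - eth0 PROTO=6 "
              "10.231.23.7:1421 10.11.12.133:25 L=48 S=0x00 I=55309 F=0x4000 T=107 SYN (#11)")

# 2.2-kernel ipchains layout: syslog prefix, "Packet log:", chain, target, interface,
# PROTO=, src:port, dst:port, L= S= I= F= T=, then TCP flag names and the rule number.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<tail>.*)$"
)

def parse_line(line):
    """Return a dict of fields for a well-formed ipchains log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    tail = rec.pop("tail").split()
    rec["flags"] = [t for t in tail if not t.startswith("(")]   # e.g. ["SYN"]
    rule = [t for t in tail if t.startswith("(#")]             # e.g. ["(#11)"]
    rec["rule"] = int(rule[0].strip("(#)")) if rule else None
    return rec

def diagnose(line):
    """Explain which part of an unparsable line breaks the expected layout."""
    if "Packet log:" not in line:
        return "no 'Packet log:' marker, not an ipchains line"
    body = line.split("Packet log:", 1)[1].split()
    if len(body) < 6 or not body[3].startswith("PROTO="):
        return "chain/target/interface/PROTO= header not in expected order"
    for label, field in (("source", body[4]), ("destination", body[5])):
        if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}:\d+", field):
            return f"{label} field {field!r} is not IPv4:port"
    return "header fields look fine; check the L=/S=/I=/F=/T= section"

def parse_log(lines):
    """Parsed records plus (line, reason) for every line a strict parser would skip."""
    pairs = [(l, parse_line(l)) for l in lines]
    return [r for _, r in pairs if r], [(l, diagnose(l)) for l, r in pairs if not r]
```

Run over the two quoted lines, the debug-output line parses while the sanitized one is reported as skipped because its destination field is not IPv4:port; pointing a parser's skip path at a helper like diagnose() turns "Excluded 189 invalid lines" into a per-field reason.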
