[Dshield] ipchains parsing problems

Wayne Larmon wlarmon at dshield.org
Tue Mar 19 19:36:26 GMT 2002


> I'm a dshield newbie...I've been wrestling with getting a log
> parser working with my 2.2x logs to no avail.  I've used three
> different parsers with the same results...all of them ignore my
> logs.  I know I'm probably overlooking something simple, but I'm
> too deep in the forest to see it (or too ignorant?)  Anyway,
> here's a sanitized example from my /var/log/messages file:

<snip>

> ipchains tell me:

> SKIPPING: Mar 19 05:36:13 sparky kernel: Packet log: PUB_IN -
> eth0 PROTO=6 10.231.23.7:1421 10.11.12.133:25 L=48 S=0x00 I=55309
> F=0x4000 T=107 SYN (#11)

I'm not sure what the problem is with the other two scripts, but I know why
ipchains.pl skipped them all. It has a built-in default filter that looks
for the presence of 'input DENY' in any log line that it will process.
Yours don't contain that string. The workaround would be to put a suitable
matching pattern in the 'line_filter' variable in the dshield.cnf file.

It has to be a regular expression that will match each line in
/var/log/messages that is to be considered an ipchains log line.

'Packet log' should work.

Examine the beginning of the parse() subroutine at the end of the
ipchains.pl script to see how this testing is done.

    # Is this any kind of packet filter log line?
    if ($line_filter) {
        return 0 unless ( $line =~ /$line_filter/ );
    } else {
        return 0 unless ( $line =~ /input DENY/ );
    }

If $line_filter is defined, then it matches against it. If $line_filter
isn't defined, then it matches against 'input DENY'. $line_filter isn't
defined unless you explicitly define it in dshield.cnf.

Wayne Larmon
wlarmon at dshield.org
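As an added example (not part of the post and not code from ipchains.pl), here is the same line_filter check in Python, followed by a parser for the 2.2 kernel ipchains record shown in the quoted log line. The field names, the treatment of the second token as the rule target ('-' when the rule only logs), and the optional SYN flag are my assumptions about the format.

```python
import re

# Constructed from the quoted log line in the post (the three wrapped lines joined).
SAMPLE_LINE = ("Mar 19 05:36:13 sparky kernel: Packet log: PUB_IN - eth0 PROTO=6 "
               "10.231.23.7:1421 10.11.12.133:25 L=48 S=0x00 I=55309 F=0x4000 "
               "T=107 SYN (#11)")

# ipchains.pl's built-in default when no line_filter is set in dshield.cnf.
DEFAULT_LINE_FILTER = r"input DENY"

# Assumed layout of a 2.2 ipchains log record: timestamp, host, "Packet log:",
# chain, target, interface, then PROTO/src:sport/dst:dport/L/S/I/F/T, an
# optional SYN marker, and the rule number in parentheses.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: (?P<flags>SYN))? "
    r"\(#(?P<rule>\d+)\)\s*$"
)


def accepts(line, line_filter=None):
    """Mirror the check at the top of parse(): a user-supplied line_filter
    regex wins; without one the line must contain 'input DENY'."""
    pattern = line_filter if line_filter else DEFAULT_LINE_FILTER
    return re.search(pattern, line) is not None


def parse_ipchains(line, line_filter=None):
    """Return a dict of fields, or None if the line is filtered out or does
    not look like an ipchains record (the SKIPPING case in the post)."""
    if not accepts(line, line_filter):
        return None
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    return rec
```

With no line_filter the sample line is skipped exactly as the post describes; with line_filter set to 'Packet log' it parses.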
