[Dshield] Shorewall log parser?

Bogdan Stancescu mgv at fx.ro
Thu Nov 14 16:55:23 GMT 2002


Errata: I just saw what I wrote below - I have a natural gift for 
writing wrong paths - it's obviously not /etc/messages but 
/var/log/messages.

BTW (and this is more or less off-topic), I get such log entries both in 
messages and in syslog. Should I expect them to be different? Is one 
recommended for parsing over the other? Or should I somehow merge them 
prior to parsing?

Anyway, dshieldpy seems to be working, so I'll use that if you're going 
to tell me that line looks right (didn't want to start sending logs 
before making sure they're properly formatted). The last "2" on the 
second line in my previous line shouldn't be there - I accidentally 
copied the first character on the next line.

Thanks for the replies!

Bogdan

Wayne Larmon wrote:

>>Yes, that's the first thing I tried - didn't work. The problem is I
>>don't know how pure iptables logs look like. Here's how a Shorewall
>>entry looks like in my /etc/messages (told you I'm a newbie - please let
>>me know if I'm looking in the wrong place):
>>
>>Nov 10 02:34:39 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>>MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=213.224.93.36
>>DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=112 ID=34579 DF
>>PROTO=TCP SPT=1334 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
>
>This is correct.  This is an iptables log line.  I just tried our Framework
>iptables script on this line, and it converted it OK.
>
>http://www.dshield.org/framework.html
>
>If you are having configuration problems with this client, contact me off
>list.
>
>Wayne Larmon
>wlarmon at dshield.org
>DShield.org
>
>
>>Wayne Larmon wrote:
>>
>>>>Hello everybody!
>>>>
>>>>I'm a newbie, so please don't flame if I happen to ask the wrong
>>>>question - looked for an answer both on dshield's site and on Google and
>>>>haven't found it...
>>>>
>>>>...And the question obviously is: is there any readily available
>>>>Shorewall log parser for dshield?
>>>>
>>>http://www.shorewall.net/ says that it uses iptables.  Have you tried one of
>>>our iptables scripts?
>>>
>>>http://www.dshield.org/framework.html
>>>
>>>or http://www.dshield.org/linux_clients.html#dshieldpy
>>>
>>>Wayne Larmon
>>>DShield.org
>>>
>>>_______________________________________________
>>>Dshield mailing list
>>>Dshield at dshield.org
>>>To change your subscription options (or unsubscribe), see:
>>>http://www.dshield.org/mailman/listinfo/list

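The thread settles two practical points: a Shorewall entry is a plain netfilter LOG line (a syslog header, Shorewall's --log-prefix, then KEY=VALUE fields), and the same event can land in both /var/log/messages and /var/log/syslog, so a parser should de-duplicate before counting. The following is an added example written for this archive page; it is not the DShield Framework script or dshieldpy. It parses the line quoted above (re-joined onto one line, which is how syslog stores it), ignores unrelated kernel messages, and merges two log streams without double-counting. The year is supplied by the caller because syslog timestamps carry none, and the second sample line and the tab-separated summary column order are constructed for this example, not the DShield submission format.

```python
"""Parse Shorewall (netfilter LOG target) kernel log lines into structured
records and merge /var/log/messages with /var/log/syslog without double
counting.  Added example; not the DShield Framework script or dshieldpy."""

import re
from datetime import datetime

# Syslog header, then the Shorewall --log-prefix (e.g. "Shorewall:net2all:DROP:"),
# which runs straight into the first netfilter field, IN=.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$"
)
# KEY=VALUE tokens; OUT= legitimately has an empty value for inbound packets.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Sample data.  MESSAGES[0] is the line quoted in the thread, re-joined onto one
# line.  The UDP line is constructed (RFC 5737 test address).  SYSLOG repeats the
# first event, as the poster observed, plus an unrelated kernel message.
MESSAGES = [
    "Nov 10 02:34:39 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=213.224.93.36 "
    "DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=112 ID=34579 DF "
    "PROTO=TCP SPT=1334 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Nov 10 02:35:02 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=192.0.2.7 "
    "DST=217.156.116.130 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 "
    "PROTO=UDP SPT=1027 DPT=137 LEN=58",
]
SYSLOG = [
    MESSAGES[0],
    "Nov 10 02:35:10 bogdan kernel: eth0: link is up",
]


def parse_line(line, year):
    """Return a dict for a Shorewall/iptables log line, or None for any other
    line.  Syslog timestamps have no year, so the caller supplies it."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    body = "IN=" + m.group("rest")
    kv = dict(FIELD_RE.findall(body))
    when = datetime.strptime(
        f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
        "%Y %b %d %H:%M:%S",
    )
    # "Shorewall:net2all:DROP:" -> chain "net2all", action "DROP"
    parts = m.group("prefix").strip().rstrip(":").split(":")
    return {
        "time": when,
        "host": m.group("host"),
        "chain": parts[1] if len(parts) > 1 else "",
        "action": parts[2] if len(parts) > 2 else "",
        "in": kv.get("IN", ""),
        "out": kv.get("OUT", ""),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        # ICMP lines carry TYPE=/CODE= instead of ports, so these may be None.
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        "ip_id": kv.get("ID"),
        # Bare tokens (DF, SYN, ACK, ...) have no "=" and are flags.
        "flags": [tok for tok in body.split() if "=" not in tok],
    }


def merge_logs(streams, year):
    """Parse several syslog streams and drop records that describe the same
    packet (same time, host, endpoints, protocol and IP ID).  First-seen
    order is kept."""
    seen = set()
    merged = []
    for lines in streams:
        for line in lines:
            rec = parse_line(line, year)
            if rec is None:
                continue
            key = (rec["time"], rec["host"], rec["src"], rec["spt"],
                   rec["dst"], rec["dpt"], rec["proto"], rec["ip_id"])
            if key in seen:
                continue
            seen.add(key)
            merged.append(rec)
    return merged


def summary(rec):
    """One tab-separated line per record.  Column order is this example's own;
    a submission client should follow its documented format instead."""
    port = lambda p: "" if p is None else str(p)
    return "\t".join([
        rec["time"].strftime("%Y-%m-%d %H:%M:%S"), rec["host"], rec["action"],
        rec["proto"] or "", rec["src"] or "", port(rec["spt"]),
        rec["dst"] or "", port(rec["dpt"]), ",".join(rec["flags"]),
    ])


if __name__ == "__main__":
    for record in merge_logs([MESSAGES, SYSLOG], year=2002):
        print(summary(record))
```

Run against real files, the two streams would be the opened messages and syslog files; the de-duplication key deliberately includes the IP ID so that two distinct packets from the same source within one second are still counted separately.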