[Dshield] Netgear Log and converting

John Dalton dubuque1 at mchsi.com
Mon Mar 10 17:47:46 GMT 2003


I recently bought a Netgear FR114P router/firewall and have it set up to
send the logs every so often to my email, when the log fills, which lately
is more often than previously.

Anyway, I have seen the discussions on here of parsing logs, and wonder, with
the small sample I post below, if anyone would see a converter that might
work. I used to send daily logs; looking at Link Logger and these logs,
I don't see an easy way to automatically transmit my data. Since I am located
in the Midwest and on Mediacom, I figure the data would be unique enough to
give insight on IP ranges outside the bigger providers.

I used to use CVTWin with my BlackIce logs, and enjoyed submitting data,
but now it seems it might be more difficult.

Here is a sample:
Sun, 2003-03-09 06:22:10 - TCP packet - Source:218.235.7.156,3891,WAN -
Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 06:29:08 - UDP packet - Source:218.3.243.70,3098,WAN -
Destination:12.219.xxx.xxx,1434,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 06:36:39 - TCP packet - Source:218.146.9.3,1848,WAN -
Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 07:30:29 - TCP packet - Source:61.15.155.127,4553,WAN -
Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 07:31:40 - UDP packet - Source:218.3.192.52,1492,WAN -
Destination:12.219.xxx.xxx,1434,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 07:36:19 - TCP packet - Source:4.3.44.131,29323,WAN -
Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 08:10:54 - TCP packet - Source:220.78.208.123,1514,WAN -
Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 08:15:49 - TCP packet - Source:61.135.110.25,2946,WAN -
Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]

Does this format seem similar to logs that are covered by other parsing
tools?

I probably would not have emailed for help, but since I see port 445
being scanned from many different IPs, I thought I would ask.
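A converter for the FR114P lines quoted above, added here as an example and not code from the original post or from DShield: it re-joins the entries the mail client wrapped onto two lines, parses each one, and emits tab-separated lines in the DShield submission layout. The field order in to_dshield, the user id 0 and the -06:00 time zone are assumptions to check against the DShield submission spec; the sample entries are the post's own.

```python
import re
from collections import Counter
# Constructed sample in the FR114P e-mail format; the mail client wraps each
# entry onto two lines, as in the post above.
SAMPLE = """\
Sun, 2003-03-09 06:22:10 - TCP packet - Source:218.235.7.156,3891,WAN -
Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 06:29:08 - UDP packet - Source:218.3.243.70,3098,WAN -
Destination:12.219.xxx.xxx,1434,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 06:36:39 - TCP packet - Source:218.146.9.3,1848,WAN -
Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
"""

ENTRY_RE = re.compile(
    r"^\w{3}, (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP|ICMP) packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+),\w+ - "
    r"Destination:(?P<dst>[\w.]+),(?P<dport>\d+),\w+ \[(?P<action>\w+)\]"
)

def unwrap(text):
    """Re-join entries the mail client split before 'Destination:'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Destination:") and entries:
            entries[-1] += " " + line       # continuation of previous entry
        elif line:
            entries.append(line)
    return entries

def parse(text):
    """Return one dict per well-formed entry; unrecognised lines are skipped."""
    return [m.groupdict() for m in map(ENTRY_RE.match, unwrap(text)) if m]

def to_dshield(rec, userid="0", tz="-06:00"):
    """One tab-separated line in the DShield submission layout (field order
    assumed here: date time tz, userid, count, src, sport, dst, dport, proto, flags)."""
    return "\t".join([f"{rec['date']} {rec['time']} {tz}", userid, "1",
                      rec["src"], rec["sport"], rec["dst"], rec["dport"],
                      rec["proto"], "???"])

def dport_counts(records):
    """Dropped hits per destination port, e.g. to confirm the port 445 pattern noted above."""
    return Counter(int(r["dport"]) for r in records if r["action"] == "Drop")

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("\n".join(to_dshield(r) for r in recs))
    print(dport_counts(recs))
```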
