[Dshield] Netgear Log and converting

Wayne Larmon wlarmon at dshield.org
Tue Mar 11 01:35:36 GMT 2003


Doesn't it log to syslog?  If so, then get Kiwi Syslog Daemon
(http://www.kiwisyslog.com/info_syslog.htm) and collect some logs.  Then
send them to me and I'll write a cvtwin converter for them.

BTW, thanks to Kevin Stadler for unearthing the logexprt.exe program for
Norton Firewall.  Norton users can now use Cvtwin on the Task Scheduler.
You don't have to do a manual export for each conversion any more.  See the
Cvtwin changelog (http://www.dshield.org/clients/cvtwinchangelog.php) for
details.

http://www.dshield.org/windows_clients.php to get Cvtwin.

Wayne Larmon
wlarmon at dshield.org
DShield.org

> I recently bought a Netgear FR114P , router/firewall and have it set up to
> send the logs every so often to my email, when the log fills, which lately
> is more often than previously.
>
> Anyway, I have seen the discussions on here of parsing logs, and wonder with
> a small sample I post below, if anyone would see a converter that might
> work. I used to send daily logs, with looking at Link Logger and these logs,
> I don't see an easy way to automatically transmit my data. Since I am located
> in the Midwest and on Mediacom, I figure the data would be unique enough to
> give insight on IP ranges outside the bigger providers.
>
> I used to use the CVTWIn with my BlackIce logs, and enjoyed submitting data,
> but now it seems it might be more difficult.
>
> Here is a sample:
> Sun, 2003-03-09 06:22:10 - TCP packet - Source:218.235.7.156,3891,WAN -
> Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
> Sun, 2003-03-09 06:29:08 - UDP packet - Source:218.3.243.70,3098,WAN -
> Destination:12.219.xxx.xxx,1434,LAN [Drop] - [Inbound Default rule match]
> Sun, 2003-03-09 06:36:39 - TCP packet - Source:218.146.9.3,1848,WAN -
> Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
> Sun, 2003-03-09 07:30:29 - TCP packet - Source:61.15.155.127,4553,WAN -
> Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
> Sun, 2003-03-09 07:31:40 - UDP packet - Source:218.3.192.52,1492,WAN -
> Destination:12.219.xxx.xxx,1434,LAN [Drop] - [Inbound Default rule match]
> Sun, 2003-03-09 07:36:19 - TCP packet - Source:4.3.44.131,29323,WAN -
> Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
> Sun, 2003-03-09 08:10:54 - TCP packet - Source:220.78.208.123,1514,WAN -
> Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
> Sun, 2003-03-09 08:15:49 - TCP packet - Source:61.135.110.25,2946,WAN -
> Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
>
> Does this format seem similar to logs that are covered by other parsing
> tools?
>
> I would not have probably emailed for help, but since I see the port 445
> being scanned from many different IPs, I thought I would ask.
>
>
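
The FR114P log lines quoted above can be split into fields with a short parser; the one below is an added example, not Cvtwin or any DShield code, and it also tallies distinct source addresses per dropped destination port (the port 445 pattern the poster noticed). The sample input is constructed from the quoted lines, with the masked LAN address kept as-is.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines in the Netgear FR114P e-mail log format quoted above,
# plus one junk line to show that non-matching input is skipped.
SAMPLE = """\
Sun, 2003-03-09 06:22:10 - TCP packet - Source:218.235.7.156,3891,WAN - Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 06:29:08 - UDP packet - Source:218.3.243.70,3098,WAN - Destination:12.219.xxx.xxx,1434,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 06:36:39 - TCP packet - Source:218.146.9.3,1848,WAN - Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 07:30:29 - TCP packet - Source:61.15.155.127,4553,WAN - Destination:12.219.xxx.xxx,445,LAN [Drop] - [Inbound Default rule match]
Sun, 2003-03-09 07:31:40 - UDP packet - Source:218.3.192.52,1492,WAN - Destination:12.219.xxx.xxx,1434,LAN [Drop] - [Inbound Default rule match]
this line is not a firewall entry
"""

# One regex for the whole line: weekday, date, time, protocol, then
# "Source:ip,port,interface", "Destination:ip,port,interface", [action], [rule].
LINE_RE = re.compile(
    r"^\w{3}, (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>[A-Z]+) packet - "
    r"Source:(?P<src>[\w.]+),(?P<sport>\d+),(?P<sif>\w+) - "
    r"Destination:(?P<dst>[\w.]+),(?P<dport>\d+),(?P<dif>\w+) "
    r"\[(?P<action>\w+)\] - \[(?P<rule>[^\]]*)\]$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a firewall entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": datetime.strptime(f"{d['date']} {d['time']}", "%Y-%m-%d %H:%M:%S"),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]), "sif": d["sif"],
        "dst": d["dst"], "dport": int(d["dport"]), "dif": d["dif"],
        "action": d["action"], "rule": d["rule"],
    }

def parse_log(text):
    """Parse every recognisable line; unrecognised lines are dropped silently."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]

def sources_per_port(records):
    """Map (proto, dport) -> set of distinct source IPs among dropped packets."""
    hits = defaultdict(set)
    for r in records:
        if r["action"] == "Drop":
            hits[(r["proto"], r["dport"])].add(r["src"])
    return hits
```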