[Dshield] PF Parser update

millerbn millerbn at chiba.dhs.org
Fri Mar 14 05:09:54 GMT 2003


The current parser works great. Having the output sent to me daily by email, I'm able to keep an eye on what 
isn't being parsed. A number of the below lines were parsed but I included them with those that weren't since 
they are related. While it may be by design that the fragmented packets aren't being parsed, I thought I'd post 
just in case it's not.


------------------------------Processing line 457------------------------------
PARSING: Mar 13 21:01:57.552793 rule 45/0(match): block in on we0: 208.185.54.25.2460 > 66.93.187.127.2638:  udp 1472 (ttl 116, id 864)
PARSE RESULT:2003-03-13 21:01:57 -05:00|12203927|1|208.185.54.25|2460|66.93.187.127|2638|UDP|
WRITTEN: 2003-03-13 21:01:57 -05:00	12203927	1	208.185.54.25	2460	66.93.187.127	2638	UDP	
------------------------------Processing line 458------------------------------
PARSING: Mar 13 21:01:57.573716 rule 45/0(match): block in on we0: 208.185.54.25.2460 > 66.93.187.127.2638:  udp 1472 (ttl 116, id 865)
PARSE RESULT:2003-03-13 21:01:57 -05:00|12203927|1|208.185.54.25|2460|66.93.187.127|2638|UDP|
WRITTEN: 2003-03-13 21:01:57 -05:00	12203927	1	208.185.54.25	2460	66.93.187.127	2638	UDP	
------------------------------Processing line 459------------------------------
PARSING: Mar 13 21:01:57.595180 rule 45/0(match): block in on we0: 208.185.54.25.2460 > 66.93.187.127.2638:  udp 2410 (frag 866:1480 at 0+) (ttl 116)
PARSE RESULT:2003-03-13 21:01:57 -05:00|12203927|1|208.185.54.25|2460|66.93.187.127|2638|UDP|
WRITTEN: 2003-03-13 21:01:57 -05:00	12203927	1	208.185.54.25	2460	66.93.187.127	2638	UDP	
------------------------------Processing line 460------------------------------
PARSING: Mar 13 21:01:57.610567 rule 45/0(match): block in on we0: 208.185.54.25 > 66.93.187.127: (frag 866:938 at 1480) (ttl 116)
SKIPPING: Can't parse this line. 
------------------------------Processing line 461------------------------------
PARSING: Mar 13 21:01:58.713975 rule 45/0(match): block in on we0: 208.185.54.25.2460 > 66.93.187.127.2638:  udp 2410 (frag 2168:1480 at 0+) (ttl 116)
PARSE RESULT:2003-03-13 21:01:58 -05:00|12203927|1|208.185.54.25|2460|66.93.187.127|2638|UDP|
WRITTEN: 2003-03-13 21:01:58 -05:00	12203927	1	208.185.54.25	2460	66.93.187.127	2638	UDP	
------------------------------Processing line 462------------------------------
PARSING: Mar 13 21:01:58.728883 rule 45/0(match): block in on we0: 208.185.54.25 > 66.93.187.127: (frag 2168:938 at 1480) (ttl 116)
SKIPPING: Can't parse this line. 
------------------------------Processing line 463------------------------------
PARSING: Mar 13 21:01:59.835995 rule 45/0(match): block in on we0: 208.185.54.25.2460 > 66.93.187.127.2638:  udp 2410 (frag 3272:1480 at 0+) (ttl 116)
PARSE RESULT:2003-03-13 21:01:59 -05:00|12203927|1|208.185.54.25|2460|66.93.187.127|2638|UDP|
WRITTEN: 2003-03-13 21:01:59 -05:00	12203927	1	208.185.54.25	2460	66.93.187.127	2638	UDP	
------------------------------Processing line 464------------------------------
PARSING: Mar 13 21:01:59.851156 rule 45/0(match): block in on we0: 208.185.54.25 > 66.93.187.127: (frag 3272:938 at 1480) (ttl 116)
SKIPPING: Can't parse this line. 
------------------------------Processing line 465------------------------------
PARSING: Mar 13 21:02:00.958789 rule 45/0(match): block in on we0: 208.185.54.25.2460 > 66.93.187.127.2638:  udp 2410 (frag 4547:1480 at 0+) (ttl 116)
PARSE RESULT:2003-03-13 21:02:00 -05:00|12203927|1|208.185.54.25|2460|66.93.187.127|2638|UDP|
WRITTEN: 2003-03-13 21:02:00 -05:00	12203927	1	208.185.54.25	2460	66.93.187.127	2638	UDP	
------------------------------Processing line 466------------------------------
PARSING: Mar 13 21:02:00.974155 rule 45/0(match): block in on we0: 208.185.54.25 > 66.93.187.127: (frag 4547:938 at 1480) (ttl 116)
SKIPPING: Can't parse this line. 
------------------------------Processing line 467------------------------------
PARSING: Mar 13 21:02:02.079070 rule 45/0(match): block in on we0: 208.185.54.25.2460 > 66.93.187.127.2638:  udp 2410 (frag 5658:1480 at 0+) (ttl 116)
PARSE RESULT:2003-03-13 21:02:02 -05:00|12203927|1|208.185.54.25|2460|66.93.187.127|2638|UDP|
WRITTEN: 2003-03-13 21:02:02 -05:00	12203927	1	208.185.54.25	2460	66.93.187.127	2638	UDP	
------------------------------Processing line 468------------------------------
PARSING: Mar 13 21:02:02.094271 rule 45/0(match): block in on we0: 208.185.54.25 > 66.93.187.127: (frag 5658:938 at 1480) (ttl 116)
SKIPPING: Can't parse this line. 
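The lines the parser skips above are the second fragments of each UDP datagram: pf logs them with only the IP header, so there is no port pair or protocol keyword for a line-by-line parser to pick up. The record for those fragments can still be produced by remembering the first fragment, which carries the transport header, keyed by (source, destination, IP id), and filling the ports in when a later fragment with the same key arrives. The following Python script is an added example written for this page, not the DShield PF parser or any code from the list; it assumes a year (pflog lines carry none), a local UTC offset, a placeholder submitter id, and a bounded table of pending first fragments, none of which the post shows. Three of the sample lines are the post's own lines 457, 459 and 460; the fourth is constructed.

```python
import re
from datetime import datetime

# Configuration the post does not show; these are assumptions for the example.
YEAR = 2003           # pflog lines carry no year, so the parser has to supply one
TZ_OFFSET = "-05:00"  # local offset written into the DShield timestamp field
USER_ID = "00000000"  # placeholder submitter id, not a real DShield user id
MAX_PENDING = 1000    # cap on remembered first fragments, so memory stays bounded

# One pflog line: "Mon DD HH:MM:SS.usec rule N/M(reason): action dir on iface: SRC[.SPORT] > DST[.DPORT]: REST"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\.\d+ "
    r"rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: *(?P<rest>.*)$"
)
PROTO_RE = re.compile(r"^(?P<proto>udp|tcp)\b")  # ICMP has no ports and is not handled here
# "(frag ID:LEN at OFFSET+)"; the trailing "+" means more fragments follow
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<len>\d+) at (?P<off>\d+)(?P<more>\+?)\)")


class PfLogParser:
    """Converts pflog lines into the pipe-separated record format shown in the post.

    Non-first fragments carry no transport header, so pf prints them without
    ports or protocol. The parser remembers (src, dst, IP id) -> (sport, dport,
    proto) from the first fragment and fills it in for the later ones.
    """

    def __init__(self, year=YEAR, tz=TZ_OFFSET, user_id=USER_ID):
        self.year, self.tz, self.user_id = year, tz, user_id
        self._pending = {}  # (src, dst, frag id) -> (sport, dport, proto)

    def pending(self):
        """Number of first fragments still waiting for their last fragment."""
        return len(self._pending)

    def parse(self, line):
        """Return the record for one line, or None if the line must be skipped."""
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            return None
        sport, dport, rest = m["sport"], m["dport"], m["rest"]
        pm = PROTO_RE.match(rest)
        proto = pm["proto"].upper() if pm else None

        fm = FRAG_RE.search(rest)
        if fm:
            key = (m["src"], m["dst"], fm["id"])
            if fm["off"] == "0":
                # First fragment: it has the ports, so remember them for the rest.
                if len(self._pending) >= MAX_PENDING:
                    self._pending.pop(next(iter(self._pending)))  # drop the oldest entry
                self._pending[key] = (sport, dport, proto)
            else:
                saved = self._pending.get(key)
                if saved is None:
                    return None  # first fragment never seen; ports cannot be attributed
                sport, dport, proto = saved
                if not fm["more"]:
                    del self._pending[key]  # last fragment of this datagram
        if proto is None or sport is None or dport is None:
            return None

        ts = datetime.strptime(f"{self.year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        fields = [ts.strftime("%Y-%m-%d %H:%M:%S") + " " + self.tz, self.user_id, "1",
                  m["src"], sport, m["dst"], dport, proto]
        return "|".join(fields) + "|"

    def parse_lines(self, lines):
        """Parse many lines in order; returns [(line, record_or_None), ...]."""
        return [(line, self.parse(line)) for line in lines]


SAMPLE_LINES = [
    # Lines 457, 459 and 460 from the post: an unfragmented datagram, then both
    # fragments of a fragmented one
    "Mar 13 21:01:57.552793 rule 45/0(match): block in on we0: 208.185.54.25.2460 > 66.93.187.127.2638:  udp 1472 (ttl 116, id 864)",
    "Mar 13 21:01:57.595180 rule 45/0(match): block in on we0: 208.185.54.25.2460 > 66.93.187.127.2638:  udp 2410 (frag 866:1480 at 0+) (ttl 116)",
    "Mar 13 21:01:57.610567 rule 45/0(match): block in on we0: 208.185.54.25 > 66.93.187.127: (frag 866:938 at 1480) (ttl 116)",
    # Constructed: a trailing fragment whose first fragment was never logged
    "Mar 13 21:02:05.000000 rule 45/0(match): block in on we0: 208.185.54.25 > 66.93.187.127: (frag 9999:938 at 1480) (ttl 116)",
]

if __name__ == "__main__":
    for line, record in PfLogParser().parse_lines(SAMPLE_LINES):
        print("PARSING:", line)
        print("PARSE RESULT:" + record if record else "SKIPPING: Can't parse this line.")
```

The pending table is keyed on the IP id together with both addresses, because the id alone repeats across hosts, and it is bounded so that a stream of first fragments whose tails never arrive cannot grow it without limit; a trailing fragment with no remembered first fragment is still skipped, since nothing on the line says which ports it belongs to.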