On Tue, 4 Dec 2001, Jason Haar wrote:

> Sounds like you need logsnorter. Dumps some Firewall syslog entries into
> snort's backend SQL databases...

Another possibility is something as simple as scripting some grep passes.
Using Netfilter's --log-prefix switch allows you to ID log entries any way
you want. This can provide a great level of detail. For example I prefix
banned IPs as "BADGUY", Null scans as "NULLSCAN", SSH scans as "SSH_SCAN",
etc. etc. etc.

In fact, Bill Stearns is working on a module that will tag log entries
with the sender's OS (based on p0f).

Netfilter's logging is pretty advanced. You really have to stop and think
to realize the full possibilities.

HTH,
Chris

--
**************************************
cbrentonat_private
$ chown -R us:us yourbase

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
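The --log-prefix tagging and grep-pass approach described in the message above, as an added example that is not part of the original post or of any tool it mentions. The iptables LOG rules are shown (not executed, since loading them needs root and a live firewall), the prefixes BADGUY, NULLSCAN and SSH_SCAN are the ones named in the post, and the kernel log lines are constructed samples in the usual syslog layout; the 192.0.2.0/24 "banned" range, the hostname "fw" and the RFC 5737 addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Tag Netfilter log entries
# with --log-prefix, then pull them apart with grep/sed/awk.

# LOG rules of the kind the post describes (printed, not loaded). The prefix
# is written immediately before "IN=", so a trailing space keeps the tag a
# separate field; --log-prefix accepts at most 29 characters.
netfilter_rules() {
    cat <<'EOF'
iptables -A INPUT -s 192.0.2.0/24 -j LOG --log-prefix "BADGUY "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULLSCAN "
iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "SSH_SCAN "
EOF
}

# Constructed sample of what syslog records for those rules. The last line
# is an unrelated sshd entry to show that non-tagged lines are ignored.
sample_log() {
    cat <<'EOF'
Dec  4 10:01:02 fw kernel: BADGUY IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80
Dec  4 10:01:05 fw kernel: SSH_SCAN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22
Dec  4 10:01:06 fw kernel: SSH_SCAN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.6 PROTO=TCP SPT=51001 DPT=22
Dec  4 10:01:09 fw kernel: NULLSCAN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=1 DPT=443
Dec  4 10:01:12 fw kernel: BADGUY IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=53
Dec  4 10:01:15 fw sshd[123]: Accepted publickey for alice from 198.51.100.9
EOF
}

# One grep pass per tag: how many entries carry the given prefix.
# Usage: sample_log | count_tag SSH_SCAN
count_tag() {
    grep -c "kernel: $1 "
}

# Source addresses seen under a given prefix, most frequent first.
# Usage: sample_log | sources_for_tag BADGUY
sources_for_tag() {
    grep "kernel: $1 " | sed -n 's/.* SRC=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Single awk pass over the whole log: every prefix counted at once. The tag
# is the field right after "kernel:", and only lines that look like
# Netfilter entries ("<TAG> IN=") are considered.
# Usage: sample_log | summarize_tags
summarize_tags() {
    awk '/kernel: [A-Z_]+ IN=/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "kernel:") { c[$(i+1)]++; break }
         }
         END { for (t in c) printf "%s %d\n", t, c[t] }' | sort
}

# Stand-alone run: show the rules, then the summaries for the sample log.
netfilter_rules
echo
sample_log | summarize_tags
echo
sample_log | sources_for_tag SSH_SCAN
```

On a real host, replace `sample_log` with `grep 'kernel:' /var/log/messages` (or wherever the kernel facility is logged); the same functions work unchanged because the prefix becomes a plain field that grep and awk can key on.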
This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 22:18:56 PST