Sorry for the late reply. The nice feature about working on email while on the plane is that there are no new messages coming in ;-). See comments inline.

On Wed, 4 Dec 2002 04:35:12 +0000 (GMT) Tina Bird <tbird@precision-guesswork.com> wrote:

> they've got a >>huge<< number
> of what they call client programs, that parse logs from routers and
> firewall devices into the format required by their database:

Actually, the number of client programs is quite small. We currently support two and there are a couple of user supported programs. However, the number of recognized log formats has grown quite a bit.

Basically, the two "clients" (one Windows in Visual Basic, one Unix in Perl) provide a framework that makes it quite easy to write new parsers. One limitation: Things get ugly if an "event" covers more than one line in the original log file (but we have covered them as well).

The basic idea: The "client" reads the logfile, parses it and does some basic validation/filtering (this is done after parsing, so we can keep that stuff log format independent). The output format is a simple tab delimited format. We chose tab delimited because it is easy to parse, and can be read into the database "as is" after validation. The clients currently use e-mail to send the log to the central server.

> http://www.dshield.org/specs.html

yep. source code is available as well (I think the same page or howto.html).

> anyone worked with these systems before?

I will be in San Francisco next week at CDI if someone wants to chat. There is a plan for a DShield BOF, and I will talk about the Storm Center / DShield (probably not too much about the details of parsers)

--
--------------------------------------------------------------------
jullrichat_private Collaborative Intrusion Detection join http://www.dshield.org
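The client flow described in the message above (a format-specific parser, then format-independent validation, then tab-delimited output), as an added Python illustration that is not DShield's own Perl or Visual Basic client; the sample log lines, the column order and the author id are constructed assumptions, not the real DShield record layout.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample input (netfilter-style syslog lines); not real DShield data.
SAMPLE_LOG = """\
Dec  4 04:35:12 gw kernel: IN=eth0 SRC=10.9.8.7 DST=192.0.2.10 PROTO=TCP SPT=4242 DPT=80 SYN
Dec  4 04:35:13 gw kernel: IN=eth0 SRC=10.9.8.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=137
Dec  4 04:35:14 gw kernel: IN=eth0 SRC=999.1.1.1 DST=192.0.2.10 PROTO=TCP SPT=1 DPT=22 SYN
Dec  4 04:35:15 gw kernel: IN=eth0 SRC=10.9.8.8 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=70000 SYN
"""

# Format-specific stage: one regex per recognised log format. Supporting a new
# format means adding another parse_* function that returns the same dict shape.
NETFILTER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)\s*(?P<flags>.*)$"
)

def parse_netfilter(line, year=2002):
    """Syslog lines carry no year, so the caller supplies it."""
    m = NETFILTER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"].upper(),
            "spt": int(m["spt"]), "dpt": int(m["dpt"]), "flags": m["flags"].strip()}

def validate(ev):
    """Format-independent checks, run after parsing and before the record is emitted."""
    try:
        for key in ("src", "dst"):
            ipaddress.ip_address(ev[key])
    except ValueError:
        return False
    return ev["proto"] in {"TCP", "UDP", "ICMP"} and all(0 <= ev[p] <= 65535 for p in ("spt", "dpt"))

def to_tsv(ev, author_id):
    # Column order is an assumption for illustration, not the DShield spec.
    return "\t".join([ev["ts"].strftime("%Y-%m-%d %H:%M:%S"), author_id, ev["src"],
                      str(ev["spt"]), ev["dst"], str(ev["dpt"]), ev["proto"], ev["flags"]])

def process(text, author_id, parser=parse_netfilter):
    """Parse each line, drop what fails validation, return (tsv records, rejected count)."""
    records, rejected = [], 0
    for line in text.splitlines():
        ev = parser(line)
        if ev is None or not validate(ev):
            rejected += 1
            continue
        records.append(to_tsv(ev, author_id))
    return records, rejected
```

The two rejected sample lines (an impossible source address and a port above 65535) show why validation sits after parsing: the parser only has to know the log format, and the sanity rules apply to every format the same way.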
This archive was generated by hypermail 2b30 : Fri Dec 13 2002 - 13:09:49 PST