Firewall Wizards: Re: parsing logs ultra-fast inline

["Patrick M. Hausen" <hausen () punkt de>]

Hi, all!

On Mon, Feb 06, 2006 at 05:05:06PM -0500, Anton Chuvakin wrote:

> > meaning. Take Tina's VPN example - how many types of log entries you would
> > expect from a VPN concentrator? From my experience, not more than 20 but
> > let's assume there are 50. Give a sample from each entry to a Perl
> He-he, no :-) I just looked at the old documentation bundle of Cisco
> VPN 3000 messages and its nowhere near the above. How about 2049
> unique messages documented by Cisco?
But 99+% of these messages will probably be of these kinds:

IKE phase 1 completed with peer X
IKE phase 2 completed with peer X, IPSec SA established
RADIUS/CA/XAUTH successful for X
IPSec SA terminated upon request
IPSec SA rekey
IKE SA terminated up request
IKE SA rekey
IPSec SA timeout
IKE SA timeout
IKE phase 1 failed - invalid peer/certificate/PSK/proposal/...

Did I forget anything? Obviously it doesn't matter. Detect, weed
out and store the messages above - they are the routine cases
an not interesting. Or don't store them. Only count their numbers.
A sudden raise of the last one for a single remote IP-Address _is_
interesting.

Flag the remaining <1% for human inspection. Then write parsing rules
for the handfull of distinct messages that comprise 99+% of
these remaining <1%.

I didn't invent the "counting" thing - someone else on this list
once wrote: "The number of times an uninteresting thing occurs
is an interesting thing." I found that worth memorizing ;-)

Kind regards,
Patrick
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards