Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

RE: parsing logs ultra-fast inline
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 9 Feb 2006 13:26:15 -0500

-----Original Message-----
Subject: Re: [fw-wiz] parsing logs ultra-fast inline

Second question: Hasn't anyone else ever written these scripts? You would
think they'd be 
pretty widely available - especially for things like a PIX or 2600 or AIX.
I mean, yes 
they're site specific but if you know all of the errors/messages a PIX can
provide (someone 
said 26k or so?) then the "meat" of a script could be generic enough...the
most common 
messages aren't likely to differ by much from site to site...place your
IPs/whatever in and > run... or start to run...??

If by anyone, you mean anyone with some perl/shell knowledge and a PIX, then
yes, anyone can and has written them.  Even me, and my code sucks.

http://honor.icsalabs.com/pipermail/firewall-wizards/2003-October/015488.htm
l
http://honor.icsalabs.com/pipermail/firewall-wizards/2003-October/015503.htm
l
http://www.loganalysis.org/sections/parsing/application-specific/index.html

With regard to AIX, sure there are.  But generally Unix syslog, as opposed
to syslog from a router or firewall, contains messages from lots of
different pieces of software (i.e. Postfix vs. Sendmail, vsftpd vs. wu-ftpd,
vixie vs. anacron, etc.) so you will spend a little time putting things
together.  But for security purposes, you can put together a quick list of
things to grep for off the top of your head (or in this case my head, but
you can take credit for it off list).

root
connect
login
accept
fail
refuse
restart

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault