Re: [wallfire-users] Help about how the wflogs reads the logs
From: V. B. <vin...@ba...> - 2008-11-07 18:43:00
Are you sure that nepenthes doesn't do any kind of filter? For example, I have many packets that are part of a DNS connection (my host did a DNS request) and, with wflogs, the port that my host used to do that appears only one time. It doesn't consider all the packets.

On Fri, Nov 7, 2008 at 7:49 AM, Herve Eychenne <rv...@wa...> wrote:
> On Thu, Nov 06, 2008 at 06:39:18PM -0200, Vinícius Batistela wrote:
>
> Hi Vinícius,
>
> > I am using wflogs with the logs generated by iptables and I have a doubt.
> > I used wflogs filtering by protocol (TCP and UDP) and I generated an
> > XML file. Then, I wrote a script to read this XML. But, looking at the
> > results I got with this script and at the results I got using a
> > script that reads the iptables log directly, I saw they are different.
> >
> > So, I think that for TCP, wflogs just considers the packets with the
> > SYN flag set, which represent an attempt to start a connection. Am I
> > wrong?
>
> Well, it's supposed to consider all packets (SYN or not) by default,
> even if you can filter only SYN ones if you wish to do so.
>
> > So, for UDP, I have different results too, using the XML and
> > reading the iptables log directly. But the UDP protocol does not have
> > control mechanisms. What does wflogs do about UDP?
>
> It's the same (except that there is no connection/SYN in UDP), it considers
> all packets by default.
>
> > Thank you for the answers.
>
> Regards,
>
> Hervé

--
Vinícius Batistela
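The discrepancy discussed in this thread (every packet counted by one script, a source port showing up once in the other) is what you get when one side counts packets and the other aggregates by 5-tuple. The following is an added example, not wflogs code or anything posted by the participants; it parses constructed iptables LOG lines and shows per-packet counting, the SYN-only filter Hervé mentions, and per-flow aggregation side by side.

```python
import re

# Constructed iptables LOG lines (not from the original thread): the same UDP
# query "flow" is logged three times; the TCP flow has a SYN and two later ACKs.
SAMPLE_LOG = """\
Nov  7 10:01:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=40213 DPT=53 LEN=40
Nov  7 10:01:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=40213 DPT=53 LEN=40
Nov  7 10:01:03 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=40213 DPT=53 LEN=40
Nov  7 10:01:04 host kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.80 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
Nov  7 10:01:04 host kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.80 PROTO=TCP SPT=51000 DPT=80 ACK URGP=0
Nov  7 10:01:05 host kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.80 PROTO=TCP SPT=51000 DPT=80 ACK PSH URGP=0
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|PSH|FIN|RST)\b")


def parse_iptables_log(text):
    """Return one dict per LOG line: SRC/DST/PROTO/SPT/DPT plus the TCP flag set."""
    records = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "PROTO" not in fields:
            continue  # not an iptables LOG line, skip it
        # Flags come after PROTO=..., so only scan that part (avoids hostnames etc.)
        fields["FLAGS"] = set(FLAG_RE.findall(line.split("PROTO=", 1)[1]))
        records.append(fields)
    return records


def count_packets(records, proto, syn_only=False):
    """Per-packet count, optionally restricted to TCP packets with SYN set."""
    return sum(1 for r in records
               if r["PROTO"] == proto and (not syn_only or "SYN" in r["FLAGS"]))


def count_flows(records, proto):
    """Per-flow count: distinct (SRC, SPT, DST, DPT) tuples, one entry per 'connection'."""
    return len({(r["SRC"], r["SPT"], r["DST"], r["DPT"])
                for r in records if r["PROTO"] == proto})


if __name__ == "__main__":
    recs = parse_iptables_log(SAMPLE_LOG)
    for proto in ("UDP", "TCP"):
        print(proto, "packets:", count_packets(recs, proto),
              "flows:", count_flows(recs, proto))
    print("TCP SYN-only packets:", count_packets(recs, "TCP", syn_only=True))
```

Comparing the two scripts' outputs against these three numbers tells you which aggregation each one is doing.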