Re: [Wallfire-users] Help!
From: Tim S. <tp...@bu...> - 2003-02-20 20:52:44
On Thu, Feb 20, 2003 at 08:49:03PM +0100, Herve Eychenne wrote:
> > Feb 19 00:13:41 pike.local %PIX-2-106006: Deny inbound UDP from 181.30.226.168/1030 to 192.168.1.179/137 on interface outside
>
> Ok, I see exactly what's going on. I didn't exactly rely on the same
> format files as you. You (or I) have really no luck, I'm sorry. ;-)
> But I come with a temporary solution, so I hope you'll forgive me.
>
> I'm very interested in your feedback.
> Don't hesitate if you have other problems.
>
> ****************
> For snort:
>
> wflogs expects a snort log coming from syslog... so maybe I should do
> something to also recognize directly generated alert files...
> That will certainly be in the next release...
> But for the moment, you could try to log it to syslog, or write a short
> perl script to add "syslog information" to your lines in order to
> parse them correctly. Here's the little one I just wrote:
> (note that it requires libtime-piece-perl)
>
> $ cat snortalert2syslog
> #!/usr/bin/perl -w
> use Time::Piece;
> while (<>) {
>     chomp;   # $_ keeps its "\n"; drop it or the print below emits a blank line
>     # only lines that start with a snort timestamp (MM/DD-HH:MM:SS.usec);
>     # skip the rest, otherwise strptime() dies on the first continuation line
>     my ($str) = (/^(\d\d\/\d\d-\d\d:\d\d:\d\d)\./) or next;
>     my $t = Time::Piece->strptime($str, "%m/%d-%T");
>     print $t->strftime("%b %d %T"), " myhost snort: $_\n";
> }
>
> But it isn't sufficient, as a little too much paranoia in the current
> checks prevents this from working (though this will be fixed in the
> next release). So for the moment you have to turn off the strict checking.
>
> So, for the moment, use:
> $ ./snortalert2syslog < yoursnortlogs | wflogs --strict-parsing=loose -i snort -
OK, that should work.
> ****************
>
> For Pix:
>
> wflogs expects ": PIX-". Well, it's because my working test file is
> PIX-4, and yours is PIX-2. However, expecting only " PIX-" (without
> ':') does the job. This will be fixed in the next release as well.
>
> So, for the moment, use:
> $ sed 's/ %PIX-/:&/' < yourpixlogs | wflogs -i cisco_pix -
OK, thanks.
Tim
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer >< Coastal Internet, Inc. <<
>> Network and Systems Operations >< PO Box 671 <<
>> http://www.buoy.com >< Ridge, NY 11961 <<
>> tp...@bu... >< (631) 924-3728 (888) 924-3728 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
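An added example, not code from this thread or from wflogs: the two fixups above as one Python filter that handles the lines the perl script would die on (no timestamp, bad month) and, going a bit beyond the mail, accepts a mixed snort/PIX input; the host name `myhost` and the two sample lines are constructed.

```python
import re

# Constructed sample lines, not taken from the mail: one snort alert-file line
# (MM/DD-HH:MM:SS.usec, no year, no host) and one raw PIX syslog line.
SNORT_ALERT = ("02/19-00:13:41.123456 [**] [1:2000:1] NETBIOS probe [**] "
               "10.0.0.5:1030 -> 192.168.1.179:137")
PIX_RAW = ("Feb 19 00:13:41 pike.local %PIX-2-106006: Deny inbound UDP from "
           "10.0.0.5/1030 to 192.168.1.179/137 on interface outside")
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
SNORT_TS = re.compile(r"^(\d{2})/(\d{2})-(\d{2}:\d{2}:\d{2})\.\d+")

def snort_alert_to_syslog(line, host="myhost"):
    """Prefix a snort alert-file line with a syslog header, keeping the whole
    line as the perl script does. Returns None for lines with no snort
    timestamp (continuation lines of a multi-line alert) instead of dying."""
    m = SNORT_TS.match(line)
    if not m:
        return None
    month, day, hms = int(m.group(1)), int(m.group(2)), m.group(3)
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return None
    # Real syslog space-pads the day ("Feb  9"), so mirror that rather than %d.
    return "%s %2d %s %s snort: %s" % (MONTHS[month - 1], day, hms, host,
                                      line.rstrip("\n"))

def pix_to_wflogs(line):
    """Do what sed 's/ %PIX-/:&/' does: put ':' before the first ' %PIX-'."""
    return line.rstrip("\n").replace(" %PIX-", ": %PIX-", 1)

def normalize(lines, host="myhost"):
    """Route each line of a mixed input to the right fixup; lines that are
    neither snort alerts nor PIX messages pass through unchanged."""
    out = []
    for line in lines:
        fixed = snort_alert_to_syslog(line, host)
        if fixed is not None:
            out.append(fixed)
        elif " %PIX-" in line:
            out.append(pix_to_wflogs(line))
        else:
            out.append(line.rstrip("\n"))
    return out

if __name__ == "__main__":
    import sys  # usage: ./normalize.py < logs | wflogs --strict-parsing=loose -i snort -
    print("\n".join(normalize(sys.stdin)))
```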