 
 From:  "Pat Ellison" <pat at zbit dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  M0N0Wall Syslog Client
 Date:  Thu, 19 Aug 2004 10:11:42 -0400
I'm looking to write a killer .Net Syslog exclusive for M0N0Wall with formatted output for a realtime display. Maybe export to SQL, Alerts... etc all the goodies. I already have many IP projects that run 24/7 without fail on my Socket class so the Comm is already written and surely tested, so writing this app will be almost trivial.

I also plan to post the source code so that others can make changes if they like. My goal is really to give me the same look as if this was just an extension of M0N0Wall except it is in real time and runs on a client. I desire to use the same great color scheme.

To do this I need help with a few items. Reading the raw logs there are a few items that I am not sure of in their meaning. Please help me with the description of these items.

Also if anybody would be gracious enough to send me any weird lines that they get that are out of the norm, such as this one I came across.

09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN


09:26:54.775565 rl0 @0:15 b 68.248.200.13,63021 -> 9.3.18.20,13802 PR tcp len 20 40 -AR IN
|-Time---------| IF  ?    ?   Src        , Port      Dest   , Port ?  Prot ?  ?  ?  ?   ?

-S   ? Are these TCP packet flags?  Ack Syn etc?
-AF  ?
-AFP ?
-AP  ?


-Pat


09:24:41.188275 rl0 @0:17 b 66.132.253.215,3928 -> 69.33.178.214,1080 PR tcp len 20 48 -S IN
09:24:40.950029 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len 20 48 -S IN
09:24:38.009032 rl0 @0:17 b 66.132.253.215,3918 -> 69.33.178.211,1080 PR tcp len 20 48 -S IN
09:24:38.008883 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len 20 48 -S IN
09:24:34.239139 rl0 @0:17 b 69.42.65.104,52200 -> 9.3.18.20,113 PR tcp len 20 60 -S IN
09:23:29.132812 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
09:22:53.943146 rl0 @0:17 b 202.105.21.247,1055 -> 69.33.178.212,1434 PR udp len 20 404 IN
09:22:38.114079 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
09:22:12.159733 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
09:21:15.131251 rl0 @0:17 b 69.42.65.104,46234 -> 9.3.18.20,113 PR tcp len 20 60 -S IN
09:20:54.143636 rl0 @0:17 b 69.42.65.104,46234 -> 9.3.18.20,113 PR tcp len 20 60 -S IN
09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN
09:14:39.252967 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AFP IN
09:14:31.523658 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AFP IN
09:13:18.484451 rl0 @0:17 b 83.31.83.69,2214 -> 69.33.178.214,135 PR tcp len 20 48 -S IN
09:13:15.498901 rl0 @0:17 b 83.31.83.69,2214 -> 69.33.178.214,135 PR tcp len 20 48 -S IN
09:13:05.394718 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AFP IN
09:13:03.226206 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AFP IN
09:12:25.151444 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 40 -AF IN
09:12:23.501803 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
09:12:15.321926 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AP IN
09:12:13.738375 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AP IN
09:11:51.260291 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AP IN
09:11:50.235581 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AP IN
09:11:40.666172 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AP IN
09:11:39.230193 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AP IN
09:11:36.593161 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 40 -A IN
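The ipmon-format lines above parsed into their fields, as an added example in Python (not code from the original post and not m0n0wall's own). It assumes the ipfilter ipmon layout: time, interface, @group:rule of the rule that matched, b for block or p for pass, source and destination with an optional port, protocol, IP header length and total packet length, TCP flags (S=SYN, A=ACK, F=FIN, P=PSH, R=RST, U=URG), then IN or OUT; the input is three lines from the post rejoined onto single lines, used here as constructed sample data.

```python
import re
from collections import Counter

# Constructed sample: three lines from the post rejoined onto single lines,
# in the ipmon (ipfilter) format that m0n0wall ships to a syslog server.
SAMPLE = """\
09:24:41.188275 rl0 @0:17 b 66.132.253.215,3928 -> 69.33.178.214,1080 PR tcp len 20 48 -S IN
09:26:54.775565 rl0 @0:15 b 68.248.200.13,63021 -> 9.3.18.20,13802 PR tcp len 20 40 -AR IN
09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN
"""

# Field layout of an ipmon line:
#   time iface @group:rule action src[,port] -> dst[,port] PR proto len hdrlen pktlen [-flags] [icmp detail] IN|OUT
# action: b = block, p = pass; "len 20 40" = 20-byte IP header, 40-byte packet;
# "-AR" = TCP flags ACK+RST; icmp lines carry no ports but a detail trailer instead.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\w+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>[SAFPRU]+))?"
    r"(?: (?P<extra>.*?))? (?P<dir>IN|OUT)$"
)

TCP_FLAGS = {"S": "SYN", "A": "ACK", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG"}

def parse_line(line):
    """Parse one ipmon line into a dict of fields; None if the line is not ipmon format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. a line the mail client wrapped in two
    d = m.groupdict()
    d["blocked"] = d.pop("action") == "b"
    d["rule"] = d.pop("group") + ":" + d["rule"]
    for k in ("sport", "dport", "hlen", "plen"):
        d[k] = int(d[k]) if d[k] else None
    d["flags"] = tuple(TCP_FLAGS[c] for c in (d["flags"] or ""))
    d["extra"] = d["extra"] or ""
    return d

def blocked_syn_by_port(text):
    """Count blocked inbound bare-SYN hits (new connection attempts) per destination port."""
    counts = Counter()
    for e in filter(None, map(parse_line, text.splitlines())):
        if e["blocked"] and e["dir"] == "IN" and e["flags"] == ("SYN",):
            counts[e["dport"]] += 1
    return counts
```

A realtime display or SQL export would feed each syslog datagram's message text through parse_line and alert on counters such as blocked_syn_by_port.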