 
 From:  Chet Harvey <chet at pittech dot com>
 To:  Pat Ellison <pat at zbit dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] M0N0Wall Syslog Client
 Date:  Thu, 19 Aug 2004 10:49:38 -0400
This is real time, I get an email the instant snort picks something up.

I can't access the SQL to look at the table from here. I will get it to you
tonight when I get home.

And I am all for anything that makes my life easier =)

Chet Harvey


Quoting Pat Ellison <pat at zbit dot net>:

> True, but it's not real time. I was using kiwi and the lack of formatting
> was making me have to concentrate hard to see what was happening.
> Color coding would be the greatest.
> 
> BTW.. give me the CREATE TABLE TSql statement for your SQL Logs and
> then if we use the same format then you would be able to use this out of the
> box if you like it..
> 
> -Pat
> My primary goal is formatted, real-time Syslog viewing
> 
> -----Original Message-----
> From: Chet Harvey [mailto:chet at pittech dot com]
> Sent: Thursday, August 19, 2004 10:27 AM
> To: Pat Ellison
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] M0N0Wall Syslog Client
> 
> 
> This could all be accomplished using syslog-ng (or syslog if you don't mind
> unencrypted UDP) to an ACID reporting server. I am not a fan of reinventing
> the wheel but I know you programming geeks love to play =)
> 
> Right now I have my m0n0's piping logs via encrypted stunnel using certs for
> auth then dumping to mySQL for reporting.
> 
> Someday when I get the time I will put this all together to share.
> 
> Chet Harvey
> Pitbull Technologies <http://www.pittech.com/>
> Protecting your Digital Assets
> 703.407.7311
> 
> 
> Quoting Pat Ellison <pat at zbit dot net>:
> 
> > I'm looking to write a killer .Net Syslog exclusive for M0N0Wall with
> > formatted output for a realtime display. Maybe export to SQL, Alerts...
> > etc all the goodies.
> > I already have many IP projects that run 24/7 without fail on my Socket
> > class so the Comm is already written and surely tested so writing this
> > app will be almost trivial.
> >
> > I also plan to post the source code so that others can make changes if
> > they like.
> > My goal is really to give me the same look as if this was just an
> > extension of M0N0Wall except it is in real time and runs on a client. I
> > desire to use the same great color scheme.
> >
> > To do this I need help with a few items. Reading the raw logs there are a
> > few items that I am not sure of in their meaning. Please help me with the
> > description of these items.
> >
> > Also if anybody would be gracious enough to send me any weird lines that
> > they get that are out of the norm such as this one I came across.
> >
> > 09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN
> >
> >
> > 09:26:54.775565 rl0 @0:15 b 68.248.200.13,63021 -> 9.3.18.20,13802 PR tcp len 20 40 -AR IN
> > |-Time---------| IF  ?    ?   Src        , Port      Dest   , Port ?  Prot ?  ?  ?  ?   ?
> >
> > -S   ? Are these TCP packet flags?  Ack Syn etc?
> > -AF  ?
> > -AFP ?
> > -AP  ?
> >
> >
> > -Pat
> >
> >
> > 09:24:41.188275 rl0 @0:17 b 66.132.253.215,3928 -> 69.33.178.214,1080 PR tcp len 20 48 -S IN
> > 09:24:40.950029 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len 20 48 -S IN
> > 09:24:38.009032 rl0 @0:17 b 66.132.253.215,3918 -> 69.33.178.211,1080 PR tcp len 20 48 -S IN
> > 09:24:38.008883 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len 20 48 -S IN
> > 09:24:34.239139 rl0 @0:17 b 69.42.65.104,52200 -> 9.3.18.20,113 PR tcp len 20 60 -S IN
> > 09:23:29.132812 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
> > 09:22:53.943146 rl0 @0:17 b 202.105.21.247,1055 -> 69.33.178.212,1434 PR udp len 20 404 IN
> > 09:22:38.114079 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
> > 09:22:12.159733 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
> > 09:21:15.131251 rl0 @0:17 b 69.42.65.104,46234 -> 9.3.18.20,113 PR tcp len 20 60 -S IN
> > 09:20:54.143636 rl0 @0:17 b 69.42.65.104,46234 -> 9.3.18.20,113 PR tcp len 20 60 -S IN
> > 09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN
> > 09:14:39.252967 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AFP IN
> > 09:14:31.523658 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AFP IN
> > 09:13:18.484451 rl0 @0:17 b 83.31.83.69,2214 -> 69.33.178.214,135 PR tcp len 20 48 -S IN
> > 09:13:15.498901 rl0 @0:17 b 83.31.83.69,2214 -> 69.33.178.214,135 PR tcp len 20 48 -S IN
> > 09:13:05.394718 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AFP IN
> > 09:13:03.226206 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AFP IN
> > 09:12:25.151444 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 40 -AF IN
> > 09:12:23.501803 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
> > 09:12:15.321926 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AP IN
> > 09:12:13.738375 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AP IN
> > 09:11:51.260291 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AP IN
> > 09:11:50.235581 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AP IN
> > 09:11:40.666172 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AP IN
> > 09:11:39.230193 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AP IN
> > 09:11:36.593161 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 40 -A IN
> >
> >
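Added here as a worked example, not code from the thread or from m0n0wall: a small Python parser for the ipfilter-style log lines quoted above, which is the first step a formatted viewer like the one Pat describes would need. It assumes the field order visible in those lines (time, interface, @group:rule, b/p action, src[,port] -> dst[,port], PR proto, len hdr total, optional TCP flag letters, IN/OUT) and that the flag letters are ipfilter's usual S/A/F/R/P/U; the odd ICMP "unreach/port" line is handled by also parsing the inner packet it quotes.

```python
import re
from collections import Counter

# Constructed sample: three lines copied from the thread, including the ICMP
# "unreach/port" line that carries the header of the UDP packet it answers.
SAMPLE_LINES = [
    "09:24:34.239139 rl0 @0:17 b 69.42.65.104,52200 -> 9.3.18.20,113 PR tcp len 20 60 -S IN",
    "09:22:53.943146 rl0 @0:17 b 202.105.21.247,1055 -> 69.33.178.212,1434 PR udp len 20 404 IN",
    "09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 "
    "icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN",
]

# ipfilter's single-letter TCP flag codes (the "-S", "-AFP" field); assumed mapping.
TCP_FLAGS = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

# "a.b.c.d,port" for TCP/UDP, bare "a.b.c.d" for other protocols such as ICMP.
ADDR = r"(?P<{n}>[\d.]+)(?:,(?P<{n}port>\d+))?"
HEADER_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) " + ADDR.format(n="src") + r" -> " + ADDR.format(n="dst") +
    r" PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*?) ?(?P<dir>IN|OUT)$"
)
# Inner packet quoted by an ICMP error: "icmp unreach/port for S,sp - D,dp PR udp len 20 61".
ICMP_RE = re.compile(
    r"^icmp (?P<kind>\S+) for " + ADDR.format(n="src") + r" - " + ADDR.format(n="dst") +
    r" PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for a line of unknown shape."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "rest"}
    rec["action"] = "block" if rec["action"] == "b" else "pass"
    rec["tcp_flags"], rec["icmp_inner"] = [], None
    rest = m.group("rest").strip()
    if rec["proto"] == "tcp" and rest.startswith("-"):
        rec["tcp_flags"] = [TCP_FLAGS.get(c, c) for c in rest[1:]]  # "-AFP" -> ACK FIN PSH
    elif rec["proto"] == "icmp" and rest:
        inner = ICMP_RE.match(rest)  # keep the raw text if the inner shape is unfamiliar
        rec["icmp_inner"] = inner.groupdict() if inner else {"raw": rest}
    return rec

def parse_lines(lines):
    return [r for r in map(parse_line, lines) if r]

def blocked_by_rule(records):
    """Tally blocked packets per (interface, rule number), as a live viewer might."""
    return Counter((r["iface"], r["rule"]) for r in records if r["action"] == "block")
```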