This gave me an idea. Most of what gets logged doesn't really interest me that much, and since I've differentiated between each of the tables I use by setting log-levels, most of the parameters are identical anyway. I think it actually makes sense to reformat those logs to DShield standard.
So I remembered reading something about being able to use pipes with syslog. Actually it turned out to be somewhat more complicated than I thought, but it appears to be supported by Bering uClibc. I also found an ancient project on reformatting firewall loglines by using fifo pipes (in real-time!) and I think it will be fairly simple to make the necessary changes to the source so it will fit the Shorewall output. Given time I'll most definitely try to get this running on Bering. Meanwhile, if someone else is in a bold mood, just google for "firelogd".

Gordon

J.L. Blom wrote:
> David,
> Thanks for the reply.
> My thoughts were very parallel to yours. I think the most convenient way
> is to transfer the shorewall log to the standard workstation (e.g. in the
> logrotate script using scp) where you can do all you want, even use the
> perl scripts provided by dshield.
> I haven't looked at them yet but I presume they use the standard
> mail facility (sendmail or postfix or whatever) to send the mail. Then
> the user must only provide the mailserver address, as this server is
> normally not running on the Leaf firewall (mine is memory only).
> A simple script (on the workstation) can remove all private information
> (e.g. replace your IP-address with XXX.XXX.XXX.XXX). I think this is the
> easiest way.
> Joep
>
> On Sun, 2008-06-29 at 15:35 +0100, davidMbrooke wrote:
>> Interesting idea. I've been thinking about reporting / graphing the
>> numbers of DROPs I get on different port numbers, which is what
>> isc.sans.org do on a global basis.
>>
>> I did have some success with using uperl.lrp to run the
>> sensors-detect.pl script as reported in my leaf-user post from
>> 2006-08-26 20:07:17 (http://marc.info/?l=leaf-user&m=115662286507631&w=2)
>>
>> Presumably we'd want to submit shorewall.log.
>> It seems that this is already in one of the acceptable DShield formats
>> (iptables) so there would be no need to re-format the logfile lines -
>> assuming people are happy to submit as-is, complete with real
>> destination IP addresses etc. Might want to filter out anything but
>> net2all DROP lines, I suppose, but that's easy enough with "grep DROP".
>>
>> The file needs to be mailed to [EMAIL PROTECTED] -
>> presumably /usr/sbin/mail could do that, with suitable per-user
>> configuration and a firewall port opening.
>>
>> ISC seem very keen not to have duplicate submissions of the same log
>> entries from the same firewall. Would the best thing be to integrate
>> with the existing LEAF log rotation, perhaps submitting shorewall.log.0
>> just after the log rotation happens? That would mean we'd submit logs
>> once a day.
>>
>> dMb
>>
>> On Sun, 2008-06-29 at 15:21 +0200, J.L. Blom wrote:
>>> Thanks kp,
>>> I know I haven't seen anything on the perl package also. But would it be
>>> too difficult to do the same in a bash script? I haven't looked into it
>>> and a perl script is easier, but nevertheless I think it is worthwhile to
>>> look into it as the many thousands of Leaf users could help in making the
>>> net safer.
>>> Joep
>>>
>>> On Sun, 2008-06-29 at 14:44 +0200, KP Kirchdoerfer wrote:
>>>> On Sunday, 29 June 2008 14:29:08, J.L. Blom wrote:
>>>>> On Sun, 2008-06-29 at 13:52 +0200, J.L. Blom wrote:
>>>>>> Members,
>>>>>> I was browsing my firewall log and, looking for more information on the
>>>>>> attacked ports, I came upon the site isc.incidents.org.
>>>>>> This site gives a wealth of information on ports attacked and more. Among
>>>>>> others I found I was vigorously attacked by "Adore", a Linux trojan (of
>>>>>> course dropped by leaf).
>>>>>> However, the organisation would very much like to receive the firewall
>>>>>> logs from users (the more the better). They offer software (I assume
>>>>>> scripts) to do this automatically.
>>>>>> In their list of Linux firewalls for which they have scripts Leaf is
>>>>>> missing, but they have general scripts for linux 2.2 (ipchains) and 2.4
>>>>>> (iptables) firewalls.
>>>>>> Isn't it an idea to have a special client for Leaf added to that list?
>>>>>> Joep
>>>>> One small addition:
>>>>> The provided scripts are written in perl and that is beyond the
>>>>> capabilities of Leaf.
>>>>> One question: Can a perl compiled program (with e.g. a 64-bit
>>>>> 2.6 kernel) run under Leaf?
>>>>> (I would think it couldn't).
>>>>> Joep
>>>> No; perl scripts usually don't work on a LEAF box.
>>>>
>>>> There is a microperl package in testing with a subset of perl (uperl.lrp),
>>>> but we have never received any feedback on whether it works at all; and if
>>>> so, it may not provide all features needed for the scripts.
>>>>
>>>> kp

-------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
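As an added example, not from the thread and not part of LEAF, Shorewall or the DShield client scripts: a small POSIX shell script that does the two preparation steps David and Joep describe, keeping only the net2all DROP lines from a rotated log and masking the firewall's own address (the DST= field) before the file goes to the mailer. It uses only grep and sed, which a memory-only LEAF box has, so no perl is needed. The sample log lines, the Shorewall "Shorewall:chain:action:" prefix layout and the shorewall.log.0 file name are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a rotated Shorewall log for
# DShield submission with nothing but grep and sed.

# Constructed sample lines in the iptables/syslog form Shorewall writes.
# Two net2all DROPs, one ACCEPT and one REJECT, so the filter has work to do.
SAMPLE_LOG='Jun 29 15:21:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=6000 DPT=135 SYN URGP=0
Jun 29 15:21:07 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=43210 DPT=80 SYN URGP=0
Jun 29 15:21:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=1434 DPT=1434
Jun 29 15:21:11 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=2222 DPT=22 SYN URGP=0'

# Keep only lines the net2all chain dropped; a bare "grep DROP" would also
# match any other chain that logs DROPs, so anchor on the chain name too.
filter_drops() {
    grep 'Shorewall:net2all:DROP:'
}

# Replace the DST= address (the firewall's public IP) with the placeholder
# Joep suggested. SRC= is left alone: the attacker address is the data
# DShield wants.
mask_dst() {
    sed 's/DST=[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/DST=XXX.XXX.XXX.XXX/'
}

# Whole pipeline over one file, e.g. shorewall.log.0 right after rotation
# (hypothetical path). Output is what would be handed to /usr/sbin/mail.
prepare_submission() {
    filter_drops < "$1" | mask_dst
}

# Number of lines the sample would submit (used by the demo and the test).
count_sample_drops() {
    printf '%s\n' "$SAMPLE_LOG" | filter_drops | wc -l | tr -d ' '
}

# Demo: write the constructed sample to a temp file and show the result.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "lines to submit: $(count_sample_drops)"
    prepare_submission "$tmp"
    rm -f "$tmp"
}

main "$@"
```

Running the script prints the two net2all DROP lines with DST=XXX.XXX.XXX.XXX and drops the ACCEPT and REJECT lines. Hooking `prepare_submission /var/log/shorewall.log.0` into the postrotate step of the existing log rotation, as David proposes, gives one submission per day and avoids re-sending the same entries, which is the duplicate problem ISC is keen to avoid; the exact mail subject and recipient DShield expects are not in this thread, so they are left to the mailer invocation.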