[Oisf-users] format for drop.log
Victor Julien
victor at inliniac.net
Tue Dec 14 11:17:49 UTC 2010
Gurvinder Singh wrote:
> Hi,
>
> We are looking into the log format for the information to be logged for
> dropped packets when Suricata is running in inline mode. We found
> the log formats of netfilter and pfsense quite informative and useful. It
> would be good to get the community's feedback on it. Below are the
> log formats of netfilter and pfsense.
>
>
> Netfilter:
>
> Apr 16 00:30:45 megahard kernel: NF: D(I,Priv) IN=eth1
> OUT= MAC=00:80:8c:1e:12:60:00:10:76:00:2f:c2:08:00
> SRC=198.169.0.65 DST=198.169.0.62
> LEN=60 TOS=0x00 PREC=0x00 TTL=44
> ID=31526 CE DF MF FRAG=179 OPT
> (072728CBA404DFCBA40253CBA4032ECBA403A2CBA4033ECBA402C1180746EA18074C52892734A200)
> PROTO=TCP SPT=4515 DPT=111
> SEQ=1168094040 ACK=0 WINDOW=32120 RES=0x03
> URG ACK PSH RST SYN FIN
> URGP=0
>
>
> Pfsense:
>
> Mar 27 05:32:39 pf: 036068 rule 74/0(match): pass in on vr1: (tos 0x0,
> ttl 128, id 40459, offset 0, flags [DF], proto: TCP (6), length:
> 48) 198.169.0.65.3848> 198.169.0.62.80: S, cksum 0x133d (correct),
> 3737710370:3737710370(0) win 65535<mss 1460,nop,nop,sackOK>
The idea here is that for logging dropped packets we use an existing log
format so existing log parsing / analysis tools can work with it.
Anyone have a preference?
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
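Added example, not code from the thread or from Suricata: a small Python 3 parser that reads one line in each of the two quoted formats into the same connection record, which is the property the reply is after (a drop log in a format that existing tools already parse). The sample lines are constructed from the quoted ones (unwrapped, Netfilter OPT blob shortened) and the field names of the returned dict are my own.

```python
import re

# Constructed sample lines in the two quoted formats (unwrapped; OPT blob shortened).
NF_LINE = ("Apr 16 00:30:45 megahard kernel: NF: D(I,Priv) IN=eth1 OUT= "
           "MAC=00:80:8c:1e:12:60:00:10:76:00:2f:c2:08:00 SRC=198.169.0.65 "
           "DST=198.169.0.62 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=31526 DF "
           "OPT (072728CB) PROTO=TCP SPT=4515 DPT=111 SEQ=1168094040 ACK=0 "
           "WINDOW=32120 RES=0x03 SYN URGP=0")
PF_LINE = ("Mar 27 05:32:39 pf: 036068 rule 74/0(match): pass in on vr1: (tos 0x0, "
           "ttl 128, id 40459, offset 0, flags [DF], proto: TCP (6), length: 48) "
           "198.169.0.65.3848 > 198.169.0.62.80: S, cksum 0x133d (correct), "
           "3737710370:3737710370(0) win 65535<mss 1460,nop,nop,sackOK>")

IP_FLAGS = {"CE", "DF", "MF"}
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}
TCPDUMP_FLAGS = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK", "U": "URG"}
PF_RE = re.compile(
    r"rule (?P<rule>\S+): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(.*?proto: (?P<proto>\w+) \(\d+\).*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s*>\s*(?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<tflags>[A-Z.]+),")

def parse_netfilter(line):
    """Netfilter: KEY=VALUE tokens, bare IP/TCP flag tokens, and 'OPT (hex)'."""
    fields, flags, tokens = {}, set(), line.split()
    for i, tok in enumerate(tokens):
        if "=" in tok:                       # KEY=VALUE, including the empty OUT=
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in IP_FLAGS or tok in TCP_FLAGS:
            flags.add(tok)                   # bare flag token, e.g. DF or SYN
        elif tok == "OPT" and i + 1 < len(tokens):
            fields["OPT"] = tokens[i + 1].strip("()")   # IP options as hex
    # free-form prefix set by the logging rule ("NF: D(I,Priv)" in the sample)
    prefix = line.split("kernel: ", 1)[1].split(" IN=", 1)[0]
    return {"prefix": prefix, "iface": fields.get("IN", ""), "proto": fields["PROTO"],
            "src": fields["SRC"], "sport": int(fields.get("SPT", 0)),
            "dst": fields["DST"], "dport": int(fields.get("DPT", 0)),
            "tcp_flags": sorted(flags & TCP_FLAGS)}

def parse_pfsense(line):
    """pfsense (pf + tcpdump-style text): positional fields via one regex."""
    m = PF_RE.search(line)
    if not m:
        raise ValueError("not a pf log line: %r" % line)
    return {"prefix": "%s %s rule %s" % (m["action"], m["dir"], m["rule"]),
            "iface": m["iface"], "proto": m["proto"], "src": m["src"],
            "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"]),
            "tcp_flags": sorted(TCPDUMP_FLAGS[c] for c in m["tflags"])}
```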