grok not parsing tcpdump output
Reinhold
freebsd at violetlan.net
Wed Aug 20 12:14:17 UTC 2008
Hi

I'm trying to get grok to parse tcpdump output from port scanners but for some reason I can't get it to work.
This is what I have in my grok.conf
exec "tcpdump -li rl0 -n 2> /dev/null" {
    type "ssh-connect" {
        match = "%IP:SRC%.\d+ > %IP:DST%.22: S";
        reaction = "echo 'ssh-connect: %IP:SRC% -> %IP:DST%' >> /var/log/sshconnect";
    };
    type "port-scan" {
        match = "%IP:SRC%.%PORT% > %IP:DST%.%PORT:DST%: S";
        key = "%IP:SRC%";
        threshold = 5;
        interval = 5;
        reaction = "echo 'Port scan from %IP:SRC%' >> /var/log/portscan";
    };
};
The ssh part of it works: I get all the goodies in the sshconnect file, but when I run nmap against the system the portscan file stays empty.

Anyone that can help me with this, please?
Thanks
Reinhold
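The two rules in the posted grok.conf amount to two detections over tcpdump SYN lines: a per-packet match on destination port 22, and a count of SYNs keyed on the source address that fires once the count reaches the threshold within the interval. The script below is an added example, written for this page and not part of the original message or of grok itself; it implements that logic in Python over a constructed sample of "tcpdump -l -n" output (the addresses, ports and timestamps are made up). It goes slightly beyond the posted config in three ways: it accepts both the bare "S" flag column that the poster's tcpdump prints and the "Flags [S]" form that newer tcpdump releases print, it rejects SYN/ACK replies (which old-style output also prints with a leading "S", so a pattern ending in ": S" matches them too), and it counts distinct destination ports per source rather than raw SYNs, so retransmissions to a single closed port do not trip the threshold.

```python
import re
from collections import defaultdict, deque

# Constructed sample of "tcpdump -l -n" output (not a real capture).  Most lines
# use the old flag column ("S", and "S ... ack" for SYN/ACK) that the poster's
# tcpdump prints; the 203.0.113.7 line at 12:14:18 uses the "Flags [S]" form
# printed by newer tcpdump releases.
SAMPLE = """\
12:14:17.000100 IP 192.0.2.10.40001 > 198.51.100.5.22: S 1:1(0) win 65535
12:14:17.000200 IP 192.0.2.10.40002 > 198.51.100.5.80: S 2:2(0) win 65535
12:14:17.000300 IP 192.0.2.10.40003 > 198.51.100.5.443: S 3:3(0) win 65535
12:14:17.000400 IP 192.0.2.10.40004 > 198.51.100.5.25: S 4:4(0) win 65535
12:14:17.000500 IP 192.0.2.10.40005 > 198.51.100.5.110: S 5:5(0) win 65535
12:14:17.000600 IP 192.0.2.10.40006 > 198.51.100.5.143: S 6:6(0) win 65535
12:14:18.500000 IP 203.0.113.7.51000 > 198.51.100.5.22: Flags [S], seq 1, win 65535
12:14:19.000000 IP 198.51.100.5.22 > 203.0.113.7.51000: S 9:9(0) ack 2 win 65535
12:14:40.000000 IP 203.0.113.7.51001 > 198.51.100.5.23: S 7:7(0) win 65535
"""

# A TCP SYN (and only a SYN) in either tcpdump output style.  The negative
# lookahead rejects the old-style SYN/ACK, which is printed as "S ... ack N".
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:S (?!.*\back\b)|Flags \[S\])"
)


def parse_ts(ts):
    """Convert tcpdump's HH:MM:SS.frac timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class SynDetector:
    """Mirror of the two posted grok rules: 'ssh-connect' for every SYN to
    port 22, and 'port-scan' when one source SYNs to >= threshold distinct
    ports within interval seconds (keyed on the source IP, as key = "%IP:SRC%")."""

    def __init__(self, threshold=5, interval=5.0):
        self.threshold = threshold
        self.interval = interval
        self.recent = defaultdict(deque)  # src ip -> deque of (time, dst port)
        self.alerted = set()              # sources already reported this burst

    def feed(self, line):
        """Process one tcpdump line; return the alert strings it produced."""
        m = SYN_RE.match(line)
        if not m:
            return []                     # not a SYN (or not a TCP line at all)
        src, dst, dport = m["src"], m["dst"], m["dport"]
        t = parse_ts(m["ts"])
        alerts = []

        if dport == "22":
            alerts.append(f"ssh-connect: {src} -> {dst}")

        q = self.recent[src]
        q.append((t, dport))
        while q and t - q[0][0] > self.interval:   # slide the window forward
            q.popleft()
        ports_hit = {p for _, p in q}
        if len(ports_hit) >= self.threshold:
            if src not in self.alerted:
                alerts.append(f"Port scan from {src}")
                self.alerted.add(src)     # report once per burst, not per SYN
        else:
            self.alerted.discard(src)     # burst is over; a new one may alert again
        return alerts


def run(text, threshold=5, interval=5.0):
    """Run the detector over a block of tcpdump output; return all alerts in order."""
    det = SynDetector(threshold, interval)
    alerts = []
    for line in text.splitlines():
        alerts.extend(det.feed(line))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Run as-is it reports one ssh-connect line for each of the two sources and a single "Port scan from 192.0.2.10" once that source has hit five distinct ports inside the five-second window; the SYN/ACK from 198.51.100.5 and the lone SYN twenty seconds later do not count. To use it on live traffic, replace SAMPLE with lines read from sys.stdin and feed it from "tcpdump -l -n -i rl0", optionally with the BPF filter tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn so that only pure SYNs reach the parser in the first place.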