grok not parsing tcpdump output

Reinhold freebsd at
Wed Aug 20 12:14:17 UTC 2008


I'm trying to get grok to parse tcpdump output from port scanners but for
some reason I can't get it to work.

This is what I have in my grok.conf:
exec "tcpdump -li rl0 -n 2> /dev/null" {
  type "ssh-connect" {
    match = "%IP:SRC%.\d+ > %IP:DST%.22: S";
    reaction = "echo 'ssh-connect: %IP:SRC% -> %IP:DST%' >>
  }
  type "port-scan" {
    match = "%IP:SRC%.%PORT% > %IP:DST%.%PORT:DST%: S";
    key = "%IP:SRC%";
    threshold = 5;
    interval = 5;
    reaction = "echo 'Port scan from %IP:SRC%' >> /var/log/portscan";
  }
}

The ssh part of it works: I get all the goodies in the sshconnect file, but
when I run nmap against the system the portscan file stays empty.

Anyone that can help me with this, please?
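As an added example, not part of the original post and not grok's own code: a small Python script that applies the same threshold/interval idea directly to tcpdump text, so the SYN matching and the per-source counting can be checked offline on saved output before going back to the grok config. Unlike the `match` line above it counts distinct destination ports per source in a sliding window, ignores SYN-ACK replies (`S ... ack` in the old tcpdump syntax shown above, `Flags [S.]` in tcpdump 4.x), and accepts both the old `: S seq:seq(0) win` flag syntax and the newer `Flags [S]`. The sample lines, addresses and ports are constructed for the example.

```python
import re
from collections import defaultdict, deque

# tcpdump -n output for a TCP segment whose only flag is SYN.  Pre-4.x tcpdump
# (the FreeBSD 7 era of this thread) prints "S seq:seq(0) win ..."; a SYN-ACK
# prints "S seq:seq(0) ack N win ..." and so fails the "(0) win" part.  tcpdump
# 4.x prints "Flags [S]" for SYN and "Flags [S.]" for SYN-ACK.
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}(?:\.\d+)?) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?:S \d+:\d+\(\d+\) win|Flags \[S\])"
)


def ts_seconds(ts):
    """Convert a tcpdump HH:MM:SS.usec timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_syn(line):
    """Return (ts, src, dst, dport) for a pure-SYN line, else None."""
    m = SYN_RE.match(line)
    if not m:
        return None
    return (ts_seconds(m["ts"]), m["src"], m["dst"], int(m["dport"]))


class ScanDetector:
    """Alert when one source SYNs `threshold` distinct (dst, port) pairs
    within `interval` seconds; re-alert only once the interval has passed."""

    def __init__(self, threshold=5, interval=5.0):
        self.threshold = threshold
        self.interval = interval
        self.window = defaultdict(deque)   # src -> deque of (ts, dst, dport)
        self.last_alert = {}               # src -> ts of last alert

    def feed(self, line):
        rec = parse_syn(line)
        if rec is None:
            return None
        ts, src, dst, dport = rec
        q = self.window[src]
        q.append((ts, dst, dport))
        # Drop SYNs older than the interval (sliding window keyed on src).
        while q and ts - q[0][0] > self.interval:
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        recently = src in self.last_alert and ts - self.last_alert[src] <= self.interval
        if len(targets) >= self.threshold and not recently:
            self.last_alert[src] = ts
            return f"Port scan from {src}: {len(targets)} ports in {self.interval:g}s"
        return None


def run(text, threshold=5, interval=5.0):
    """Feed every line of tcpdump text through the detector; return the alerts."""
    det = ScanDetector(threshold, interval)
    alerts = []
    for line in text.splitlines():
        alert = det.feed(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one real ssh connect (SYN + SYN-ACK), a six-port sweep
# from 10.0.0.9 within a few ms, and one lone SYN 28 s later in the new syntax.
SAMPLE = """\
12:14:01.000100 IP 10.0.0.5.40123 > 192.168.1.10.22: S 1000:1000(0) win 5840 <mss 1460>
12:14:01.000200 IP 192.168.1.10.22 > 10.0.0.5.40123: S 2000:2000(0) ack 1001 win 65535 <mss 1460>
12:14:02.100000 IP 10.0.0.9.51000 > 192.168.1.10.21: S 1:1(0) win 1024
12:14:02.100500 IP 10.0.0.9.51001 > 192.168.1.10.22: S 1:1(0) win 1024
12:14:02.101000 IP 10.0.0.9.51002 > 192.168.1.10.23: S 1:1(0) win 1024
12:14:02.101500 IP 10.0.0.9.51003 > 192.168.1.10.25: S 1:1(0) win 1024
12:14:02.102000 IP 10.0.0.9.51004 > 192.168.1.10.80: S 1:1(0) win 1024
12:14:02.102500 IP 10.0.0.9.51005 > 192.168.1.10.443: S 1:1(0) win 1024
12:14:30.000000 IP 10.0.0.9.51006 > 192.168.1.10.8080: Flags [S], seq 1, win 1024, length 0
"""

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(a)
```

On a live box this replaces the `exec` line: `tcpdump -lni rl0 -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | python3 detector.py` (reading `sys.stdin` instead of `SAMPLE`) keeps the SYN-ACK filtering in the BPF filter so the regex sees only inbound SYNs. Counting distinct ports rather than raw lines also means a single busy client retrying one port does not trip the threshold.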


