Date:      Fri, 15 Dec 2000 18:41:51 +0100
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Extended ipfw Logging
Message-ID:  <20001215184150.K253@speedy.gsinet>
In-Reply-To: <200012150443.PAA19298@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Fri, Dec 15, 2000 at 03:43:48PM +1100
References:  <20001214205854.J253@speedy.gsinet> <200012150443.PAA19298@caligula.anu.edu.au>

On Fri, Dec 15, 2000 at 15:43 +1100, Darren Reed wrote:
> In some mail from Gerhard Sittig, sie said:
> > 
> > Why not have the "verbosity" written in the matching rule?
> > One surely doesn't want to bloat *all* logged entries (not
> > even log all denials, and maybe log some accepted packets
> > too).
> 
> Getting back to what you are discussing here, the problem I
> have with variable verbosity is the text then becomes irregular
> for the purpose of parsing and analysis.

The most probable (from my POV) application for different
verbosity depending on the matching rule would be to, say, log
some UDP packets with "log body" while just doing "log" or "log
first" for the fact that some TCP packet was dropped -- since the
first TCP packet (SYN) doesn't contain level 5+ payload and
reading the body in hex is not any more informative than reading
its textual representation of the header immediately above.

Speaking of "irregular log text layout" we already have this. :)
The "Nx" for repeated matches between the timestamp and the
interface name does already shift the rest of the line.  Maybe
those log lines without the count number should have a place
holder, too?  But then one could start printing IPs with "maximum
width" etc to have everything aligned for the (human) reader.  I
see, thinking about this is getting endless ...

And maybe I'm just missing how the verbosity level differs from
the "simple" (since two stage only) header / header + body
logging.  Maybe having ipfw log a line like it does now and maybe
printing a "continuation line" with additional data when asked to
do so in the matching rule would be a way to go.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
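
The parsing concern raised in this exchange, an optional repeat count that shifts the remaining fields of the line, is easiest to handle by pulling the optional token out and anchoring the rest on keywords rather than on positions. The following is an added example, not part of the original message and not FreeBSD's ipfw or syslogd code: the sample lines are constructed to approximate the layout the message describes (rule number, action, protocol, source, destination, direction, interface), the position of the `Nx` token within the line is an assumption, and the field order is not taken from the ipfw sources.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines. The layout approximates the ipfw syslog output the
# message discusses but is NOT copied from FreeBSD; "3x" stands for the repeat
# count that the message says shifts the rest of the line.
SAMPLE_LINES = [
    "Dec 15 18:41:51 speedy /kernel: ipfw: 300 Deny TCP 10.0.0.5:1025 192.168.1.1:22 in via fxp0",
    "Dec 15 18:41:52 speedy /kernel: ipfw: 300 Deny 3x TCP 10.0.0.5:1026 192.168.1.1:22 in via fxp0",
    "Dec 15 18:41:53 speedy /kernel: ipfw: 500 Accept UDP 10.0.0.5:53 192.168.1.1:53 out via fxp0",
    "Dec 15 18:41:54 speedy /kernel: ipfw: 400 Deny ICMP 10.0.0.9 192.168.1.1 in via fxp0",
]

COUNT_RE = re.compile(r"^(\d+)x$")  # the optional repeat-count token


@dataclass
class IpfwEvent:
    timestamp: str
    rule: int
    action: str
    repeats: int
    proto: str
    src: str
    dst: str
    direction: str
    interface: str


def parse_line(line: str) -> Optional[IpfwEvent]:
    """Parse one log line; return None for lines that do not fit the layout."""
    head, sep, body = line.partition(" ipfw: ")
    if not sep:
        return None
    timestamp = " ".join(head.split()[:3])
    # Pull the optional "Nx" token out wherever it sits, so the remaining
    # positional fields line up the same way for every line.
    repeats = 1
    fields: List[str] = []
    for tok in body.split():
        m = COUNT_RE.match(tok)
        if m and repeats == 1:
            repeats = int(m.group(1))
        else:
            fields.append(tok)
    # Direction and interface are keyword-anchored: "<in|out> via <ifname>".
    try:
        via = fields.index("via")
    except ValueError:
        return None
    if via < 1 or via + 1 >= len(fields):
        return None
    direction, interface = fields[via - 1], fields[via + 1]
    core = fields[: via - 1]
    if len(core) != 5 or not core[0].isdigit():
        return None
    rule, action, proto, src, dst = core
    return IpfwEvent(timestamp, int(rule), action, repeats,
                     proto, src, dst, direction, interface)


def deny_counts(lines: List[str]) -> Dict[str, int]:
    """Denied packets per source address, weighting each line by its repeat count."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.action != "Deny":
            continue
        src_ip = ev.src.rsplit(":", 1)[0]  # strip the port when present
        counts[src_ip] = counts.get(src_ip, 0) + ev.repeats
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(deny_counts(SAMPLE_LINES))
```

The parser treats the count as metadata rather than as a positional field, so a line with and a line without the token yield records of the same shape; the `deny_counts` helper shows why that matters, since ignoring the count would undercount the repeated matches.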


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001215184150.K253>