Date:      Wed, 20 Aug 2008 13:14:15 +0100 (BST)
From:      "Reinhold" <freebsd@violetlan.net>
To:        freebsd-questions@freebsd.org
Subject:   grok not parsing tcpdump output
Message-ID:  <60643.217.45.165.129.1219234455.squirrel@www.violetlan.net>

Hi

I'm trying to get grok to parse tcpdump output from port scanners but for
some reason I can't get it to work.

This is what I have in my grok.conf
exec "tcpdump -li rl0 -n 2> /dev/null" {
  type "ssh-connect" {
    match = "%IP:SRC%.\d+ > %IP:DST%.22: S";
    reaction = "echo 'ssh-connect: %IP:SRC% -> %IP:DST%' >> /var/log/sshconnect";
  };
  type "port-scan" {
    match = "%IP:SRC%.%PORT% > %IP:DST%.%PORT:DST%: S";
    key = "%IP:SRC%";
    threshold = 5;
    interval = 5;
    reaction = "echo 'Port scan from %IP:SRC%' >> /var/log/portscan";
  };
};

The ssh part of it works; I get all the goodies in the sshconnect file, but
when I run nmap against the system the portscan file stays empty.

Anyone who can help me with this, please?

Thanks
Reinhold
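The same detection logic written out in Python, as an added example that is not part of the thread and not grok's own code: it parses SYN lines from tcpdump -n (both the old ": S" flag style the poster's patterns match and the newer "Flags [S]" style), logs ssh connects, and raises one port-scan event when a single source has hit five distinct destination ports within five seconds, the threshold and interval from the grok.conf above. The sample lines and addresses are constructed, and counting distinct ports rather than raw matches is a choice made here.

```python
import re
from collections import defaultdict, deque

# SYN line from "tcpdump -n": old ": S" flag style and newer "Flags [S]" style.
SYN_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)'
    r' > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?:S |Flags \[S\])'
)

def parse_syn(line):
    """Return (seconds since midnight, src, dst, dport) for a SYN line, else None."""
    m = SYN_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m['ts'].split(':'))
    return h * 3600 + mi * 60 + s, m['src'], m['dst'], int(m['dport'])

class ScanDetector:
    """Key on the source address, like key = "%IP:SRC%" in the grok.conf."""
    def __init__(self, threshold=5, interval=5):
        self.threshold, self.interval = threshold, interval
        self.window = defaultdict(deque)   # src -> deque of (time, dport)
        self.alerted = set()               # alert once per source

    def feed(self, line):
        """Return the events ('ssh-connect' / 'port-scan') this line triggers."""
        parsed = parse_syn(line)
        if parsed is None:
            return []
        t, src, dst, dport = parsed
        events = []
        if dport == 22:                    # the "ssh-connect" type
            events.append(('ssh-connect', src, dst))
        q = self.window[src]
        q.append((t, dport))
        while q and t - q[0][0] > self.interval:   # drop SYNs outside the interval
            q.popleft()
        if len({p for _, p in q}) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            events.append(('port-scan', src, None))
        return events

# Constructed sample of tcpdump output (five ports from one host in 3 seconds).
SAMPLE = """\
13:14:15.000001 IP 198.51.100.7.40001 > 192.0.2.10.22: S 10:10(0) win 5840 <mss 1460>
13:14:16.000002 IP 198.51.100.7.40002 > 192.0.2.10.80: S 11:11(0) win 5840
13:14:16.000003 IP 198.51.100.7.40003 > 192.0.2.10.443: S 12:12(0) win 5840
13:14:17.000004 IP 198.51.100.7.40004 > 192.0.2.10.25: S 13:13(0) win 5840
13:14:17.000005 IP 198.51.100.7.40005 > 192.0.2.10.110: S 14:14(0) win 5840
13:14:18.000006 IP 203.0.113.9.51000 > 192.0.2.10.22: Flags [S], seq 1, win 65535
13:14:18.000007 IP 203.0.113.9.51001 > 192.0.2.10.22: . ack 2 win 65535
"""

def run(text, threshold=5, interval=5):
    det = ScanDetector(threshold, interval)
    return [ev for line in text.splitlines() for ev in det.feed(line)]
```

Feeding `sys.stdin` line by line to `ScanDetector.feed` in place of `SAMPLE` gives the live equivalent of the exec block, reading from `tcpdump -li rl0 -n`.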