[Logwatch-Devel] Re: Logwatch - cisco analyzer

laurent.dufour at havas.com laurent.dufour at havas.com
Thu Dec 1 07:11:49 MST 2005


Hi Giovanni

Send your filter to the logwatch mailing list so we could test it.

I think it would be "cool" if someone from the logwatch team could
integrate your cisco pix filter to logwatch.

Cheers.

----------------------------------------------------------------------------------------

Laurent DUFOUR - HAVAS IT
Vice Chief Technical Officer - Directeur Technique Adjoint
2 Allée de Longchamp - 92281 - Suresnes - France
tel: +33 (0)158478830 - fax: +33 (0)1 58478815
mailto:laurent.dufour at havas.com
http://www.havas.com
----------------------------------------------------------------------------------------




From: Giovanni Mellini <giovanni.mellini@gmail.com>
To: laurent.dufour at havas.com
Date: 01/12/2005 15:03
Subject: Logwatch - cisco analyzer

Hi
I read your email address in the cisco file for logwatch you wrote.
I used your module many times and I appreciated your work :)

I have a customer that owns a Cisco PIX 505e, and this PIX logs to a
Linux slack10.1 box via syslog. So I have a file with only PIX logs.
I wrote a module for logwatch (I called it cisco-pix) that analyzes only
PIX logs and reports some useful information about them (I hope ;)

You can see a snapshot below.

[Snap]
 --------------------- cisco PIX logs Begin ------------------------

 +++++++++++++++++++++++++++++++
 + Short report                +
 +   attack merged by sender   +
 +   attack count for dest     +
 +++++++++++++++++++++++++++++++

 ICMP echo reply from  *.*.*.*
   *.*.*.*  - 1 time(s)
 ICMP unreachable from  *.*.*.*
   *.*.*.*  - 229 time(s)
   *.*.*.*  - 222 time(s)
 ICMP unreachable from  *.*.*.*
   *.*.*.*  - 4 time(s)
 ICMP unreachable from  *.*.*.*
   *.*.*.*  - 1 time(s)
 ICMP unreachable from  *.*.*.*
   *.*.*.*  - 19 time(s)
   *.*.*.*  - 7 time(s)
   *.*.*.*  - 12 time(s)

[cut]

 +++++++++++++++++++++++++++++++
 + Full report                 +
 +   date of the attack        +
 +   ip of sender and receiver +
 +++++++++++++++++++++++++++++++

 [ICMP echo reply]
 *** Total: 1 ***
 Dec  1 13:02:23 - from: *.*.*.*  to: *.*.*.*
 [/ICMP echo reply]

 [ICMP unreachable]
 *** Total: 495 ***
 Dec  1 12:56:37 - from: *.*.*.*  to: *.*.*.*
 Dec  1 12:56:37 - from: *.*.*.*  to: *.*.*.*
 Dec  1 12:56:40 - from: *.*.*.*  to: *.*.*.*
 Dec  1 12:56:42 - from: *.*.*.*  to: *.*.*.*
 Dec  1 12:56:46 - from: *.*.*.*  to: *.*.*.*

[cut]

[/Snap]

I read the attack signatures from a text file, and now I'm working on a
cron daemon that updates the signature file (based on the Cisco web site).

What do you think about it? I hope you'll enjoy it.
Send me feedback if you want.

Best regards

Giovanni Mellini

--
Giovanni Mellini
 GoogleTalk: giovanni.mellini at gmail.com
 ICQ# 77188394
 Skype id: g.mellini
 MSN: merlos at libero.it
 http://www.scubarda.net

(See attached file: giovanni.mellini.vcf)
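As an added example (not Giovanni's cisco-pix module and not logwatch code), the aggregation the report above describes, in Python: it parses constructed PIX "Deny icmp" syslog lines (the %PIX-4-106023 message layout is assumed from Cisco's documented syntax), maps the ICMP type to a label the way a signature file would, and builds the short report merged by sender with per-destination counts, plus the dated full report with totals.

```python
import re
from collections import defaultdict

# Constructed sample PIX syslog lines (not from the original message); the
# %PIX-4-106023 "Deny icmp" layout is assumed from Cisco's documented syntax.
SAMPLE_LOG = """\
Dec  1 12:56:37 pix %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst inside:192.0.2.10 (type 3, code 1) by access-group "outside_in"
Dec  1 12:56:37 pix %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst inside:192.0.2.11 (type 3, code 1) by access-group "outside_in"
Dec  1 12:56:40 pix %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst inside:192.0.2.10 (type 3, code 3) by access-group "outside_in"
Dec  1 13:02:23 pix %PIX-4-106023: Deny icmp src outside:198.51.100.4 dst inside:192.0.2.10 (type 0, code 0) by access-group "outside_in"
Dec  1 13:02:25 pix %PIX-6-302013: Built outbound TCP connection 5 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:192.0.2.10/4321 (192.0.2.10/4321)
"""

# Stand-in for the signature text file the message describes: ICMP type -> report label.
SIGNATURES = {0: "ICMP echo reply", 3: "ICMP unreachable", 8: "ICMP echo request"}

LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*%PIX-\d-106023: Deny icmp "
    r"src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+) \(type (?P<type>\d+), code \d+\)"
)

def parse_events(text):
    """Return (label, date, src, dst) for every denied-ICMP line matching a known signature."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # not an ICMP deny, or a message id we do not parse
        label = SIGNATURES.get(int(m["type"]))
        if label is None:
            continue            # ICMP type absent from the signature table
        events.append((label, m["date"], m["src"], m["dst"]))
    return events

def short_report(events):
    """Merge by (label, sender) and count hits per destination, like the 'Short report'."""
    counts = defaultdict(lambda: defaultdict(int))
    for label, _date, src, dst in events:
        counts[(label, src)][dst] += 1
    return {key: dict(dsts) for key, dsts in counts.items()}

def full_report(events):
    """Group dated from/to rows per label with a total, like the 'Full report'."""
    groups = defaultdict(list)
    for label, date, src, dst in events:
        groups[label].append((date, src, dst))
    return {label: {"total": len(rows), "rows": rows} for label, rows in groups.items()}
```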