[Logwatch-Devel] Re: Logwatch - cisco analyzer

Giovanni Mellini giovanni.mellini at gmail.com
Thu Dec 1 07:30:04 MST 2005


OK
I'm working to finish some features and I'll send it to the ML in a few days.

Thanks very much

Giovanni

laurent.dufour at havas.com wrote:
> Hi Giovanni
> 
> Send your filter to the logwatch mailing list so we can test it.
> 
> I think it would be "cool" if someone from the logwatch team could
> integrate your cisco pix filter to logwatch.
> 
> Cheers.
> 
> ----------------------------------------------------------------------------------------
> 
> Laurent DUFOUR - HAVAS IT
> Vice Chief Technical Officer - Directeur Technique Adjoint
> 2 Allée de Longchamp - 92281 - Suresnes - France
> tel: +33 (0)158478830 - fax: +33 (0)1 58478815
> mailto:laurent.dufour at havas.com
> http://www.havas.com
> ----------------------------------------------------------------------------------------
> 
> From: Giovanni Mellini <giovanni.mellini at gmail.com>
> To: laurent.dufour at havas.com
> Date: 01/12/2005 15:03
> Subject: Logwatch - cisco analyzer
> 
> Hi
> I read your email address in the cisco file for logwatch that you wrote.
> I used your module many times and I appreciated your work :)
> 
> I have a customer that owns a Cisco PIX 505e and this PIX logs via syslog to a
> Linux slack10.1 machine. So I have a file with only PIX logs.
> I wrote a module for logwatch (I called it cisco-pix) that analyzes only
> PIX logs and reports some useful information about them (I hope ;)
> 
> You can see a snapshot below
> 
> [Snap]
>  --------------------- cisco PIX logs Begin ------------------------
> 
>  +++++++++++++++++++++++++++++++
>  + Short report                +
>  +   attack merged by sender   +
>  +   attack count for dest     +
>  +++++++++++++++++++++++++++++++
> 
>  ICMP echo reply from  *.*.*.*
>    *.*.*.*  - 1 time(s)
>  ICMP unreachable from  *.*.*.*
>    *.*.*.*  - 229 time(s)
>    *.*.*.*  - 222 time(s)
>  ICMP unreachable from  *.*.*.*
>    *.*.*.*  - 4 time(s)
>  ICMP unreachable from  *.*.*.*
>    *.*.*.*  - 1 time(s)
>  ICMP unreachable from  *.*.*.*
>    *.*.*.*  - 19 time(s)
>    *.*.*.*  - 7 time(s)
>    *.*.*.*  - 12 time(s)
> 
> [cut]
> 
>  +++++++++++++++++++++++++++++++
>  + Full report                 +
>  +   date of the attack        +
>  +   ip of sender and receiver +
>  +++++++++++++++++++++++++++++++
> 
>  [ICMP echo reply]
>  *** Total: 1 ***
>  Dec  1 13:02:23 - from: *.*.*.*  to: *.*.*.*
>  [/ICMP echo reply]
> 
>  [ICMP unreachable]
>  *** Total: 495 ***
>  Dec  1 12:56:37 - from: *.*.*.*  to: *.*.*.*
>  Dec  1 12:56:37 - from: *.*.*.*  to: *.*.*.*
>  Dec  1 12:56:40 - from: *.*.*.*  to: *.*.*.*
>  Dec  1 12:56:42 - from: *.*.*.*  to: *.*.*.*
>  Dec  1 12:56:46 - from: *.*.*.*  to: *.*.*.*
> 
> [cut]
> 
> [/Snap]
> 
> I read the attack signatures from a text file and now I'm working on a
> cron daemon that updates the signature file (based on the Cisco web site).
> 
> What do you think about it? I hope you'll enjoy it.
> Send me feedback if you want.
> 
> Best regards
> 
> Giovanni Mellini
> 
> --
> Giovanni Mellini
>  GoogleTalk: giovanni.mellini at gmail.com
>  ICQ# 77188394
>  Skype id: g.mellini
>  MSN: merlos at libero.it
>  http://www.scubarda.net
> 
>             .-.  .---.  .-.
>            /   `'`. .'`'   \
>           / .''___ V ___``. \
>          /.'     /---\     `.\
> 
>              http://www.ascii-art.de
> (See attached file: giovanni.mellini.vcf)

-- 
Giovanni Mellini
 GoogleTalk: giovanni.mellini at gmail.com
 ICQ# 77188394
 Skype id: g.mellini
 MSN: merlos at libero.it
 http://www.scubarda.net

            .-.  .---.  .-.
           /   `'`. .'`'   \
          / .''___ V ___``. \
         /.'     /---\     `.\

	http://www.ascii-art.de