From owner-freebsd-security Fri Dec 15 12:16:14 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 15 12:16:08 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 9D79437B404 for ; Fri, 15 Dec 2000 12:16:07 -0800 (PST)
Received: (qmail 12769 invoked by uid 0); 15 Dec 2000 20:16:06 -0000
Received: from p3ee21663.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.99) by mail.gmx.net (mail07) with SMTP; 15 Dec 2000 20:16:06 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id SAA12031 for freebsd-security@FreeBSD.ORG; Fri, 15 Dec 2000 18:41:51 +0100
Date: Fri, 15 Dec 2000 18:41:51 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Extended ipfw Logging
Message-ID: <20001215184150.K253@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20001214205854.J253@speedy.gsinet> <200012150443.PAA19298@caligula.anu.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200012150443.PAA19298@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Fri, Dec 15, 2000 at 03:43:48PM +1100
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Dec 15, 2000 at 15:43 +1100, Darren Reed wrote:
> In some mail from Gerhard Sittig, sie said:
> >
> > Why not have the "verbosity" written in the matching rule?
> > One surely doesn't want to bloat *all* logged entries (not
> > even log all denials, and maybe log some accepted packets
> > too).
>
> Getting back to what you are discussing here, the problem I
> have with variable verbosity is the text then becomes irregular
> for the purpose of parsing and analysis.

The most probable (from my POV) application for different verbosity depending on the matching rule would be to, say, log some UDP packets with "log body" while just doing "log" or "log first" for the fact that some TCP packet was dropped -- since the first TCP packet (SYN) doesn't contain level 5+ payload and reading the body in hex is not any more informative than reading its textual representation of the header immediately above.

Speaking of "irregular log text layout", we already have this. :) The "Nx" for repeated matches between the timestamp and the interface name does already shift the rest of the line. Maybe those log lines without the count number should have a placeholder, too? But then one could start printing IPs with "maximum width" etc. to have everything aligned for the (human) reader. I see, thinking about this is getting endless ...

And maybe I'm just missing how the verbosity level differs from the "simple" (since two stage only) header / header + body logging. Maybe having ipfw log a line like it does now and maybe printing a "continuation line" with additional data when asked to do so in the matching rule would be a way to go.

virtually yours   82D1 9B9C  01DC 4FB4 D7B4  61BE 3F49 4F77  72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
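The irregularity the thread is about (an optional "Nx" repeat-count token shifting the rest of an ipfw log line, and the resulting trouble for parsing and analysis) is easy to see in a small log parser. The following is an added example written for this page, not code from the thread or from FreeBSD. The sample log lines are constructed and only approximate the ipfw syslog layout of the era; the position of the "3x" token, the "ICMP:type.code" protocol field and the "limit ... reached" message are assumptions, so the parser is written to tolerate the count token wherever it appears rather than relying on a fixed column, and to reject lines that do not fit the expected shape instead of mis-attributing their fields.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, approximating FreeBSD 4-era ipfw syslog output.
# The "3x" token on the second line stands for the repeat count discussed
# in the thread; its presence shifts every later field by one token.
# The last line is a constructed non-packet kernel message that a naive
# positional parser would otherwise mis-read as a packet record.
SAMPLE_LOG = """\
Dec 15 18:41:51 speedy /kernel: ipfw: 300 Deny TCP 10.1.2.3:4321 10.9.8.7:23 in via ed0
Dec 15 18:41:52 speedy /kernel: ipfw: 300 Deny 3x TCP 10.1.2.3:4322 10.9.8.7:23 in via ed0
Dec 15 18:41:53 speedy /kernel: ipfw: 400 Accept UDP 10.1.2.3:53 10.9.8.7:53 out via ed0
Dec 15 18:41:54 speedy /kernel: ipfw: 500 Deny ICMP:8.0 10.1.2.3 10.9.8.7 in via ed0
Dec 15 18:41:55 speedy /kernel: ipfw: limit 10 reached on entry 300
"""

# Syslog prefix up to and including "ipfw: "; everything after it is the
# firewall's own text, which is what the thread's layout question is about.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ ipfw: (?P<rest>.*)$"
)
COUNT = re.compile(r"^(\d+)x$")  # the optional "Nx" repeat-count token


@dataclass
class IpfwRecord:
    """One packet log entry normalized to a fixed set of fields."""
    timestamp: str
    host: str
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str
    repeat: int = 1  # 1 unless an "Nx" token was present


def split_endpoint(token: str):
    """Split 'addr:port' into (addr, port); addr-only tokens (ICMP) give port None."""
    addr, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return addr, int(port)
    return token, None


def parse_line(line: str) -> Optional[IpfwRecord]:
    """Parse one syslog line; return None for lines that are not packet records."""
    m = HEADER.match(line.rstrip())
    if not m:
        return None
    tokens = m.group("rest").split()
    repeat = 1
    # Pull the optional repeat-count token out wherever it sits, so the
    # positional parse below sees the same layout with or without it.
    for i, tok in enumerate(tokens):
        cm = COUNT.match(tok)
        if cm:
            repeat = int(cm.group(1))
            del tokens[i]
            break
    # Expected shape: rule action proto src dst direction "via" iface
    if len(tokens) < 8 or tokens[-2] != "via" or not tokens[0].isdigit():
        return None
    rule, action, proto, src_tok, dst_tok = tokens[:5]
    direction, iface = tokens[-3], tokens[-1]
    src, sport = split_endpoint(src_tok)
    dst, dport = split_endpoint(dst_tok)
    return IpfwRecord(m.group("ts"), m.group("host"), int(rule), action, proto,
                      src, sport, dst, dport, direction, iface, repeat)


def parse_log(text: str):
    """Return (records, rejected_lines); rejected lines are kept for review."""
    records, rejected = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def denied_hits_per_source(records):
    """Count denied packets per source address, weighting by the repeat count."""
    totals = {}
    for r in records:
        if r.action == "Deny":
            totals[r.src] = totals.get(r.src, 0) + r.repeat
    return totals


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("rejected:", bad)
    print("denied per source:", denied_hits_per_source(recs))
```

The point of the normalization step is that analysis code downstream (here the per-source denial count) never has to know whether the count token was present; that is the property a fixed-layout primary line plus an optional continuation line, as proposed in the message, would also give a parser.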