Date: Wed, 20 Aug 2008 13:14:15 +0100 (BST)
From: "Reinhold" <freebsd@violetlan.net>
To: freebsd-questions@freebsd.org
Subject: grok not parsing tcpdump output
Message-ID: <60643.217.45.165.129.1219234455.squirrel@www.violetlan.net>
Hi,

I'm trying to get grok to parse tcpdump output from port scanners, but for some reason I can't get it to work. This is what I have in my grok.conf:

    exec "tcpdump -li rl0 -n 2> /dev/null" {
        type "ssh-connect" {
            match = "%IP:SRC%.\d+ > %IP:DST%.22: S";
            reaction = "echo 'ssh-connect: %IP:SRC% -> %IP:DST%' >> /var/log/sshconnect";
        };
        type "port-scan" {
            match = "%IP:SRC%.%PORT% > %IP:DST%.%PORT:DST%: S";
            key = "%IP:SRC%";
            threshold = 5;
            interval = 5;
            reaction = "echo 'Port scan from %IP:SRC%' >> /var/log/portscan";
        };
    };

The ssh part of it works, I get all the goodies in the sshconnect file, but when I run nmap against the system the portscan file stays empty.

Anyone that can help me with this, please?

Thanks,
Reinhold
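The two rules in the post (log every SYN to port 22, and raise an alert when one source sends a threshold of SYNs within an interval) can be reproduced outside grok to check the detection logic on known input. The block below is an added example written for this page; it is not grok's code and not the poster's, and it reads constructed tcpdump lines rather than a live capture. It assumes the line layout of `tcpdump -n` (IPv4, TCP) and accepts both the older flag notation (`S`) and the newer one (`Flags [S]`), since which one you see depends on the tcpdump version. Two design choices are mine rather than grok's: pure SYNs only (a SYN-ACK from the scanned host, which carries `ack` in the old notation or `[S.]` in the new one, is not counted), and the threshold is applied to distinct destination ports per source inside a sliding window rather than to raw match counts.

```python
"""Reimplementation of the post's 'ssh-connect' and 'port-scan' rules in plain
Python, driven by constructed sample lines instead of a live tcpdump."""
import re
from collections import defaultdict, deque

# One IPv4 TCP line as printed by "tcpdump -n".  Both flag notations are
# accepted (assumption: older tcpdump prints "S", newer "Flags [S]").  The
# negative lookahead after "S " rejects old-style SYN-ACKs, whose flag word is
# followed by "seq:seq(0) ack N"; "Flags [S.]" never matches "Flags [S]".
SYN_LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<frac>\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?:S (?!\S+ ack )|Flags \[S\])"
)


def parse_syn(line):
    """Return (seconds_since_midnight, src, sport, dst, dport) for a pure SYN
    line, or None for anything else (non-TCP, SYN-ACK, data segments...)."""
    m = SYN_LINE.match(line)
    if not m:
        return None
    t = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
         + int(m["frac"]) / 10 ** len(m["frac"]))
    return t, m["src"], int(m["sport"]), m["dst"], int(m["dport"])


class ScanDetector:
    """Per-source sliding window: alert once when a source has sent SYNs to
    >= threshold distinct (dst, dport) targets within `interval` seconds."""

    def __init__(self, threshold=5, interval=5.0):
        self.threshold = threshold
        self.interval = interval
        self.window = defaultdict(deque)  # src -> deque of (t, dst, dport)

    def feed(self, t, src, dst, dport):
        q = self.window[src]
        q.append((t, dst, dport))
        while q and t - q[0][0] > self.interval:  # expire old entries
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= self.threshold:
            q.clear()  # one alert per burst, then start counting again
            return True
        return False


def run(lines, threshold=5, interval=5.0):
    """Apply both rules to tcpdump lines.  Returns the two 'log files' as lists
    of strings (the post appends the same text to /var/log/sshconnect and
    /var/log/portscan)."""
    ssh_log, scan_log = [], []
    det = ScanDetector(threshold, interval)
    for line in lines:
        rec = parse_syn(line)
        if rec is None:
            continue
        t, src, _sport, dst, dport = rec
        if dport == 22:
            ssh_log.append(f"ssh-connect: {src} -> {dst}")
        if det.feed(t, src, dst, dport):
            scan_log.append(f"Port scan from {src}")
    return ssh_log, scan_log


# Constructed sample capture (not real traffic): one ssh client, its SYN-ACK
# reply, a six-port SYN sweep from a second host (last line in new notation),
# and a second ssh connection from the first client.
SAMPLE = """\
13:14:15.000100 IP 192.0.2.10.51000 > 198.51.100.7.22: S 100:100(0) win 65535 <mss 1460>
13:14:15.000400 IP 198.51.100.7.22 > 192.0.2.10.51000: S 900:900(0) ack 101 win 65535 <mss 1460>
13:14:16.000000 IP 192.0.2.99.40001 > 198.51.100.7.21: S 1:1(0) win 1024
13:14:16.000100 IP 192.0.2.99.40002 > 198.51.100.7.22: S 2:2(0) win 1024
13:14:16.000200 IP 192.0.2.99.40003 > 198.51.100.7.23: S 3:3(0) win 1024
13:14:16.000300 IP 192.0.2.99.40004 > 198.51.100.7.25: S 4:4(0) win 1024
13:14:16.000400 IP 192.0.2.99.40005 > 198.51.100.7.80: S 5:5(0) win 1024
13:14:16.000500 IP 192.0.2.99.40006 > 198.51.100.7.443: Flags [S], seq 6, win 1024, length 0
13:14:30.000000 IP 192.0.2.10.51001 > 198.51.100.7.22: S 200:200(0) win 65535 <mss 1460>
"""

if __name__ == "__main__":
    ssh, scans = run(SAMPLE.splitlines())
    print("\n".join(ssh))
    print("\n".join(scans))
```

On the sample, the ssh log gets three entries (two from 192.0.2.10, one from the sweep, whose fourth probe hits port 22), the SYN-ACK line is ignored, and the scan log gets exactly one "Port scan from 192.0.2.99" at the fifth distinct port; the repeated SYNs from 192.0.2.10 to the same port never reach the threshold.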