Thanks Again Henning!!!<br>
I truly appreciate it!<br><br><div><span class="gmail_quote">On 12/15/05, <b class="gmail_sendername">Henning Markussen</b> &lt;<a href="mailto:hm@mib.dk">hm@mib.dk</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Antonio Brown wrote:<br>&gt; Hello All,<br>&gt;<br>&gt; I was wondering which of the two formats below would you use when<br>&gt; filtering using syslog-ng:<br>&gt;<br>&gt; filter f_pix&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{ match(PIX) and not<br>&gt; match(&quot;
1.2.3.4|1.2.3.4|1.2.3.4|1.2.3.4|netmask(&quot;*MailScanner warning:<br>&gt; numerical links are often malicious:*<br>&gt; <a href="http://1.2.3.4/28&quot;)|netmask(&quot;1.2.3.4/20&quot;)|netmask(&quot;1.2.3.4/22&quot;)|netmask(&quot;1.2.3.4/28&quot;)">
1.2.3.4/28&quot;)|netmask(&quot;1.2.3.4/20&quot;)|netmask(&quot;1.2.3.4/22&quot;)|netmask(&quot;1.2.3.4/28&quot;)</a><br>&gt; &lt;<a href="http://1.2.3.4/28&quot;)|netmask(&quot;1.2.3.4/20&quot;)|netmask(&quot;1.2.3.4/22&quot;)|netmask(&quot;1.2.3.4/28&quot;)">
http://1.2.3.4/28&quot;)|netmask(&quot;1.2.3.4/20&quot;)|netmask(&quot;1.2.3.4/22&quot;)|netmask(&quot;1.2.3.4/28&quot;)</a>&gt;&quot;)<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;};<br>&gt;<br>&gt; or......<br>&gt;<br>&gt; filter f_pix&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{ match(PIX)
<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
and not match(*MailScanner warning: numerical links are<br>&gt; often malicious:* <a href="http://1.2.3.4">1.2.3.4</a> &lt;<a href="http://1.2.3.4">http://1.2.3.4</a>&gt;)<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
and not match(*MailScanner warning: numerical<br>&gt; links are often malicious:* <a href="http://1.2.3.4">1.2.3.4</a> &lt;<a href="http://1.2.3.4">http://1.2.3.4</a>&gt;)<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
and not match(*MailScanner warning: numerical<br>&gt; links are often malicious:* <a href="http://1.2.3.4">1.2.3.4</a> &lt;<a href="http://1.2.3.4">http://1.2.3.4</a>&gt;)<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
and not match(*MailScanner warning: numerical<br>&gt; links are often malicious:* <a href="http://1.2.3.4">1.2.3.4</a> &lt;<a href="http://1.2.3.4">http://1.2.3.4</a>&gt;)<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
and not match(netmask(&quot;*MailScanner warning:<br>&gt; numerical links are often malicious:* <a href="http://1.2.3.4/28&quot;))">1.2.3.4/28&quot;))</a> &lt;<a href="http://1.2.3.4/28&quot;))">http://1.2.3.4/28&quot;))
</a>&gt;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
and not match(netmask(&quot;*MailScanner warning:<br>&gt; numerical links are often malicious:* <a href="http://1.2.3.4/20&quot;))">1.2.3.4/20&quot;))</a> &lt;<a href="http://1.2.3.4/20&quot;))">http://1.2.3.4/20&quot;))
</a>&gt;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
and not match(netmask(&quot;*MailScanner warning:<br>&gt; numerical links are often malicious:* <a href="http://1.2.3.4/22&quot;))">1.2.3.4/22&quot;))</a> &lt;<a href="http://1.2.3.4/22&quot;))">http://1.2.3.4/22&quot;))
</a>&gt;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
and not match(netmask(&quot;*MailScanner warning:<br>&gt; numerical links are often malicious:* <a href="http://1.2.3.4/28&quot;))">1.2.3.4/28&quot;))</a> &lt;<a href="http://1.2.3.4/28&quot;))">http://1.2.3.4/28&quot;))
</a>&gt;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;};<br>&gt;<br>&gt; I am currently using the latter, but it seems as if the individual ips<br>&gt; and subnets would only be filtered if ALL is true. Would using &quot;|&quot;, like<br>&gt; in the first format, check for each individual ip or subnet and filter
<br>&gt; accordingly? When I say filter I mean, I would like everything except<br>&gt; for the individual IPs and subnets specified. I am not certain that this<br>&gt; is appropriate format for filtering subnets, please advise....
<br>&gt;<br>&gt; Thank You, in advance for your assistance!!!<br>&gt;<br>&gt;<br>&gt; ------------------------------------------------------------------------<br>&gt;<br>&gt; _______________________________________________
<br>&gt; syslog-ng maillist&nbsp;&nbsp;-&nbsp;&nbsp;<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><br>&gt; <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng
</a><br>&gt; Frequently asked questions at <a href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a><br>&gt;<br><br>the syntax for a <a href="http://10.0.0.0/24">10.0.0.0/24</a> netmask is
<br>netmask(&quot;<a href="http://10.0.0.0/255.255.255.0">10.0.0.0/255.255.255.0</a>&quot;)<br><br>- Henning<br><br>_______________________________________________<br>syslog-ng maillist&nbsp;&nbsp;-&nbsp;&nbsp;<a href="mailto:syslog-ng@lists.balabit.hu">
syslog-ng@lists.balabit.hu</a><br><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>Frequently asked questions at <a href="http://www.campin.net/syslog-ng/faq.html">
http://www.campin.net/syslog-ng/faq.html</a><br><br></blockquote></div><br>