Thanks Again Henning!!!
I truly appreciate it!

On 12/15/05, Henning Markussen <hm@mib.dk> wrote:
Antonio Brown wrote:
> Hello All,
>
> I was wondering which of the two formats below would you use when
> filtering using syslog-ng:
>
> filter f_pix          { match(PIX) and not
> match(" 1.2.3.4|1.2.3.4|1.2.3.4|1.2.3.4|netmask("1.2.3.4/28")|netmask("1.2.3.4/20")|netmask("1.2.3.4/22")|netmask("1.2.3.4/28")")
>      };
>
> or......
>
> filter f_pix          { match(PIX)
>                         and not match(1.2.3.4)
>                         and not match(1.2.3.4)
>                         and not match(1.2.3.4)
>                         and not match(1.2.3.4)
>                         and not match(netmask("1.2.3.4/28"))
>                         and not match(netmask("1.2.3.4/20"))
>                         and not match(netmask("1.2.3.4/22"))
>                         and not match(netmask("1.2.3.4/28"))
>      };
>
> I am currently using the latter, but it seems as if the individual IPs
> and subnets would only be filtered if ALL is true. Would using "|", like
> in the first format, check for each individual IP or subnet and filter
> accordingly? When I say filter I mean, I would like everything except
> for the individual IPs and subnets specified. I am not certain that this
> is the appropriate format for filtering subnets, please advise....
>
> Thank You, in advance for your assistance!!!
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>

The syntax for a 10.0.0.0/24 netmask is
netmask("10.0.0.0/255.255.255.0")

- Henning
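
Added example, not part of the original thread: a Python helper that converts CIDR entries into the `netmask("address/mask")` form given above and renders a syslog-ng filter from them. It also models the chained `and not` form beside a grouped `not (... or ...)` form to show that both drop a sender matching any single entry. The addresses, the sample message and all function names are constructed for illustration; `netmask()` tests the address of the host that sent the message, and a substring test stands in for `match()` here.

```python
import ipaddress

# Constructed sample exclusions: one host and three subnets (not from the post).
EXCLUDED = ["192.0.2.10", "10.0.0.0/24", "10.20.16.0/20", "10.30.4.0/22"]

def to_netmask_arg(spec):
    """Turn '10.0.0.0/24' into '10.0.0.0/255.255.255.0'; a bare IP gets a /32 mask.

    Raises ValueError when host bits are set (e.g. '1.2.3.4/28'), usually a typo.
    """
    return ipaddress.ip_network(spec, strict=True).with_netmask

def build_filter(name, tag, excluded):
    """Render a filter: message matches `tag` and the sender is in none of `excluded`."""
    terms = "\n        or ".join(f'netmask("{to_netmask_arg(s)}")' for s in excluded)
    return (f'filter {name} {{\n    match("{tag}")\n'
            f'    and not (\n        {terms}\n    );\n}};')

def passes_grouped(message, sender_ip, tag, excluded):
    """Model of: match(tag) and not (n1 or n2 or ...)."""
    addr = ipaddress.ip_address(sender_ip)
    return tag in message and not any(addr in ipaddress.ip_network(s) for s in excluded)

def passes_chained(message, sender_ip, tag, excluded):
    """Model of: match(tag) and not n1 and not n2 ... (one 'and not' per entry)."""
    addr = ipaddress.ip_address(sender_ip)
    return tag in message and all(addr not in ipaddress.ip_network(s) for s in excluded)

if __name__ == "__main__":
    print(build_filter("f_pix", "PIX", EXCLUDED))
    msg = "%PIX-6-302013: Built outbound TCP connection"  # constructed sample line
    for ip in ("192.0.2.10", "10.20.17.5", "10.20.32.1"):
        print(ip, passes_grouped(msg, ip, "PIX", EXCLUDED),
              passes_chained(msg, ip, "PIX", EXCLUDED))
```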
