Antonio Brown wrote:
Hello All,
I was wondering which of the two formats below you would use when filtering with syslog-ng:
filter f_pix { match(PIX) and not match("1.2.3.4|1.2.3.4|1.2.3.4|1.2.3.4|netmask("1.2.3.4/28")|netmask("1.2.3.4/20")|netmask("1.2.3.4/22")|netmask("1.2.3.4/28")") };
or......
filter f_pix { match(PIX) and not match(1.2.3.4) and not match(1.2.3.4) and not match(1.2.3.4) and not match(1.2.3.4) and not match(netmask("1.2.3.4/28")) and not match(netmask("1.2.3.4/20")) and not match(netmask("1.2.3.4/22")) and not match(netmask("1.2.3.4/28")) };
I am currently using the latter, but it seems as if the individual IPs and subnets would only be filtered if ALL are true. Would using "|", like in the first format, check for each individual IP or subnet and filter accordingly? When I say filter I mean I would like everything except for the individual IPs and subnets specified. I am not certain that this is the appropriate format for filtering subnets, please advise....
Thank you in advance for your assistance!!!
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
The syntax for a 10.0.0.0/24 netmask is netmask("10.0.0.0/255.255.255.0") - Henning
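As an added example that is not part of either post, here is the "everything from the PIX except these senders" filter written in syslog-ng filter syntax, using the dotted-mask form Henning gives. It assumes that netmask() tests the sender's IP address (not the message text, which is what match() tests) and that the source s_net and destination d_pix exist elsewhere in the configuration; the addresses are the placeholder values from the question.

```conf
# Added example, not from the original thread.
# netmask() selects messages by the IP address the message was received from,
# so single hosts are written with a /32 mask and subnets with their dotted mask.
# 1.2.3.4 and the prefixes /28, /20 and /22 are the placeholders from the question;
# the network addresses are those prefixes applied to 1.2.3.4.
filter f_pix {
    match("PIX")
    and not (
        # individual hosts (mask 255.255.255.255 == /32)
        netmask("1.2.3.4/255.255.255.255")
        # subnets: /28, /20 and /22 written as dotted masks
        or netmask("1.2.3.0/255.255.255.240")
        or netmask("1.2.0.0/255.255.240.0")
        or netmask("1.2.0.0/255.255.252.0")
    );
};

# s_net and d_pix are assumed to be defined elsewhere in syslog-ng.conf
log { source(s_net); filter(f_pix); destination(d_pix); };
```

The grouped `not ( A or B or C )` is equivalent to the question's `not A and not B and not C`: both keep a message only when it matches none of the listed addresses, so the second format in the question does exclude each host or subnet individually rather than requiring all of them to match.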