[syslog-ng] netmask
Henning Markussen
hm at mib.dk
Thu Dec 15 21:16:33 CET 2005
Antonio Brown wrote:
> Hello All,
>
> I was wondering which of the two formats below would you use when
> filtering using syslog-ng:
>
> filter f_pix { match(PIX) and not
> match("1.2.3.4|1.2.3.4|1.2.3.4|1.2.3.4|netmask("1.2.3.4/28")|netmask("1.2.3.4/20")|netmask("1.2.3.4/22")|netmask("1.2.3.4/28")")
> };
>
> or......
>
> filter f_pix { match(PIX)
> and not match(1.2.3.4)
> and not match(1.2.3.4)
> and not match(1.2.3.4)
> and not match(1.2.3.4)
> and not match(netmask("1.2.3.4/28"))
> and not match(netmask("1.2.3.4/20"))
> and not match(netmask("1.2.3.4/22"))
> and not match(netmask("1.2.3.4/28"))
> };
>
> I am currently using the latter, but it seems as if the individual IPs
> and subnets would only be filtered if ALL is true. Would using "|", like
> in the first format, check for each individual IP or subnet and filter
> accordingly? When I say filter I mean, I would like everything except
> for the individual IPs and subnets specified. I am not certain that this
> is the appropriate format for filtering subnets, please advise....
>
> Thank You, in advance for your assistance!!!
The syntax for a 10.0.0.0/24 netmask is
netmask("10.0.0.0/255.255.255.0")
- Henning
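
An added example, not part of the original thread: Python that renders hosts and CIDR blocks in the dotted-mask form given in the reply and models the two ways of combining the exclusions asked about. The addresses are constructed documentation ranges, the names `to_netmask`, `build_filter`, `passes_chained` and `passes_grouped` are hypothetical, and it assumes netmask() is evaluated against the sender's IP address.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the post.
EXCLUDED = ["192.0.2.10", "192.0.2.11", "198.51.100.0/28", "203.0.113.0/24"]


def to_netmask(entry):
    """Render a host or CIDR block as netmask("addr/dotted.mask")."""
    # strict=False normalises host bits; a bare host becomes a /32 network.
    net = ipaddress.ip_network(entry, strict=False)
    return 'netmask("%s/%s")' % (net.network_address, net.netmask)


def build_filter(name, tag, excluded):
    """Emit a filter keeping `tag` messages except those from excluded senders."""
    terms = "\n    or ".join(to_netmask(e) for e in excluded)
    return 'filter %s {\n  match("%s") and not (\n    %s\n  );\n};' % (
        name, tag, terms)


def _hit(sender, entry):
    """True when `sender` falls inside the host or subnet `entry`."""
    return ipaddress.ip_address(sender) in ipaddress.ip_network(entry, strict=False)


def passes_chained(sender, excluded):
    """Model of: not A and not B and not C ..."""
    return all(not _hit(sender, e) for e in excluded)


def passes_grouped(sender, excluded):
    """Model of: not (A or B or C ...)"""
    return not any(_hit(sender, e) for e in excluded)


if __name__ == "__main__":
    print(build_filter("f_pix", "PIX", EXCLUDED))
    # Constructed sender addresses: two excluded, two allowed.
    for sender in ["192.0.2.10", "198.51.100.7", "198.51.100.16", "10.9.8.7"]:
        print(sender, passes_chained(sender, EXCLUDED),
              passes_grouped(sender, EXCLUDED))
```

Both models return the same result for every sender: a message is dropped as soon as any one listed address or subnet matches.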