[syslog-ng] netmask

Antonio Brown abrown5 at gmail.com
Thu Dec 15 21:19:30 CET 2005


Thanks Again Henning!!!
I truly appreciate it!

On 12/15/05, Henning Markussen <hm at mib.dk> wrote:
>
> Antonio Brown wrote:
> > Hello All,
> >
> > I was wondering which of the two formats below would you use when
> > filtering using syslog-ng:
> >
> > filter f_pix          { match(PIX) and not
> > match("1.2.3.4|1.2.3.4|1.2.3.4|1.2.3.4|netmask("1.2.3.4/28")|netmask("1.2.3.4/20")|netmask("1.2.3.4/22")|netmask("1.2.3.4/28")")
> >      };
> >
> > or......
> >
> > filter f_pix          { match(PIX)
> >               and not match(1.2.3.4)
> >                         and not match(1.2.3.4)
> >                         and not match(1.2.3.4)
> >                         and not match(1.2.3.4)
> >                         and not match(netmask("1.2.3.4/28"))
> >                         and not match(netmask("1.2.3.4/20"))
> >                         and not match(netmask("1.2.3.4/22"))
> >                         and not match(netmask("1.2.3.4/28"))
> >      };
> >
> > I am currently using the latter, but it seems as if the individual IPs
> > and subnets would only be filtered if ALL is true. Would using "|", like
> > in the first format, check for each individual IP or subnet and filter
> > accordingly? When I say filter I mean, I would like everything except
> > for the individual IPs and subnets specified. I am not certain that this
> > is the appropriate format for filtering subnets, please advise....
> >
> > Thank You, in advance for your assistance!!!
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >
>
> the syntax for a 10.0.0.0/24 netmask is
> netmask("10.0.0.0/255.255.255.0")
>
> - Henning
>
>
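
An added example, not part of the original thread: a small Python helper that converts host and CIDR entries into the `network/dotted-mask` form given in Henning's reply, renders them as a chain of `and not netmask(...)` terms, and models which sender addresses such a chain keeps. The addresses, the function names and the generated filter layout are assumptions made for illustration.

```python
import ipaddress

# Constructed sample exclusions (not from the thread): one host and three subnets.
EXCLUDE = ["10.9.9.9", "10.1.0.0/20", "10.2.0.0/22", "10.3.0.16/28"]


def to_netmask_arg(entry):
    """Convert 'a.b.c.d' or 'a.b.c.d/len' to 'network/dotted-mask'."""
    # strict=False masks off host bits, so '1.2.3.4/20' becomes network 1.2.0.0.
    net = ipaddress.ip_network(entry, strict=False)
    return f"{net.network_address}/{net.netmask}"


def build_filter(name, keyword, entries):
    """Render a syslog-ng filter: keep keyword matches, drop every listed sender."""
    lines = [f'filter {name} {{ match("{keyword}")']
    lines += [f'    and not netmask("{to_netmask_arg(e)}")' for e in entries]
    lines.append("};")
    return "\n".join(lines)


def passes(source_ip, entries):
    """Model the 'and not' chain: True only if NO entry contains the sender.

    'not A and not B' equals 'not (A or B)', so one matching entry is
    enough to drop the message; the entries do not all have to match.
    """
    ip = ipaddress.ip_address(source_ip)
    return all(ip not in ipaddress.ip_network(e, strict=False) for e in entries)


if __name__ == "__main__":
    print(build_filter("f_pix", "PIX", EXCLUDE))
    # Constructed sender addresses on both sides of each subnet boundary.
    for src in ("10.9.9.9", "10.1.15.200", "10.1.16.1", "10.3.0.31", "10.3.0.32"):
        print(src, "kept" if passes(src, EXCLUDE) else "dropped")
```
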