[Firehol-support] Redirecting Logging
John Sullivan
lists at benzo8.org
Wed Jan 23 16:34:55 GMT 2008
Hi,
I'm wondering if there's a way to stop logging all IN-Internet matches
to syslog, and instead send them to another log. My server sits in a
farm full of kiddies constantly looking for open 137-139s (it appears!)
and it gets very difficult looking through the syslog for important
stuff with constant:
Jan 23 07:09:28 space kernel: ''IN-internet':'IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:6a:f6:b3:40:08:00 SRC=83.170.75.139 DST=83.170.75.191 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=32214 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 23 08:56:57 space kernel: ''IN-internet':'IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:6a:f6:b3:40:08:00 SRC=83.170.75.139 DST=83.170.75.191 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58737 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 23 09:55:29 space kernel: ''IN-internet':'IN=eth0 OUT= MAC=00:0b:6a:f6:b2:d1:00:d0:02:95:74:00:08:00 SRC=62.152.115.217 DST=83.170.75.135 LEN=78 TOS=0x00 PREC=0x00 TTL=116 ID=58548 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 23 12:25:08 space kernel: ''IN-internet':'IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:6a:b3:f5:91:08:00 SRC=83.170.75.136 DST=83.170.75.191 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=923 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 23 12:42:11 space kernel: ''IN-internet':'IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:6a:f6:b3:40:08:00 SRC=83.170.75.139 DST=83.170.75.191 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=60475 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 23 14:54:22 space kernel: ''IN-internet':'IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:6a:f6:b3:40:08:00 SRC=83.170.75.139 DST=83.170.75.191 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=34281 PROTO=UDP SPT=137 DPT=137 LEN=58
I've tried changing the FIREHOL_LOG_LEVEL variable to something higher
than warning, but that doesn't seem to have any effect. Any other ideas?
Thanks in advance...
Me...
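As an added example (not part of John's post and not FireHOL's own code), a small Python triage script that parses netfilter LOG lines in the format quoted above and separates the UDP 137-139 noise from other firewall hits and from the rest of syslog. The sample lines and addresses are constructed for the example; the NETBIOS_PORTS set and function names are this example's own.

```python
import re
from collections import Counter

# Sample syslog lines constructed for this example, modelled on the
# netfilter LOG format quoted in the post (RFC 5737 test addresses, not the
# poster's hosts). Each record is one line; the post's mailer wrapped them.
SAMPLE_LOG = """\
Jan 23 07:09:28 space kernel: ''IN-internet':'IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:6a:f6:b3:40:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=32214 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 23 08:56:57 space kernel: ''IN-internet':'IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:6a:f6:b3:40:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58737 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 23 09:55:29 space kernel: ''IN-internet':'IN=eth0 OUT= MAC=00:0b:6a:f6:b2:d1:00:d0:02:95:74:00:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=116 ID=58548 PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 23 09:55:30 space sshd[1234]: Accepted publickey for admin from 203.0.113.5 port 50000 ssh2
"""

# FireHOL's prefix shows up as ''IN-internet':' ; tolerate the stray quotes.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"'*(?P<prefix>[^']+)':'?(?P<rest>.*)$")

NETBIOS_PORTS = {"137", "138", "139"}  # the noise the post complains about

def parse_kernel_log_line(line):
    """Parse one netfilter LOG line into a dict; None if it is not one."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix")}
    # KEY=VALUE pairs; bare TCP flags such as SYN carry no '=' and are skipped.
    # LEN appears twice (IP total, then UDP payload): keep the first.
    for key, value in re.findall(r"([A-Z]+)=(\S*)", m.group("rest")):
        rec.setdefault(key, value)
    return rec

def split_netbios_noise(lines):
    """Return (netbios_noise, other_firewall_hits, non_firewall_lines)."""
    noise, hits, other = [], [], []
    for line in lines:
        rec = parse_kernel_log_line(line)
        if rec is None:
            other.append(line)
        elif rec.get("PROTO") == "UDP" and rec.get("DPT") in NETBIOS_PORTS:
            noise.append(rec)
        else:
            hits.append(rec)
    return noise, hits, other

def top_sources(records, n=5):
    """Most frequent SRC addresses, for a quick look at who is scanning."""
    return Counter(r["SRC"] for r in records).most_common(n)
```

Feeding it a syslog file instead of SAMPLE_LOG gives the "important stuff" (the hits bucket) without the NetBIOS chatter, while top_sources over the noise bucket shows which hosts generate most of it.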