how to hack DNS name lookups in iptables and firewall DLF conversion? (was: Re: adding resolved hostnames to ...)

Joost van Baal joostvb at logreport.org
Sun Mar 21 23:07:11 CET 2004


On Sun, Mar 21, 2004 at 07:18:45PM +0100, Joost van Baal wrote:
> 
> I've been trying to enhance the iptables converter and Lire firewall
> reports, to deal with resolved hostnames next to IP addresses in the DLF.
> 
> My initial idea was to convert logs to ascii-based DLF, do the resolving
> in the DLF file, and feed this enhanced DLF to the rest of the Lire
> processing chain.  However, this seems no longer possible: we are no
> longer supporting plain ascii DLF's.  I guess I'll need to get the
> iptables converter to fill the from_host and to_host fields some way.
> Perhaps define an extra extended Firewall schema?

OK, I've converted iptables2dlf to the new module-based API (code is in
CVS (untested...)).  Now, I could get IptablesDlfConverter.pm to do a
resolver lookup for every IP address found in the raw log, and write
these to from_host and to_host.  However, this is quite drastic: it
causes quite some load and network traffic.  I guess this had better
be configurable, and disabled by default.  Any good ideas on how to set
this up?  There aren't any configurable converters yet, are there?  Could
this better be implemented in an extra step in the 2dlf phase, perhaps?

Ideas welcome.

Bye,

Joost

-- 
.    .                                        http://logreport.com/
| '.|                        /^LogReport$/
| Lire                                        http://logreport.org/
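The off-by-default, configurable lookup discussed in the mail above, as an added sketch that is not Lire's own code: it assumes a `resolve_hosts` config flag and a pluggable resolver so it runs offline against a constructed log line, and goes a little beyond the mail by caching lookups per run and validating the returned PTR name before it reaches the from_host/to_host fields.

```perl
#!/usr/bin/perl
# Added example (not Lire's code): optional reverse lookups for the
# SRC/DST addresses of iptables log lines, disabled unless configured.
use strict;
use warnings;
use Socket qw(inet_aton AF_INET);

# Assumed configuration knob; the name is hypothetical.
my %config = ( resolve_hosts => 0 );

# Real resolver; a lookup table is swapped in below for an offline run.
sub dns_resolver {
    my ($ip) = @_;
    return scalar gethostbyaddr(inet_aton($ip), AF_INET);
}

my %cache;   # one lookup per distinct address per run keeps load down
sub resolve_host {
    my ($ip, $resolver) = @_;
    return '' unless $config{resolve_hosts};
    return $cache{$ip} if exists $cache{$ip};
    my $name = eval { $resolver->($ip) };
    $name = '' unless defined $name;
    # PTR data is set by whoever controls the address block, so only
    # plain hostname characters are allowed into the report fields.
    $name = '' unless $name =~ /\A[A-Za-z0-9.-]{1,253}\z/;
    return $cache{$ip} = $name;
}

sub iptables_to_dlf {
    my ($line, $resolver) = @_;
    my ($src) = $line =~ /\bSRC=(\d{1,3}(?:\.\d{1,3}){3})/ or return;
    my ($dst) = $line =~ /\bDST=(\d{1,3}(?:\.\d{1,3}){3})/ or return;
    return {
        from_ip   => $src,
        to_ip     => $dst,
        from_host => resolve_host($src, $resolver),
        to_host   => resolve_host($dst, $resolver),
    };
}

# Constructed sample log line and PTR table so the script runs offline.
my $line = 'Mar 21 22:59:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 '
         . 'DST=198.51.100.5 PROTO=TCP DPT=22';
my %fake_ptr = ( '192.0.2.10' => 'client.example.net' );
my $fake = sub { $fake_ptr{ $_[0] } };   # undef for unknown addresses

$config{resolve_hosts} = 1;   # enable for the demo only
my $rec = iptables_to_dlf($line, $fake) or die "unparsable line\n";
printf "%s -> %s (%s -> %s)\n", @{$rec}{qw(from_ip to_ip from_host to_host)};
```

Replace `$fake` with `\&dns_resolver` to do live lookups; with the flag left at 0 the converter emits empty host fields and generates no DNS traffic at all.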