fields in the conn.log

Explains how the fields are structured, but it's a little out of date.
I'll fill in the missing parts and see that the manual gets updated.

Given a line like this from the conn.log:

1122055977.662564 0.105927 http 55985 80 tcp 735 12946 SF L %71

Unix Date/time: 1122055977.662564
Duration of the connection: 0.105927
Originator IP:
Responder IP:
Protocol: http
Originator port: 55985
Responder port: 80
Transport Protocol: tcp
Originator bytes sent: 735
Responder bytes sent: 12946
Flags: SF (Normal connection saw both SYN and FIN packets)
Additional Flags: L (connection was initiated locally)
Tag: %71

Now I can take my tag, and look in the http.log to
find out more about that connection (I'm running the
http analyzer):

http.log looks like this (example):
1121793380.980924 %71 start >
1121793380.985317 %71 GET /foo/bar/baz.html (200 "OK" [145])

Having said all this, the alarm.log is very different; it's
a 'tagged' format that is fairly self-descriptive. This is
an example from the alarm.log file:

t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa= sp=2222/tcp da= dp=3333/tcp msg=\ has\ scanned\ 2000\ hosts\ ) tag=@42

t: time
no: notice
na: notice action
sa: source address
sp: source port
dp: destination port
msg: message (in this case a host has scanned 20 hosts)
tag: identifier to match this to lines in notice.log and conn.log:

Now you can take the tag and look in the conn.log to find the connection
(with grep):

1000057956.062082 ? other 2222 3333 tcp ? ? S0 X @142
(we can see that it didn't connect and no bytes were transferred)

Also there is a good section in the manual about alarms:

That should help explain the sort ids.

Hope this helps.
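Parsing the three logs and joining them on the tag, as an added example (not code from the original post or from Bro itself). It assumes the old conn.log column order described above with the originator/responder address pair treated as optional, since the quoted lines omit it, and it reads alarm.log as backslash-escaped key=value pairs. The sample lines are constructed, modelled on the ones in the post, with the alarm tag chosen to match the S0 connection so the join finds something:

```python
"""Parse old-style Bro conn.log / http.log / alarm.log lines and join them
on the tag field, automating the grep described in the post."""
import re
from collections import defaultdict

# Right-hand fields of a conn.log line.  Timestamp and duration come first;
# an orig/resp address pair may sit between them and these (assumption:
# the lines quoted in the post omit it, so it is treated as optional).
_TRAILING = ("service", "orig_p", "resp_p", "proto",
             "orig_bytes", "resp_bytes", "state", "flags", "tag")


def _num(tok):
    """'?' means unknown in the old conn.log; otherwise int or float."""
    if tok == "?":
        return None
    return float(tok) if "." in tok else int(tok)


def parse_conn_line(line):
    """Return a dict for one conn.log line (ValueError if malformed)."""
    toks = line.split()
    if len(toks) < 2 + len(_TRAILING):
        raise ValueError("too few fields: %r" % line)
    rec = {"ts": float(toks[0]), "duration": _num(toks[1])}
    rec.update(zip(_TRAILING, toks[-len(_TRAILING):]))
    middle = toks[2:-len(_TRAILING)]
    if len(middle) == 2:
        rec["orig_h"], rec["resp_h"] = middle
    elif middle:
        raise ValueError("unexpected fields %r in %r" % (middle, line))
    for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
        rec[key] = _num(rec[key])
    if rec["tag"][0] not in "%@":
        raise ValueError("bad tag %r in %r" % (rec["tag"], line))
    return rec


# alarm.log: key=value pairs separated by spaces; a space inside a value is
# escaped with a backslash, so a value is a run of escaped chars or non-space.
_KV = re.compile(r"(\w+)=((?:\\.|[^\s\\])*)")


def parse_alarm_line(line):
    """Return a dict of the key=value pairs with backslash escapes removed."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _KV.findall(line)}


def index_http(http_lines):
    """Map tag -> list of (timestamp, rest-of-line) from http.log lines."""
    by_tag = defaultdict(list)
    for line in http_lines:
        ts, tag, rest = line.split(None, 2)
        by_tag[tag].append((float(ts), rest))
    return dict(by_tag)


def correlate(conn_lines, alarm_lines, http_lines):
    """For each alarm, attach the conn.log record and http.log entries that
    carry the same tag (None / [] when nothing matches)."""
    conns = {}
    for line in conn_lines:
        rec = parse_conn_line(line)
        conns[rec["tag"]] = rec
    http = index_http(http_lines)
    results = []
    for line in alarm_lines:
        alarm = parse_alarm_line(line)
        tag = alarm.get("tag")
        results.append({"alarm": alarm, "conn": conns.get(tag),
                        "http": http.get(tag, [])})
    return results


def summarize(hit):
    """One-line description of an alarm and its connection; '?' byte
    counts are reported as 0, i.e. nothing was transferred."""
    a, c = hit["alarm"], hit["conn"]
    if c is None:
        return "%s %s: no matching conn.log entry" % (a.get("no"), a.get("tag"))
    sent, rcvd = c["orig_bytes"] or 0, c["resp_bytes"] or 0
    return "%s %s: %s->%s/%s state=%s bytes=%d/%d" % (
        a.get("no"), a.get("tag"), c["orig_p"], c["resp_p"], c["proto"],
        c["state"], sent, rcvd)


# Constructed sample lines (not real captures), modelled on the post; the
# third conn.log line carries an address pair, and the alarm tag matches
# the S0 connection.
CONN_LOG = [
    "1122055977.662564 0.105927 http 55985 80 tcp 735 12946 SF L %71",
    "1000057956.062082 ? other 2222 3333 tcp ? ? S0 X @142",
    "1000057960.500000 0.003 10.0.0.5 10.0.0.9 other 2222 3334 tcp ? ? S0 X @143",
]
HTTP_LOG = [
    "1121793380.980924 %71 start >",
    '1121793380.985317 %71 GET /foo/bar/baz.html (200 "OK" [145])',
]
ALARM_LOG = [
    r"t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa= "
    r"sp=2222/tcp da= dp=3333/tcp msg=\ has\ scanned\ 2000\ hosts\ ) tag=@142",
]

if __name__ == "__main__":
    for hit in correlate(CONN_LOG, ALARM_LOG, HTTP_LOG):
        print(summarize(hit))
    for ts, rest in index_http(HTTP_LOG)["%71"]:
        print("%71 http:", rest)
```

Parsing the conn.log from the right is what lets the same function accept both the address-less lines quoted above and full lines with an address pair; a line with any other number of fields is rejected rather than silently mis-assigned, which matters when you are about to act on what grep found.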

Angelita de Cássia Corrêa wrote: