hatchet - Project Hosting on Google Code

Older May 26, 2009 issue 30 (Regex for VQP) reported by jasondixon - Submitted by tom@bofh.upstreaminter.net (tdm in silc #openbsd) 159a160,162 > } elsif (/VQPv4/) { > /(\w+ \d+ \d+:.\d:.\d+)\.(\d+) rule (\d+)\/\(match\) (\w+ \w+) \w+ (\w+)\: (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)\:(.)/; > insert_table($1, $2, $3, $4, $5, $6, $7, $8, $9, 'VQP'); --- Adds detection of Cisco VLAN Query Protocol May 26 16:19:06.114010 rule 0/(match) block in on pppoe1: 218.75.199.50.1589 > 88.96.248.176.1434: VQPv4 Submitted by tom@bofh.upstreaminter.net (tdm in silc #openbsd) 159a160,162 > } elsif (/VQPv4/) { > /(\w+ \d+ \d+:.\d:.\d+)\.(\d+) rule (\d+)\/\(match\) (\w+ \w+) \w+ (\w+)\: (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)\:(.)/; > insert_table($1, $2, $3, $4, $5, $6, $7, $8, $9, 'VQP'); --- Adds detection of Cisco VLAN Query Protocol May 26 16:19:06.114010 rule 0/(match) block in on pppoe1: 218.75.199.50.1589 > 88.96.248.176.1434: VQPv4 Mar 07, 2009 issue 27 (Regex for ip-proto-46) commented on by jasondixon - Appears to be RSVP (protocol 46). Appears to be RSVP (protocol 46). Mar 07, 2009 issue 28 (Regex (IAPPv0 unknown)) changed by jasondixon - Owner: jasondixon Cc: −jasondixon Owner: jasondixon Cc: −jasondixon Mar 07, 2009 issue 28 (Regex (IAPPv0 unknown)) commented on by jasondixon - This appears to be Inter-Access Point Protocol (802.11F). This appears to be Inter-Access Point Protocol (802.11F). Mar 07, 2009 issue 29 (Regex l2tp:[P](25650/50944)[hdlc\|]) changed by jasondixon - Status: Accepted Owner: jasondixon Status: Accepted Owner: jasondixon Mar 07, 2009 issue 28 (Regex (IAPPv0 unknown)) changed by jasondixon - Status: Accepted Cc: jasondixon Status: Accepted Cc: jasondixon Mar 07, 2009 issue 27 (Regex for ip-proto-46) changed by jasondixon - Status: Accepted Owner: jasondixon Status: Accepted Owner: jasondixon Mar 05, 2009 issue 29 (Regex l2tp:[P](25650/50944)[hdlc\|]) reported by goo...@lechtermann.net - Mar 05 06:48:07.296924 rule 0/(match) block in on cas0: 115.138.143.177.1701 > 80.237.235.11.15892: l2tp:[P](25650/50944)[hdlc\|] Mar 05 06:48:07.296924 rule 0/(match) block in on cas0: 115.138.143.177.1701 > 80.237.235.11.15892: l2tp:[P](25650/50944)[hdlc\|] Jan 13, 2009 issue 22 (Regex for ipv6 [\|tcp]) commented on by goo...@lechtermann.net - Something similar also happens for IPv4... guess its the [\|tcp] part. Jan 13 22:59:49.143509 rule 30/(match) pass in on enc0: 208.86.227.89.22 > 217.115.138.30.3836: [\|tcp] (encap) Something similar also happens for IPv4... guess its the [\|tcp] part. Jan 13 22:59:49.143509 rule 30/(match) pass in on enc0: 208.86.227.89.22 > 217.115.138.30.3836: [\|tcp] (encap) Jan 13, 2009 issue 28 (Regex (IAPPv0 unknown)) reported by goo...@lechtermann.net - Whatever this is, had it pop up on my server last night... Jan 14 00:29:07.280500 rule 0/(match) block in on cas0: 76.114.16.124.2313 > 80.237.253.236.4534: IAPPv0 unknown: 0x35 (id 0) 0: [tos 0x20] Whatever this is, had it pop up on my server last night... Jan 14 00:29:07.280500 rule 0/(match) block in on cas0: 76.114.16.124.2313 > 80.237.253.236.4534: IAPPv0 unknown: 0x35 (id 0) 0: [tos 0x20] Dec 09, 2008 issue 27 (Regex for ip-proto-46) reported by goo...@lechtermann.net - Dec 08 23:40:02.071189 rule 1/(match) block in on cas0: 218.106.119.133 > 80.237.235.9: ip-proto-46 43 [tos 0x1e (E)] Dec 08 23:40:02.071189 rule 1/(match) block in on cas0: 218.106.119.133 > 80.237.235.9: ip-proto-46 43 [tos 0x1e (E)] Nov 29, 2008 r31 (tagging release 0.9.2) committed by jasondixon - tagging release 0.9.2 tagging release 0.9.2 Nov 29, 2008 r30 (ready for 0.9.2) committed by jasondixon - ready for 0.9.2 ready for 0.9.2 Nov 29, 2008 issue 22 (Regex for ipv6 [\|tcp]) Summary changed by jasondixon - Summary: Regex for ipv6 [\|tcp] Summary: Regex for ipv6 [\|tcp] Nov 29, 2008 issue 21 (Add regex for IPv6 over IPv4 tunnels) commented on by jasondixon - Issue 26 has been merged into this issue. Issue 26 has been merged into this issue. Nov 29, 2008 issue 26 (Regex for \|ip6 (encap)) changed by jasondixon - Duplicate Status: Duplicate Owner: jasondixon Duplicate Status: Duplicate Owner: jasondixon Nov 29, 2008 issue 25 (Regex for "\|icmp (encap)" and "ah.spi.seq") changed by jasondixon - Added in revision 29. Status: Fixed Owner: jasondixon Added in revision 29. Status: Fixed Owner: jasondixon Nov 29, 2008 r29 (support for AH/spi) committed by jasondixon - support for AH/spi support for AH/spi Nov 29, 2008 issue 23 (Regex for ipv6 frag) Status changed by jasondixon - Status: Accepted Status: Accepted Nov 29, 2008 issue 23 (Regex for ipv6 frag) Owner changed by jasondixon - Owner: jasondixon Owner: jasondixon Nov 29, 2008 issue 24 (Regex for \|lwres) changed by jasondixon - Added in revision 28 Status: Fixed Owner: jasondixon Added in revision 28 Status: Fixed Owner: jasondixon Nov 29, 2008 r28 (support for lwres) committed by jasondixon - support for lwres support for lwres Nov 29, 2008 issue 21 (Add regex for IPv6 over IPv4 tunnels) Status changed by jasondixon - Added in revision 27 Status: Fixed Added in revision 27 Status: Fixed Nov 29, 2008 r27 (add IPv6 over IPv4 encap; fix GRE encap descriptions) committed by jasondixon - add IPv6 over IPv4 encap; fix GRE encap descriptions add IPv6 over IPv4 encap; fix GRE encap descriptions Sep 16, 2008 issue 26 (Regex for \|ip6 (encap)) reported by goo...@lechtermann.net - Sep 16 14:15:37.682147 rule 0/(match) block in on enc0: [\|ip6] (encap) Sep 16 14:15:37.682147 rule 0/(match) block in on enc0: [\|ip6] (encap) Sep 02, 2008 issue 25 (Regex for "\|icmp (encap)" and "ah.spi.seq") reported by goo...@lechtermann.net - Sep 02 09:51:16.035301 rule 0/(match) block in on cas0: ah 217.115.138.4 > 224.0.0.18 spi 0xABABABAB seq 18761114 len 48 [tos 0xc0] Sep 02 09:51:16.909233 rule 0/(match) block in on cas0: ah 217.115.138.4 > 224.0.0.18 spi 0xABABABAB seq 18761115 len 48 [tos 0xc0] Sep 02 09:59:17.751529 rule 29/(match) pass in on enc0: 172.16.94.10 > 172.16.94.9: [\|icmp] (encap) Sep 02 10:07:37.289945 rule 29/(match) pass in on enc0: 172.16.94.10 > 172.16.94.9: [\|icmp] (encap) Sep 02 09:51:16.035301 rule 0/(match) block in on cas0: ah 217.115.138.4 > 224.0.0.18 spi 0xABABABAB seq 18761114 len 48 [tos 0xc0] Sep 02 09:51:16.909233 rule 0/(match) block in on cas0: ah 217.115.138.4 > 224.0.0.18 spi 0xABABABAB seq 18761115 len 48 [tos 0xc0] Sep 02 09:59:17.751529 rule 29/(match) pass in on enc0: 172.16.94.10 > 172.16.94.9: [\|icmp] (encap) Sep 02 10:07:37.289945 rule 29/(match) pass in on enc0: 172.16.94.10 > 172.16.94.9: [\|icmp] (encap) Aug 28, 2008 issue 24 (Regex for \|lwres) reported by goo...@lechtermann.net - Aug 28 03:07:44.321290 rule 125/(match) pass in on cas2: 10.10.199.10.921 > 10.11.29.62.10080:[\|lwres] Aug 28 03:09:14.309202 rule 125/(match) pass in on cas2: 10.10.199.10.921 > 10.11.29.62.10080:[\|lwres] Aug 28 03:10:59.175705 rule 125/(match) pass in on cas2: 10.10.199.10.921 > 10.11.29.62.10080:[\|lwres] Aug 28 03:07:44.321290 rule 125/(match) pass in on cas2: 10.10.199.10.921 > 10.11.29.62.10080:[\|lwres] Aug 28 03:09:14.309202 rule 125/(match) pass in on cas2: 10.10.199.10.921 > 10.11.29.62.10080:[\|lwres] Aug 28 03:10:59.175705 rule 125/(match) pass in on cas2: 10.10.199.10.921 > 10.11.29.62.10080:[\|lwres] Aug 24, 2008 issue 23 (Regex for ipv6 frag) reported by goo...@lechtermann.net - Aug 24 13:22:57.827431 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400\|108) Aug 24 13:22:58.828452 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400\|108) Aug 24 13:23:05.157777 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400\|60) Aug 24 13:24:53.849904 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1232\|178) Aug 24 13:24:55.001874 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1232\|178) Aug 24 13:22:57.827431 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400\|108) Aug 24 13:22:58.828452 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400\|108) Aug 24 13:23:05.157777 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400\|60) Aug 24 13:24:53.849904 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1232\|178) Aug 24 13:24:55.001874 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1232\|178) Aug 21, 2008 issue 22 (Regex for ipv6 ltcp) reported by jasondixon - Submitted by Michael Lechtermann Aug 18 22:13:58.929560 rule 0/(match) block in on gif0: 2001:500:4:1::81.43 > 2a01:198:200:175::2.22297: [\|tcp] Submitted by Michael Lechtermann Aug 18 22:13:58.929560 rule 0/(match) block in on gif0: 2001:500:4:1::81.43 > 2a01:198:200:175::2.22297: [\|tcp] Aug 13, 2008 issue 21 (Add regex for IPv6 over IPv4 tunnels) reported by jasondixon - Example output: > Aug 12 17:49:09.703723 rule 92/(match) pass out on cas0: [\|ip6] (encap) > Aug 12 17:51:25.910824 rule 71/(match) pass in on tun0: [\|ip6] (encap) > Aug 12 17:51:25.911075 rule 92/(match) pass out on cas0: [\|ip6] (encap) > Aug 12 18:00:06.369798 rule 92/(match) pass out on cas0: [\|ip6] (encap) > Aug 12 18:00:56.317923 rule 90/(match) pass in on cas0: [\|ip6] (encap) Submitted by Michael Lechtermann. Example output: > Aug 12 17:49:09.703723 rule 92/(match) pass out on cas0: [\|ip6] (encap) > Aug 12 17:51:25.910824 rule 71/(match) pass in on tun0: [\|ip6] (encap) > Aug 12 17:51:25.911075 rule 92/(match) pass out on cas0: [\|ip6] (encap) > Aug 12 18:00:06.369798 rule 92/(match) pass out on cas0: [\|ip6] (encap) > Aug 12 18:00:56.317923 rule 90/(match) pass in on cas0: [\|ip6] (encap) Submitted by Michael Lechtermann.

issue 23 (Regex for ipv6 frag) reported by goo...@lechtermann.net - Aug 24 13:22:57.827431 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400|108) Aug 24 13:22:58.828452 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400|108) Aug 24 13:23:05.157777 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400|60) Aug 24 13:24:53.849904 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1232|178) Aug 24 13:24:55.001874 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1232|178)

Aug 24 13:22:57.827431 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400|108) Aug 24 13:22:58.828452 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400|108) Aug 24 13:23:05.157777 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1400|60) Aug 24 13:24:53.849904 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1232|178) Aug 24 13:24:55.001874 rule 0/(match) block in on gif0: 2001:4978:f:19b::2 > 2a01:198:2ae::50ed:eba: frag (1232|178)

Older