Closed HeavyMoon closed 3 years ago
The UDP iptables log contains two LEN fields. The ln_iptablesParser function overwrites the IP LEN field with the UDP LEN field. How can I do it individually?
sample:
$ lognormalizer -V lognormalizer version: 2.0.2 liblognorm version: 2.0.2 advanced stats: not available $ cat ./rule.rulebase rule=:%ipt:iptables% $ echo 'IN=if1 OUT=if2 MAC=01-23-45-67-89-ab SRC=1.2.3.4 DST=5.6.7.8 LEN=912 TOS=0x34 PREC=0x56 TTL=78 ID=90 DF PROTO=UDP SPT=123 DPT=456 LEN=789' | lognormalizer -r ./rule.rulebase { "IN": "if1", "OUT": "if2", "MAC": "01-23-45-67-89-ab", "SRC": "1.2.3.4", "DST": "5.6.7.8", "LEN": "789", "TOS": "0x34", "PREC": "0x56", "TTL": "78", "ID": "90", "DF": "[*PRESENT*]", "PROTO": "UDP", "SPT": "123", "DPT": "456" }
The UDP iptables log contains two LEN fields. The ln_iptablesParser function overwrites the IP LEN field with the UDP LEN field. How can I do it individually?
sample: