*ANY* firewall software should be able to handle this, usually by adding the 'log' keyword to the line containing the interesting traffic. A couple examples:

pf:
    block in log quick on fxp0 proto {tcp} from any to self port {80,443}

ipfw:
    ipfw add log all from any to $self 80, 443

HTH

Eric

On May 2, 2008, at 7:49 AM, Josh Welch wrote:

> Quoting Chris Niesen <chris.niesen at gmail.com>:
>
>> I am trying to set up a server/app that can log when a certain port has been
>> accessed on an inbound interface on my firewall. I don't need the whole
>> contents of the packet, just the port number accessed (I have certain ports
>> to filter and define, i.e. ssh, http, https), the time and the date. I also
>> want to have this dumped to a text file, with a preset size limit that will
>> automatically save to a new file once the threshold has been reached. I
>> already have a port mirror set up on my core switch to dump all the traffic
>> there so I can see all of it, I just am having a lot of trouble filtering
>> and logging exactly what I need with an app. I have tried writing my own
>> custom snort rules, and dumping it to a file, but I can't seem to get that
>> right. I also have written capture filters for wireshark; those pick up
>> only the packets I want, but they log the whole packet, not just the
>> information I am looking for. Does anyone on the list have any experience
>> with this type of thing?
>>
>
> IPTables will do this, look into the LOG function. I would
> occasionally do this same thing for troubleshooting purposes.
>
> Josh
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list

-----
Eric F Crist
Secure Computing Networks
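
Added example, not part of the original thread and not code from any of the posters: one way to get from the iptables LOG output Josh mentions to the file the question asks for (port, time and date only, rolling over to a new file at a size limit). The "PORTLOG: " prefix, the eth0 interface, the port set and all function names are assumptions made for this example, and the sample lines are constructed.

```python
import logging
import re
from logging.handlers import RotatingFileHandler

# Constructed sample syslog lines, in the format produced by a LOG rule such as:
#   iptables -A INPUT -i eth0 -p tcp --syn -m multiport --dports 22,80,443 \
#            -j LOG --log-prefix "PORTLOG: "
# (interface, ports and prefix are assumptions; adjust to the real ruleset)
SAMPLE_LINES = [
    "May  2 07:49:01 fw kernel: PORTLOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "May  2 07:49:03 fw kernel: PORTLOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=977 DF PROTO=TCP SPT=40022 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "May  2 07:49:04 fw kernel: usb 1-1: new high-speed USB device number 3",
    "May  2 07:49:07 fw kernel: PORTLOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4250 DF PROTO=TCP SPT=51520 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0",
]
WATCHED_PORTS = {22, 80, 443}  # ssh, http, https
LINE_RE = re.compile(r"^(?P<stamp>\w{3}\s+\d+\s[\d:]{8})\s.*?PORTLOG: .*?\bDPT=(?P<dport>\d+)")

def parse_line(line):
    """Return (timestamp, port) for a logged hit on a watched port, else None."""
    m = LINE_RE.search(line)
    if not m or int(m["dport"]) not in WATCHED_PORTS:
        return None
    return m["stamp"], int(m["dport"])

def make_port_logger(path, max_bytes=1_000_000, backups=5):
    """Logger that moves on to a new file once the current one would reach max_bytes."""
    logger = logging.getLogger("portlog:" + path)
    logger.setLevel(logging.INFO)
    logger.propagate = False  # keep entries out of the root logger
    if not logger.handlers:
        handler = RotatingFileHandler(path, maxBytes=max_bytes, backupCount=backups)
        handler.setFormatter(logging.Formatter("%(message)s"))
        logger.addHandler(handler)
    return logger

def record_hits(lines, logger):
    """Write 'timestamp port' for each matching line; return the hits written."""
    hits = [hit for hit in map(parse_line, lines) if hit]
    for stamp, port in hits:
        logger.info("%s %d", stamp, port)
    return hits

if __name__ == "__main__":
    import os, tempfile
    out = os.path.join(tempfile.mkdtemp(), "ports.log")
    print(record_hits(SAMPLE_LINES, make_port_logger(out)), "->", out)
```

Classic syslog timestamps carry no year, so the recorded date is month and day only unless the syslog daemon is configured for a fuller timestamp format.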