With unsigned integers (at least under OpenBSD), the range of group ID values is 0-65535. If the ID could be expressed as an unsigned long, some clever ID values could be used to help hint at the reason for a log entry. For example...
0xxxxx = Port-based rule groups on external interface; xxxxx = port number with leading zeros suppressed (e.g. "head 22" would lead a rule group dealing with SSH)
1xxxxx = Port-based rule groups on internal interface; xxxxx = port number with leading zeros included (e.g. "head 100443" would lead a rule group dealing with HTTPS)
2nxxxx = Generic rule group where n represents interface and xxxx is an arbitrary number
4xxxxx = Port-based rule groups on DMZ interface; xxxxx = port number with leading zeros included (e.g. "head 300110" would lead a rule group dealing with POP3)
The values of 0, 1, and 4 aren't by accident. "0" looks like "O" as in "Outside". "1" looks like "I" as in "Inside". Finally, "D" (as in "DMZ") is the fourth letter of the (English) alphabet. Information encoded in the ID value in this way is, of course, available elsewhere within the log record, but a single numerical value is typically easier to parse. Just a thought...
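As an added illustration (not part of the original message, and not anyone's shipped tool), here is a small Python encoder/decoder for the numbering scheme proposed above: it turns a rule group ID into interface and port (or, for 2nxxxx groups, interface digit and arbitrary number), does the reverse, and flags whether the ID would still fit the unsigned 16-bit range the message mentions. The DMZ example follows the 4xxxxx rule as stated (400110 for POP3); the rule text fed to `explain_rule` and the `head` keyword search are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Leading digit -> interface, per the scheme in the message above.
# Generic (2nxxxx) groups carry the interface as a separate digit and are
# handled outside this table.
_PREFIX_TO_IFACE = {0: "external", 1: "internal", 4: "dmz"}
_IFACE_TO_PREFIX = {v: k for k, v in _PREFIX_TO_IFACE.items()}


@dataclass(frozen=True)
class GroupId:
    interface: str                 # "external", "internal", "dmz" or "generic"
    port: Optional[int]            # port number for port-based groups, else None
    number: Optional[int]          # arbitrary 4-digit number for generic groups
    generic_iface: Optional[int]   # the "n" digit of a 2nxxxx group, else None
    fits_16bit: bool               # True if the raw ID is within 0-65535


def decode_group_id(gid: int) -> GroupId:
    """Split a six-digit-or-less group ID into its encoded meaning."""
    if not 0 <= gid <= 999999:
        raise ValueError(f"group id {gid} is outside the six-digit scheme")
    fits = gid <= 0xFFFF          # would a 16-bit unsigned ID still hold it?
    prefix = gid // 100000        # leading digit (0 when fewer than six digits)
    if prefix in _PREFIX_TO_IFACE:
        # 0xxxxx / 1xxxxx / 4xxxxx: the low five digits are the port.
        return GroupId(_PREFIX_TO_IFACE[prefix], gid % 100000, None, None, fits)
    if prefix == 2:
        # 2nxxxx: n is the interface digit, xxxx an arbitrary number.
        return GroupId("generic", None, gid % 10000, (gid // 10000) % 10, fits)
    raise ValueError(f"group id {gid}: leading digit {prefix} is not assigned")


def encode_port_group(interface: str, port: int) -> int:
    """Build a port-based group ID for the external, internal or DMZ interface."""
    if interface not in _IFACE_TO_PREFIX:
        raise ValueError(f"no port-based prefix for interface {interface!r}")
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return _IFACE_TO_PREFIX[interface] * 100000 + port


def encode_generic_group(iface_digit: int, number: int) -> int:
    """Build a 2nxxxx generic group ID."""
    if not 0 <= iface_digit <= 9:
        raise ValueError("interface digit must be a single decimal digit")
    if not 0 <= number <= 9999:
        raise ValueError("generic group number must fit in four digits")
    return 200000 + iface_digit * 10000 + number


# Constructed for this example: pick the group number off a rule that ends a
# rule group with "head N".
_HEAD_RE = re.compile(r"\bhead\s+(\d+)\b")


def explain_rule(rule: str) -> Optional[str]:
    """Return a one-line reading of the group ID on a 'head N' rule, or None."""
    m = _HEAD_RE.search(rule)
    if not m:
        return None
    gid = int(m.group(1))
    g = decode_group_id(gid)
    note = "" if g.fits_16bit else " (needs more than a 16-bit ID)"
    if g.interface == "generic":
        return f"group {gid}: generic, interface {g.generic_iface}, number {g.number}{note}"
    return f"group {gid}: {g.interface} interface, port {g.port}{note}"


if __name__ == "__main__":
    # Constructed rule lines, not taken from any real ruleset.
    for rule in [
        "pass in quick on xl0 proto tcp from any to any port = 22 head 22",
        "pass in quick on xl1 proto tcp from any to any port = 443 head 100443",
        "pass in quick on xl2 proto tcp from any to any port = 110 head 400110",
        "block in on xl1 all head 210042",
        "pass out on xl0 all",
    ]:
        print(explain_rule(rule))
```

The `fits_16bit` flag is the practical catch: every internal, generic and DMZ ID in this scheme is above 65535, so the scheme only works once the group ID is widened as the message suggests.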
Why stop there? Add a name table for groups and you can stay with the 16-bit ids.
Coding exercise left to the reader. :^)
-- Jefferson Ogata <[EMAIL PROTECTED]> NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
