[Lognorm] Sonicwall Normalization tests & other....

Champ Clark III [Softwink] champ at softwink.com
Thu Jan 13 19:13:29 CET 2011


> It just occurred to me that you can use char-to! Minimal doc:
> http://www.liblognorm.com/files/manual/sampledatabase.htm

	Ah! :) 

rule=:  msg="%alert:char-to:\x22%" sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word%

	The above worked perfectly.  One thought: it might be beneficial
to make a "%field:quotestring%" (or something similar).  Basically, it'd
do exactly what char-to does, but with a pre-set field (x22 in my
case).  My thinking is that it'll make rules "easier" to write.  I.e.,

msg="%alert:quotestring%" "looks" nicer.  I could be wrong on this.  Of
course then you'd probably want to have several "preset" values, i.e.

	" ' : ( )

	Hmmph.. Might be easier to just stay with char-to.  This is
interesting because I thought char-to did something different.  Very
nice Rainer.  

	On a side note, syslog-ng supports a $MSGONLY so my old problem
is moot.  ($MSG by default includes the program... hrmph).

-- 
        Champ Clark III | Softwink, Inc | 800-538-9357 x 101
                     http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
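To show what the char-to rule in the post actually extracts, here is a small Python matcher (added to this page, not liblognorm's own code) that interprets the `%name:type[:extra]%` fields used in that rule and runs it over a constructed SonicWall-style message. The `\x22` extra data is decoded to the quote character, so the whole quoted alert text, spaces and colons included, lands in one field, which is exactly what a `quotestring` preset would bake in; the toy also requires the sample to cover the entire line, so a message that still carries the syslog program prefix ($MSG rather than $MSGONLY) does not match.

```python
import re

# Toy matcher for liblognorm-style "%name:type[:extra]%" samples (added example,
# not liblognorm's code); supports only the parser types used in the post's rule.

FIELD_RE = re.compile(r'%([^:%]+):([^:%]+)(?::([^%]+))?%')

def _unescape(extra):
    # char-to takes its terminator as extra data; "\x22" denotes the '"' character.
    m = re.fullmatch(r'\\x([0-9A-Fa-f]{2})', extra)
    return chr(int(m.group(1), 16)) if m else extra

def compile_rule(sample):
    """Translate a sample into a regex with one named group per field."""
    parts, fields, pos = [], [], 0
    for m in FIELD_RE.finditer(sample):
        parts.append(re.escape(sample[pos:m.start()]))   # literal text between fields
        name, ptype, extra = m.groups()
        if ptype == 'char-to':                 # char-to: everything up to the terminator
            pat = '[^%s]*' % re.escape(_unescape(extra))
        else:                                  # word: up to the next whitespace
            pat = {'number': r'\d+', 'word': r'\S+',
                   'ipv4': r'(?:\d{1,3}\.){3}\d{1,3}'}[ptype]
        group = 'f%d' % len(fields)            # regex group names cannot contain '-'
        fields.append((group, name, ptype))
        parts.append('(?P<%s>%s)' % (group, pat))
        pos = m.end()
    parts.append(re.escape(sample[pos:]))
    return re.compile(''.join(parts)), fields

def normalize(sample, line):
    """Return a dict of extracted fields, or None when the sample does not match."""
    regex, fields = compile_rule(sample)
    m = regex.fullmatch(line)                  # the sample must describe the whole line
    if m is None:
        return None
    # int() for number fields; a repeated field name (interface) keeps its last value
    return {name: int(m.group(g)) if ptype == 'number' else m.group(g)
            for g, name, ptype in fields}

# The sample part of the rule from the post (the text after "rule=:").
RULE = (r'msg="%alert:char-to:\x22%" sid=%sid:number% ipscat=%proto:word% '
        r'ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% '
        r'dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word%')

# Constructed message in the shape the rule expects (not a real SonicWall log line).
SAMPLE = ('msg="Sample alert text: see ticket 42" sid=1234 ipscat=TCP ipspri=2 n=7 '
          'src=10.0.0.5:54321:X0 dst=192.0.2.10:80:X1')
```

Calling `normalize(RULE, SAMPLE)` returns the field dict, while `normalize(RULE, 'sonicwall: ' + SAMPLE)` returns None because of the program prefix.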