[Lognorm] Sonicwall Normalization tests & other....
Champ Clark III [Softwink]
champ at softwink.com
Thu Jan 13 19:34:13 CET 2011
Wow.. This is nice.. I was also able to do this (for UDP/TCP
port scans on the Sonicwall):
rule=: msg="Possible port scan detected" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% note="%ports-scanned:char-to:\x22%"
Went from about 10 (or so) liblognorm rules to 2. At the end of
the line (note=) would display multiple values (for example:
note="UDP scanned port list, 58797, 21923, 21405, 40539, 22739").
Of course, "note=" could have various values. I don't really
"need" this information (for input into the database), but it makes the
parsing much more flexible.
Oh, side note. When I reply to the list, I reply to the
sender directly. Do you want replies to go to the list?
--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
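To show what the rule above actually extracts, here is a small added example (my own Python, not liblognorm's code) that implements just the subset of v1 rule syntax the post uses: literal text, `%name:number%`, `%name:ipv4%`, `%name:word%` and `%name:char-to:\x22%`. The log line is constructed in the shape the post describes, the field matchers are approximations of liblognorm's, and the repeated `interface` name is simply overwritten by the later value in this toy.

```python
import re
# Constructed Sonicwall-style line in the shape the post describes (not a real capture).
SAMPLE = ('msg="Possible port scan detected" n=5 src=10.0.0.5:58797:X0 dst=203.0.113.9:21923:X1 '
          'note="UDP scanned port list, 58797, 21923, 21405, 40539, 22739"')
RULE = ('rule=:msg="Possible port scan detected" n=%n:number% '
        'src=%src-ip:ipv4%:%src-port:number%:%interface:word% '
        'dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% note="%ports-scanned:char-to:\\x22%"')

FIELD_RE = re.compile(r'%([^%:]+):([^%]+)%')          # %name:type% or %name:type:param%
SIMPLE = {'number': re.compile(r'\d+'), 'word': re.compile(r'\S+'),
          'ipv4': re.compile(r'(?:\d{1,3}\.){3}\d{1,3}')}

def compile_rule(rule):
    # Split 'rule=tag:pattern' into ('lit', text) and ('field', name, type, param) tokens.
    pattern = rule.partition('=')[2].partition(':')[2]  # drop 'rule=' and the (empty) tag
    tokens, pos = [], 0
    for m in FIELD_RE.finditer(pattern):
        tokens.append(('lit', pattern[pos:m.start()]))  # may be empty between adjacent fields
        ftype, _, param = m.group(2).partition(':')
        if param.startswith('\\x'):                     # hex-escaped delimiter: \x22 is "
            param = chr(int(param[2:], 16))
        tokens.append(('field', m.group(1), ftype, param))
        pos = m.end()
    tokens.append(('lit', pattern[pos:]))               # trailing literal, e.g. the closing quote
    return tokens

def match_field(ftype, param, text, pos):
    # Return (value, end) when the field type matches at pos, else None.
    if ftype == 'char-to':                              # take everything up to the delimiter
        end = text.find(param, pos)
        return (text[pos:end], end) if end > pos else None
    m = SIMPLE[ftype].match(text, pos)                  # KeyError for a type this toy lacks
    if not m or (ftype == 'ipv4' and any(int(o) > 255 for o in m.group().split('.'))):
        return None                                     # the regex alone would accept 300.1.1.1
    return (int(m.group()) if ftype == 'number' else m.group()), m.end()

def normalize(tokens, line):
    # Apply a compiled rule to one line; return the field dict, or None if it does not match.
    fields, pos = {}, 0
    for tok in tokens:
        if tok[0] == 'lit':
            if not line.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
        else:                                           # repeated name (interface): last one wins
            hit = match_field(tok[2], tok[3], line, pos)
            if hit is None:
                return None
            fields[tok[1]], pos = hit
    return fields if pos == len(line) else None
```

Running `normalize(compile_rule(RULE), SAMPLE)` yields the port list as a single `ports-scanned` string, which is why one rule covers every variant of the note text.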