<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hello Liblognorm list!<div><br></div><div>I've looked over this problem. I've posted about it, and think I have it working. Here's the post (scroll to the bottom):</div><div><br></div><div><a href="http://groups.google.com/group/sagan-users/browse_thread/thread/57f771ecbbe7984b">http://groups.google.com/group/sagan-users/browse_thread/thread/57f771ecbbe7984b</a></div><div><br></div><div>Normalization rules are at:</div><div><br></div><div><a href="https://github.com/beave/sagan-rules/blob/master/linux-kernel-normalize.rulebase">https://github.com/beave/sagan-rules/blob/master/linux-kernel-normalize.rulebase</a></div><div><br></div><div><br></div><div><br><div><div>On Oct 28, 2011, at 2:24 PM, James Lay wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hey all!<br><br>So..I've posted this on the Sagan mailing list, but I was told here might<br>be good as well since it's related to liblognorm. Here's the scoop below:<br><br>I've tried various versions of the below...I just can't seem to get a match<br>on this. I've tried making almost everything that can have a possible<br>variable reflect it, as well as moving stuff into prefix= just to see what<br>happens...it's just not matching. Anyone have any ideas? 
Thanks.<br><br>James<br><br>raw syslog entry:<br>Oct 28 11:13:48 gateway kernel: [110475.092235] New,invalid IN=ppp0<br>OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00<br>TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23 WINDOW=14600 RES=0x00<br>SYN URGP=0<br><br>normalize rule:<br>prefix=[%garbage:number%.%garbage:number%] New,invalid IN=%int:word%<br>OUT= MAC=<br>rule=: SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%len:number% TOS=<br>%tos:number% PREC=%prec:word% TTL=%ttl:number% ID=%garbage:number% DF<br>PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% WINDOW=<br>%garbage:number% RES=%res:word% SYN URGP=%ugrp:number%<br><br>normalize debug:<br>[*] Normalize output: [cee@115 originalmsg="[110475.092235\] New<br>\,invalid IN=ppp0 OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip LEN=60<br>TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23<br>WINDOW=14600 RES=0x00 SYN URGP=0 " unparsed-data="SRC=70.56.158.130<br>DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP<br>SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 "]<br><br>_______________________________________________<br>Lognorm mailing list<br><a href="mailto:Lognorm@lists.adiscon.com">Lognorm@lists.adiscon.com</a><br>http://lists.adiscon.net/mailman/listinfo/lognorm<br></div></blockquote></div><br><div apple-content-edited="true">
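<div>Added example, not code from either poster or from liblognorm: a small Python check that splits the quoted kernel netfilter line into its KEY=VALUE fields and reports each field whose value does not fit the type the posted rule asks for. It assumes a strict reading of the field types (number = decimal digits, word = a non-blank token, ipv4 = a dotted-quad address), so on the line exactly as posted it flags DST=my_ext_ip and TOS=0x10; the sample line and the type table are constructed from the quoted message.</div>

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the netfilter line from the quoted message, with the
# redacted DST kept as posted so the type mismatch is visible.
SAMPLE = ("Oct 28 11:13:48 gateway kernel: [110475.092235] New,invalid IN=ppp0 "
          "OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 "
          "TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23 WINDOW=14600 RES=0x00 "
          "SYN URGP=0")

# Expected type per field, copied from the %name:type% tokens of the posted rule.
FIELD_TYPES = {
    "SRC": "ipv4", "DST": "ipv4", "LEN": "number", "TOS": "number",
    "PREC": "word", "TTL": "number", "ID": "number", "PROTO": "word",
    "SPT": "number", "DPT": "number", "WINDOW": "number", "RES": "word",
    "URGP": "number",
}

def check_value(kind: str, value: str) -> bool:
    """Return True if value fits the named type (assumption: strict reading)."""
    if kind == "number":
        return value.isdigit()
    if kind == "word":
        return value != "" and " " not in value
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    raise ValueError(f"unknown type {kind}")

def parse_netfilter(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split the KEY=VALUE part of a kernel netfilter log line into a dict,
    plus a list of bare flags (DF, SYN). Empty values (OUT=, MAC=) are kept."""
    _, _, body = line.partition("] ")   # drop syslog header and [uptime] stamp
    fields, flags = {}, []
    for tok in body.split()[1:]:        # skip the log prefix ("New,invalid")
        key, eq, value = tok.partition("=")
        if eq:
            fields[key] = value
        else:
            flags.append(key)
    return fields, flags

def mismatches(line: str) -> List[Tuple[str, str, str]]:
    """List (field, value, expected_type) for each field the rule's type rejects."""
    fields, _ = parse_netfilter(line)
    return [(key, fields.get(key, ""), kind) for key, kind in FIELD_TYPES.items()
            if not check_value(kind, fields.get(key, ""))]

if __name__ == "__main__":
    for key, value, kind in mismatches(SAMPLE):
        print(f"{key}={value!r} is not a {kind}")
```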
<br><br>Champ Clark III<br>(office) 904.253.7856<br><div>(mobile) 850.443.2440 </div><div>(SOC) 800.538.9357 ext 101</div><div><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><a href="mailto:cclark@quadrantsec.com">cclark@quadrantsec.com</a><br>www.quadrantsec.com</span><div><div>
</div>
</div></div></div><br></div></body></html>