[Lognorm] Libnormalize issue
James Lay
jlay at slave-tothe-box.net
Wed Nov 2 16:19:42 CET 2011
Cross posted from sagan:
Well...here's the normalize rule:
rule=: Deny %iface1:word% %iface2:word% %unused1:number% %proto:word% %unused2:number% %unused3:number% %src-ip:ipv4% %dst-ip:ipv4% %src-prt:number% %dst-prt:number% offset %unused4:number% %unused5:number% %unused6:number% win %unused7:number%
and from debug:
[*] Normalize output: [cee at 115 originalmsg=" Deny 0-Integra Firebox 78
udp 20 128 ext_ip ext_ip 137 137 (Unhandled External Packet-00)"
unparsed-data=" (Unhandled External Packet-00)"]
All entries in the db show the IP of the database host (not the same
as the system running sagan) as the src/dst, and the port as 514.
It's like normalize just isn't parsing anything at all. Any hints
where I could troubleshoot this?
Thank you.
James