[Lognorm] Libnormalize issue
Rainer Gerhards
rgerhards at hq.adiscon.com
Wed Nov 2 19:01:12 CET 2011
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of James Lay
> Sent: Wednesday, November 02, 2011 4:20 PM
> To: lognorm at lists.adiscon.com
> Subject: [Lognorm] Libnormalize issue
>
> Cross posted from sagan:
>
> Well...here's the normalize rule:
> rule=: Deny %iface1:word% %iface2:word% %unused1:number% %proto:word% %unused2:number% %unused3:number% %src-ip:ipv4% %dst-ip:ipv4% %src-prt:number% %dst-prt:number% offset %unused4:number% %unused5:number% %unused6:number% win %unused7:number%
>
> and from debug:
> [*] Normalize output: [cee at 115 originalmsg=" Deny 0-Integra Firebox 78
> udp 20 128 ext_ip ext_ip 137 137 (Unhandled External Packet-00)"
> unparsed-data=" (Unhandled External Packet-00)"]
>
> All entries in the db show the IP of the database host (not the same
> as the system running sagan) as the src/dst, and the port as 514.
> It's like normalize just isn't parsing anything at all. Any hints
> where I could troubleshoot this?
The rule does not match, because "(Unhandled..." is not matching the sample.
So it did not extract any fields at all.
I'll elaborate a bit later why we need to have perfect matches. Think about
false positives...
rainer
>
> Thank you.
>
> James
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
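The behaviour Rainer points at, as an added example that is not liblognorm's own code: a small Python re-implementation of the legacy "rule=" matcher, run over James' rule and his sample line (with the redacted "ext_ip" replaced by constructed test addresses). The posted rule fails at the literal " offset " and so yields no fields and the remainder as unparsed-data; a rule that matches this message variant exactly yields all ten fields.

```python
import re

# Minimal re-implementation of liblognorm's legacy "rule=" matching, written as
# an example for this thread (not liblognorm's own code). A rule is literal text
# plus %name:type% fields; it must consume the whole message, or no fields are
# returned and the remainder from the failure point is reported as unparsed-data.
FIELD = re.compile(r"%([^:%]+):([^%]+)%")
TYPES = {
    "word":   re.compile(r"[^ ]+"),
    "number": re.compile(r"[0-9]+"),
    "ipv4":   re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"),
}

def tokenize(rule):
    """Split 'rule=tags:sample' into ('lit', text) / ('field', name, type) tokens."""
    body = rule.split("=", 1)[1].split(":", 1)[1]   # drop 'rule=' and the tag list
    tokens, pos = [], 0
    for m in FIELD.finditer(body):
        if m.start() > pos:
            tokens.append(("lit", body[pos:m.start()]))
        tokens.append(("field", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(body):
        tokens.append(("lit", body[pos:]))
    return tokens

def normalize(rule, msg):
    """Return (fields, unparsed); fields is {} unless the whole message matched."""
    fields, pos = {}, 0
    for tok in tokenize(rule):
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return {}, msg[pos:]          # literal mismatch: report the rest
            pos += len(tok[1])
        else:
            m = TYPES[tok[2]].match(msg, pos)
            if m is None:
                return {}, msg[pos:]          # field type did not match here
            fields[tok[1]] = m.group(0)
            pos = m.end()
    return (fields, "") if pos == len(msg) else ({}, msg[pos:])

HEAD = ("rule=: Deny %iface1:word% %iface2:word% %unused1:number% %proto:word% "
        "%unused2:number% %unused3:number% %src-ip:ipv4% %dst-ip:ipv4% "
        "%src-prt:number% %dst-prt:number%")
POSTED_RULE = HEAD + " offset %unused4:number% %unused5:number% %unused6:number% win %unused7:number%"
FIXED_RULE = HEAD + " (Unhandled External Packet-00)"   # matches this variant exactly
# Constructed sample: the posted line with its redacted "ext_ip" replaced by test addresses.
MSG = " Deny 0-Integra Firebox 78 udp 20 128 192.0.2.10 192.0.2.20 137 137 (Unhandled External Packet-00)"

if __name__ == "__main__":
    print(normalize(POSTED_RULE, MSG))  # ({}, ' (Unhandled External Packet-00)')
    print(normalize(FIXED_RULE, MSG))   # ten fields, unparsed ''
```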