[Lognorm] Issues with :'s in fields (?)
Rainer Gerhards
rgerhards at hq.adiscon.com
Tue Nov 8 08:40:23 CET 2011
Champ,
I'll try to have a look later today. But as a general suggestion, it may be
useful to try such things out with the "normalize" program from liblognorm.
You can feed it the rule base (or a single rule ;)) and the actual message.
If you call normalize with -vv, you'll get a verbose output that tells you
how the actual matching process takes place.
As a side-note, I hope I will have some time to look at the normalizing tools
over the next couple of weeks. Maybe not that many hours per day, but
hopefully a bit every day (or every other ;)).
rainer
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Quadrant
> Information Security]
> Sent: Monday, November 07, 2011 10:36 PM
> To: lognorm
> Subject: [Lognorm] Issues with :'s in fields (?)
>
>
> Howdy all,
>
> I'm noticing a strange issue when I'm having to deal with
> Sonicwall logs. Here's the rundown.
>
> The log lines look like this:
>
> id=firewall sn=001111111111 time="2011-11-07 21:23:04 UTC" fw=192.168.1.1 pri=3 c=4 m=14 msg="Web site access denied" n=0 src=10.110.14.117:54426:X0: dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category="Pornography"
>
> I'm trying to parse the src-ip/dst-ip & src-port/dst-port. Those are
> the most important to me. This is the rule I'm using (no prefix as of
> yet):
>
> rule=: id=%id:word% sn=%sn:word% time="%time:char-to:\x22%" fw=%fw:ipv4% pri=%pri:number% c=%c:number% m=%m:number% msg="%msg:char-to:\x22%" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%inteface:word%: dst=%dst-ip:ipv4%:%interface:word%: dstname=%website:word% arg=%arg:word% code=%code:number% Category="%cat:char-to:\x22%"
>
> When I run it, with liblognorm debugging, I get:
>
> [*] Normalize output: [cee@115 originalmsg=" id=firewall sn=001111111111 time=\"2011-11-07 21:22:24 UTC\" fw=192.168.1.1 pri=3 c=4 m=14 msg=\"Web site access denied\" n=0 src=10.110.14.117:24423:X0: dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category=\"Pornography\" " unparsed-data=" dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category=\"Pornography\" "]
>
> No matter how I move around the rule, the "dst=" always comes
> back unparsed. I'll look at it more tonight, but my thought is that
> the :'s fields might be messing things up. What do you think? Thanks.
>
> Oh - Rainer, I'll test out that new liblognorm feature ASAP.
>
> --
>
> Champ Clark III | Quadrant Information Security | 904-253-7856
> http://www.quadrantsec.com
>
>
> GPG Key ID: 0B30A6A7
> Key fingerprint = A154 17D5 F16D 8C09 69FA 618B 3877 B04C 0B30 A6A7
> If it wasn't for C, we'd be using BASI, PASAL and OBOL.
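The following is an added example, not code from this thread and not part of liblognorm. It parses the Sonicwall key=value line quoted above in Python and splits each src=/dst= value into ip, port and interface, so the three components and the literal colons between them (the part the rule has to spell out) are visible on their own. The sample line is copied from the message; the function names are made up for this example. Comparing the output against the posted rule is a quick check: the src= side of that rule has an ipv4, a number and a word field, while the dst= side has no number field, yet the dst= value `216.163.137.68:80:X1:` carries a port just like src= does.

```python
"""Parse the Sonicwall key=value line from the thread and split the
src=/dst= endpoint values into ip, port and interface.

Added example for illustration; it is not liblognorm code and not the
poster's code. The sample line is copied from the message; the function
names are made up for this example.
"""
import re
from typing import Dict, Tuple

# Sample line as posted in the thread (constructed test input).
SAMPLE = (
    'id=firewall sn=001111111111 time="2011-11-07 21:23:04 UTC" '
    'fw=192.168.1.1 pri=3 c=4 m=14 msg="Web site access denied" n=0 '
    'src=10.110.14.117:54426:X0: dst=216.163.137.68:80:X1: '
    'dstname=www.playboy.com arg=/ code=4 Category="Pornography"'
)

# key=value where the value is either a double-quoted string (which may
# contain spaces, like time= and msg=) or a run of non-space characters
# (which may contain colons, like src= and dst=).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# ip:port:iface with an optional trailing colon, which is how the sample
# writes the src= and dst= values.
_ENDPOINT_RE = re.compile(
    r'^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}):([^:\s]*):?$'
)


def parse_kv(line: str) -> Dict[str, str]:
    """Return all key=value pairs of a line; quoted values lose their quotes."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def split_endpoint(value: str) -> Tuple[str, int, str]:
    """Split '10.110.14.117:54426:X0:' into ('10.110.14.117', 54426, 'X0').

    Raises ValueError on anything that is not ip:port:iface so a malformed
    src=/dst= value is reported instead of silently half-parsed.
    """
    m = _ENDPOINT_RE.match(value)
    if m is None:
        raise ValueError(f"not an ip:port:iface value: {value!r}")
    ip, port, iface = m.groups()
    if any(int(octet) > 255 for octet in ip.split(".")):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    port_num = int(port)
    if not 0 <= port_num <= 65535:
        raise ValueError(f"bad port: {port!r}")
    return ip, port_num, iface


def parse_sonicwall(line: str) -> Dict[str, object]:
    """Parse one line and expose the four fields the poster is after
    (src-ip, src-port, dst-ip, dst-port) plus both interfaces,
    alongside the raw key=value pairs."""
    fields = parse_kv(line)
    out: Dict[str, object] = dict(fields)
    for side in ("src", "dst"):
        if side not in fields:
            raise ValueError(f"missing {side}= in line")
        ip, port, iface = split_endpoint(fields[side])
        out[f"{side}_ip"] = ip
        out[f"{side}_port"] = port
        out[f"{side}_if"] = iface
    return out


if __name__ == "__main__":
    parsed = parse_sonicwall(SAMPLE)
    for name in ("src_ip", "src_port", "src_if", "dst_ip", "dst_port", "dst_if"):
        print(f"{name}={parsed[name]}")
```

Run it directly to print the six endpoint fields for the sample line, or feed other lines to `parse_sonicwall()`; a value that is not `ip:port:iface` raises instead of being swallowed, which is the behaviour you want before trusting the same split in a rulebase.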