[Lognorm] Issues with :'s in fields (?)

Champ Clark III [Quadrant] cclark at quadrantsec.com
Tue Nov 8 16:13:10 CET 2011


Ryan,

Just for fun, I added in the IDS sensors as well as Sagan into the Quadrant / Sagan interface. This will give you access to what our IDS sensor is seeing, and what your Sonicwall firewalls are seeing.


On Nov 8, 2011, at 2:40 AM, Rainer Gerhards wrote: 

> Champ,
> 
> I'll try to have a look later today. But as a general suggestion, it may be
> useful to try such things out with the "normalize" program from liblognorm.
> You can feed it the rule base (or a single rule ;)) and the actual message.
> If you call normalize with -vv, you'll get a verbose output that tells you
> how the actual matching process takes place.
> 
> As a side-note, I hope I will have some time to look at the normalizing tools
> over the next couple of weeks. Maybe not that many hours per day, but
> hopefully a bit every day (or every other ;)).
> 
> rainer
> 
>> -----Original Message-----
>> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
>> bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Quadrant
>> Information Security]
>> Sent: Monday, November 07, 2011 10:36 PM
>> To: lognorm
>> Subject: [Lognorm] Issues with :'s in fields (?)
>> 
>> 
>> 	Howdy all,
>> 
>> 	I'm noticing a strange issue when I'm having to deal with
>> Sonicwall logs.  Here's the run down.
>> 
>> The log lines look like this:
>> 
>> id=firewall sn=001111111111 time="2011-11-07 21:23:04 UTC" fw=192.168.1.1 pri=3 c=4 m=14 msg="Web site access denied" n=0 src=10.110.14.117:54426:X0: dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category="Pornography"
>> 
>> 	I'm trying to parse the src-ip/dst-ip & src-port/dst-port. Those are the most important to me. This is the rule I'm using (no prefix as of yet):
>> 
>> rule=: id=%id:word% sn=%sn:word% time="%time:char-to:\x22%" fw=%fw:ipv4% pri=%pri:number% c=%c:number% m=%m:number% msg="%msg:char-to:\x22%" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%inteface:word%: dst=%dst-ip:ipv4%:%interface:word%: dstname=%website:word% arg=%arg:word% code=%code:number% Category="%cat:char-to:\x22%"
>> 
>> 	When I run it,  with liblognorm debugging,  I get:
>> 
>> [*] Normalize output: [cee at 115 originalmsg=" id=firewall sn=001111111111 time=\"2011-11-07 21:22:24 UTC\" fw=192.168.1.1 pri=3 c=4 m=14 msg=\"Web site access denied\" n=0 src=10.110.14.117:24423:X0: dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category=\"Pornography\" " unparsed-data=" dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category=\"Pornography\" "]
>> 
>> 	No matter how I move around the rule,  the "dst=" always comes
>> back unparsed.  I'll look at it more tonight,  but my thought is that
>> the :'s fields might be messing things up.  What do you think?  Thanks.
>> 
>> 	Oh - Rainer,  I'll test out that new liblognorm feature ASAP.
>> 
>> --
>> 
>>   Champ Clark III | Quadrant Information Security | 904-253-7856
>>                      http://www.quadrantsec.com
>> 
>> 
>> GPG Key ID: 0B30A6A7
>> Key fingerprint = A154 17D5 F16D 8C09 69FA  618B 3877 B04C 0B30 A6A7
>> If it wasn't for C, we'd be using BASI, PASAL and OBOL.
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm



Champ Clark III
(office) 904.253.7856
(mobile) 850.443.2440 
(SOC) 800.538.9357 ext 101
cclark at quadrantsec.com
www.quadrantsec.com
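
The matching behaviour the quoted post describes, as an added illustration that is not part of this thread and not liblognorm's own code: a toy re-implementation of the four field parsers the rule uses, following their documented semantics, run over the posted log line with the rule as posted and with a hypothetical revision. Under those semantics `word` runs to the next space, so it swallows the trailing ':' of "X0:" and the literal ':' that follows in the rule then meets a space, which is exactly where the posted unparsed-data begins; the field names src-if, dst-if and dst-port and the revised rule are assumptions of this example.

```python
import re

# Toy emulation of the liblognorm 0.x field parsers the rule uses, per their documented
# semantics (not liblognorm's own code): word = up to the next space (':' does NOT stop
# it), number = digits, ipv4 = dotted quad, char-to:\xHH = up to, excluding, char HH.
SIMPLE = {'word': r'[^ ]+', 'number': r'[0-9]+', 'ipv4': r'(?:[0-9]{1,3}\.){3}[0-9]{1,3}'}
FIELD_RE = re.compile(r'%([^:%]+):([^%]+)%')  # %name:parser% inside a rule

def _parse_field(ftype, data):
    """Text the parser consumes from the start of data, or None on mismatch."""
    if ftype.startswith(r'char-to:\x'):  # stop char given as \xHH, e.g. \x22 is '"'
        pat = '[^%s]+' % re.escape(chr(int(ftype[len(r'char-to:\x'):], 16)))
    else:
        pat = SIMPLE[ftype]  # KeyError for parsers this toy does not emulate
    m = re.match(pat, data)
    return m.group(0) if m else None

def normalize(rule, msg):
    """Walk rule over msg; return (fields, text left over at the first mismatch)."""
    parts = FIELD_RE.split(rule)  # [literal, name, parser, literal, ..., literal]
    fields, pos = {}, 0
    for i in range(0, len(parts), 3):
        if not msg.startswith(parts[i], pos):  # literal text did not match here
            return fields, msg[pos:]
        pos += len(parts[i])
        if i + 2 < len(parts):
            val = _parse_field(parts[i + 2], msg[pos:])
            if val is None:
                return fields, msg[pos:]
            fields[parts[i + 1]] = val
            pos += len(val)
    return fields, msg[pos:]

# The log line from the post (constructed sample values), the rule as posted, and a
# hypothetical revision that stops the interface fields at ':' and gives dst a port.
SONICWALL_LOG = ('id=firewall sn=001111111111 time="2011-11-07 21:23:04 UTC" fw=192.168.1.1 '
                 'pri=3 c=4 m=14 msg="Web site access denied" n=0 src=10.110.14.117:54426:X0: '
                 'dst=216.163.137.68:80:X1: dstname=www.playboy.com arg=/ code=4 Category="Pornography"')
HEAD = (r'id=%id:word% sn=%sn:word% time="%time:char-to:\x22%" fw=%fw:ipv4% pri=%pri:number% '
        r'c=%c:number% m=%m:number% msg="%msg:char-to:\x22%" n=%n:number% ')
TAIL = r' dstname=%website:word% arg=%arg:word% code=%code:number% Category="%cat:char-to:\x22%"'
RULE_AS_POSTED = HEAD + r'src=%src-ip:ipv4%:%src-port:number%:%inteface:word%: dst=%dst-ip:ipv4%:%interface:word%:' + TAIL
RULE_REVISED = HEAD + (r'src=%src-ip:ipv4%:%src-port:number%:%src-if:char-to:\x3a%: '
                       r'dst=%dst-ip:ipv4%:%dst-port:number%:%dst-if:char-to:\x3a%:') + TAIL

if __name__ == '__main__':
    for name, rule in (('as posted', RULE_AS_POSTED), ('revised', RULE_REVISED)):
        print(name, normalize(rule, SONICWALL_LOG))
```

Run against the real thing with `normalize -vv` as suggested above to confirm the stop position; the emulation only reproduces the documented parser semantics, not liblognorm's rule tree.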
