[Lognorm] Issues with :'s in fields (?)

cclark cclark at quadrantsec.com
Tue Nov 8 16:34:02 CET 2011


Sorry that wasn't meant for the list.


On Tue, 8 Nov 2011 10:13:10 -0500, Champ Clark III [Quadrant] wrote:
> Ryan,
> Just for fun, I added in the IDS sensors as well as Sagan into the
> Quadrant / Sagan interface. This will give you access to what
> our IDS sensor is seeing, and what your Sonicwall firewalls are
> seeing.
>
> On Nov 8, 2011, at 2:40 AM, Rainer Gerhards wrote:
>
>> Champ,
>>
>> I'll try to have a look later today. But as a general suggestion, it may be
>> useful to try such things out with the "normalize" program from liblognorm.
>> You can feed it the rule base (or a single rule ;)) and the actual message.
>> If you call normalize with -vv, you'll get a verbose output that tells you
>> how the actual matching process takes place.
>>
>> As a side-note, I hope I will have some time to look at the normalizing tools
>> over the next couple of weeks. Maybe not that many hours per day, but
>> hopefully a bit every day (or every other ;)).
>>
>> rainer
>>
>>> -----Original Message-----
>>> From: lognorm-bounces at lists.adiscon.com [1] [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Quadrant Information Security]
>>> Sent: Monday, N[...]
>>> To: lognorm[...]
>>> Subject: [Lognorm] Issues with :'s in fields (?)
>>>
>>> Howdy all,
>>>
>>> [...] iss[...] having to deal with Sonicwall logs. Here's the run down.
>>> [...] look like this:
>>>
>>> id=firewall sn=001111111111 time="2011-11-07 21:23:04 UTC" fw=192.1[...]
>>> [...] msg="Web site access denied" n=0 src=10.110.14.117:54426:X0: dst=216.163.137.68:80:X1:
>>> dstname=www.playboy.com arg=/ code=[...]
>>> [...]hy"
>>>
>>> I'm tryi[...]st-ip & src-port/dst-port. Those are the most important to me. This is the rule I'm using [...] of yet
>>>
>>> [...]%id:word% sn=%s[...]
>>> [...]-to:x22%" fw=%fw:ipv4%
>>> [...]er% c=%c:number% m=%m:number% msg="%msg:char-to:x22%" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%inteface:word%:
>>> dst=%dst-ip:ipv4%:%interface:word%:
>>> dstname=%website:word% a[...]
>>> code=%code:number%
>>> [...]ry="%cat:char-to:x22%"
>>>
>>> When I run [...]rm debugg[...] get:
>>>
>>> [*] Normal[...]
>>> [...]gina[...]ewall sn=001111111111 time="2011-11-07 21:22:24 UTC" fw=192.168.1.1
>>> [...] msg="Web site access denied" n=0 src=10.110.14.117:24423:X0:
>>> [...]:X1: dstname=www.playboy.com arg=/ code=4 Category[...]
>>> [...]d-data=" dst=216.163.137.68:80:X1: [...]=www.playboy.com arg=/ code=4
>>> [...]"]
>>>
>>> [...]'ll [...]re tonight, but the :'s fields might be messing things up. What do you think? Thanks.
>>> [...]l test out that new liblognorm feature ASAP.
>>>
>>> --
>>> Champ Clark III
>>> [...]ecurity | 904-253-7856
>>> ht[...]rantsec.com
>>> GPG Key ID: 0B[...]
>>> Key fingerprint = A154 17D5 F16D 8C09 69FA [...]A7
>>> If it wasn't for C, we'[...]SI, PASAL and OBOL.
>>> _______[...]____
>>> Lognorm mailing list
>
> Champ Clark III
> (office) 904.253.7856
>
> (mobile) 850.443.2440
> (SOC) 800.538.9357 ext 101
> cclark at quadrantsec.com [2]
> www.quadrantsec.com
>
>
>
> Links:
> ------
> [1] mailto:lognorm-bounces at lists.adiscon.com
> [2] mailto:cclark at quadrantsec.com
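The Sonicwall line and the rule quoted in the thread pack address, port and interface into one colon-delimited value that also ends in a colon (`src=10.110.14.117:54426:X0:`), which is the part the rule has to get right. Below is an added example, plain Python rather than liblognorm or anything from the thread's author, that parses that format into the same field names the rule uses (src-ip, src-port, dst-ip, dst-port, website, code, cat; the -iface names are mine) and deals with the trailing colon explicitly. The sample line is constructed from the fragments quoted above; the pri/c/m values and the Category string are assumed. One caveat worth checking with `normalize -vv` as Rainer suggests: per liblognorm's field-type documentation the `word` type runs up to the next space, so `%inteface:word%:` would swallow `X0:` colon included and leave nothing for the literal `:` after it; a remainder starting at ` dst=` (what the `[...]d-data=" dst=...` fragment in the quoted debug output looks like) is consistent with matching stopping there.

```python
"""Parse SonicWall-style key=value syslog lines whose src/dst values pack
ip:port:interface: into one colon-delimited field.

Plain Python standing in for the liblognorm rule discussed in the thread;
it does not call liblognorm.  Field names mirror the rule (src-ip, src-port,
dst-ip, dst-port, website, code, cat); the -iface names are my own.
"""
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed sample line, assembled from the fragments quoted in the thread.
# pri/c/m values and the Category string are assumed, not taken from the page.
SAMPLE = (
    'id=firewall sn=001111111111 time="2011-11-07 21:23:04 UTC" fw=192.168.1.1 '
    'pri=5 c=1024 m=16 msg="Web site access denied" n=0 '
    'src=10.110.14.117:54426:X0: dst=216.163.137.68:80:X1: '
    'dstname=www.playboy.com arg=/ code=4 Category="Blocked Site"'
)

# One key=value pair: the value is either a double-quoted string (may contain
# blanks and colons) or a run of non-blank characters (where the colon-packed
# src/dst endpoints live).  The scan consumes each value whole, so an '=' or
# ':' inside a value can never start a new pair.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_kv(line: str) -> Dict[str, str]:
    """Return the raw key=value pairs of one line, quotes stripped."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def split_endpoint(value: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Split 'ip:port:iface:' into (ip, port, iface).

    SonicWall terminates the value with a colon, so a naive split() yields an
    empty last element; the trailing colon is stripped first rather than
    being treated as an empty field.  Port and interface are optional.
    Raises ValueError for a non-IPv4 address or an out-of-range port.
    """
    parts = value.rstrip(":").split(":")
    ip = str(ipaddress.IPv4Address(parts[0]))  # ValueError if not IPv4
    port = int(parts[1]) if len(parts) > 1 and parts[1] else None
    if port is not None and not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    iface = parts[2] if len(parts) > 2 and parts[2] else None
    return ip, port, iface


def normalize(line: str) -> Dict[str, object]:
    """Flatten one line into the field names the thread's rule uses."""
    raw = parse_kv(line)
    out: Dict[str, object] = {
        "id": raw.get("id"),
        "sn": raw.get("sn"),
        "time": raw.get("time"),
        "fw": raw.get("fw"),
        "msg": raw.get("msg"),
        "website": raw.get("dstname"),
        "code": int(raw["code"]) if raw.get("code", "").isdigit() else None,
        "cat": raw.get("Category"),
    }
    for side in ("src", "dst"):
        if side in raw:
            ip, port, iface = split_endpoint(raw[side])
            out[f"{side}-ip"] = ip
            out[f"{side}-port"] = port
            out[f"{side}-iface"] = iface
    return out


if __name__ == "__main__":
    for key, val in normalize(SAMPLE).items():
        print(f"{key}={val!r}")
```

Running the file prints one `name=value` line per extracted field. The two-stage design (key=value tokenizing first, endpoint splitting second) is deliberate: the colon is only meaningful once the value boundary is known, and a value that fails IPv4 or port validation raises instead of being silently stored, which is what you want when the fields feed correlation rules downstream.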


