[Lognorm] Simple tests seem not to work
Lay, James
james.lay at wincofoods.com
Tue Nov 22 16:31:50 CET 2011
Hey all!
So...been battling trying to get some asa stuff to fly. As I'm testing
things, I think I need some help in understanding more on how liblognorm
works. Here's the rules below:
Normalize-rulebase:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASA] TCP EXTERNAL
BLOCK"; program: TEST; content: TCP; normalize: asa; classtype:
bad-unknown; sid: 6000006; rev:1;)
Rule:
prefix=
rule=: TCP
There is a space at the end of the TCP. That being shown, here's what
happens when I test this:
echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST| TCP "
> sagan.fifo
[*] Normalize output: [cee at 115 originalmsg=" TCP " unparsed-data=""]
I've tried:
echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST| TCP" >
sagan.fifo
echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST|TCP" >
sagan.fifo
echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST|TCP " >
sagan.fifo
None of which work.
[*] Normalize output: [cee at 115 originalmsg=" TCP" unparsed-data=""]
[*] Normalize output: [cee at 115 originalmsg="TCP" unparsed-data="TCP"]
[*] Normalize output: [cee at 115 originalmsg="TCP " unparsed-data="TCP "]
My question is, why not, and where is the issue? Why would a simple
word like this not match? Even changing "TCP" in the rulebase to
%-:word% gives me the same output. What could I be missing here? Thank
you.
James
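As an added shell check (not part of the post or of liblognorm itself), the following rebuilds the four echo lines from the post as constructed strings and compares the text after the last '|' (the part the post's originalmsg values show) byte-for-byte with the rule sample, dumping the bytes so a stray trailing space, tab or carriage return is visible. It assumes the rule sample is the literal ' TCP ' and only checks the message side, not liblognorm's own parser.

```shell
#!/bin/sh
# Constructed copies of the post's test lines, checked against the rule
# sample "rule=: TCP " (trailing space included).

RULE_SAMPLE=' TCP '   # literal after "rule=:" in the rulebase; note the trailing space

# msg_part LINE: the message part after the last '|' of a Sagan fifo line
msg_part() {
    printf '%s' "${1##*|}"
}

# matches_rule LINE: succeed only if the message part equals the sample exactly
matches_rule() {
    [ "${1##*|}" = "$RULE_SAMPLE" ]
}

# show_bytes TEXT: print every byte so whitespace differences become visible
show_bytes() {
    printf '%s' "$1" | od -An -c
}

HDR='1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST|'

echo "rule sample bytes:"
show_bytes "$RULE_SAMPLE"

# The four variants tried in the post: " TCP ", " TCP", "TCP", "TCP "
for tail in ' TCP ' ' TCP' 'TCP' 'TCP '; do
    line="$HDR$tail"
    if matches_rule "$line"; then verdict=match; else verdict=no-match; fi
    printf '%-9s originalmsg="%s" bytes:' "$verdict" "$(msg_part "$line")"
    show_bytes "$(msg_part "$line")"
done
```

If the message side is byte-identical to the sample and the rule still does not fire, the difference has to be on the rulebase side, so dump the rulebase line with the same od -c check.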