[Lognorm] Matching problem
Champ Clark III [Quadrant]
cclark at quadrantsec.com
Mon Oct 31 00:36:47 CET 2011
Hello Liblognorm list!
I've looked over this problem. I've posted about it, and think I have it working. Here's the post (scroll to the bottom):
http://groups.google.com/group/sagan-users/browse_thread/thread/57f771ecbbe7984b
Normalization rules are at:
https://github.com/beave/sagan-rules/blob/master/linux-kernel-normalize.rulebase
On Oct 28, 2011, at 2:24 PM, James Lay wrote:
> Hey all!
>
> So..I've posted this on the Sagan mailing list, but I was told here might
> be good as well since it's related to liblognorm. Here's the scoop below:
>
> I've tried various versions of the below...I just can't seem to get a match
> on this. I've tried making almost everything that can have a possible
> variable reflect it, as well as moving stuff into prefix= just to see what
> happens...it's just not matching. Anyone have any ideas? Thanks.
>
> James
>
> raw syslog entry:
> Oct 28 11:13:48 gateway kernel: [110475.092235] New,invalid IN=ppp0 OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
>
> normalize rule:
> prefix=[%garbage:number%.%garbage:number%] New,invalid IN=%int:word% OUT= MAC=
> rule=: SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%len:number% TOS=%tos:number% PREC=%prec:word% TTL=%ttl:number% ID=%garbage:number% DF PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% WINDOW=%garbage:number% RES=%res:word% SYN URGP=%ugrp:number%
>
> normalize debug:
> [*] Normalize output: [cee at 115 originalmsg="[110475.092235\] New\,invalid IN=ppp0 OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 " unparsed-data="SRC=70.56.158.130 DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 "]
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
Champ Clark III
(office) 904.253.7856
(mobile) 850.443.2440
(SOC) 800.538.9357 ext 101
cclark at quadrantsec.com
www.quadrantsec.com
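As an added illustration (my own code, not liblognorm's or Sagan's), a small Python matcher that applies the posted prefix and rule to a constructed copy of the log line and reports where matching stalls, then re-runs it with the TOS field declared as word to show the contrast. It assumes number accepts decimal digits only, as liblognorm's number parser does, and word runs to the next space; the redacted my_ext_ip is replaced with the documentation address 192.0.2.1.

```python
import re

# Regex equivalents of the liblognorm field types used in the posted rule.
# Assumption: 'number' is decimal digits only (liblognorm's number parser stops
# at the first non-digit), 'word' runs to the next space, 'ipv4' is a dotted quad.
FIELD_RE = {"number": r"\d+", "word": r"\S+", "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}"}
FIELD_TOKEN = re.compile(r"%([A-Za-z0-9_-]+):([a-z0-9]+)%")

PREFIX = "[%garbage:number%.%garbage:number%] New,invalid IN=%int:word% OUT= MAC="
RULE = (" SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%len:number% TOS=%tos:number%"
        " PREC=%prec:word% TTL=%ttl:number% ID=%garbage:number% DF PROTO=%proto:word%"
        " SPT=%src-port:number% DPT=%dst-port:number% WINDOW=%garbage:number%"
        " RES=%res:word% SYN URGP=%ugrp:number%")
# Constructed copy of the posted line: the redacted DST is replaced with a
# documentation-range address so that only the rule itself is under test.
MSG = ("[110475.092235] New,invalid IN=ppp0 OUT= MAC= SRC=70.56.158.130 DST=192.0.2.1"
       " LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23"
       " WINDOW=14600 RES=0x00 SYN URGP=0")


def compile_sample(sample):
    """Split prefix+rule text into alternating regex pieces: an escaped literal,
    then one named capture group per %name:type% field, ending with a literal."""
    pieces, names, pos = [], [], 0
    for i, m in enumerate(FIELD_TOKEN.finditer(sample)):
        pieces.append(re.escape(sample[pos:m.start()]))
        pieces.append("(?P<f%d>%s)" % (i, FIELD_RE[m.group(2)]))
        names.append(m.group(1))
        pos = m.end()
    pieces.append(re.escape(sample[pos:]))
    return pieces, names


def normalize(prefix, rule, msg):
    """Return (fields, unparsed). On a full match unparsed is "". Otherwise fields
    is None and unparsed is the tail after the last literal that still matched,
    which points at the field the rule could not consume."""
    pieces, names = compile_sample(prefix + rule)
    full = re.fullmatch("".join(pieces), msg)
    if full:
        fields = {n: full.group("f%d" % i) for i, n in enumerate(names) if n != "garbage"}
        return fields, ""
    for k in range(len(pieces), 0, -2):  # odd k: the partial sample ends on a literal
        m = re.match("".join(pieces[:k]), msg)
        if m:
            return None, msg[m.end():]
    return None, msg


if __name__ == "__main__":
    print(normalize(PREFIX, RULE, MSG))
    print(normalize(PREFIX, RULE.replace("%tos:number%", "%tos:word%"), MSG))
```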