[Lognorm] Matching problem

Rainer Gerhards rgerhards at hq.adiscon.com
Mon Oct 31 10:34:01 CET 2011


I'll go through it in more detail soon. Just let me add the comment that
these things already come with name-value pairs. I wonder if it would make
sense to have special rules that just say (in a sense): "grab these already
existing N/V pairs and be done with them". That of course has the subtle
problem that there is little text left to prevent false positives.

rainer
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Quadrant]
> Sent: Monday, October 31, 2011 12:37 AM
> To: lognorm
> Subject: Re: [Lognorm] Matching problem
> 
> Hello Liblognorm list!
> 
> I've looked over this problem.  I've posted about it, and think I have
> it working.  Here's the post (scroll to the bottom)
> 
> http://groups.google.com/group/sagan-users/browse_thread/thread/57f771ecbbe7984b
> 
> Normalization rules are at:
> 
> https://github.com/beave/sagan-rules/blob/master/linux-kernel-normalize.rulebase
> 
> 
> 
> On Oct 28, 2011, at 2:24 PM, James Lay wrote:
> 
> 
> 	Hey all!
> 
> 	So..I've posted this on the Sagan mailing list, but I was told here might be good as well since it's related to liblognorm.  Here's the scoop below:
> 
> 	I've tried various versions of the below...I just can't seem to get a match on this.  I've tried making almost everything that can have a possible variable reflect it, as well as moving stuff into prefix= just to see what happens...it's just not matching.  Anyone have any ideas?  Thanks.
> 
> 	James
> 
> 	raw syslog entry:
> 	Oct 28 11:13:48 gateway kernel: [110475.092235] New,invalid IN=ppp0 OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
> 
> 	normalize rule:
> 	prefix=[%garbage:number%.%garbage:number%] New,invalid IN=%int:word% OUT= MAC=
> 	rule=: SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%len:number% TOS=%tos:number% PREC=%prec:word% TTL=%ttl:number% ID=%garbage:number% DF PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% WINDOW=%garbage:number% RES=%res:word% SYN URGP=%ugrp:number%
> 
> 	normalize debug:
> 	[*] Normalize output: [cee at 115 originalmsg="[110475.092235\] New\,invalid IN=ppp0 OUT= MAC= SRC=70.56.158.130 DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 " unparsed-data="SRC=70.56.158.130 DST=my_ext_ip LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 "]
> 
> 	_______________________________________________
> 	Lognorm mailing list
> 	Lognorm at lists.adiscon.com
> 	http://lists.adiscon.net/mailman/listinfo/lognorm
> 
> 
> 
> 
> 
> Champ Clark III
> (office) 904.253.7856
> 
> (mobile) 850.443.2440
> (SOC) 800.538.9357 ext 101
> cclark at quadrantsec.com
> www.quadrantsec.com
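Added example for this thread (not liblognorm's own parser, not the Sagan rulebase Champ links, and not written by anyone on the list): a toy matcher for the three field types James's rule uses, plus the "just grab the existing N/V pairs" approach Rainer floats. The field semantics are an assumption modelled on liblognorm's basic types (`number` = decimal digits only, `word` = up to the next space, `ipv4` = dotted quad) and should be checked against the liblognorm version in use; the sample log line is constructed from the posted netfilter message with RFC 5737 documentation addresses in place of the real SRC and the redacted DST. Under those assumed semantics the posted rule stops matching at `TOS=0x10`, since `0x10` is not a decimal number, and the same rule with `%tos:word%` matches the whole line. The thread does not say where the real match failed, so this is a way of localising the failure, not a statement of what liblognorm did. The N/V grab shows what Rainer's caveat means in practice: after every `KEY=VALUE` token is consumed, only four literal tokens remain to tell this message type apart from any other `KEY=VALUE` style message.

```python
"""Toy liblognorm-style rule matcher and bare KEY=VALUE grab (example code,
not liblognorm's parser; field semantics are assumptions, see comments)."""
import re

FIELD_RE = re.compile(r"%([^:%]+):([^%]+)%")   # %name:type% inside a rule sample

# Assumed parser semantics (check against the liblognorm version you run):
#   number -> one or more decimal digits, so "0x10" is consumed only up to "0"
#   word   -> one or more non-space characters
#   ipv4   -> dotted quad, every octet 0..255
def _parse_number(s, i):
    j = i
    while j < len(s) and s[j].isdigit():
        j += 1
    return j if j > i else -1

def _parse_word(s, i):
    j = i
    while j < len(s) and s[j] != " ":
        j += 1
    return j if j > i else -1

def _parse_ipv4(s, i):
    m = re.match(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", s[i:])
    if not m or any(int(o) > 255 for o in m.groups()):
        return -1
    return i + m.end()

PARSERS = {"number": _parse_number, "word": _parse_word, "ipv4": _parse_ipv4}

def compile_rule(sample):
    """Split a rule sample into ('lit', text) and ('field', name, type) tokens."""
    tokens, pos = [], 0
    for m in FIELD_RE.finditer(sample):
        if m.start() > pos:
            tokens.append(("lit", sample[pos:m.start()]))
        tokens.append(("field", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(sample):
        tokens.append(("lit", sample[pos:]))
    return tokens

def match(tokens, msg):
    """Walk the tokens over msg.  Returns (fields, unparsed): unparsed is None on
    a full match, otherwise the tail of msg from the token that stopped matching
    (this toy's way of showing where a rule dies; not liblognorm's debug format)."""
    fields, i = {}, 0
    for tok in tokens:
        if tok[0] == "lit":
            if not msg.startswith(tok[1], i):
                return fields, msg[i:]
            i += len(tok[1])
        else:
            _, name, ftype = tok
            j = PARSERS[ftype](msg, i)
            if j < 0:
                return fields, msg[i:]
            fields[name] = msg[i:j]
            i = j
    return fields, (None if i == len(msg) else msg[i:])

NV_RE = re.compile(r"(?<![^ ])([A-Za-z][A-Za-z0-9_-]*)=(\S*)")

def grab_nv_pairs(msg):
    """Rainer's idea: take every KEY=VALUE token with no rule at all.  Returns
    (pairs, leftover); leftover is every token NOT covered by a pair, i.e. the
    only text left to tell this message type apart from any other KEY=VALUE
    style message (the false-positive concern)."""
    pairs = dict(NV_RE.findall(msg))
    leftover = NV_RE.sub("", msg).split()
    return pairs, leftover

# Constructed sample: the posted netfilter line as liblognorm sees it (MSG part
# only), with RFC 5737 documentation addresses instead of the real/redacted ones.
LOG = ("[110475.092235] New,invalid IN=ppp0 OUT= MAC= SRC=198.51.100.23 "
       "DST=203.0.113.7 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=55693 DF PROTO=TCP "
       "SPT=59786 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0")

# The posted prefix= and rule= samples; the prefix is prepended to the rule.
PREFIX = "[%garbage:number%.%garbage:number%] New,invalid IN=%int:word% OUT= MAC="
POSTED = (" SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%len:number% TOS=%tos:number%"
          " PREC=%prec:word% TTL=%ttl:number% ID=%garbage:number% DF"
          " PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number%"
          " WINDOW=%garbage:number% RES=%res:word% SYN URGP=%ugrp:number%")
# Same rule with TOS taken as a word, because "0x10" is not a decimal number.
FIXED = POSTED.replace("%tos:number%", "%tos:word%")

if __name__ == "__main__":
    for label, rule in (("posted", POSTED), ("fixed", FIXED)):
        fields, rest = match(compile_rule(PREFIX + rule), LOG)
        status = "FULL MATCH" if rest is None else f"stopped at {rest!r}"
        print(f"{label}: {status}\n  fields: {fields}")
    pairs, leftover = grab_nv_pairs(LOG)
    print("N/V grab:", pairs)
    print("literal text left to discriminate on:", leftover)
```

Running it prints the point where the posted rule stops (`x10 PREC=...`), the full field set for the fixed rule, and for the N/V grab the sixteen pairs next to the four leftover tokens (`[110475.092235]`, `New,invalid`, `DF`, `SYN`); when writing a rule, the leftover list is a quick way to see how much literal anchoring text a message really offers.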