[Lognorm] Special characters revisited
Rainer Gerhards
rgerhards at hq.adiscon.com
Wed Jul 4 18:29:13 CEST 2012
> > So...here's where I'm at. Here's my rulebase:
> >
> > prefix=
> > rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number%
> > to %-:word%:%dst-ip:ipv4%/%dst-port:number%
> >
> >
> > Sample firewall hit (quotes added for clarity):
> >
> > " TCP request discarded from 96.18.101.250/1077 to Interface:my_ip/443"
> >
> > and my result:
> >
> > [cee at 115 originalmsg=" TCP request discarded from 96.18.101.250/1077 to
> > Interface:my_ip/443" unparsed-data=""]
> >
> > I've tried the below (thinking the : would be included in word)
> > rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number%
> > to %-:word%%dst-ip:ipv4%/%dst-port:number%
> >
> > And I get the same result.
> >
> > I've also tried:
> > rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number%
> > to Interface:%dst-ip:ipv4%/%dst-port:number%
> >
> > And this works, so I'm pretty sure it's the : that is my issue. A full
> > -vv below. Any thoughts on how to get this to go? Thanks all:
>
> The core problem is that the "word" syntax takes everything up to the next SPACE
> as a word. So this is all part of the word: "Interface:my_ip/443" and this is also
> the reason why there is no data left for the other fields to parse. The "char-to"
> syntax was created to process characters up to a specific char. I am right now
> looking at the correct template, but thought I'd let you know the interim
> outcome.
This works for me:
prefix=
#rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number% to %-:char-to::%:%dst-ip:ipv4%/%dst-port:number%
rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number% to %-:char-to::%:%dst-ip:char-to:/%/%dst-port:number%
Note that the second line is commented out. It does not work because "my_ip" is not an IPv4 address. If you just anonymized the entry, that line should work. The third line accepts a string up to the slash character (and is also a nice example of different char-to syntaxes).
Note that the colon in char-to is kind of a hack -- it usually should be escaped, but I overlooked that case when implementing char-to. Please watch further release announcements closely, I may change that to the proper escaped form (without escape, it can be confusing to both humans and parsers...).
Sorry it took so long, I have to admit I lost track of the issue. I hope the answer is still useful for you.
Rainer
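To make the difference between "word" and "char-to" concrete, here is a small Python emulation of the relevant part of the rule matching (added here as an illustration; it is not liblognorm's code and handles only the four field types that appear in this thread: word, number, ipv4 and char-to). It runs the three rule lines from the message above against the original firewall line, and additionally against a constructed variant of that line in which the anonymized "my_ip" is replaced by a real IPv4 address, to show that the commented-out ipv4 rule does work once the address is real. The "-" field name discards the value, as in the rules above; the stop-character handling of char-to and the "must cover the whole message" check are simplifications of liblognorm's behaviour.

```python
import re

# Field syntax handled by this emulation (a subset of liblognorm's rulebase
# syntax): %name:word%, %name:number%, %name:ipv4% and %name:char-to:X%,
# where X is the single character the char-to field stops in front of.
FIELD_RE = re.compile(r'%([^:%]+):(?:(word|number|ipv4)|char-to:(.))%')
NUMBER_RE = re.compile(r'\d+')
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def rule_text(line):
    """Strip the 'rule=<tags>:' prefix of a rulebase line and return the
    sample text after the first colon, including any leading space."""
    assert line.startswith('rule=')
    return line[line.index(':', len('rule=')) + 1:]


def parse_rule(text):
    """Split rule text into ('lit', string) and ('field', name, type, stop) parts."""
    parts, pos = [], 0
    for m in FIELD_RE.finditer(text):
        if m.start() > pos:
            parts.append(('lit', text[pos:m.start()]))
        name, simple, stop = m.groups()
        parts.append(('field', name, simple or 'char-to', stop))
        pos = m.end()
    if pos < len(text):
        parts.append(('lit', text[pos:]))
    return parts


def normalize(rule_line, msg):
    """Return a dict of extracted fields, or None when the rule does not
    consume the whole message (liblognorm would then report unparsed data)."""
    fields, i = {}, 0
    for part in parse_rule(rule_text(rule_line)):
        if part[0] == 'lit':
            if not msg.startswith(part[1], i):
                return None
            i += len(part[1])
            continue
        _, name, ftype, stop = part
        if ftype == 'word':
            # "word" runs up to the next space, so a token such as
            # "Interface:my_ip/443" is consumed whole, colon and slash included.
            j = msg.find(' ', i)
            j = len(msg) if j == -1 else j
        elif ftype == 'number':
            m = NUMBER_RE.match(msg, i)
            j = m.end() if m else i
        elif ftype == 'ipv4':
            # Dotted quad with every octet in 0..255; "my_ip" does not qualify.
            m = IPV4_RE.match(msg, i)
            ok = m and all(int(o) <= 255 for o in m.group().split('.'))
            j = m.end() if ok else i
        else:
            # char-to: everything up to, but not including, the stop character.
            j = msg.find(stop, i)
        if j <= i:
            return None  # the field matched nothing
        if name != '-':  # "-" discards the value, as in the rules above
            fields[name] = msg[i:j]
        i = j
    return fields if i == len(msg) else None


# The firewall line from the thread and the three rule lines discussed in it.
MSG = " TCP request discarded from 96.18.101.250/1077 to Interface:my_ip/443"
WORD_RULE = ("rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number%"
             " to %-:word%:%dst-ip:ipv4%/%dst-port:number%")
CHARTO_IPV4_RULE = ("rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number%"
                    " to %-:char-to::%:%dst-ip:ipv4%/%dst-port:number%")
CHARTO_RULE = ("rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number%"
               " to %-:char-to::%:%dst-ip:char-to:/%/%dst-port:number%")
# Constructed variant: the anonymized "my_ip" replaced by a real address.
MSG_REAL_IP = MSG.replace("my_ip", "10.0.0.5")

if __name__ == "__main__":
    print("word rule:        ", normalize(WORD_RULE, MSG))          # None
    print("char-to + ipv4:   ", normalize(CHARTO_IPV4_RULE, MSG))   # None
    print("char-to + char-to:", normalize(CHARTO_RULE, MSG))
    print("char-to + ipv4, real address:", normalize(CHARTO_IPV4_RULE, MSG_REAL_IP))
```

Running it shows the first two rules failing on the original line (the word rule because it swallows "Interface:my_ip/443" and then finds no colon, the ipv4 rule because "my_ip" is not an address) while the char-to/char-to rule yields src-ip, src-port, dst-ip and dst-port; with a real address in the message the ipv4 variant succeeds as well.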