From cclark at quadrantsec.com Fri May 4 22:16:57 2012
From: cclark at quadrantsec.com (Champ Clark III)
Date: Fri, 04 May 2012 16:16:57 -0400
Subject: [Lognorm] Is liblognorm ( libee, libestr, etc) thread safe?
Message-ID: <4FA43939.6040005@quadrantsec.com>

Does anyone know if liblognorm (and the associated libs) are considered
"thread" safe. I need to move some normalization to a pthread, and was
just curious. Any pointers would be great.

-- 
Champ Clark III (cclark at quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A

From cclark at quadrantsec.com Fri May 4 22:35:17 2012
From: cclark at quadrantsec.com (Champ Clark III)
Date: Fri, 04 May 2012 16:35:17 -0400
Subject: [Lognorm] Is liblognorm ( libee, libestr, etc) thread safe?
In-Reply-To: <4FA43939.6040005@quadrantsec.com>
References: <4FA43939.6040005@quadrantsec.com>
Message-ID: <4FA43D85.30507@quadrantsec.com>

Just tried it with/without mutexes, and this happens.

[Switching to Thread 0xb6355b70 (LWP 4226)]
ee_getBucketField (bucket=0xb42106f8, name=0xb4210458) at fieldbucket.c:112
112         if(!es_strcmp(name, node->field->name))
(gdb) bt
#0  ee_getBucketField (bucket=0xb42106f8, name=0xb4210458) at fieldbucket.c:112
#1  0xb7f00a62 in ee_getEventField (event=0xb4210408, name=0xb4210458) at event.c:175
#2  0xb7ff07f8 in sagan_normalize_liblognorm (config=0xb8015038, debug=0xb8015028, syslog_msg=0xb80165a4 " error (unexpected RCODE REFUSED) resolving '180.70.7.107.in-addr.arpa/PTR/IN': 72.243.168.246#53") at sagan-liblognorm.c:127
#3  0xb7ffaedd in sagan_websense (SyslogPthread=0xb8016420) at preprocessors/sagan-websense.c:63
#4  0xb7ff06aa in sagan_preprocessor (SyslogPthread=0xb8016420) at sagan-preprocessor.c:45
#5  0xb7bcecf2 in start_thread () from /lib/libpthread.so.0
#6  0xb7afae0e in clone () from /lib/libc.so.6

On 5/4/12 4:16 PM, Champ Clark III wrote:
>
> Does anyone know if liblognorm (and the associated libs) are
> considered "thread" safe. I need to move some normalization to a
> pthread, and was just curious. Any pointers would be great.
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

From cclark at quadrantsec.com Fri May 4 22:37:16 2012
From: cclark at quadrantsec.com (Champ Clark III)
Date: Fri, 04 May 2012 16:37:16 -0400
Subject: [Lognorm] Is liblognorm ( libee, libestr, etc) thread safe?
In-Reply-To: <4FA43D85.30507@quadrantsec.com>
References: <4FA43939.6040005@quadrantsec.com> <4FA43D85.30507@quadrantsec.com>
Message-ID: <4FA43DFC.70408@quadrantsec.com>

Argh - sorry to bombard the list! I should point out, this is after about
10/15 minutes of running. It's not an immediate seg fault.

On 5/4/12 4:35 PM, Champ Clark III wrote:
> Just tried it with/without mutexes, and this happens.
>
> [Switching to Thread 0xb6355b70 (LWP 4226)]
> ee_getBucketField (bucket=0xb42106f8, name=0xb4210458) at fieldbucket.c:112
> 112         if(!es_strcmp(name, node->field->name))
> (gdb) bt
> #0  ee_getBucketField (bucket=0xb42106f8, name=0xb4210458) at fieldbucket.c:112
> #1  0xb7f00a62 in ee_getEventField (event=0xb4210408, name=0xb4210458) at event.c:175
> #2  0xb7ff07f8 in sagan_normalize_liblognorm (config=0xb8015038, debug=0xb8015028, syslog_msg=0xb80165a4 " error (unexpected RCODE REFUSED) resolving '180.70.7.107.in-addr.arpa/PTR/IN': 72.243.168.246#53") at sagan-liblognorm.c:127
> #3  0xb7ffaedd in sagan_websense (SyslogPthread=0xb8016420) at preprocessors/sagan-websense.c:63
> #4  0xb7ff06aa in sagan_preprocessor (SyslogPthread=0xb8016420) at sagan-preprocessor.c:45
> #5  0xb7bcecf2 in start_thread () from /lib/libpthread.so.0
> #6  0xb7afae0e in clone () from /lib/libc.so.6
>
>
> On 5/4/12 4:16 PM, Champ Clark III wrote:
>
>> Does anyone know if liblognorm (and the associated libs) are
>> considered "thread" safe. I need to move some normalization to a
>> pthread, and was just curious. Any pointers would be great.

From rgerhards at hq.adiscon.com Sat May 5 10:38:47 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Sat, 5 May 2012 10:38:47 +0200
Subject: [Lognorm] Is liblognorm ( libee, libestr, etc) thread safe?
In-Reply-To: <4FA43939.6040005@quadrantsec.com>
References: <4FA43939.6040005@quadrantsec.com>
Message-ID:

> Does anyone know if liblognorm (and the associated libs) are
> considered "thread" safe. I need to move some normalization to a
> pthread, and was just curious. Any pointers would be great.

It is not thread-safe during the construction phase (sample db loading,
parsing of the message), but otherwise should be.

To diagnose, can you give it a try with valgrind's helgrind AND drd tools
(use both as they have different strengths and problems ;)) ? That should
bring up issues...
Rainer

From cclark at quadrantsec.com Sat May 5 17:59:03 2012
From: cclark at quadrantsec.com (Champ Clark III)
Date: Sat, 05 May 2012 11:59:03 -0400
Subject: [Lognorm] Is liblognorm ( libee, libestr, etc) thread safe?
In-Reply-To:
References: <4FA43939.6040005@quadrantsec.com>
Message-ID: <4FA54E47.7030702@quadrantsec.com>

Thanks Rainer,

I'm keeping the construction phase separate/isolated. I think I'm good
there. I made some modifications to the code and it's been running for the
last 15 or so hours. I can reproduce the issue in certain situations, but
I think this is something wrong with my code.

Thanks for the quick answer and pointers.

On 5/5/12 4:38 AM, Rainer Gerhards wrote:
>> Does anyone know if liblognorm (and the associated libs) are
>> considered "thread" safe. I need to move some normalization to
>> a pthread, and was just curious. Any pointers would be great.
>
> It is not thread-safe during the construction phase (sample db
> loading, parsing of the message), but otherwise should be.
>
> To diagnose, can you give it a try with valgrind's helgrind AND drd
> tools (use both as they have different strengths and problems ;)) ?
> That should bring up issues...
>
> Rainer
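The division Rainer describes (construction single-threaded, shared read-only lookups afterwards, per-call result objects that are never shared between threads), as an added C/pthreads example written for this thread; it is not liblognorm's, libee's or Sagan's code. The `bucket`/`field` list is a constructed stand-in for the field bucket being walked in the backtrace above, and the rule names put into it are made up:

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a field bucket: a singly linked list of
 * name/value nodes found by walking the list and comparing names. This
 * is not libee's fieldbucket.c, only the same shape of data structure. */
struct field { const char *name; const char *value; struct field *next; };
struct bucket { struct field *head; };

/* Construction phase: mutates the list. Only run it while no other thread
 * can reach this bucket (before workers start, or on a bucket owned by
 * exactly one thread). */
static void bucket_add(struct bucket *b, const char *name, const char *value)
{
    struct field *f = malloc(sizeof *f);
    if (f == NULL)
        abort();
    f->name = name;
    f->value = value;
    f->next = b->head;
    b->head = f;
}

/* Lookup phase: a read-only walk. Safe from any number of threads at once
 * as long as nobody adds to or frees the same bucket meanwhile; a walk
 * racing a free is one way to get a wild dereference of node->field->name. */
const char *bucket_get(const struct bucket *b, const char *name)
{
    for (const struct field *f = b->head; f != NULL; f = f->next)
        if (strcmp(name, f->name) == 0)
            return f->value;
    return NULL;
}

static void bucket_free(struct bucket *b)
{
    while (b->head != NULL) {
        struct field *next = b->head->next;
        free(b->head);
        b->head = next;
    }
}

/* Shared state. g_rules is written only before the workers exist and freed
 * only after they are joined, so readers need no lock. g_total_hits is the
 * one thing workers write, hence the mutex. */
static struct bucket g_rules;
static pthread_mutex_t g_stats_lock = PTHREAD_MUTEX_INITIALIZER;
static long g_total_hits;

static void *worker(void *p)
{
    int iterations = *(const int *)p;
    long hits = 0;
    for (int i = 0; i < iterations; i++) {
        /* Each "normalization" gets its own result bucket, owned by this
         * thread alone; the shared rule table is read, never written. */
        struct bucket ev = { NULL };
        bucket_add(&ev, "worker", "busy");
        if (bucket_get(&g_rules, "rule") != NULL && bucket_get(&ev, "worker") != NULL)
            hits++;
        bucket_free(&ev);
    }
    pthread_mutex_lock(&g_stats_lock);
    g_total_hits += hits;
    pthread_mutex_unlock(&g_stats_lock);
    return NULL;
}

/* Builds the shared table single-threaded, runs the workers, tears down
 * after the last join. Returns the number of successful lookups, which is
 * nthreads * iterations when the phases are kept apart as they should be. */
long run_workers(int nthreads, int iterations)
{
    pthread_t *tids = malloc(sizeof *tids * (size_t)nthreads);
    if (tids == NULL)
        abort();
    g_total_hits = 0;
    bucket_add(&g_rules, "rule", "request discarded");  /* made-up rule names */
    bucket_add(&g_rules, "src-ip", "ipv4");
    for (int i = 0; i < nthreads; i++)
        if (pthread_create(&tids[i], NULL, worker, &iterations) != 0)
            abort();
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    bucket_free(&g_rules);  /* teardown only once every reader is gone */
    free(tids);
    return g_total_hits;
}

int main(void)
{
    long hits = run_workers(4, 10000);
    printf("%ld successful lookups across 4 threads\n", hits);
    return hits == 4L * 10000 ? 0 : 1;
}
```

Build with `gcc -pthread`, then run the binary under `valgrind --tool=helgrind` and `valgrind --tool=drd` as Rainer suggests. This layout stays quiet in both tools because the only cross-thread write (`g_total_hits`) is under a mutex and `g_rules` is never modified while a worker exists. Moving the `bucket_add` calls on `g_rules` after `pthread_create`, or letting two workers share one `ev` bucket, is the kind of overlap both tools report, and a walker reading a node another thread is freeing is one way to end up with the wild dereference seen at fieldbucket.c:112.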

From jlay at slave-tothe-box.net Fri May 25 20:33:15 2012
From: jlay at slave-tothe-box.net (James Lay)
Date: Fri, 25 May 2012 12:33:15 -0600
Subject: [Lognorm] Special characters revisited
Message-ID:

Hey all!

So...here's where I'm at. Here's my rulebase:

prefix=
rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number% to %-:word%:%dst-ip:ipv4%/%dst-port:number%

Sample firewall hit (quotes added for clarity):

" TCP request discarded from 96.18.101.250/1077 to Interface:my_ip/443"

and my result:

[cee@115 originalmsg=" TCP request discarded from 96.18.101.250/1077 to Interface:my_ip/443" unparsed-data=""]

I've tried the below (thinking the : would be included in word)
rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number% to %-:word%%dst-ip:ipv4%/%dst-port:number%

And I get the same result.

I've also tried:
rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number% to Interface:%dst-ip:ipv4%/%dst-port:number%

And this works, so I'm pretty sure it's the : that is my issue.
A full -vv below. Any thoughts on how to get this to go? Thanks all:

James

liblognorm: read sample line: 'prefix='
liblognorm: read sample line: 'rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number% to %-:word%:%dst-ip:ipv4%/%dst-port:number%'
liblognorm: sample line to add: ': %-:word% request discarded from %src-ip:ipv4%/%src-port:number% to %-:word%:%dst-ip:ipv4%/%dst-port:number%'
liblognorm: addSampToTree 0 of 108
liblognorm: parsed literal: ' '
liblognorm: buildPTree: begin at 0x9308030, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 1, offs 0
liblognorm: addSampToTree 1 of 108
liblognorm: parsed field: '-'
liblognorm: got new subtree 0x9308810
liblognorm: prev subtree 0x9308030
liblognorm: new subtree 0x9308810
liblognorm: addSampToTree 9 of 108
liblognorm: parsed literal: ' request discarded from '
liblognorm: buildPTree: begin at 0x9308810, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 24, offs 0
liblognorm: addSampToTree 33 of 108
liblognorm: parsed field: 'src-ip'
liblognorm: got new subtree 0x9308ca0
liblognorm: prev subtree 0x9308810
liblognorm: new subtree 0x9308ca0
liblognorm: addSampToTree 46 of 108
liblognorm: parsed literal: '/'
liblognorm: buildPTree: begin at 0x9308ca0, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 1, offs 0
liblognorm: addSampToTree 47 of 108
liblognorm: parsed field: 'src-port'
liblognorm: got new subtree 0x9309110
liblognorm: prev subtree 0x9308ca0
liblognorm: new subtree 0x9309110
liblognorm: addSampToTree 64 of 108
liblognorm: parsed literal: ' to '
liblognorm: buildPTree: begin at 0x9309110, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 4, offs 0
liblognorm: addSampToTree 68 of 108
liblognorm: parsed field: '-'
liblognorm: got new subtree 0x9309580
liblognorm: prev subtree 0x9309110
liblognorm: new subtree 0x9309580
liblognorm: addSampToTree 76 of 108
liblognorm: parsed literal: ':'
liblognorm: buildPTree: begin at 0x9309580, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 1, offs 0
liblognorm: addSampToTree 77 of 108
liblognorm: parsed field: 'dst-ip'
liblognorm: got new subtree 0x93099f0
liblognorm: prev subtree 0x9309580
liblognorm: new subtree 0x93099f0
liblognorm: addSampToTree 90 of 108
liblognorm: parsed literal: '/'
liblognorm: buildPTree: begin at 0x93099f0, offs 0
liblognorm: case 3.1
liblognorm: addPTree: offs 0
liblognorm: setPrefix lenBuf 1, offs 0
liblognorm: addSampToTree 91 of 108
liblognorm: parsed field: 'dst-port'
liblognorm: got new subtree 0x9309e60
liblognorm: prev subtree 0x93099f0
liblognorm: new subtree 0x9309e60
liblognorm: end addSampToTree 108 of 108
number of tree nodes: 7
To normalize: ' TCP request discarded from 96.18.101.250/1077 to Interface:my_ip/443'
liblognorm: 0: prefix compare ' ', ' '
liblognorm: 1: prefix compare succeeded, still valid
liblognorm: 1:trying parser for field '-': 0xb786c450
liblognorm: potential hit, trying subtree
liblognorm: 4: prefix compare ' ', ' '
liblognorm: 5: prefix compare 'r', 'r'
liblognorm: 6: prefix compare 'e', 'e'
liblognorm: 7: prefix compare 'q', 'q'
liblognorm: 8: prefix compare 'u', 'u'
liblognorm: 9: prefix compare 'e', 'e'
liblognorm: 10: prefix compare 's', 's'
liblognorm: 11: prefix compare 't', 't'
liblognorm: 12: prefix compare ' ', ' '
liblognorm: 13: prefix compare 'd', 'd'
liblognorm: 14: prefix compare 'i', 'i'
liblognorm: 15: prefix compare 's', 's'
liblognorm: 16: prefix compare 'c', 'c'
liblognorm: 17: prefix compare 'a', 'a'
liblognorm: 18: prefix compare 'r', 'r'
liblognorm: 19: prefix compare 'd', 'd'
liblognorm: 20: prefix compare 'e', 'e'
liblognorm: 21: prefix compare 'd', 'd'
liblognorm: 22: prefix compare ' ', ' '
liblognorm: 23: prefix compare 'f', 'f'
liblognorm: 24: prefix compare 'r', 'r'
liblognorm: 25: prefix compare 'o', 'o'
liblognorm: 26: prefix compare 'm', 'm'
liblognorm: 27: prefix compare ' ', ' '
liblognorm: 28: prefix compare succeeded, still valid
liblognorm: 28:trying parser for field 'src-ip': 0xb786bdb0
liblognorm: potential hit, trying subtree
liblognorm: 41: prefix compare '/', '/'
liblognorm: 42: prefix compare succeeded, still valid
liblognorm: 42:trying parser for field 'src-port': 0xb786c510
liblognorm: potential hit, trying subtree
liblognorm: 46: prefix compare ' ', ' '
liblognorm: 47: prefix compare 't', 't'
liblognorm: 48: prefix compare 'o', 'o'
liblognorm: 49: prefix compare ' ', ' '
liblognorm: 50: prefix compare succeeded, still valid
liblognorm: 50:trying parser for field '-': 0xb786c450
liblognorm: potential hit, trying subtree
liblognorm: 74 returns -1
liblognorm: 50 nonmatch, backtracking required, left=-1
liblognorm: 50 no field, trying subtree char 'I': (nil)
liblognorm: 50 returns -1
liblognorm: 42 nonmatch, backtracking required, left=-1
liblognorm: 42 no field, trying subtree char '1': (nil)
liblognorm: 42 returns -1
liblognorm: 28 nonmatch, backtracking required, left=-1
liblognorm: 28 no field, trying subtree char '9': (nil)
liblognorm: 28 returns -1
liblognorm: 1 nonmatch, backtracking required, left=-1
liblognorm: 1 no field, trying subtree char 'T': (nil)
liblognorm: 1 returns -1
liblognorm: final result for normalizer: left -1, endNode 0x9309580
normalized: '[cee@115 originalmsg=" TCP request discarded from 96.18.101.250/1077 to Interface:my_ip/443" unparsed-data=""]'
[cee@115 originalmsg=" TCP request discarded from 96.18.101.250/1077 to Interface:my_ip/443" unparsed-data=""]

From jlay at slave-tothe-box.net Fri May 25 20:44:13 2012
From: jlay at slave-tothe-box.net (James Lay)
Date: Fri, 25 May 2012 12:44:13 -0600
Subject: [Lognorm] Special characters revisited
In-Reply-To:
References:
Message-ID: <09e54deeee391553381e6c7f8dfb4f7f@192.168.1.253>

On Fri, 25 May 2012 12:33:15 -0600, James Lay wrote:
> Hey all!
>
> So...here's where I'm at.
> Here's my rulebase:
>
> prefix=
> rule=: %-:word% request discarded from
> %src-ip:ipv4%/%src-port:number% to
> %-:word%:%dst-ip:ipv4%/%dst-port:number%
>
> Sample firewall hit (quotes added for clarity):
>
> " TCP request discarded from 96.18.101.250/1077 to
> Interface:my_ip/443"
>
> and my result:
>
> [cee@115 originalmsg=" TCP request discarded from 96.18.101.250/1077
> to Interface:my_ip/443" unparsed-data=""]
>
> I've tried the below (thinking the : would be included in word)
> rule=: %-:word% request discarded from
> %src-ip:ipv4%/%src-port:number% to
> %-:word%%dst-ip:ipv4%/%dst-port:number%
>
> And I get the same result.
>
> I've also tried:
> rule=: %-:word% request discarded from
> %src-ip:ipv4%/%src-port:number% to
> Interface:%dst-ip:ipv4%/%dst-port:number%
>
> And this works, so I'm pretty sure it's the : that is my issue. A
> full -vv below. Any thoughts on how to get this to go? Thanks all:
>
> James

An interesting tidbit...with the below:

" TCP request discarded from 96.18.101.250/1077 to 1234:my_ip/443"

and

rule=: %-:word% request discarded from %src-ip:ipv4%/%src-port:number% to %-:number%:%dst-ip:ipv4%/%dst-port:number%

This works and correctly processes. Hope that helps.

James
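Why `%-:word%:` cannot match this line, shown with a toy matcher added for this thread (constructed code, not liblognorm's): `word` runs to the next blank, so at offset 50 it swallows `Interface:...` through the end of the line, the literal `:` after it then finds nothing, and the engine backs out without retrying the word at a shorter length. That is what the `74 returns -1` line and the chain of `nonmatch, backtracking required` lines in the -vv output above show. `number` stops at the first non-digit, which is why the `1234:` variant works. A parser that stops at a given terminator is the general fix; liblognorm has `char-to`, which takes the terminator as the parser's extra data (check the rule syntax for your version). The address 192.0.2.5 below stands in for the redacted `my_ip`, and the field names in the rules are ignored by this toy:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Toy matcher in the style of liblognorm's rule engine, constructed for this
 * thread; not liblognorm's code. A rule is a list of steps: a literal, or a
 * field handled by one of the parsers below. Each parser returns the offset
 * just past the text it consumed, or -1 when it cannot match. */
enum ptype { P_WORD, P_NUMBER, P_IPV4, P_CHARTO };

struct step {
    const char *lit;  /* literal text, or NULL for a field */
    enum ptype type;  /* parser to run when lit == NULL */
    char delim;       /* terminator, used by P_CHARTO only */
};

/* 'word': everything up to the next blank. Greedy: a ':' inside the word is
 * swallowed, and nothing later shortens the match. */
static int parse_word(const char *s, int off)
{
    int i = off;
    while (s[i] != '\0' && s[i] != ' ')
        i++;
    return i > off ? i : -1;
}

/* 'number': a run of digits, so it stops at ':' by itself. */
static int parse_number(const char *s, int off)
{
    int i = off;
    while (isdigit((unsigned char)s[i]))
        i++;
    return i > off ? i : -1;
}

/* 'ipv4': four dotted decimal octets, each 0..255. */
static int parse_ipv4(const char *s, int off)
{
    int i = off;
    for (int octet = 0; octet < 4; octet++) {
        int start = i, val = 0;
        while (isdigit((unsigned char)s[i]) && i - start < 3)
            val = val * 10 + (s[i++] - '0');
        if (i == start || val > 255 || (octet < 3 && s[i++] != '.'))
            return -1;
    }
    return i;
}

/* 'char-to' style: everything up to (not including) a given terminator. */
static int parse_charto(const char *s, int off, char delim)
{
    int i = off;
    while (s[i] != '\0' && s[i] != delim)
        i++;
    return (s[i] == delim && i > off) ? i : -1;
}

/* Returns 1 when every step matches in order and the whole message is
 * consumed, 0 otherwise. As in the -vv trace, a field parser is never re-run
 * for a shorter match once the step after it fails. */
int rule_matches(const struct step *rule, size_t nsteps, const char *msg)
{
    int off = 0;
    for (size_t k = 0; k < nsteps; k++) {
        const struct step *st = &rule[k];
        if (st->lit != NULL) {
            size_t n = strlen(st->lit);
            if (strncmp(msg + off, st->lit, n) != 0)
                return 0;
            off += (int)n;
            continue;
        }
        int next = st->type == P_WORD   ? parse_word(msg, off)
                 : st->type == P_NUMBER ? parse_number(msg, off)
                 : st->type == P_IPV4   ? parse_ipv4(msg, off)
                 :                        parse_charto(msg, off, st->delim);
        if (next < 0)
            return 0;
        off = next;
    }
    return msg[off] == '\0';
}

#define LIT(s)    { s, P_WORD, 0 }
#define FIELD(t)  { NULL, t, 0 }
#define CHARTO(c) { NULL, P_CHARTO, c }
#define NSTEPS(r) (sizeof(r) / sizeof((r)[0]))

/* The rule variants from the thread, after the ':' that separates the (empty)
 * tag list from the pattern. Only the field in front of the ':' differs. */
#define COMMON_HEAD LIT(" "), FIELD(P_WORD), LIT(" request discarded from "), \
                    FIELD(P_IPV4), LIT("/"), FIELD(P_NUMBER), LIT(" to ")
#define COMMON_TAIL LIT(":"), FIELD(P_IPV4), LIT("/"), FIELD(P_NUMBER)
static const struct step rule_word[]   = { COMMON_HEAD, FIELD(P_WORD),   COMMON_TAIL };
static const struct step rule_number[] = { COMMON_HEAD, FIELD(P_NUMBER), COMMON_TAIL };
static const struct step rule_charto[] = { COMMON_HEAD, CHARTO(':'),     COMMON_TAIL };

/* Constructed messages; 192.0.2.5 stands in for the redacted my_ip. */
static const char MSG_IFACE[] = " TCP request discarded from 96.18.101.250/1077 to Interface:192.0.2.5/443";
static const char MSG_NUM[]   = " TCP request discarded from 96.18.101.250/1077 to 1234:192.0.2.5/443";

int main(void)
{
    printf("word    vs Interface: %d\n", rule_matches(rule_word,   NSTEPS(rule_word),   MSG_IFACE));
    printf("word    vs 1234:      %d\n", rule_matches(rule_word,   NSTEPS(rule_word),   MSG_NUM));
    printf("number  vs 1234:      %d\n", rule_matches(rule_number, NSTEPS(rule_number), MSG_NUM));
    printf("char-to vs Interface: %d\n", rule_matches(rule_charto, NSTEPS(rule_charto), MSG_IFACE));
    return 0;
}
```

The first two results are 0 and the last two are 1: `word` fails even on the `1234:` line, because it eats the digits, the colon and everything after them in one go, while `number` and the terminator-based parser both hand the `:` back to the literal that follows.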