File of config
To: nxlog-ce-users@lists.sourceforge.net
From: antoniocuest...@hotmail.com
Subject: Nxlog module
Date: Fri, 13 May 2016 04:16:09 +0200
Hi, I'm student and newbie with nxlog . How would be a rule which detects me
are making multiple responses of ICMP from the same IP in which there are
diferent IPs? A sample file: 05/10-16:36:30.859038 216.58.201.131 ->
192.168.20.151ICMP TTL:128 TOS:0x0 ID:33169 IpLen:20 DgmLen:84Type:0 Code:0
ID:20089 Seq:2 ECHO
REPLY=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/10-16:36:31.861001 216.58.201.131 -> 192.168.20.151ICMP TTL:128 TOS:0x0
ID:33170 IpLen:20 DgmLen:84Type:0 Code:0 ID:20089 Seq:3 ECHO
REPLY=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/10-16:36:32.862880 216.58.201.131 -> 192.168.20.151ICMP TTL:128 TOS:0x0
ID:33171 IpLen:20 DgmLen:84Type:0 Code:0 ID:20089 Seq:4 ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/10-16:36:33.864879 216.58.201.20 -> 192.168.20.151ICMP TTL:128 TOS:0x0
ID:33172 IpLen:20 DgmLen:84Type:0 Code:0 ID:20089 Seq:5 ECHO
REPLY=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/10-16:36:34.866876 216.58.201.20 -> 192.168.20.151ICMP TTL:128 TOS:0x0
ID:33173 IpLen:20 DgmLen:84Type:0 Code:0 ID:20089 Seq:6 ECHO
REPLY=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/10-16:36:35.868668 216.58.201.131 -> 192.168.20.151ICMP TTL:128 TOS:0x0
ID:33174 IpLen:20 DgmLen:84Type:0 Code:0 ID:20089 Seq:7 ECHO REPLY
I had thought of a rule " Thresholded " but I don’t know if I have to use
contexts. Sorry for the translation. I’m Spanish. I do this: <Input in4>
Module im_file
File "/home/antonio/Descargas/sn"
SavePos TRUE
ReadFromLast TRUE
Exec if ($raw_event =~ /^(\(.+)/) { \
$Message = $2; \
$raw_event = $Message; \
}
</Input>
<Output out4>
Module om_file
File "/home/antonio/Descargas/nx"
</Output>
<Processor evcorr>
Module pm_evcorr
<Thresholded>
Condition $Message =~ /^\d{2}\\\d{2}-\d{2}:\d{2}:\d{2}\.\d+
((?:\d{1,3}\.){3}\d{1,3}) -> (?:\d{1,3}\.){3}\d{1,3}.*?\nICMP.*?\n.*?ECHO
REPLY/
Threshold 3
Interval 60
Exec log_info("20 ECHO REPLY packets from host $1");
</Thresholded>
</Processor>
<Route 2>
Path in4 => evcorr => out4
</Route> But this Only copy the text in4 in the out4. And i want that when
detect write in out4: “20 ECHO REPLY packets from host $1” Thanksss! 😊
<Input in4>
Module im_file
File "/home/antonio/Descargas/sn"
SavePos TRUE
ReadFromLast TRUE
Exec if ($raw_event =~ /^(\(.+)/) { \
$Message = $2; \
$raw_event = $Message; \
}
</Input>
<Output out4>
Module om_file
File "/home/antonio/Descargas/nx"
</Output>
<Processor evcorr>
Module pm_evcorr
<Thresholded>
Condition $Message =~ /^\d{2}\\\d{2}-\d{2}:\d{2}:\d{2}\.\d+
((?:\d{1,3}\.){3}\d{1,3}) -> (?:\d{1,3}\.){3}\d{1,3}.*?\nICMP.*?\n.*?ECHO
REPLY/
Threshold 3
Interval 60
Exec log_info("20 ECHO REPLY packets from host $1");
</Thresholded>
</Processor>
<Route 2>
Path in4 => evcorr => out4
</Route>------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
