Hi,

If you don't need the original log you can either use drop() or send to om_null.
To save the alerts you should add another route with im_internal => om_file or use
file_write() instead of log_info().

Regards,
Botond

On Fri, 13 May 2016 13:09:24 +0200
Antonio Cuesta García <antoniocuest...@hotmail.com> wrote:

> Hi, Boti.
>
> I've been trying all day to get it to work, but it is impossible to make nxlog do
> what I want. The only thing nxlog does is copy what comes in one file to another.
> I only want that, when an ICMP message coming from the same IP address is
> detected 20 times, it is reported to another file.
>
> I attached the configuration file (nxlog.conf), the file from which the ICMP
> entries are read (sn), and the file it generated for me, which is a copy of the
> input (nx).
>
> If you could help me with something, I would appreciate it.
>
> Antonio.
>
> > Message: 4
> > Date: Fri, 13 May 2016 10:24:35 +0200
> > From: Botond Botyanszki <b...@nxlog.org>
> > Subject: Re: [nxlog-ce-users] Nxlog module
> > To: nxlog-ce-users@lists.sourceforge.net
> > Message-ID: <20160513102435.73d6c...@nxlog.org>
> > Content-Type: text/plain; charset=UTF-8
> >
> > Antonio,
> >
> > You will need to parse the IP address first:
> >
> >     Exec if $Message =~ /^\d{2}\\\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ((?:\d{1,3}\.){3}\d{1,3})/ $IP = $1;
> >
> > The $IP field can (should) be used as the context in the Thresholded rule:
> >
> >     <Thresholded>
> >         Condition  ...
> >         Threshold  3
> >         Interval   60
> >         Context    $IP
> >         Exec       log_info("3 ECHO REPLY packets from host " + $IP);
> >     </Thresholded>
> >
> > Note that this still does not check whether there are multiple ICMP
> > responses from the same IP to _different_ IPs.
> > For that you'd need to parse the destination IP and perhaps use set_var()
> > and get_var() in the rule to add this check.
> >
> > Regards,
> > Botond
> >
> > On Fri, 13 May 2016 04:16:09 +0200
> > Antonio Cuesta García <antoniocuest...@hotmail.com> wrote:
> >
> > > Hi, I'm a student and a newbie with nxlog.
> > > What would a rule look like that detects multiple ICMP responses from the
> > > same IP in which there are different IPs?
> > >
> > > A sample file:
> > >
> > > 05/10-16:36:30.859038 216.58.201.131 -> 192.168.20.151
> > > ICMP TTL:128 TOS:0x0 ID:33169 IpLen:20 DgmLen:84
> > > Type:0  Code:0  ID:20089  Seq:2  ECHO REPLY
> > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > >
> > > 05/10-16:36:31.861001 216.58.201.131 -> 192.168.20.151
> > > ICMP TTL:128 TOS:0x0 ID:33170 IpLen:20 DgmLen:84
> > > Type:0  Code:0  ID:20089  Seq:3  ECHO REPLY
> > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > >
> > > 05/10-16:36:32.862880 216.58.201.131 -> 192.168.20.151
> > > ICMP TTL:128 TOS:0x0 ID:33171 IpLen:20 DgmLen:84
> > > Type:0  Code:0  ID:20089  Seq:4  ECHO REPLY
> > >
> > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > >
> > > 05/10-16:36:33.864879 216.58.201.20 -> 192.168.20.151
> > > ICMP TTL:128 TOS:0x0 ID:33172 IpLen:20 DgmLen:84
> > > Type:0  Code:0  ID:20089  Seq:5  ECHO REPLY
> > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > >
> > > 05/10-16:36:34.866876 216.58.201.20 -> 192.168.20.151
> > > ICMP TTL:128 TOS:0x0 ID:33173 IpLen:20 DgmLen:84
> > > Type:0  Code:0  ID:20089  Seq:6  ECHO REPLY
> > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > >
> > > 05/10-16:36:35.868668 216.58.201.131 -> 192.168.20.151
> > > ICMP TTL:128 TOS:0x0 ID:33174 IpLen:20 DgmLen:84
> > > Type:0  Code:0  ID:20089  Seq:7  ECHO REPLY
> > >
> > > I had thought of a "Thresholded" rule, but I don't know if I have to
> > > use contexts.
> > >
> > > Sorry for the translation. I'm Spanish.
> > >
> > > I do this:
> > >
> > > <Input in4>
> > >     Module       im_file
> > >     File         "/home/antonio/Descargas/sn"
> > >     SavePos      TRUE
> > >     ReadFromLast TRUE
> > >     Exec         if ($raw_event =~ /^(\(.+)/) { \
> > >                      $Message = $2;           \
> > >                      $raw_event = $Message;   \
> > >                  }
> > > </Input>
> > >
> > > <Output out4>
> > >     Module       om_file
> > >     File         "/home/antonio/Descargas/nx"
> > > </Output>
> > >
> > > <Processor evcorr>
> > >     Module       pm_evcorr
> > >
> > >     <Thresholded>
> > >         Condition  $Message =~ /^\d{2}\\\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ((?:\d{1,3}\.){3}\d{1,3}) -> (?:\d{1,3}\.){3}\d{1,3}.*?\nICMP.*?\n.*?ECHO REPLY/
> > >         Threshold  3
> > >         Interval   60
> > >         Exec       log_info("20 ECHO REPLY packets from host $1");
> > >     </Thresholded>
> > >
> > > </Processor>
> > >
> > > <Route 2>
> > >     Path         in4 => evcorr => out4
> > > </Route>
> > >
> > > But this only copies the text in in4 to out4. And I want that, when it
> > > detects, it writes in out4: "20 ECHO REPLY packets from host $1"
> > >
> > > Thanksss!
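The thread's whole discussion is the Thresholded rule keyed on a Context of the parsed source IP, plus Botond's follow-up that the same-source-to-different-destinations case needs extra state. As an added illustration that is not part of the thread and is not nxlog code, the Python below runs that same logic over the sample records Antonio posted: it parses the multi-line ICMP records, emulates a per-source-IP threshold window (threshold 3 in 60 seconds, as in Botond's reply), and separately lists sources that answered to more than one destination. The record layout, the 2016 year used to build timestamps, and the "report each burst once, then reset" window behaviour are assumptions made here, not pm_evcorr's documented semantics.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input: the six records from the "sn" excerpt in the thread.
SAMPLE = """\
05/10-16:36:30.859038 216.58.201.131 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33169 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:2  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:31.861001 216.58.201.131 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33170 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:3  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:32.862880 216.58.201.131 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33171 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:4  ECHO REPLY

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:33.864879 216.58.201.20 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33172 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:5  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:34.866876 216.58.201.20 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33173 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:6  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:35.868668 216.58.201.131 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33174 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:7  ECHO REPLY
"""

# Header line of each record: MM/DD-HH:MM:SS.ffffff SRC -> DST
HEADER = re.compile(
    r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6}) "
    r"((?:\d{1,3}\.){3}\d{1,3}) -> ((?:\d{1,3}\.){3}\d{1,3})$"
)


def parse_records(text, year=2016):
    """Split the text on the '=+=+' separator lines and return a list of
    (timestamp, src, dst, type_line) tuples, one per record.  The log carries no
    year, so `year` is an assumed value used only to build comparable datetimes."""
    records = []
    for block in re.split(r"^=\+=.*$", text, flags=re.M):
        lines = [ln for ln in block.strip().splitlines() if ln.strip()]
        if not lines:
            continue
        m = HEADER.match(lines[0])
        if not m:
            continue  # not a record header; skip silently
        mo, d, h, mi, s, us, src, dst = m.groups()
        ts = datetime(year, int(mo), int(d), int(h), int(mi), int(s), int(us))
        records.append((ts, src, dst, lines[-1]))
    return records


def threshold_alerts(records, threshold=3, interval=60,
                     condition=lambda r: r[3].endswith("ECHO REPLY")):
    """Emulate a Thresholded rule with Context = source IP.  For each source, keep
    the timestamps of matching events within the last `interval` seconds; when the
    window holds `threshold` events, emit one alert and clear the window so a burst
    is reported once (assumed behaviour, chosen for this example)."""
    windows = defaultdict(deque)
    alerts = []
    for rec in records:
        if not condition(rec):
            continue
        ts, src = rec[0], rec[1]
        win = windows[src]
        while win and (ts - win[0]).total_seconds() > interval:
            win.popleft()
        win.append(ts)
        if len(win) >= threshold:
            alerts.append((ts, f"{threshold} ECHO REPLY packets from host {src}"))
            win.clear()
    return alerts


def sources_with_multiple_destinations(records):
    """The extra check Botond mentions: which sources replied to more than one
    destination?  In nxlog this would live in set_var()/get_var() state inside the
    rule; here it is a dict of destination sets keyed by source."""
    dests = defaultdict(set)
    for _ts, src, dst, _line in records:
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for ts, msg in threshold_alerts(recs):
        print(ts, msg)  # the alert line that file_write() would append in nxlog
    print(sources_with_multiple_destinations(recs))
```

On the sample, only 216.58.201.131 reaches three replies inside the window (at 16:36:32), 216.58.201.20 stops at two, and every record targets the same destination, so the multi-destination check returns nothing; raising `threshold` to 20, as Antonio's rule does, yields no alert at all from six records, which is the effect he was seeing.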