On Wed, Mar 6, 2013 at 2:48 PM, Jean-Pierre Zurbrugg <[email protected]> wrote:
> Sorry for the late reply. I've been trying to test and noticed that I had
> indeed left out a freaking "," as you suggested.
>
> Btw, I stumbled upon a difficulty while trying to test all this on a VM:
>
> Try this test log on your lab and confirm if "action" returns a "d":
> Mar 6 14:43:33 172.16.1.2 %ASA-3-710003: TCP access denied by ACL from
> 1.1.1.1/52652 to OUTSIDE:2.2.2.2/22
>
> It returned a "d" in my case. To fix it I went ahead and added a space in
> the following decoder entry for pix (RED text):
>
> <decoder name="pix-fw2">
>   <parent>pix</parent>
>   <type>firewall</type>
>   <prematch offset="after_parent">^3-710003|^7-710002|^7-710005</prematch>
>   <regex offset="after_parent">^(\S+): (\S+) \w+ (\w+) \.+from </regex>
>   <regex>(\S+)/(\S+) to \w+:(\S+)/(\S+)</regex>
>   <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
> </decoder>
>
> =======================
> Aside from that I'll continue testing on my end since I seem to have another
> mistake somewhere....
>
> Btw Dan, I'm testing a snorby script that works similarly to ossec2mysql.pl
> that I'd like to give another week's worth of testing in my prod
> environment before sharing it with everyone.
> https://groups.google.com/forum/?fromgroups=#!searchin/ossec-list/snorby/ossec-list/e6hfIQA3AWA/XJemc5kNLKgJ
>
> How should I send the changes over to you? pastebin or a simple paste here
> in google groups ?
>
Pastebin is so horrible for sharing code. Attaching it to a message, or initiating a pull request on bitbucket, are much, much easier.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
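Since both the decoder entry and the test line are in the thread, the field layout can be exercised offline. The following is an added example of mine, not code from the thread or from the OSSEC project: it translates the decoder's patterns into Python's re syntax and runs the pix-fw2 entry in three forms (the entry before the space was added, the entry as posted above with the space, and a `\.*` variant that is my own assumption) over the thread's 710003 line plus two constructed lines for the other two message IDs in the prematch. The parent prematch `^%PIX-|^%ASA-|^%FWSM-`, the syslog-header stripping, the chaining of the second `<regex>` after the first match, and the 710002/710005 message text are all assumptions. Python's greedy matching is not OSSEC's os_regex engine, so the "d" reported above is not reproduced here; what the harness does show is that, under standard regex semantics, requiring a space plus at least one character before `from ` stops 7-710002 and 7-710005 from decoding at all, which is the kind of side effect worth checking with ossec-logtest before the edited entry goes into production.

```python
import re

# Constructed sample lines. The 3-710003 line is the test line posted in the
# thread; the 7-710002 and 7-710005 lines are my own, modelled on the Cisco ASA
# "access permitted from" / "request discarded from" message formats (assumption).
SAMPLE_LOGS = {
    "3-710003": "Mar 6 14:43:33 172.16.1.2 %ASA-3-710003: TCP access denied by ACL "
                "from 1.1.1.1/52652 to OUTSIDE:2.2.2.2/22",
    "7-710002": "Mar 6 14:43:34 172.16.1.2 %ASA-7-710002: TCP access permitted "
                "from 10.0.0.5/40123 to INSIDE:10.0.0.1/443",
    "7-710005": "Mar 6 14:43:35 172.16.1.2 %ASA-7-710005: UDP request discarded "
                "from 10.0.0.9/514 to INSIDE:10.0.0.1/514",
}

# Prematch of the "pix" parent decoder; an assumption about the shipped ruleset.
PARENT_PREMATCH = r"^%PIX-|^%ASA-|^%FWSM-"


def pix_fw2(first_regex):
    """The pix-fw2 decoder from the thread, parameterised on its first <regex>."""
    return {
        "prematch": r"^3-710003|^7-710002|^7-710005",
        "regex": [first_regex, r"(\S+)/(\S+) to \w+:(\S+)/(\S+)"],
        "order": ["id", "protocol", "action", "srcip", "srcport", "dstip", "dstport"],
    }


DECODER_ORIGINAL = pix_fw2(r"^(\S+): (\S+) \w+ (\w+)\.+from ")  # entry before the space was added
DECODER_POSTED = pix_fw2(r"^(\S+): (\S+) \w+ (\w+) \.+from ")   # entry as posted (space added)
DECODER_STAR = pix_fw2(r"^(\S+): (\S+) \w+ (\w+) \.*from ")     # my variant; an assumption


def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used above into Python re syntax.

    Differences that matter here: in OSSEC '\\.' means any character and a bare
    '.' is a literal dot; '\\w' is approximated as [A-Za-z0-9_].
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append({".": ".", "w": "[A-Za-z0-9_]"}.get(nxt, "\\" + nxt))
            i += 2
        elif c == ".":
            out.append(r"\.")
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def strip_syslog_header(line):
    """Drop the syslog timestamp and host, which OSSEC parses off before the
    decoders run (assumption about exactly what the decoders see)."""
    m = re.match(r"^[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d \S+ (.*)$", line)
    return m.group(1) if m else line


def decode(decoder, line):
    """Apply the parent prematch, the child prematch and the chained regexes;
    return the named fields, or None if the line does not decode."""
    msg = strip_syslog_header(line)
    parent = re.match(ossec_to_python(PARENT_PREMATCH), msg)
    if not parent:
        return None
    rest = msg[parent.end():]                      # offset="after_parent"
    if not re.match(ossec_to_python(decoder["prematch"]), rest):
        return None
    values = []
    for rx in decoder["regex"]:
        m = re.search(ossec_to_python(rx), rest)
        if not m:
            return None
        values.extend(m.groups())
        rest = rest[m.end():]                      # next <regex> continues after this match
    return dict(zip(decoder["order"], values))


def run_all(decoder):
    """Decode every sample line; maps message id to the fields (or None)."""
    return {msg_id: decode(decoder, line) for msg_id, line in SAMPLE_LOGS.items()}


if __name__ == "__main__":
    for name, dec in [("original", DECODER_ORIGINAL), ("posted", DECODER_POSTED), ("star", DECODER_STAR)]:
        print(name)
        for msg_id, fields in run_all(dec).items():
            print("  ", msg_id, "->", fields and fields["action"])
```

Run as a script it prints the action field each decoder form yields per message ID. To see what OSSEC's own engine does with the edited entry, pipe the same test line into /var/ossec/bin/ossec-logtest on the box that has the decoder loaded.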
