> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Champ Clark III [Softwink]
> Sent: Friday, October 08, 2010 6:57 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] liblognorm
>
> > http://cee.mitre.org/
>
> Yep.. I've read through that. I was looking for something more
> "meaty". :)

I understand, but right now I cannot provide more due to NDAs. I am even going on a border when I begin to write the class definitions (and so I will check with Mitre first).

> > That sounds good. The only thing that I am pretty sure about is that - at
> > some stage - we must support *multiple* files. That is because I envision
> > that some may be pulled from a global repository but some local-only may also
> > exist. I think it is easier to manage those if they can be kept in different
> > files.
>
> That's an interesting concept, and pretty much how we do it with
> Sagan/Snort. In the Sagan configuration file, you have lines like
> this:
>
> include $RULE_PATH/rsync.rules
> include $RULE_PATH/samba.rules
> include $RULE_PATH/sendmail.rules
>
> If you don't use "sendmail", you can "# out" that rule.
> There's not much need to "monitor" for things that you don't expect to
> see.
> The same could apply to liblognorm ... That way, you could also include
> "local" definitions.

Yup

> Here's how I'm looking to use something like liblognorm. I'd
> actually already started on some simple parsers, but would rather see
> something like liblognorm (keeps from re-inventing the wheel, and
> useful for many projects).
>
> Take the following "openssh.rules" line:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH]
> Authentication failure for root"; content: "Authentication failure for
> root"; classtype: unsuccessful-admin;program: sshd; threshold:type
> limit, track by_src, count 5, seconds 300; parse_ip_simple;
> parse_port_simple; reference:
> url,wiki.softwink.com/bin/view/Main/5000017; sid: 5000017; rev:1;)
>
> Note the parse_ip_simple and parse_port_simple. Those are my
> current, simple, parsers to pull IP address and TCP source port
> information (when applicable). Replace those calls with the
> liblognorm. That's the goal, across many different log sets (Cisco,
> Fortigate firewalls, Linux boxes) that I'm looking for.
>
> Basically, "ip_parse_simple" becomes a rule flag I can pass to
> liblognorm, which "tells" liblognorm, "this is an openssh message" and
> "extract the source IP address and source port".
>
> Does that seem on track? Sorry for the rant....

Exactly the same idea. Maybe we can share some of the code!

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
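The rule-flag idea discussed above, as an added example that is not part of the thread and not code from Sagan or liblognorm: a Python sketch that parses the quoted openssh.rules line, treats parse_ip_simple and parse_port_simple as extraction flags, and applies them to a constructed sshd record. The message layout after the program tag and the two regexes standing in for the "simple parsers" are assumptions.

```python
import re

# Sagan rule line quoted in the thread (openssh.rules), joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Authentication failure for root"; '
        'content: "Authentication failure for root"; classtype: unsuccessful-admin;program: sshd; '
        'threshold:type limit, track by_src, count 5, seconds 300; parse_ip_simple; parse_port_simple; '
        'reference: url,wiki.softwink.com/bin/view/Main/5000017; sid: 5000017; rev:1;)')

def parse_rule(line):
    """Split a Snort/Sagan-style rule into its header and an options dict.
    'key: value' options map key -> value (surrounding quotes dropped);
    bare options such as parse_ip_simple become flags set to True."""
    header, _, body = line.partition("(")
    opts = {}
    for opt in body.rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, sep, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"') if sep else True
    return header.strip(), opts

# Hypothetical stand-ins for the "simple parsers" mentioned in the thread.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PORT_RE = re.compile(r"\bport (\d{1,5})\b")

def normalize(rule_opts, program, message):
    """Apply one rule to one syslog record: the program and content must match,
    then each parse_* flag pulls its field out of the message. None on no match."""
    if rule_opts.get("program") != program or rule_opts["content"] not in message:
        return None
    fields = {"sid": int(rule_opts["sid"]), "msg": rule_opts["msg"]}
    if rule_opts.get("parse_ip_simple"):
        m = IP_RE.search(message)
        fields["src_ip"] = m.group(1) if m else None
    if rule_opts.get("parse_port_simple"):
        m = PORT_RE.search(message)
        fields["src_port"] = int(m.group(1)) if m else None
    return fields

# Constructed sample record (not from the thread); the "from IP port N" layout is assumed.
SAMPLE_PROGRAM = "sshd"
SAMPLE_MESSAGE = "Authentication failure for root from 192.0.2.10 port 51514 ssh2"

if __name__ == "__main__":
    _, opts = parse_rule(RULE)
    print(normalize(opts, SAMPLE_PROGRAM, SAMPLE_MESSAGE))
```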

