René Berber wrote:
> René Berber wrote:
>
> [snip]
>> I can tell you not to lose your time with "The Regex Coach", it is supposed to
> [snip]
>> "RegexBuddy". It has a demo time limit, so it can be tested.
> [snip]
>
> Found a test tool:
>
> $ pcretest
> PCRE version 7.0 18-Dec-2006
>
> re> /.* \[Sender snort\] \[PID -?\d+\] .* attempt.*P\} (?P<host>\S+):.*/
> data> [Time 2006.12.30 03:44:59 UTC] [Facility authpriv] [Sender snort] [PID
> -1]
> [Message [1:2050:9\] MS-SQL version overflow attempt [Classification: Misc
> activity\] [Priority: 3\]: {UDP} 61.187.94.122:4613 -> 1.2.3.4:1434] [Level 1]
> [UID -2] [GID -2] [Host our-little-emac]
> 0: [Time 2006.12.30 03:44:59 UTC] [Facility authpriv] [Sender snort] [PID -1]
> [Message [1:2050:9] MS-SQL version overflow attempt [Classification: Misc
> activity] [Priority: 3]: {UDP} 61.187.94.122:4613 -> 1.2.3.4:1434] [Level 1]
> [UID -2] [GID -2] [Host our-little-emac]
> 1: 61.187.94.122
>
> So the regex I sent before does match the log, and the IP (the result means it
> matches the whole line (match 0) and it matches the named pattern (match 1)).
>
> pcretest is part of PCRE http://www.pcre.org/
>
> I couldn't get the version I had (6.6) to even accept my regex; it complained
> about a syntax error on the named match part. But the latest version does
> work.

Very nice, thank you! I was in the process of porting Phil Schwartz'
kodos package over to the fink project (which I might finish anyway).
I don't get a syntax error with your expression. Let's see if it
triggers DH. I'll keep you posted about how well the regex works and
I'll check out the pcre tool also.
Thanks again,
Robert
_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
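
The pcretest check from the thread, repeated with Python's `re` module, which accepts the same `(?P<host>...)` named-group syntax. This is an added example, not code from the original posts or from DenyHosts; the IP validation step, the function name and the two constructed log lines are assumptions made here.

```python
import ipaddress
import re

# Regex from the pcretest session in the thread, without the /.../ delimiters.
SNORT_RE = re.compile(
    r".* \[Sender snort\] \[PID -?\d+\] .* attempt.*P\} (?P<host>\S+):.*"
)

# Log line from the thread, unwrapped onto one line as pcretest echoed it in match 0.
SAMPLE = (
    "[Time 2006.12.30 03:44:59 UTC] [Facility authpriv] [Sender snort] [PID -1] "
    "[Message [1:2050:9] MS-SQL version overflow attempt "
    "[Classification: Misc activity] [Priority: 3]: "
    "{UDP} 61.187.94.122:4613 -> 1.2.3.4:1434] [Level 1] "
    "[UID -2] [GID -2] [Host our-little-emac]"
)

# Constructed line (not from the thread): a snort entry without the word "attempt".
NO_KEYWORD = (
    "[Time 2006.12.30 03:45:10 UTC] [Facility authpriv] [Sender snort] [PID -1] "
    "[Message [1:0:0] constructed alert without the keyword: "
    "{UDP} 192.0.2.7:4613 -> 1.2.3.4:1434] [Level 1]"
)

# Constructed line (not from the thread): the regex matches, but the captured
# text is not an IP address, because \S+ accepts any run of non-space characters.
BAD_HOST = SAMPLE.replace("61.187.94.122", "not-an-ip")


def extract_host(line):
    """Return the source IP captured by the 'host' group, or None.

    None is returned both when the regex does not match and when the
    captured text does not parse as an IPv4/IPv6 address.
    """
    m = SNORT_RE.match(line)
    if m is None:
        return None
    try:
        return str(ipaddress.ip_address(m.group("host")))
    except ValueError:
        return None


if __name__ == "__main__":
    for name, line in (("sample", SAMPLE), ("no keyword", NO_KEYWORD), ("bad host", BAD_HOST)):
        print(f"{name}: {extract_host(line)}")
```
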