> http://cee.mitre.org/

        Yep... I've read through that.  I was looking for something more
"meaty".  :)

> That sounds good. The only thing that I am pretty sure about is that - at
> some stage - we must support *multiple* files. That is because I envision
> that some may be pulled from a global repository but some local-only may also
> exist. I think it is easier to manage those if they can be kept in different
> files.

        That's an interesting concept, and pretty much how we do it with
Sagan/Snort.  In the Sagan configuration file, you have lines like
this:

include $RULE_PATH/rsync.rules
include $RULE_PATH/samba.rules
include $RULE_PATH/sendmail.rules

        If you don't use "sendmail", you can "# out" that rule.
There's not much need to "monitor" for things that you don't expect to see.
The same could apply to liblognorm ... That way, you could also include
"local" definitions.

        Here's how I'm looking to use something like liblognorm.  I'd
actually already started on some simple parsers, but would rather see
something like liblognorm (keeps from re-inventing the wheel, and
useful for many projects).

        Take the following "openssh.rules" line:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Authentication failure for root"; content:"Authentication failure for root"; classtype:unsuccessful-admin; program:sshd; threshold:type limit, track by_src, count 5, seconds 300; parse_ip_simple; parse_port_simple; reference:url,wiki.softwink.com/bin/view/Main/5000017; sid:5000017; rev:1;)

        Note the parse_ip_simple and parse_port_simple.  Those are my
current, simple parsers to pull IP address and TCP source port
information (when applicable).  Replace those calls with
liblognorm.  That's the goal I'm looking for, across many different
log sets (Cisco, Fortigate firewalls, Linux boxes).

        Basically, "ip_parse_simple" becomes a rule flag I can pass to
liblognorm, which "tells" liblognorm "this is an openssh message" and
"extract the source IP address and source port".

        Does that seem on track?  Sorry for the rant....

> Looks like we are in business ;) I need to digest what I have read today, but
> it looks like I will begin to create some skeleton code next week, starting
> with the build system and followed by some important definitions (e.g. for
> tags, fields and so on). Feedback on the organization of this material is
> also appreciated. I'll populate the public git as soon as I have some lines
> of code ;)

        No problem.  These things take time :)


-- 
        Champ Clark III | Softwink, Inc | 800-538-9357 x 101
                     http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
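As an added illustration (not code from the thread, Sagan or liblognorm), here is a small Python normalizer that does what the message above describes: a rule carrying the `program`, `content` and parser flags from the openssh.rules line drives field extraction, and the rule's `threshold:type limit, track by_src, count 5, seconds 300` is applied on top, so the sixth failure from one source inside a window is suppressed while a new window re-arms it. The log lines, the `parse_*` regexes and the output field names are constructed assumptions.

```python
import re
from datetime import datetime
# Constructed syslog lines for this example (not taken from the mailing-list thread).
SAMPLE_LOGS = [
    "Jan  5 10:00:01 gw sshd[2101]: Authentication failure for root from 203.0.113.7 port 51234",
    "Jan  5 10:00:03 gw sshd[2103]: Authentication failure for root from 203.0.113.7 port 51235",
    "Jan  5 10:00:05 gw sshd[2105]: Authentication failure for root from 203.0.113.7 port 51236",
    "Jan  5 10:00:07 gw sshd[2107]: Authentication failure for root from 203.0.113.7 port 51237",
    "Jan  5 10:00:09 gw sshd[2109]: Authentication failure for root from 203.0.113.7 port 51238",
    "Jan  5 10:00:11 gw sshd[2111]: Authentication failure for root from 203.0.113.7 port 51239",
    "Jan  5 10:00:20 gw sshd[2113]: Authentication failure for root from 198.51.100.9 port 40001",
    "Jan  5 10:00:25 gw sshd[2115]: Accepted publickey for ops from 192.0.2.4 port 50000 ssh2",
    "Jan  5 10:05:30 gw sshd[2120]: Authentication failure for root from 203.0.113.7 port 51300",
    "Jan  5 10:06:00 gw sendmail[300]: Authentication failure for root from 203.0.113.7 port 25",
]
# The openssh.rules entry from the thread, reduced to what a normalizer needs from it.
RULE = {"sid": 5000017, "program": "sshd", "content": "Authentication failure for root",
        "parsers": ["parse_ip_simple", "parse_port_simple"], "count": 5, "seconds": 300}
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<program>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Each parser flag named in the rule maps to an output field and a simple extractor regex (assumed names).
PARSERS = {"parse_ip_simple": ("src_ip", re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")),
           "parse_port_simple": ("src_port", re.compile(r"\bport (\d{1,5})\b"))}

def normalize(line, rule):
    """Return {ts, sid, src_ip, src_port} when the line's program and content match the rule, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m["program"] != rule["program"] or rule["content"] not in m["msg"]:
        return None
    fields = {"sid": rule["sid"], "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S")}
    for flag in rule["parsers"]:
        name, rx = PARSERS[flag]
        hit = rx.search(m["msg"])
        fields[name] = hit.group(1) if hit else None
    return fields
def limit_allow(state, src, ts, count, seconds):
    """'type limit, track by_src': alert on the first `count` events per source in each window, suppress the rest."""
    start, seen = state.get(src, (ts, 0))
    if (ts - start).total_seconds() >= seconds:  # window expired, open a new one
        start, seen = ts, 0
    state[src] = (start, seen + 1)
    return seen + 1 <= count

def run(lines, rule):
    """Normalize each line against the rule; return (src_ip, src_port) for the events that alert."""
    state, alerts = {}, []
    for line in lines:
        f = normalize(line, rule)
        if f and f["src_ip"] and limit_allow(state, f["src_ip"], f["ts"], rule["count"], rule["seconds"]):
            alerts.append((f["src_ip"], f["src_port"]))
    return alerts
```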


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
