Simple tests seem not to work


DigiAngel

Nov 22, 2011, 10:35:21 AM
to sagan-users
Cross posted in liblognorm mailing list:

Hey all!

So...been battling trying to get some asa stuff to fly. As I'm testing things, I think I need some help in understanding more on how liblognorm works. Here's the rules below:

Normalize-rulebase:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASA] TCP EXTERNAL BLOCK"; program: TEST; content: TCP; normalize: asa; classtype: bad-unknown; sid: 6000006; rev:1;)

Rule:
prefix=
rule=: TCP

There is a space at the end of the TCP. That being shown, here's what happens when I test this:

echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST| TCP " > sagan.fifo

[*] Normalize output: [cee@115 originalmsg=" TCP " unparsed-data=""]

I've tried:

echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST| TCP" > sagan.fifo

echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST|TCP" > sagan.fifo

echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST|TCP " > sagan.fifo

None of which work.

[*] Normalize output: [cee@115 originalmsg=" TCP" unparsed-data=""]

[*] Normalize output: [cee@115 originalmsg="TCP" unparsed-data="TCP"]

[*] Normalize output: [cee@115 originalmsg="TCP " unparsed-data="TCP "]

My question is, why not, and where is the issue? Why would a simple word like this not match? Even changing "TCP" in the rulebase to %-:word% gives me the same output. What could I be missing here? Thank you.

James

Champ Clark III [Quadrant]

Nov 23, 2011, 12:37:51 PM
to sagan...@googlegroups.com
You might want to try the liblognorm "normalize" command for testing. I'm going to be playing with liblognorm this week, I'll let you know what I find. I know that liblognorm just was updated as well. That might have changed things (?)

Digital X

Nov 23, 2011, 2:03:45 PM
to sagan...@googlegroups.com
Thanks Champ… any documentation on that command?

James

Champ Clark III [Quadrant]

Nov 23, 2011, 3:16:10 PM
to sagan...@googlegroups.com
I believe you do "normalize -r {normalize rulebase file} < log file"

or

echo "my syslog data" | normalize -r {normalize rulebase}

I know I've seen Rainer's documentation for this before, but can't recall where.

Digital X

Nov 23, 2011, 5:42:28 PM
to sagan...@googlegroups.com
Yea… I found it here:

Under "The Normalizer" section.

Caveat is, either your syslog output needs to NOT have date, time, host, and program, or you have to build that into your normalize rulebase…otherwise it won't match.

Still mucking with it….I suspect I'll be able to hammer through it tomorrow.  Thanks Champ.
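An added illustration of that caveat (not liblognorm's or Sagan's own code): a toy model of how a liblognorm v1 rulebase matches, run against the thread's `rule=: TCP ` and against a constructed syslog line that still carries its header. The header-aware rule, the field-type subset and the sample line are assumptions based on liblognorm's documented rulebase syntax, not taken from the thread.

```python
import re
# Constructed, simplified model of liblognorm v1 rule matching (an added
# illustration, not liblognorm's own parser): literal text and %name:type%
# fields are consumed from the very first character of the message, and a
# rule matches only if it consumes the whole message.
FIELD_RE = re.compile(r"%([^:%]+):([^%]+)%")

# Subset of liblognorm field types, as the regex each one may consume.
TYPES = {
    "word": r"\S+",                       # up to the next space
    "number": r"\d+",
    "rest": r".*",
    "date-rfc3164": r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}",
}

def field_regex(ftype):
    """Regex for one field type; 'char-to:\\x3a' takes a terminator char."""
    if ftype.startswith("char-to:"):
        arg = ftype.split(":", 1)[1]
        term = chr(int(arg[2:], 16)) if arg.startswith("\\x") else arg
        return "[^%s]+" % re.escape(term)
    return TYPES[ftype]

def compile_rule(rule_line):
    """'rule=tags:pattern' -> regex anchored at both ends of the message."""
    body = rule_line.split("=", 1)[1].split(":", 1)[1]
    pattern, pos = "", 0
    for m in FIELD_RE.finditer(body):
        pattern += re.escape(body[pos:m.start()])  # literal, spaces included
        name, ftype = m.group(1), m.group(2)
        if name == "-":                             # %-:type% matches, discards
            pattern += "(?:%s)" % field_regex(ftype)
        else:
            pattern += "(?P<%s>%s)" % (name, field_regex(ftype))
        pos = m.end()
    pattern += re.escape(body[pos:])
    return re.compile("^" + pattern + "$", re.DOTALL)

def normalize(rulebase, msg):
    """Fields of the first rule that matches msg in full, else None."""
    for line in rulebase:
        if line.startswith("rule="):               # skip prefix=, comments
            m = compile_rule(line).match(msg)
            if m:
                return m.groupdict()
    return None

# The thread's rule, and a header-aware variant (assumed, not from the thread).
BARE_RULE = "rule=: TCP "
HEADER_RULE = "rule=:%date:date-rfc3164% %host:word% %prog:char-to:\\x3a%: TCP "
SYSLOG_LINE = "Nov 21 15:03:02 1.1.1.1 TEST: TCP "  # constructed sample line
```

With the bare rule the header-bearing line never matches, because the literal " TCP " must start at the first character; only the header-aware rule consumes the date, host and program and then the literal.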