Hey all!
So...been battling trying to get some ASA stuff to fly. As I'm testing things, I think I need some help in understanding more on how liblognorm works. Here's the rules below:
Normalize-rulebase:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASA] TCP EXTERNAL BLOCK"; program: TEST; content: TCP; normalize: asa; classtype: bad-unknown; sid: 6000006; rev:1;)
Rule:
prefix=
rule=: TCP
There is a space at the end of the TCP. That being shown, here's what happens when I test this:
echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST| TCP " > sagan.fifo
[*] Normalize output: [cee@115 originalmsg=" TCP " unparsed-data=""]
I've tried:
echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST| TCP" > sagan.fifo
echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST|TCP" > sagan.fifo
echo "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST|TCP " > sagan.fifo
None of which work.
[*] Normalize output: [cee@115 originalmsg=" TCP" unparsed-data=""]
[*] Normalize output: [cee@115 originalmsg="TCP" unparsed-data="TCP"]
[*] Normalize output: [cee@115 originalmsg="TCP " unparsed-data="TCP "]
My question is, why not, and where is the issue? Why would a simple
word like this not match? Even changing "TCP" in the rulebase to
%-:word% gives me the same output. What could I be missing here?
Thank you.
James

Champ Clark III
(office) 904.253.7856(mobile) 850.443.2440(SOC) 800.538.9357 ext 101
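A small Python model of the whitespace question, added here as an example and not code from the post, from Sagan or from liblognorm: it splits the pipe-delimited FIFO line used above (field names are my assumption) and runs the message through a simplified matcher that treats a rule line as literal text plus %name:word% parsers, so the four test lines can be compared byte for byte against " TCP ". Real liblognorm has many more parsers and its own handling of rule-line whitespace; this only shows why leading and trailing spaces in a literal are significant.

```python
import re

# Field order of the Sagan FIFO line as it appears in the post
# (assumption: names are mine, the order is taken from the sample lines).
FIFO_FIELDS = ["host", "facility", "priority", "level", "tag",
               "date", "time", "program", "message"]


def parse_fifo_line(line):
    """Split one pipe-delimited FIFO line; the message may itself contain '|'."""
    parts = line.rstrip("\n").split("|", len(FIFO_FIELDS) - 1)
    if len(parts) != len(FIFO_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIFO_FIELDS), len(parts)))
    return dict(zip(FIFO_FIELDS, parts))


# Simplified model of a 'rule=' line: literal text and %name:word% parsers,
# where 'word' is a run of non-whitespace characters. A name of '-' discards
# the value, as in the post's %-:word%. Everything else is matched literally,
# spaces included.
TOKEN_RE = re.compile(r"%([^:%]*):word%")


def compile_rule(rule_text):
    """Turn the rule text into an anchored regex plus the parser names in order."""
    regex, pos, names = "", 0, []
    for m in TOKEN_RE.finditer(rule_text):
        regex += re.escape(rule_text[pos:m.start()])  # literal part, byte for byte
        names.append(m.group(1))
        regex += r"(\S+)"                             # the 'word' parser
        pos = m.end()
    regex += re.escape(rule_text[pos:])
    return re.compile(r"\A" + regex + r"\Z"), names


def normalize(rule_text, message):
    """Return (matched, fields); on failure echo the message like the post's output."""
    pattern, names = compile_rule(rule_text)
    m = pattern.match(message)
    if not m:
        return False, {"originalmsg": message, "unparsed-data": message}
    return True, {n: v for n, v in zip(names, m.groups()) if n != "-"}


if __name__ == "__main__":
    # Constructed test line, identical to the first echo in the post.
    line = "1.1.1.1|local0|warning|warning|84|2011-11-21|15:03:02|TEST| TCP "
    msg = parse_fifo_line(line)["message"]
    for candidate in (" TCP ", " TCP", "TCP", "TCP "):
        print(repr(candidate), normalize(" TCP ", candidate)[0])
    print(repr(msg), normalize(" %-:word% ", msg))
```

Printing each candidate with repr() makes the invisible spaces explicit, which is the first thing to check when a literal rule refuses to match.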