need help with pattern, get .classifier.class=unknown
Hi all, I use the NetScreen pattern. The ruleset:

<ruleset name="NetScreen" id='1001'>
  <pattern>fw</pattern>
  <rules>
    <rule provider="ELSA" class='1001' id='1001'>
      <patterns>
        <pattern>NetScreen device_id=@ESTRING:s0: @@ESTRING:: @start_time="@ESTRING::"@ duration=@ESTRING:: @policy_id=@ESTRING:i0: @service=@ESTRING:s1: @proto=@ESTRING:: @src zone=@ESTRING:s2: @dst zone=@ESTRING:s3: @action=@ESTRING:s4: @sent=@ESTRING:: @rcvd=@ESTRING:: @src=@ESTRING:i1: @dst=@ESTRING:i2: @src_port=@ESTRING:i3: @dst_port=@ESTRING:i4: @session_id=@ESTRING:: @reason=Traffic Denied</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="NetScreen deny">NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied</test_message>
          <!-- device -->
          <test_value name="s0">fw</test_value>
          <!-- policy id -->
          <test_value name="i0">10005</test_value>
          <!-- service -->
          <test_value name="s1">http</test_value>
          <!-- src zone -->
          <test_value name="s2">OUT</test_value>
          <!-- dst zone -->
          <test_value name="s3">IN</test_value>
          <!-- action -->
          <test_value name="s4">Deny</test_value>
          <!-- src -->
          <test_value name="i1">192.168.0.1</test_value>
          <!-- dst -->
          <test_value name="i2">192.168.1.1</test_value>
          <!-- src_port -->
          <test_value name="i3">51271</test_value>
          <!-- dst_port -->
          <test_value name="i4">80</test_value>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>

but I get this error:

/usr/local/syslog-ng/bin/pdbtool match -c -D -v -p /usr/local/elsa/node/conf/patterndb.xml -P fw -M "NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied"

Pattern matching part:
NetScreen device_id=@ESTRING:s0=fw@@ESTRING:None=[Root]system-notification-00257(traffic):@start_time=2012-10-02
Matching part:
NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time=
Values:
MESSAGE=NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time=2012-10-02
PROGRAM=fw
.classifier.class=unknown

Any help here? Thanks,
Stefan
Hi,

On 02/14/2013 03:26 PM, Stefan Sabolowitsch wrote:
/usr/local/syslog-ng/bin/pdbtool match -c -D -v -p /usr/local/elsa/node/conf/patterndb.xml -P fw -M "NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied"

The problem should lie here: you are using the same quotation char in the shell as in the message to be matched, so it is swallowed by bash. Try using single quotes and it should work, like this:
blint@lyra:~$ pdbtool match -c -D -v -p /tmp/netscreen.xml -P fw -M 'NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied'
Pattern matching part:
NetScreen device_id=@ESTRING:s0=fw@@ESTRING:None=[Root]system-notification-00257(traffic):@start_time="@ESTRING:None=2012-10-02 09:46:20@ duration=@ESTRING:None=0@policy_id=@ESTRING:i0=10005@service=@ESTRING:s1=http@proto=@ESTRING:None=6@src zone=@ESTRING:s2=OUT@dst zone=@ESTRING:s3=IN@action=@ESTRING:s4=Deny@sent=@ESTRING:None=0@rcvd=@ESTRING:None=40@src=@ESTRING:i1=192.168.0.1@dst=@ESTRING:i2=192.168.1.1@src_port=@ESTRING:i3=51271@dst_port=@ESTRING:i4=80@session_id=@ESTRING:None=0@reason=Traffic Denied
Matching part:
NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied
Values:
MESSAGE=NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied
PROGRAM=fw
.classifier.class=1001
.classifier.rule_id=1001
s0=fw
i0=10005
s1=http
s2=OUT
s3=IN
s4=Deny
i1=192.168.0.1
i2=192.168.1.1
i3=51271
i4=80
TAGS=
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Balint
Ahhh, big thanks :)
Stefan

On 14.02.2013 at 15:32, Balint Kovacs <balint.kovacs@balabit.com> wrote:
participants (2)
- Balint Kovacs
- Stefan Sabolowitsch