[syslog-ng] loop caused by syslog-ng filter
Adam Richter
Sub-Zero-1 at gmx.at
Thu Mar 20 14:45:55 CET 2008
Hi!
Not working! Syslog-ng filters for exactly the string: [Priority: 1]
and not as it is piped by the mail script: #priority 1# note the ":" !
Anyway I used your script --> same fault!!!
I have also used the following script:
#!/bin/sh
echo AAA >> /tmp/schrott
date >> /tmp/schrott
There is no output like [Priority: 1]!!!
Then I did the following: tail -f /tmp/schrott and got a loop too! The loop starts when syslog-ng recognises the first matching string [Priority: 1] and loops till I stop syslog-ng!!!
Sensor1:~# /etc/init.d/syslog-ng stop
Stopping system logging: syslog-ng.
Sensor1:~# tail -f /tmp/schrott
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
AAA
Do 20. Mär 14:29:12 CET 2008
I think it has something in common with this thread:
https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009454.html
Any other ideas? It's very important!
German: This is my final exam, and this is the last error that occurs; otherwise the project runs.
bye, Adam / Sub-Zero !
-------- Original Message --------
> Date: Thu, 20 Mar 2008 10:32:31 +0100
> From: "JUNG, Christian" <christian.jung at saarstahl.com>
> To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] loop caused by syslog-ng filter
> Hi Adam,
>
> syslog-ng does the right thing :-).
>
> It starts the program/script once and pipes on STDIN every log-message
> which matches the filter.
>
> If your script is started, it will call mail and pipe "Alert, priority 1"
> to its STDIN and then exits. syslog-ng sees this and restarts it (version
> 2.0 or higher behave that way, see
> <http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch09s02.html#reference_destination_program>).
>
> For your purpose this would be better:
>
> ---8<---
> #!/bin/bash
>
> while read LINE; do
> cat <<-EOF | mail -s "High Priority Snort Alert" Sub-Zero at xxx.de
> Alert, Priority 1
> $LINE
> EOF
> done
> ---8<---
>
>
> bye
> Chris
>
> >
> > -----Original Message-----
> > From: syslog-ng-bounces at lists.balabit.hu
> > [mailto:syslog-ng-bounces at lists.balabit.hu]On Behalf Of Adam Richter
> > Sent: Thursday, March 20, 2008 9:23 AM
> > To: syslog-ng at lists.balabit.hu
> > Subject: [syslog-ng] loop caused by syslog-ng filter
> >
> >
> > Hi!
> >
> > First off, sorry for my poor english!
> > I have a problem with a loop caused by syslog-ng v. 2.0.8. I
> > have set up Snort as an IDS System. Snort writes its messages
> > in unified-format to /var/log/snort/snort.alert and
> > /var/log/snort/snort.log. There are two Barnyard processes
> > which read the unified files and convert them to messages that
> > syslog and MySQL understand. Syslog-ng writes the messages
> > to /var/log/auth.log. All this is working fine. Now, I want
> > to set up a filter for Priority 1 alerts. This alert should
> > be sent to the Administrator.
> >
> > I used the following filter for syslog-ng:
> >
> > source src {unix-stream("/dev/log"); internal();};
> > destination email{program("/usr/local/bin/alert_mail.sh");};
> > filter high {match("[Priority: 1]");};
> > log {source(src);filter(high); destination(email);};
> >
> >
> > The alert_mail.sh:
> >
> > #!/bin/sh
> > cat << EOF | mail -s "High Priority Snort Alert" Sub-Zero at xxx.de
> > Alert, Priority 1
> > EOF
> >
> >
> > Then I use Nessus to cause some alerts with Priority 1. I can
> > see 4 alerts with the Priority 1 with BASE and in /var/log/auth.log.
> >
> > Syslog-ng recognises the alert with Priority 1 and activates
> > the script /usr/local/bin/alert_mail.sh
> >
> > All this is working, but the script is restarted by syslog-ng
> > again and again.
> >
> > Extract from /var/log/messages:
> >
> > Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program
> > exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ',
> > status='0'
> > Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination
> > program; cmdline='/usr/local/bin/alert_mail.sh '
> > Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Closing log writer
> > fd; fd='11'
> > Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program
> > exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ',
> > status='0'
> > Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination
> > program; cmdline='/usr/local/bin/alert_mail.sh '
> > Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Child program
> > exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ',
> > status='0'
> > Mar 18 15:46:16 Sensor1 syslog-ng[5191]: Starting destination
> > program; cmdline='/usr/local/bin/alert_mail.sh '
> > …
> > Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program
> > exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ',
> > status='256'
> > Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting
> > destination program; cmdline='/usr/local/bin/alert_mail.sh '
> > Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program
> > exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ',
> > status='256'
> > Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Starting
> > destination program; cmdline='/usr/local/bin/alert_mail.sh '
> > Mar 18 15:42:00 Sensor1 syslog-ng[17354]: Child program
> > exited, restarting;
> >
> > …
> >
> >
> > I get thousands of mails per minute till I stop syslog-ng.
> >
> > Output of /var/log/auth.log (so you see that syslog-ng writes
> > snort/barnyard messages correctly to auth.log):
> >
> > Mar 19 13:56:54 src at Sensor1 barnyard: [1:1394:8] SHELLCODE
> > x86 NOOP [Classification: Executable code was detected]
> > [Priority: 1] {UDP} 172.25.1.152:4758 -> 172.28.100.10:137
> > Mar 19 13:57:13 src at Sensor1 barnyard: [1:1446:8] SMTP vrfy
> > root [Classification: Attempted Information Leak] [Priority:
> > 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25
> > Mar 19 13:57:13 src at Sensor1 barnyard: [1:660:11] SMTP expn
> > root [Classification: Attempted Information Leak] [Priority:
> > 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25
> > Mar 19 13:57:22 src at Sensor1 barnyard: [1:12626:2] Snort Alert
> > [1:12626:0] [Classification: Decode of an RPC Query]
> > [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111
> > Mar 19 13:57:22 src at Sensor1 barnyard: [1:585:9] RPC portmap
> > sadmind request UDP [Classification: Decode of an RPC Query]
> > [Priority: 2] {UDP} 172.25.1.152:1146 -> 172.28.100.10:111
> > Mar 19 13:57:24 src at Sensor1 barnyard: [1:566:6] POLICY
> > PCAnywhere server response [Classification: Misc activity]
> > [Priority: 3] {UDP} 172.25.1.152:1155 -> 172.28.100.10:5632
> > Mar 19 15:11:27 src at Sensor1 barnyard: [122:1:0] portscan: TCP
> > Portscan [Classification: Unknown] [Priority: 3] {PROTO255}
> > 172.25.1.152 -> 172.28.100.10
> > Mar 19 15:11:58 src at Sensor1 barnyard: [1:1420:13] SNMP trap
> > tcp [Classification: Attempted Information Leak] [Priority:
> > 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:162
> > Mar 19 15:11:58 src at Sensor1 barnyard: [1:1418:13] SNMP
> > request tcp [Classification: Attempted Information Leak]
> > [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:161
> > Mar 19 15:12:05 src at Sensor1 barnyard: [1:1421:13] SNMP
> > AgentX/tcp request [Classification: Attempted Information
> > Leak] [Priority: 2] {TCP} 172.25.1.152:4482 -> 172.28.100.10:705
> > Mar 19 15:12:16 src at Sensor1 barnyard: [122:1:0] portscan: TCP
> > Portscan [Classification: Unknown] [Priority: 3] {PROTO255}
> > 172.25.1.152 -> 172.28.100.10
> > Mar 19 15:12:19 src at Sensor1 barnyard: [1:1394:8] SHELLCODE
> > x86 NOOP [Classification: Executable code was detected]
> > [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
> > Mar 19 15:12:20 src at Sensor1 barnyard: [1:1394:8] SHELLCODE
> > x86 NOOP [Classification: Executable code was detected]
> > [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
> > Mar 19 15:12:22 src at Sensor1 barnyard: [1:1394:8] SHELLCODE
> > x86 NOOP [Classification: Executable code was detected]
> > [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
> >
> >
> > I think it has something in common with this topic:
> >
> > https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009454.html
> >
> > Thanks in advance!
> >
> > Sub-Zero
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
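The thread above turns on two points that are easy to check offline. First, as Christian explains, a program() destination is started once and fed one line per matching message on its STDIN, so the script has to keep reading (the while read loop in his version) rather than send one mail and exit. Second, the match() filter in the quoted configuration takes a regular expression, so the square brackets in match("[Priority: 1]") form a bracket expression (one character out of the set P, r, i, o, t, y, colon, space, 1) rather than literal brackets; that pattern matches almost every message, including syslog-ng's own "Child program exited, restarting" notices, which reach the same filter because internal() is part of source src. Escaping the brackets in the regex (\[Priority: 1\]) restricts the filter to real Priority 1 alerts. The script below is an added example, not code from the thread or from the syslog-ng project: the log lines are constructed from the excerpts quoted above, and deliver_alert is a hypothetical stand-in for the mail command so the example runs without an MTA.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): shows the reader shape a
# program() destination script needs, and how an unescaped bracketed string
# behaves when it is used as a regular expression.

# Constructed log lines modelled on the auth.log and messages excerpts in the
# thread: two Priority 1 alerts, one Priority 2 alert and one syslog-ng
# internal() restart notice.
sample_log() {
    cat <<'EOF'
Mar 19 13:56:54 Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:4758 -> 172.28.100.10:137
Mar 19 13:57:13 Sensor1 barnyard: [1:1446:8] SMTP vrfy root [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.1.152:1085 -> 172.28.100.10:25
Mar 19 15:12:19 Sensor1 syslog-ng[5191]: Child program exited, restarting; cmdline='/usr/local/bin/alert_mail.sh ', status='0'
Mar 19 15:12:22 Sensor1 barnyard: [1:1394:8] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {UDP} 172.25.1.152:137 -> 172.28.100.10:137
EOF
}

# The pattern exactly as written in the quoted filter, used as a regex:
# the brackets form a character class, so every line that contains any of
# P r i o t y : space 1 matches, the restart notice included.
count_unescaped_regex() { sample_log | grep -c -E '[Priority: 1]'; }

# Brackets escaped: only the lines carrying the literal text match.
count_escaped_regex() { sample_log | grep -c -E '\[Priority: 1\]'; }

# Fixed-string comparison, the semantics the original filter intended.
count_fixed_string() { sample_log | grep -c -F '[Priority: 1]'; }

# Hypothetical stand-in for "mail -s 'High Priority Snort Alert' admin":
# writes the notification to stderr so the example runs without an MTA.
deliver_alert() {
    printf 'High Priority Snort Alert: %s\n' "$1" >&2
}

# The shape a program() destination script needs: one long-lived process
# that handles a line per matching message and exits only when syslog-ng
# closes the pipe (EOF). Prints the number of alerts delivered.
alert_reader() {
    n=0
    while IFS= read -r line; do
        deliver_alert "$line"
        n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone run: compare the three filter forms, then feed the correctly
# filtered lines through the reader as syslog-ng would.
printf 'unescaped regex matches:    %s\n' "$(count_unescaped_regex)"
printf 'escaped regex matches:      %s\n' "$(count_escaped_regex)"
printf 'fixed-string matches:       %s\n' "$(count_fixed_string)"
printf 'alerts delivered by reader: %s\n' "$(sample_log | grep -F '[Priority: 1]' | alert_reader)"
```

On the sample input the unescaped pattern matches all four lines while the escaped and fixed-string forms match only the two real Priority 1 alerts, and alert_reader delivers exactly one notification per line it is given and then returns, which is the behaviour Christian's while read script has and the one-shot alert_mail.sh lacks. When adapting this for syslog-ng, check the admin guide for your version on how backslashes are written inside the double-quoted match() string.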