regex for this checkpoint logs
2007-08-29 02:35:17
All,

I need your assistance. I have been able to figure my way
around regex, but can anyone help me by giving me the direction
to write the regex for the following Check Point log? If I
am able to figure it out I may be able to contribute
to the Check Point rules. I am managing several Check Point
FWs:

I am ready to pull my hair out. I can delimit records by
space but would like to delimit by pipe "|" so I
can capture better data (such as "TCP packet out of
state").

Your help will be greatly appreciated.

Aug 24 16:30:18 Cobra fw1-loggrabber[2943]: loc=5270|time=24Aug200716:31:18|action=drop|orig=10.6.1.1|i/f_dir=inbound|i/f_name=LNE10019|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 &FireWall-1[db_tag=;mgmt=Chilly-Main-fw;date=1187335194;policy_name=Standard]|src=68.6.19.3|s_port=25|dst=10.6.1.100|service=53603|tcp_flags=RST|proto=tcp|TCP packet out of state=First packet isn't SYN

Sample Smart Defence:
Jun 1 00:50:28 Cobra fw1-loggrabber[4613]: loc=2255|time=2007-06-0101:46:29|action=monitor|orig=10.6.1.1|i/f_dir=inbound|i/f_name=LNE10019|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=SmartDefense|__policy_id_tag=product=VPN-1 &FireWall-1[db_tag=;mgmt=felcor-rampart;date=1180466913;policy_name=4-12-06]|src=10.50.1.103|s_port=2331|dst=10.1.1.19|service=135|proto=tcp|attack=DCE-RPC EnforcementViolation|Attack Info=UUID is not allowed through the Rule Base|DCE-RPC Interface UUID=00000640-0000-002b-0000-002ce3514235|DCE-RPC Interface UUID-1=00000640-0000-002b-0000-002ce3514235|DCE-RPC Interface UUID-2=00000640-0000-002b-0000-002ce3514235|DCE-RPC Interface UUID-3=00000640-0000-002b-0000-002ce3514235

Check Point Firewall-1 Policy Installed
Jun 26 06:56:18 Cobra fw1-loggrabber[22431]: loc=684452|time=2007-06-2606:56:17|action=ctl|orig=10.6.1.1|i/f_dir=inbound|i/f_name=LNE10019|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|sys_msgs=installed Bae1Bae2

_______________________________________________
Prelude-user site list
Prelude-user@prelude-ids.org
http://www.prelude-ids.org/mailman/listinfo/prelude-user


Re: regex for this checkpoint logs
2007-08-31 08:49:33
On Wednesday, 29 August 2007 at 03:35 -0400, Arthur Chilipweli wrote:
> I need your assistance. I have been able to figure my way around
> regex, but can anyone help me by giving me the direction to write the
> regex for the following Check Point log? If I am able to figure it
> out I may be able to contribute to the Check Point rules. I am
> managing several Check Point FWs:
> 
> I am ready to pull my hair out. I can delimit records by space but
> would like to delimit by pipe "|" so I can capture better data (such
> as "TCP packet out of state").

Hi Arthur,

It'd be easier to answer this problem if you could
provide us with a sample non-working regexp.

The first thing that comes to mind is that you didn't
escape the | character properly (since it is interpreted by
PCRE); you need to escape it with a backslash.

Regards,

-- 
Yoann Vandoorselaere | Responsable R&D / CTO |
PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58                  Fax: +33 (0)4 78 42 21 58
http://www.prelude-ids.com


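A worked example, added here and not part of either post, of parsing the fw1-loggrabber "drop" record quoted above with the pipes escaped as Yoann suggests. The sample line is constructed from the thread's first record, re-joined onto one line; the names PREFIX_RE, DROP_RE, parse_record and match_drop are my own, and Python's re module is used because its syntax matches PCRE for these constructs.

```python
import re
# Constructed sample, modelled on the thread's "drop" record re-joined onto one
# line; the time field is assumed to read "24Aug2007 16:31:18" with a space.
SAMPLE = (
    "Aug 24 16:30:18 Cobra fw1-loggrabber[2943]: "
    "loc=5270|time=24Aug2007 16:31:18|action=drop|orig=10.6.1.1|"
    "i/f_dir=inbound|i/f_name=LNE10019|has_accounting=0|"
    "uuid=<00000000,00000000,00000000,00000000>|product=VPN-1 & FireWall-1|"
    "__policy_id_tag=product=VPN-1 &FireWall-1[db_tag=;mgmt=Chilly-Main-fw;"
    "date=1187335194;policy_name=Standard]|"
    "src=68.6.19.3|s_port=25|dst=10.6.1.100|service=53603|tcp_flags=RST|"
    "proto=tcp|TCP packet out of state=First packet isn't SYN"
)

# Syslog prefix up to "fw1-loggrabber[pid]: "; the rest is the pipe-delimited body.
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"fw1-loggrabber\[(?P<pid>\d+)\]: (?P<body>.*)$"
)

def parse_record(line):
    """Split one fw1-loggrabber line into a dict of all its key=value fields."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = {"host": m.group("host"), "pid": m.group("pid")}
    for chunk in m.group("body").split("|"):
        # Split on the first "=" only: __policy_id_tag contains nested "=" signs.
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key] = value
    return fields

# Targeted pattern in the PCRE style Prelude rules use. Every literal "|"
# is written "\|"; a bare "|" means alternation, not a field delimiter.
DROP_RE = re.compile(
    r"\|action=(?P<action>drop)\|.*\|src=(?P<src>[\d.]+)\|s_port=(?P<s_port>\d+)"
    r"\|dst=(?P<dst>[\d.]+)\|service=(?P<service>\d+)\|(?:tcp_flags=(?P<flags>\w+)\|)?"
    r"proto=(?P<proto>\w+)\|TCP packet out of state=(?P<reason>[^|]+)$"
)

def match_drop(line):
    """Return the named groups for an out-of-state TCP drop, or None."""
    m = DROP_RE.search(line)
    return m.groupdict() if m else None

def bare_pipe_is_alternation():
    """The pitfall: an unescaped '|' lets 'src=68' match with no 'action=drop' present."""
    bare = re.search(r"action=drop|src=68", "src=68.6.19.3") is not None
    escaped = re.search(r"action=drop\|src=68", "src=68.6.19.3") is not None
    return bare, escaped  # (True, False)
```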