[gentoo-security] prelude-lml and log_prefix_regex

[gentoo-security] prelude-lml and log_prefix_regex

[Sheran Gunasekera]

Hi Chris,
Give this a go:
(?P<timestamp>.{15}).*?\>\s(?P<hostname>.*?)\s(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?:)

I'm not using either Snort or Prelude, but I tried this on Python and I
think it
yields the results you require.  I wonder about only capturing the first 15
characters for the timestamp, though.  It comes up a bit short.  As I am
unsure
of the context it is being used, I cannot comment, but I would capture
at least
19 characters:

(?P<timestamp>.{19}).*?\>\s(?P<hostname>.*?)\s(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?:)

Take care,
Sheran 
-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] prelude-lml and log_prefix_regex

[Chris]

Yeah, this did the trick :)
Thanks alot Sheran, now i'm able to get some sleep *smiling from one ear
to the other*

Greets, Chris






Sheran Gunasekera wrote:

>Hi Chris,
>Give this a go:
>(?P<timestamp>.{15}).*?\>\s(?P<hostname>.*?)\s(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?:)
>
>I'm not using either Snort or Prelude, but I tried this on Python and I
>think it
>yields the results you require.  I wonder about only capturing the first 15
>characters for the timestamp, though.  It comes up a bit short.  As I am
>unsure
>of the context it is being used, I cannot comment, but I would capture
>at least
>19 characters:
>
>(?P<timestamp>.{19}).*?\>\s(?P<hostname>.*?)\s(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?:)
>
>Take care,
>Sheran 
>  
>
-- 
gentoo-security@gentoo.org mailing list

RE: [gentoo-security] hosts.{allow,deny} vs. iptables.

[Łukasz C. Jokiel]

10/13/2005, "Giles Coochey" <giles.coochey@mirada-solutions.com>
napisał(a):

>Iptables is nice because it is at kernel level, if someone were to try
>to hack it so that your Iptables commands were ignored then they would
>need to be able to reboot the box, something that you would probably

Do I understand correctly that you claim that to undo the iptables you
need to reboot box ? Or maybe you claim something that you assume but do
not tell (non-vanilla hardened systemem) ?

>notice in a managed environment.
>
>Tcpd runs in userspace, so given root access is a lot easier to
>compromise the executable.

I don't get your point... If you give me root access - what's the
difference in r00ting the box via fake iptables or tcpd ? 

Anyway comparing iptables with tcpd is rather useless, they seem to
perform the same job but they fight on different fronts.

>
>NOTICE: This e-mail message and all attachments
>transmitted with it may contain legally privileged and
>confidential information intended solely for the use of
>the addressee. If the reader of this message is not the

Well, pretty much anybody can subs to this list. 

>intended recipient, you are hereby notified that any
>reading, dissemination, distribution, copying, or other
>use of this message or its attachments, hyperlinks, or
>any other files of any kind is strictly prohibited. If you
>have received this message in error, please notify the
>sender immediately by telephone (+44-1865-265500) or by
>a reply to this electronic mail message and delete this
>message and all copies and backups thereof.

And how can you enforce that ?

Excuse me but I think such notices are complete waste of space & time,
while attached to public mailing list. Please do not attach them, thank
you!

-- 
gentoo-security@gentoo.org mailing list

[gentoo-security] prelude-lml and log_prefix_regex

[Chris]

Hello listmembers,

i'm setting up a prelude/snort system and so far everything works quite
well, but i have absolutely no clue about regular expressions.
i tried to get it for a few hours now, but damn, this is really hard
stuff... :(
all i need is an expression for setting up the prelude-lml variable:
"log_prefix_regex" with my syslog-ng entries, but i don't get it, so i
thought i might ask if someone with the needed knowledge could help me out.

my logentries look like this:
    2005-10-15T10:01:20+0100 <auth.info> balmoral su(pam_unix)[741]:
session opened for user root by (uid=1000)

using this syslog-ng entry:
    template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")

and prelude-lml want's to use this expression to extract the data:
    time-format = "%Y-%m-%dT%H:%M:%S"
    prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+)
(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"


all i get using this regex is the following error:
could not match log_prefix_regex against log entry:
2005-10-15T10:01:20+0100 <auth.info> balmoral su(pam_unix)[741]: session
opened for user root by (uid=1000)
the time-format was the only thing i could change accordingly and using
date "+%Y-%m-%dT%H:%M:%S" produces the used log-date.

so, if someone could create a working regular expression for me (or
gimme some other help), as slowly my brain begins to smoke while i'm
totally stuck, i would appreciate it very much.

greetings, chris


>  
>
-- 
gentoo-security@gentoo.org mailing list