
[ossec-dev] [Bug 85] New: decoder.xml - incorrect cisco regular expressions



http://www.ossec.net/bugs/show_bug.cgi?id=85

           Summary: decoder.xml - incorrect cisco regular expressions
           Product: OSSEC
           Version: 1.3
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P4
         Component: ossec core
        AssignedTo: ossec-dev@xxxxxxxxx
        ReportedBy: t@xxxxxxxx


The list name of a Cisco ACL is not restricted to a number. This patch corrects
that. It also expands the pattern to decode Cisco IOS logs that have timestamps
enabled.

<pre>
--- decoder.xml 2007-09-28 18:18:27.000000000 -0700
+++ decoder-ios.xml     2007-10-05 11:15:40.000000000 -0700
@@ -1370,7 +1370,7 @@

 <decoder name="cisco-ios">
   <program_name />
-  <prematch>^%\w+-\d-\w+: </prematch>
+  <prematch>^\p*\w\w\w \.\d \d\d:\d\d:\d\d\.*: %\w+-\d-\w+: |^\d+\D\d+\D:
%\w+-\d-\w+: </prematch>
 </decoder>


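Review bot: the new prematch drops the original bare form `^%\w+-\d-\w+: `, so IOS messages that arrive with neither a timestamp nor a sequence/uptime prefix (the only shape the old prematch accepted) stop matching cisco-ios; keep it as a third alternative, `|^%\w+-\d-\w+: `, so the change only widens what is accepted. The pattern is also broken across two lines here; if that line break is in decoder.xml rather than introduced by mail wrapping, the newline becomes part of the regex and the second alternative will never match, so it should be a single line in the file.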
@@ -1385,7 +1385,7 @@
   <parent>cisco-ios</parent>
   <type>firewall</type>
   <prematch>^%SEC-6-IPACCESSLOGP: </prematch>
-  <regex offset="after_prematch">^list \d+ (\w+) (\w+) </regex>
+  <regex offset="after_prematch">^list \S+ (\w+) (\w+) </regex>
   <regex>(\S+)\((\d+)\) -> (\S+)\((\d+)\),</regex>
   <order>action, protocol, srcip, srcport, dstip, dstport</order>
 </decoder>

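Review bot: `^list \S+ (\w+) (\w+) ` fixes the named-ACL case, but the unchanged `<prematch>^%SEC-6-IPACCESSLOGP: </prematch>` two lines above is still anchored to the start of the message and carries no `offset`; a timestamped line that now passes the widened cisco-ios prematch fails here, because the message begins with the timestamp rather than with `%SEC`. Either drop the `^` from this prematch (the original only worked because this prematch is checked from the start of the message, after the parent had already consumed `%SEC-6-IPACCESSLOGP: `), or stop the parent pattern before the `%` and give this prematch `offset="after_parent"`. Recording in the bug the sample lines the new pattern was tested against would also help.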
</pre>


-- 
Configure bugmail: http://www.ossec.net/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
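As an added example, not part of the bug report or of OSSEC's own code, a small Python harness that approximates OSSEC's regex dialect with Python's re and runs the old and patched decoder patterns from the two hunks over two constructed IOS messages. The translation table and the LOOSE_CHILD variant (the child prematch without its `^` anchor) are assumptions made here, and the harness goes beyond the patch by showing which message shapes each version decodes.

```python
import re

# OSSEC regex dialect -> Python re (an approximation assumed for this example;
# OSSEC's own engine is not used): \w also covers '-', '@', '_'; \. is any char.
OSSEC_TO_PY = {
    r"\w": r"[A-Za-z0-9@_-]", r"\d": r"\d", r"\D": r"\D",
    r"\s": r" ", r"\S": r"\S", r"\.": r".",
    r"\p": r"[()*+,\-.:;<=>?\[\]]",  # OSSEC's punctuation class
}

def ossec_re(pattern):
    """Compile an OSSEC-style pattern with Python's re."""
    py = re.sub(r"\\.", lambda m: OSSEC_TO_PY.get(m.group(0), m.group(0)), pattern)
    return re.compile(py)

# Patterns taken from the two decoder.xml hunks in the bug report.
OLD_PARENT = r"^%\w+-\d-\w+: "
NEW_PARENT = (r"^\p*\w\w\w \.\d \d\d:\d\d:\d\d\.*: %\w+-\d-\w+: "
              r"|^\d+\D\d+\D: %\w+-\d-\w+: ")
CHILD = r"^%SEC-6-IPACCESSLOGP: "       # child prematch, unchanged by the patch
LOOSE_CHILD = r"%SEC-6-IPACCESSLOGP: "  # hypothetical variant without the ^ anchor
OLD_LIST = r"^list \d+ (\w+) (\w+) "
NEW_LIST = r"^list \S+ (\w+) (\w+) "
ADDR = r"(\S+)\((\d+)\) -> (\S+)\((\d+)\),"
ORDER = ("action", "protocol", "srcip", "srcport", "dstip", "dstport")

def decode(line, parent, child, list_re):
    """Emulate the decoder chain: both prematches run against the whole message
    (no offset), list_re after the child prematch, ADDR on the whole message."""
    if not ossec_re(parent).match(line):
        return None
    pm = ossec_re(child).search(line)
    if not pm:
        return None
    lm = ossec_re(list_re).match(line[pm.end():])
    am = ossec_re(ADDR).search(line)
    if not (lm and am):
        return None
    return dict(zip(ORDER, lm.groups() + am.groups()))

# Constructed samples (not from the bug): numbered ACL, no timestamp; named ACL, timestamped.
PLAIN = ("%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.5(1234) -> "
         "10.0.0.9(22), 1 packet")
STAMPED = ("Oct  5 11:15:40.123: %SEC-6-IPACCESSLOGP: list inside-in denied "
           "tcp 10.0.0.5(1234) -> 10.0.0.9(22), 1 packet")

if __name__ == "__main__":
    for line in (PLAIN, STAMPED):
        print("old:", decode(line, OLD_PARENT, CHILD, OLD_LIST))
        print("patched:", decode(line, NEW_PARENT, CHILD, NEW_LIST))
        print("patched, loose child:", decode(line, NEW_PARENT, LOOSE_CHILD, NEW_LIST))
```

Under this emulation the plain message decodes only with the old patterns, and the timestamped one only once the child prematch is no longer anchored; those two outcomes are what to confirm against a real OSSEC instance before applying the patch.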




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.