Denis Dimick | 1 Nov 16:53 2007

Newbie logcheck questions

I'm a newbie to logcheck and need some help writing a rule.

Here's the output I'm trying to block:

Nov  1 09:11:52 m0n0wall ipmon[79]: 09:11:52.330133 xl0 @100:3 p 192.168.2.201,1900 -> 239.255.255.250,1900 PR udp len 20 291 K-S IN

And here's my rule in /etc/logcheck/violations.ignore.d/local-m0n0

^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @100:3 p [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},1900 -> [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},1900 PR udp len 20 291 K-S IN$

The rule is on one line in the single file (it's the only rule in the file)

I've tested it using:

sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep '^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @100:3 p [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},1900 -> [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},1900 PR udp len 20 291 K-S IN$'

and it prints out the data I wish to block.

Anyone have any ideas?

Thanks,

Denis

_______________________________________________
Logcheck-users mailing list
Logcheck-users@...
http://lists.alioth.debian.org/mailman/listinfo/logcheck-users
Ross Boylan | 1 Nov 18:20 2007

Re: Newbie logcheck questions

On Thu, 2007-11-01 at 09:53 -0600, Denis Dimick wrote:
> I'm a newbie to logcheck and need some help writing a rule.
> 
> Here's the output I'm trying to block:
> 
> Nov  1 09:11:52 m0n0wall ipmon[79]: 09:11:52.330133 xl0 @100:3 p
> 192.168.2.201,1900 -> 239.255.255.250,1900 PR udp len 20 291 K-S IN
> 
> And here's my rule in /etc/logcheck/violations.ignore.d/local-m0n0
violations only refers to items caught by the "serious" filters.
Probably you should put the file in ignore.d.server or one of the other
ignore.d.* directories, depending on what level you think should have
this filtered out.
> 
> ^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]:
> [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @100:3 p
> [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},1900 -> [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},1900 PR
> udp len 20 291 K-S IN$
> 
> The rule is on one line in the single file (it's the only rule in the
> file)
> 
> I've tested it using:
> 
> sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep '^\w{3} [ :0-9]{11}
> m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0
> @100:3 p [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},1900 ->
> [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},1900 PR udp len 20 291 K-S IN$'
> 
> and it prints out the data I wish to block.

> Anyone have any ideas?
> 
> Thanks,
> 
> Denis
> 
Denis Dimick | 1 Nov 18:50 2007

Re: Newbie logcheck questions

It turned out that the rule was fine; however, for some reason the file wants to see a CR/LF at the end of the rule, even if it's the only rule.

Thanks,

Denis


Denis Dimick | 1 Nov 22:45 2007

Rule question for port 80 - outgoing

I'm now trying to write a rule that will filter out all outgoing port 80 requests from users.

How do I make a list of the variables I'd like to search for?

XXX.XXX.XXX.XXX,80 PR tcp len 20 52 -AF IN
XXX.XXX.XXX.XXX,80 PR tcp len 20 52 -AR IN
XXX.XXX.XXX.XXX,80 PR tcp len 20 52 -S K-S IN

The AR, AF and S-K are the three I'd like to search for.

Here's a bit of code I've got running for the K-S.

[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},80 PR tcp len [0-9]{2} [0-9]{2} -S K-S IN$


Thanks,

Denis

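The following is an added example, not code from anyone in this thread: a small shell harness that applies logcheck-style ignore rules to sample lines with grep -E, the way the first post tested with egrep. It serves both questions in the thread. For the first, it builds the SSDP rule from the original post and reproduces the trailing-newline problem the poster hit: when a rule file lacks its final newline and the rule files are concatenated, the last rule of one file and the first rule of the next fuse into a single pattern that matches nothing, so nothing gets ignored. For the second, it shows one rule whose alternation `-(AF|AR|S K-S)` covers all three TCP flag variants the poster lists. The log lines are constructed to resemble the m0n0wall ipmon lines quoted above; the file names `local-m0n0-ssdp` and `local-m0n0-www` are assumptions; `\w{3}` is written as `[A-Za-z]{3}` for portability; and the `@100:3` rule reference is generalised to `@[0-9]+:[0-9]+`. A plain `cat` of the rule directory stands in for however logcheck assembles its rules; as Ross notes, the file belongs in the ignore.d.* directory for the level you want it filtered at.

```shell
#!/bin/sh
# Added example, not code from the thread: applies logcheck-style ignore rules
# to constructed sample lines with grep -E. Rule file names are assumptions.
# '\w{3}' from the thread is written as '[A-Za-z]{3}' for portability.

# Constructed sample input: the SSDP line from the thread, three outgoing
# port-80 lines with the -AF, -AR and -S K-S flag variants, and one inbound
# SYN to port 22 that must NOT be ignored.
sample_log() {
cat <<'EOF'
Nov  1 09:11:52 m0n0wall ipmon[79]: 09:11:52.330133 xl0 @100:3 p 192.168.2.201,1900 -> 239.255.255.250,1900 PR udp len 20 291 K-S IN
Nov  1 09:12:01 m0n0wall ipmon[79]: 09:12:01.000100 xl0 @100:3 p 192.168.2.50,51234 -> 203.0.113.10,80 PR tcp len 20 52 -AF IN
Nov  1 09:12:02 m0n0wall ipmon[79]: 09:12:02.000200 xl0 @100:3 p 192.168.2.50,51235 -> 203.0.113.11,80 PR tcp len 20 52 -AR IN
Nov  1 09:12:03 m0n0wall ipmon[79]: 09:12:03.000300 xl0 @100:3 p 192.168.2.50,51236 -> 203.0.113.12,80 PR tcp len 20 52 -S K-S IN
Nov  1 09:12:04 m0n0wall ipmon[79]: 09:12:04.000400 xl0 @100:3 p 198.51.100.7,40000 -> 192.168.2.1,22 PR tcp len 20 60 -S IN
EOF
}

# Building blocks shared by both rules: a dotted-quad address and the
# syslog/ipmon prefix (month, 11-char day+time field, host, pid, timestamp,
# interface, rule reference).
IP='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
PREFIX='^[A-Za-z]{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @[0-9]+:[0-9]+ p '

# Rule 1: SSDP multicast chatter (UDP 1900 -> 239.255.255.250).
RULE_SSDP="${PREFIX}${IP}"',1900 -> 239\.255\.255\.250,1900 PR udp len [0-9]+ [0-9]+ K-S IN$'
# Rule 2: outgoing HTTP; the alternation covers the three flag variants
# (-AF, -AR, -S K-S) from the second post in a single rule.
RULE_WWW="${PREFIX}${IP}"',[0-9]+ -> '"${IP}"',80 PR tcp len [0-9]+ [0-9]+ -(AF|AR|S K-S) IN$'

# write_rules DIR yes|no : write the two rules as separate files in DIR.
# With "no", the first file is written WITHOUT a trailing newline, which is
# the condition the original poster ran into.
write_rules() {
  if [ "$2" = yes ]; then
    printf '%s\n' "$RULE_SSDP" > "$1/local-m0n0-ssdp"
  else
    printf '%s' "$RULE_SSDP" > "$1/local-m0n0-ssdp"
  fi
  printf '%s\n' "$RULE_WWW" > "$1/local-m0n0-www"
}

# rule_count DIR : how many patterns survive a plain cat of the rule files.
# A missing final newline glues the last rule of one file onto the first
# rule of the next, so the count drops and the glued pattern matches nothing.
rule_count() {
  cat "$1"/* | wc -l | tr -d ' '
}

# unmatched_count DIR : number of sample lines no rule ignores, i.e. what
# would still be reported.
unmatched_count() {
  tmp=$(mktemp)
  cat "$1"/* > "$tmp"
  sample_log | grep -E -v -c -f "$tmp" || true
  rm -f "$tmp"
}

# Stand-alone demo: with the trailing newline, 2 rules and only the port-22
# SYN is reported; without it, the rules fuse and all 5 lines are reported.
for mode in yes no; do
  d=$(mktemp -d)
  write_rules "$d" "$mode"
  echo "trailing newline=$mode: rules=$(rule_count "$d") reported=$(unmatched_count "$d")"
  rm -rf "$d"
done
```

Run it as `sh harness.sh`; the second line of output is the failure mode from the thread, where a perfectly good rule silently stops matching because of how the files are joined.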
