I am currently trying to create a pattern for the firewall logs of a Sophos Firewall.
I came up with this:
<!-- Root element and closing tags restored so the file loads; the second colon of every @ESTRING@ parser must be followed by a delimiter, otherwise pdbtool reports "Missing ESTRING parser parameters" -->
<patterndb version='4' pub_date='YYYY-MM-DD'>
<ruleset name="sophos" id='10001'>
<!-- Matches the program name ($PROGRAM); left empty as posted, supply it with pdbtool match -P if needed -->
<pattern></pattern>
<rules>
<rule provider="doesntmatter" class='10001' id='10001'>
<patterns>
<!-- s0 now stops at the closing quote; the srcport skip now swallows the '=' so the literal '"' lines up. The redacted *IP* values in the sample will not satisfy @IPv4@ -->
<pattern>@ESTRING::action=@"@ESTRING:s0:"@ fwrule="@NUMBER:i0:@" @ESTRING::srcip=@"@IPv4:i1:@" dstip="@IPv4:i2:@" @ESTRING::srcport=@"@NUMBER:i3:@" dstport="@NUMBER:i4:@"</pattern>
</patterns>
</rule>
</rules>
</ruleset>
</patterndb>
The example message I am using is:
05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="118" initf="eth0.666" outitf="ppp2" srcmac="*A MAC*" dstmac="*A MAC*" srcip="*IP*" dstip="*IP*" proto="17" length="105" tos="0x00" prec="0x00" ttl="127" srcport="50946" dstport="161"
I tried to match it with pdbtool. This is the output:
Missing ESTRING parser parameters; type='ESTRING'
MESSAGE=05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id=2001 severity=info sys=SecureNet sub=packetfilter name=Packet
.classifier.class=unknown
TAGS=.classifier.unknown
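A complete patterndb v4 ruleset for the same ulogd message, added here as an example and not the poster's own file: every parser is named, the ESTRING delimiters are explicit, and an `<examples>` block lets `pdbtool test` verify the extraction offline. The program name `ulogd`, the ids, the `fw.*` value names and the constructed test message (unredacted sample addresses) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="YYYY-MM-DD">
  <ruleset name="sophos-packetfilter" id="sophos-packetfilter-ruleset">
    <!-- matched against $PROGRAM; the sample line carries ulogd[8750] -->
    <patterns>
      <pattern>ulogd</pattern>
    </patterns>
    <rules>
      <rule provider="local" class="firewall" id="sophos-packetfilter-drop">
        <patterns>
          <!-- unnamed @ESTRING@ parsers skip ahead to the next key we care about;
               ESTRING also consumes its delimiter, so the literal quote follows it -->
          <pattern>@ESTRING::action="@@ESTRING:fw.action:"@ fwrule="@NUMBER:fw.rule:@" @ESTRING::srcip="@@IPv4:fw.srcip:@" dstip="@IPv4:fw.dstip:@" proto="@NUMBER:fw.proto:@" @ESTRING::srcport="@@NUMBER:fw.srcport:@" dstport="@NUMBER:fw.dstport:@"</pattern>
        </patterns>
        <!-- derived field built from the parsed values, handy for alerting on drops -->
        <values>
          <value name="fw.summary">${fw.action} rule=${fw.rule} ${fw.srcip}:${fw.srcport} to ${fw.dstip}:${fw.dstport} proto=${fw.proto}</value>
        </values>
        <tags>
          <tag>sophos.packetfilter</tag>
        </tags>
        <examples>
          <example>
            <!-- constructed test message: the $MESSAGE part only, syslog header already stripped -->
            <test_message program="ulogd">id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="118" initf="eth0.666" outitf="ppp2" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="192.0.2.10" dstip="198.51.100.20" proto="17" length="105" tos="0x00" prec="0x00" ttl="127" srcport="50946" dstport="161"</test_message>
            <test_values>
              <test_value name="fw.action">drop</test_value>
              <test_value name="fw.rule">118</test_value>
              <test_value name="fw.srcip">192.0.2.10</test_value>
              <test_value name="fw.dstip">198.51.100.20</test_value>
              <test_value name="fw.proto">17</test_value>
              <test_value name="fw.srcport">50946</test_value>
              <test_value name="fw.dstport">161</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Run `pdbtool test sophos.xml` to check the test values, and `pdbtool match -p sophos.xml -P ulogd -M '<message>'` to see which parser stops matching when a real line differs from the sample.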