[Article] Ví dụ về Drools rule trong Graylog2 |
19/07/2013 12:31:19 (+0700) | #1 | 277590 |
vd_
Member
Graylog2 dùng làm log analysis rất khá. Tuy nhiên cài đặt mặc định không parse được các mẫu log thông dụng như access_log của apache httpd, modsecurity core rule set, Cisco ASA.
Gửi kèm đây là một số Drools rule (xem graylog2-server.conf, phần rewrite log message) để tách field cho các mẫu log thông dụng: ModSecurity, Snort, access_log của httpd, ACL log trên switch Cisco và Cisco ASA.
Lưu ý: facility là điều kiện chính để chọn rule, nên các bạn sử dụng rule nhớ chỉnh lại facility cho đúng với cấu hình syslog thực tế. Trong ví dụ này access_log và ASA cùng dùng local4; nếu hai nguồn gửi về cùng một facility thì các rule sẽ cùng được đánh giá trên mọi message của facility đó (regex không khớp thì message chỉ không được tách field, không bị bỏ). Nên tách mỗi loại thiết bị ra một facility riêng để tránh lẫn.
Trang web http://www.regexplanet.com/advanced/java/index.html sẽ cực kỳ hữu ích cho các bạn viết regular expression tách field giống tui. Lưu ý đây là dịch vụ của bên thứ ba: không dán log thật của hệ thống (IP nội bộ, hostname, URL có token) lên đó, hãy thay bằng giá trị giả như a.b.c.d trong các dòng mẫu bên dưới.
Code:
import org.graylog2.plugin.logmessage.LogMessage
import java.util.regex.Matcher
import java.util.regex.Pattern
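rule "ModSecurity Logging to GELF"
// Extracts client IP, CRS rule id and rule message from Apache/ModSecurity error_log lines.
// Sample: httpd: [error] [client a.b.c.d] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Request Missing an Accept Header"] [hostname "www"] [uri "/index.php"] [unique_id "UUl6i38AAA"]
// The facility must be adjusted to the local syslog configuration.
when
    m : LogMessage( facility == "local6", shortMessage matches "(?s).*ModSecurity:.*" )
then
    // Dots in the IPv4 pattern are escaped so "." only matches a literal dot
    // (an unescaped "." accepts any character). The optional ":port" suffix
    // accepts the Apache 2.4 "[client a.b.c.d:port]" form as well as the 2.2 form.
    // [id] and [msg] are matched non-greedily so each value ends at its own closing quote;
    // a line lacking either section is left without extra fields.
    Matcher matcher = Pattern.compile("\\[client (\\d+\\.\\d+\\.\\d+\\.\\d+)(?::\\d+)?\\] .*?\\[id \"(.*?)\"\\] .*?\\[msg \"(.*?)\"\\]").matcher(m.getShortMessage());
    if (matcher.find()) {
        m.addAdditionalData("_SRC", matcher.group(1));
        m.addAdditionalData("_modsec_id", matcher.group(2));
        m.addAdditionalData("_modsec_msg", matcher.group(3));
    }
end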
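rule "Parsing Snort to GELF"
// Extracts signature id, message, protocol and the source/destination endpoints from Snort syslog alerts.
// Sample: snort: [1:2402000:2907] ET DROP Dshield Block Listed Source [Classification: Misc Attack] [Priority: 2]: {TCP} a.b.c.d:24495 -> a.b.c.d:8081
// The facility must be adjusted to the local syslog configuration.
when
    // Pre-filter on "snort:" in the condition, as the other rules do, so the regex
    // below is only compiled for messages that can actually match it.
    m : LogMessage( facility == "local5", shortMessage matches "(?s).*snort:.*" )
then
    // Dots in the IPv4 patterns are escaped to match literal dots only.
    // The [Classification: ...] section is optional: Snort omits it for rules
    // without a classtype. Ports are optional because ICMP alerts carry none,
    // in which case _SPT/_DPT are set to the empty string.
    Matcher matcher = Pattern.compile("snort: +\\[(\\d+:\\d+:\\d+)\\] (.*?) (?:\\[Classification:.*?\\] )?\\[Priority:.*?\\]: \\{(.*?)\\} (\\d+\\.\\d+\\.\\d+\\.\\d+):?(\\d*) -> (\\d+\\.\\d+\\.\\d+\\.\\d+):?(\\d*)").matcher(m.getShortMessage());
    if (matcher.find()) {
        m.addAdditionalData("_snort_id", matcher.group(1));
        m.addAdditionalData("_snort_msg", matcher.group(2));
        m.addAdditionalData("_PROTO", matcher.group(3));
        m.addAdditionalData("_SRC", matcher.group(4));
        m.addAdditionalData("_SPT", matcher.group(5));
        m.addAdditionalData("_DST", matcher.group(6));
        m.addAdditionalData("_DPT", matcher.group(7));
    }
end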
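rule "Parsing access_log to GELF"
// Extracts client IP, method, request target, status, response size, referer and user agent
// from Apache httpd combined-format access_log lines forwarded via syslog.
// Sample: httpd: a.b.c.d - - [21/Mar/2013:15:36:15 +0700] "GET /a/b.css.jsf?ln=primefaces-aristo HTTP/1.0" 304 - "http://www/index.jsf" "Mozilla/5.0 (Windows NT 5.1)" 1203 287
// Shares facility local4 with the ASA rules in this file; adjust to the local syslog configuration.
when
    m : LogMessage( facility == "local4" )
then
    // Dots in the IPv4 pattern are escaped to match literal dots only, and the
    // protocol token is pinned to "HTTP/<version>" instead of "HTTP" + up to four
    // arbitrary characters.
    Matcher matcher = Pattern.compile("httpd: +(\\d+\\.\\d+\\.\\d+\\.\\d+) .*?\"([A-Z]+) ([^\"]+) HTTP/[0-9.]+\" (\\d+) ([0-9-]+) \\\"([^\"]+)\\\" \\\"([^\"]+)\\\"").matcher(m.getShortMessage());
    if (matcher.find()) {
        // _request, _referer and _ua are copied from client-supplied request data;
        // treat them as untrusted when building searches or dashboards.
        m.addAdditionalData("_SRC", matcher.group(1));
        m.addAdditionalData("_verb", matcher.group(2));
        m.addAdditionalData("_request", matcher.group(3));
        m.addAdditionalData("_status", matcher.group(4));
        // Response size; "-" when no body was sent (e.g. 304).
        m.addAdditionalData("_bytes", matcher.group(5));
        m.addAdditionalData("_referer", matcher.group(6));
        m.addAdditionalData("_ua", matcher.group(7));
    }
end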
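rule "Parsing core switch"
// Extracts ACL name, action, protocol, endpoints, ingress interface/MAC and packet count
// from Cisco IOS %SEC-6-IPACCESSLOGP messages.
// Sample: 321533: Jun 26 08:11:17.164: %SEC-6-IPACCESSLOGP: list ACL1 denied udp a.b.c.d(6387) (TenGigabitEthernet1/1 x.y.z) -> a.b.c.d(137), 1 packet
// The facility must be adjusted to the local syslog configuration.
when
    m : LogMessage( shortMessage matches "(?s).*%SEC-6-IPACCESSLOGP.*" && facility == "local7" )
then
    // Dots in the IPv4 patterns are escaped to match literal dots only.
    // Group 2 is the ACL action ("denied"/"permitted"); group 7 is the Cisco
    // dotted MAC form and may be empty.
    Matcher matcher = Pattern.compile("%SEC-6-IPACCESSLOGP: +list +([A-Za-z0-9\\-]+) +([a-zA-Z0-9]+) +([a-z]+) +(\\d+\\.\\d+\\.\\d+\\.\\d+)\\((\\d+)\\) +\\(([A-Za-z0-9/]+) +([0-9a-z\\.]*)\\) +-> +(\\d+\\.\\d+\\.\\d+\\.\\d+)\\((\\d+)\\), +(\\d+)").matcher(m.getShortMessage());
    if (matcher.find()) {
        m.addAdditionalData("_ACL", matcher.group(1));
        m.addAdditionalData("_PERM", matcher.group(2));
        m.addAdditionalData("_PROTO", matcher.group(3));
        m.addAdditionalData("_SRC", matcher.group(4));
        m.addAdditionalData("_SPT", matcher.group(5));
        m.addAdditionalData("_INT", matcher.group(6));
        m.addAdditionalData("_MAC", matcher.group(7));
        m.addAdditionalData("_DST", matcher.group(8));
        m.addAdditionalData("_DPT", matcher.group(9));
        m.addAdditionalData("_COUNT", matcher.group(10));
    }
end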
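rule "Parsing ASA log 106023 to GELF"
// Fully parses Cisco ASA message 106023 (packet denied by ACL): severity, message id,
// protocol, source/destination interface names, IPs, ports and the ACL name.
// Sample: %ASA-4-106023: Deny tcp src XXX:a.b.c.d/41258 dst YYY:a.b.c.d/1051 by access-group "XXXX"
// Shares facility local4 with the access_log rule in this file; adjust to the local syslog configuration.
when
    m : LogMessage( facility == "local4" && shortMessage matches "(?s).*%ASA-[0-9]-106023:.*" )
then
    // Debug trace; "//" is used because the "#" line-comment form is deprecated in
    // Drools 5 and rejected by Drools 6.
    // System.out.println("[m]" + m.getShortMessage() + "[/m]");
    // Only tcp/udp denies carry a "/port" on both endpoints; icmp and raw-protocol
    // 106023 variants do not match and fall through to the generic ASA rule.
    Matcher matcher = Pattern.compile("%ASA-([0-9])-([0-9]+): +Deny +([A-Za-z ]+) +src +([A-Za-z_0-9-]+):(\\d+\\.\\d+\\.\\d+\\.\\d+)/(\\d+) [A-Za-z ]+ ([A-Za-z_0-9-]+):(\\d+\\.\\d+\\.\\d+\\.\\d+)/(\\d+) by access-group \"([A-Za-z_0-9-]+)\"").matcher(m.getShortMessage());
    if (matcher.find()) {
        m.addAdditionalData("_LVL", matcher.group(1));
        m.addAdditionalData("_MSGID", matcher.group(2));
        m.addAdditionalData("_PROTO", matcher.group(3));
        m.addAdditionalData("_SNAME", matcher.group(4));
        m.addAdditionalData("_SRC", matcher.group(5));
        m.addAdditionalData("_SPT", matcher.group(6));
        m.addAdditionalData("_DNAME", matcher.group(7));
        m.addAdditionalData("_DST", matcher.group(8));
        m.addAdditionalData("_DPT", matcher.group(9));
        m.addAdditionalData("_ACL", matcher.group(10));
    }
end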
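rule "Parsing other ASA log to GELF"
// Generic fallback for Cisco ASA messages other than 106023: records severity, message id
// and the remaining text so every ASA event is at least searchable by id.
// Shares facility local4 with the access_log rule in this file; adjust to the local syslog configuration.
when
    // Require an ASA header so non-ASA local4 traffic (e.g. httpd access_log) is skipped
    // cheaply. The exclusion of 106023 mirrors the positive match of the dedicated rule
    // ("(?s).*" prefix included) — without the prefix "not matches" succeeds for every
    // message whose text does not start exactly at "%ASA", so both rules would fire and
    // _LVL/_MSGID would be written twice for 106023 events.
    m : LogMessage( facility == "local4" &&
                    shortMessage matches "(?s).*%ASA-[0-9]-[0-9]+: .*" &&
                    shortMessage not matches "(?s).*%ASA-[0-9]-106023:.*" )
then
    // Group 3 captures everything after the message id; it may contain attacker-influenced
    // data (hostnames, URLs) and should be treated as untrusted downstream.
    Matcher matcher = Pattern.compile("%ASA-([0-9])-([0-9]+): (.*)").matcher(m.getShortMessage());
    if (matcher.find()) {
        m.addAdditionalData("_LVL", matcher.group(1));
        m.addAdditionalData("_MSGID", matcher.group(2));
        m.addAdditionalData("_MSG", matcher.group(3));
    }
end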