List: prelude-cvslog
Subject: [prelude-cvslog] r10077 - in prelude-lml/trunk: .
From: noreply () prelude-ids ! org
Date: 2007-11-29 15:10:01
Message-ID: 20071129151001.A5A57E359AB () mail ! prelude-ids ! org
Author: toady
Date: 2007-11-29 16:09:59 +0100 (Thu, 29 Nov 2007)
New Revision: 10077
Added:
prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules
Modified:
prelude-lml/trunk/plugins/pcre/ruleset/Makefile.am
prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules
prelude-lml/trunk/prelude-lml.conf.in
Log:
(feature): Asterisk log format and new ruleset for SIP REGISTER method
Modified: prelude-lml/trunk/plugins/pcre/ruleset/Makefile.am
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/Makefile.am 2007-11-28 21:32:42 UTC (rev \
10076)
+++ prelude-lml/trunk/plugins/pcre/ruleset/Makefile.am 2007-11-29 15:09:59 UTC (rev \
10077)
@@ -4,6 +4,7 @@
apc-emu.rules \
arbor.rules \
arpwatch.rules \
+ asterisk.rules \
bonding.rules \
cacti-thold.rules \
checkpoint.rules \
Added: prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules \
(rev 0)
+++ prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules 2007-11-29 15:09:59 UTC \
(rev 10077)
@@ -0,0 +1,40 @@
+#####
+#
+# Copyright (C) 2007 Sebastien Tricaud <stricaud at inl dot fr>
+# All Rights Reserved
+#
+# This file is part of the Prelude-LML program.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING. If not, write to
+# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#####
+
+#Nov 29 09:44:15 NOTICE[23701] chan_sip.c: Registration from \
'<sip:dmc@asterisk-server>' failed for '192.168.33.180' - Wrong password \
+regex=Registration from '<sip:(\S*)>' failed for '(\S+)' - (.*)$; \
+ \
classification.text=$3; \
+ id=6000; \
+ revision=1; \
+ analyzer(0).name=Asterisk; \
+ analyzer(0).manufacturer=Digium; \
+ analyzer(0).class=Private Branch Exchange; \
+ assessment.impact.severity=medium; \
+ assessment.impact.completion=failed; \
+ assessment.impact.type=user; \
+ assessment.impact.description=SIP user could not be registered by the SIP server; \
+ source(0).node.address(0).address=$2; \
+ target(0).service.name=sip; \
+ target(0).user.user_id(0).type=original-user; \
+ target(0).user.user_id(0).name=$1; \
+ last;
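Review bot: The first capture `(\S*)` on the `+regex=` line takes the whole `user@domain` token out of the SIP From URI, so `target(0).user.user_id(0).name=$1` carries `dmc@asterisk-server` for the sample line rather than the user name `dmc`; narrowing the group keeps $2 and $3 unchanged: `regex=Registration from '<sip:([^@>]*)(?:@[^>]*)?>' failed for '(\S+)' - (.*)$; \`. `\S*` also accepts an empty user id, and both captured tokens originate from a header the remote peer supplies, so the resulting alert fields should be treated as arbitrary text rather than a trusted identity. If Asterisk ever logs the peer as `address:port`, the `(\S+)` feeding `source(0).node.address(0).address` would swallow the port as well — worth confirming against the Asterisk version this ruleset targets. A one-line comment above the rule stating what it detects, e.g. `# SIP REGISTER authentication failure reported by chan_sip (repeated hits suggest credential guessing against the PBX)`, would help readers who do not know chan_sip's message wording.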
Modified: prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules 2007-11-28 21:32:42 UTC (rev \
10076)
+++ prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules 2007-11-29 15:09:59 UTC (rev \
10077)
@@ -58,6 +58,7 @@
regex=EMU; include = apc-emu.rules;
regex=(anomaly|since|firstSeen); include = arbor.rules;
regex=arpwatch; include = arpwatch.rules;
+regex=chan_sip.c; include = asterisk.rules;
regex=CactiTholdLog; include = cacti-thold.rules;
regex=product:; include = checkpoint.rules;
regex=%\S+-\d+-\S+; include = cisco-asa.rules; \
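Review bot: In the added dispatch line `regex=chan_sip.c; include = asterisk.rules;` the `.` is an unescaped regex metacharacter, so the pattern also matches strings such as `chan_sipXc`; `regex=chan_sip\.c; include = asterisk.rules;` matches only the intended source-file tag. This is a precision nit in line with the neighbouring unescaped entries such as `regex=product:`. Note that every chan_sip.c message, not only registration failures, is routed through asterisk.rules by this line, which is acceptable because that ruleset currently contains a single rule matching the REGISTER failure text.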
Modified: prelude-lml/trunk/prelude-lml.conf.in
===================================================================
--- prelude-lml/trunk/prelude-lml.conf.in 2007-11-28 21:32:42 UTC (rev 10076)
+++ prelude-lml/trunk/prelude-lml.conf.in 2007-11-29 15:09:59 UTC (rev 10077)
@@ -76,7 +76,15 @@
prefix-regex = "^(?P<hostname>\S+) \S+ \S+ \[(?P<timestamp>.{20}) [+-].{4}\] "
file = /var/log/apache2/access_log
+#
+# Sample configuration for asterisk:
+#
+#[format=asterisk]
+#time-format = "%b %d %H:%M:%S"
+#prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) \
(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])? (\S*): )?"
+#file = \
/var/log/asterisk/messages
+
#
# Specifies the maximum difference, in seconds, between
# the interval of two logfiles' rotation. If this difference