'[prelude-cvslog] r10077 - in prelude-lml/trunk: .'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       prelude-cvslog
Subject:    [prelude-cvslog] r10077 - in prelude-lml/trunk: .
From:       noreply () prelude-ids ! org
Date:       2007-11-29 15:10:01
Message-ID: 20071129151001.A5A57E359AB () mail ! prelude-ids ! org
[Download RAW message or body]

Author: toady
Date: 2007-11-29 16:09:59 +0100 (Thu, 29 Nov 2007)
New Revision: 10077

Added:
   prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules
Modified:
   prelude-lml/trunk/plugins/pcre/ruleset/Makefile.am
   prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules
   prelude-lml/trunk/prelude-lml.conf.in
Log:
(feature): Asterisk log format and new ruleset for SIP REGISTER method

Modified: prelude-lml/trunk/plugins/pcre/ruleset/Makefile.am
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/Makefile.am	2007-11-28 21:32:42 UTC (rev \
                10076)
+++ prelude-lml/trunk/plugins/pcre/ruleset/Makefile.am	2007-11-29 15:09:59 UTC (rev \
10077) @@ -4,6 +4,7 @@
 	apc-emu.rules		\
 	arbor.rules		\
 	arpwatch.rules		\
+	asterisk.rules		\
 	bonding.rules		\
 	cacti-thold.rules	\
 	checkpoint.rules	\

Added: prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules	                        \
                (rev 0)
+++ prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules	2007-11-29 15:09:59 UTC \
(rev 10077) @@ -0,0 +1,40 @@
+#####
+#
+# Copyright (C) 2007 Sebastien Tricaud <stricaud at inl dot fr>
+# All Rights Reserved
+#
+# This file is part of the Prelude-LML program.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING.  If not, write to
+# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#####
+
+#Nov 29 09:44:15 NOTICE[23701] chan_sip.c: Registration from \
'<sip:dmc@asterisk-server>' failed for '192.168.33.180' - Wrong password \
+regex=Registration from '<sip:(\S*)>' failed for '(\S+)' - (.*)$; \ + \
classification.text=$3; \ + id=6000; \
+ revision=1; \
+ analyzer(0).name=Asterisk; \
+ analyzer(0).manufacturer=Digium; \
+ analyzer(0).class=Private Branch Exchange; \
+ assessment.impact.severity=medium; \
+ assessment.impact.completion=failed; \
+ assessment.impact.type=user; \
+ assessment.impact.description=SIP user could not be registered by the SIP server; \
+ source(0).node.address(0).address=$2; \
+ target(0).service.name=sip; \
+ target(0).user.user_id(0).type=original-user; \
+ target(0).user.user_id(0).name=$1; \
+ last;

Modified: prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules	2007-11-28 21:32:42 UTC (rev \
                10076)
+++ prelude-lml/trunk/plugins/pcre/ruleset/pcre.rules	2007-11-29 15:09:59 UTC (rev \
10077) @@ -58,6 +58,7 @@
 regex=EMU;				include = apc-emu.rules;
 regex=(anomaly|since|firstSeen);	include = arbor.rules;
 regex=arpwatch;				include = arpwatch.rules;
+regex=chan_sip.c;                       include = asterisk.rules;
 regex=CactiTholdLog;			include = cacti-thold.rules;
 regex=product:;				include = checkpoint.rules;
 regex=%\S+-\d+-\S+;			include = cisco-asa.rules; \

Modified: prelude-lml/trunk/prelude-lml.conf.in
===================================================================
--- prelude-lml/trunk/prelude-lml.conf.in	2007-11-28 21:32:42 UTC (rev 10076)
+++ prelude-lml/trunk/prelude-lml.conf.in	2007-11-29 15:09:59 UTC (rev 10077)
@@ -76,7 +76,15 @@
 prefix-regex = "^(?P<hostname>\S+) \S+ \S+ \[(?P<timestamp>.{20}) [+-].{4}\] "
 file = /var/log/apache2/access_log
 
+#
+# Sample configuration for asterisk:
+#
+#[format=asterisk]
+#time-format = "%b %d %H:%M:%S"
+#prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) \
(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])? (\S*): )?" +#file = \
/var/log/asterisk/messages  
+
 #
 # Specifies the maximum difference, in seconds, between
 # the interval of two logfiles' rotation. If this difference 


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic