

Snort & Syslog Intrusion Detection and Correlation


Cisco PIX example expressions

The following regular expression examples can be adapted to any syslog device by adjusting them to that device's message format.

The listed examples assume the following syslog message structure as input. Modify as necessary.

<161>%PIX-5-305555: Built dynamic UDP translation from inside:192.168.1.2/11087 to outside:10.10.10.4/3308

Matches the entire syslog string; useful for full payload matching.

.*

Matches the IP address (digits 0 through 9 and the dot) after "inside:" using a standard look-behind expression:

(?<=inside:)[0-9.]+

Matches the port number (digits 0 through 9) after the / that follows the IP address after "inside:"

((?<=inside:)[0-9.\/]+)~~((?<=\/)[0-9]+)

* Notice that because variable-length look-behind is not supported, the output of the first expression is piped into the second expression using "~~", which is interpreted by Aanval: the second expression is evaluated against the text matched by the first. This is not standard regular expression behavior, but it was necessary to overcome the lack of variable-length look-behind in various scripting languages.



Miscellaneous example expressions
The following regular expression examples can be adapted to any syslog device by adjusting them to that device's message format.

The listed examples assume the following syslog message structure as input. Modify as necessary.

<133>Aug 3 14:18:21 10.10.10.77 alarmtool: Halifax-Internet-External,samsys,172.199.22.119,10.10.9.121,43305,22,6,TCP:SSH-SCAN-ATTEMPT,2009-08-03,14:18:17

Matches the date.

((?<=>))\w+\x20\d+

Matches the time.

((?<=\d\x20))\d+:\d+:\d+

Matches the source IP address.

((?<=[,]))(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Matches the destination IP address (the first IP address that directly follows a digit and a comma, i.e. the one after the source IP address).

((?<=\d,))\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

Matches the source port.

((?<=\d,))\d+((?=,))

Matches the destination port (the port that is followed by a one- or two-digit protocol number and then the event name).

((?<=\d,))\d+((?=,\d{1,2},[A-Z]))

Matches the entire syslog string; useful for full payload matching.

.*

Matches the event name.

((?<=[,]))+([A-Z0-9\-\+\:]+)(?=\,200\d\-\d)

Matches the protocol number (the one- or two-digit field between the destination port and the event name).

((?<=,))\d{1,2}((?=,[A-Z]))
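The following Python script is an added example, not part of the Aanval documentation, showing how the expressions above (from both the Cisco PIX and the miscellaneous sections) behave when run by a conventional regex engine, and how the "~~" pipe can be emulated in a language that, like Python's re module, has no variable-length look-behind. It assumes the two sample messages printed on this page as constructed input; the destination IP, destination port and protocol expressions are tightened to match the fields they are labelled with, and the stray "+" after the event name's look-behind group is dropped.

```python
import re

# Constructed sample messages, copied from the two message structures this page documents.
PIX_MSG = ("<161>%PIX-5-305555: Built dynamic UDP translation "
           "from inside:192.168.1.2/11087 to outside:10.10.10.4/3308")
ALARM_MSG = ("<133>Aug 3 14:18:21 10.10.10.77 alarmtool: Halifax-Internet-External,samsys,"
             "172.199.22.119,10.10.9.121,43305,22,6,TCP:SSH-SCAN-ATTEMPT,2009-08-03,14:18:17")


def apply_expression(expression, text):
    """Evaluate an Aanval-style expression against text.

    Stages separated by "~~" run left to right; each stage is searched for in the
    text matched by the previous stage, which is how the page sidesteps the lack
    of variable-length look-behind. Returns the final match, or None if any
    stage fails to match.
    """
    current = text
    for stage in expression.split("~~"):
        match = re.search(stage, current)
        if match is None:
            return None
        current = match.group(0)
    return current


# Field expressions for the alarmtool message (tightened variants noted in the lead-in).
ALARM_FIELDS = {
    "date": r"((?<=>))\w+\x20\d+",
    "time": r"((?<=\d\x20))\d+:\d+:\d+",
    "src_ip": r"((?<=[,]))(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    "dst_ip": r"((?<=\d,))\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",
    "src_port": r"((?<=\d,))\d+((?=,))",
    # Destination port: followed by a 1-2 digit protocol number and an event name
    # that starts with a letter (assumption based on the sample message).
    "dst_port": r"((?<=\d,))\d+((?=,\d{1,2},[A-Z]))",
    "protocol": r"((?<=,))\d{1,2}((?=,[A-Z]))",
    "event": r"((?<=[,]))([A-Z0-9\-\+\:]+)(?=\,200\d\-\d)",
}


def parse_alarm(message):
    return {name: apply_expression(expr, message) for name, expr in ALARM_FIELDS.items()}


def parse_pix(message):
    # The port expression is the two-stage "~~" pipe from the PIX section.
    return {
        "inside_ip": apply_expression(r"(?<=inside:)[0-9.]+", message),
        "inside_port": apply_expression(r"((?<=inside:)[0-9.\/]+)~~((?<=\/)[0-9]+)", message),
    }


if __name__ == "__main__":
    print(parse_pix(PIX_MSG))
    print(parse_alarm(ALARM_MSG))
```

Running the untightened destination-port expression from the page against the sample message is a useful check: it returns the source port, because 43305 is also followed by a two-digit field and a comma.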




Aanval by Tactical FLEX - http://www.tacticalflex.com/ - 800-921-2584

The Aanval Intrusion Detection and Correlation Console is a web-based Snort and syslog GUI for management, reporting and analysis.
Logos and trademarks are property of their respective owners.