Ví dụ về Drools rule (file .drl) dùng trong Graylog2 để tách field từ log ModSecurity, Snort, Apache access_log, Cisco switch và Cisco ASA thành các field GELF. Trang http://www.regexplanet.com/advanced/java/index.html sẽ cực kỳ hữu ích cho các bạn viết regular expression (cú pháp Java) để tách field giống tui. Lưu ý: nhiều phần trong log (URI, User-Agent, Referer, nội dung request) do client kiểm soát, nên hãy thử regex với input bất thường (có dấu ngoặc kép, ký tự escape, thiếu port...) để chắc chắn rule không âm thầm bỏ sót log. Code:
import org.graylog2.plugin.logmessage.LogMessage

import java.util.regex.Matcher
import java.util.regex.Pattern

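rule "ModSecurity Logging to GELF"
        // Split ModSecurity error-log lines (received on syslog facility local6) into GELF fields.
        // sample log line httpd: [error] [client a.b.c.d] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Request Missing an Accept Header"] [hostname "www"] [uri "/index.php"] [unique_id "UUl6i38AAA"]
        //
        // Fields set: _SRC (client IP), _modsec_id (rule id), _modsec_msg (rule msg).
        // - Dots in the IPv4 pattern are escaped; the old "\\d+.\\d+" form let "." match any character.
        // - "[client a.b.c.d:port]" (Apache 2.4 appends the client port) is accepted; the port is not stored.
        // - The lazy ".*?" groups stop at the first [id "..."] / [msg "..."] pair after the client
        //   tag. Later tags such as [uri "..."] carry attacker-controlled text; this relies on
        //   ModSecurity escaping quotes/brackets in them — TODO confirm for the deployed version.
        when
            m : LogMessage( facility == "local6", shortMessage matches "(?s).*ModSecurity:.*" )
        then
        Matcher matcher = Pattern.compile("\\[client (\\d+\\.\\d+\\.\\d+\\.\\d+)(?::\\d+)?\\] .*?\\[id \"(.*?)\"\\] .*?\\[msg \"(.*?)\"\\]").matcher(m.getShortMessage());
        if (matcher.find()) {
            m.addAdditionalData("_SRC",matcher.group(1));
            m.addAdditionalData("_modsec_id",matcher.group(2));
            m.addAdditionalData("_modsec_msg",matcher.group(3));
        }
end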


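rule "Parsing Snort to GELF"
    // Split Snort "fast"-style alert lines (syslog facility local5) into GELF fields.
    //sample log line snort: [1:2402000:2907] ET DROP Dshield Block Listed Source [Classification: Misc Attack] [Priority: 2]: {TCP} a.b.c.d:24495 -> a.b.c.d:8081
    //
    // Fields set: _snort_id (gid:sid:rev), _snort_msg, _PROTO, _SRC, _SPT, _DST, _DPT.
    // - Dots in the IPv4 patterns are escaped; the old "\\d+.\\d+" form let "." match any character.
    // - The "[Classification: ...]" block is optional: Snort omits it for rules without a
    //   classtype, and such alerts used to produce no fields at all.
    // - Ports are optional (ICMP alerts print bare addresses); _SPT/_DPT are then empty strings.

    when
        m : LogMessage( facility == "local5" )
    then
        Matcher matcher = Pattern.compile("snort: +\\[(\\d+:\\d+:\\d+)\\] (.*?) (?:\\[Classification:.*?\\] )?\\[Priority:.*?\\]: \\{(.*?)\\} (\\d+\\.\\d+\\.\\d+\\.\\d+):?(\\d*) -> (\\d+\\.\\d+\\.\\d+\\.\\d+):?(\\d*)").matcher(m.getShortMessage());
        if (matcher.find()) {
            m.addAdditionalData("_snort_id",matcher.group(1));
            m.addAdditionalData("_snort_msg",matcher.group(2));
            m.addAdditionalData("_PROTO",matcher.group(3));
            m.addAdditionalData("_SRC",matcher.group(4));
            m.addAdditionalData("_SPT",matcher.group(5));
            m.addAdditionalData("_DST",matcher.group(6));
            m.addAdditionalData("_DPT",matcher.group(7));
        }

end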

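rule "Parsing access_log to GELF"
        // Split Apache combined-format access_log lines (syslog facility local4) into GELF fields.
        // sample log line httpd: a.b.c.d - - [21/Mar/2013:15:36:15 +0700] "GET /a/b.css.jsf?ln=primefaces-aristo HTTP/1.0" 304 - "http://www/index.jsf" "Mozilla/5.0 (Windows NT 5.1)" 1203 287
        //
        // Fields set: _SRC, _verb, _request, _status, _bytes ("-" when none), _referer, _ua.
        // Security note: the request line, Referer and User-Agent are attacker-controlled.
        // Apache writes a literal '"' inside them as '\"' (and '\' as '\\'). The old "[^\"]+"
        // groups stopped at that escaped quote, so ANY request containing a quote yielded no
        // fields at all - an easy way to hide from searches on _request/_ua. Quoted fields are
        // now matched as runs of non-quote characters or backslash escapes, and may be empty.
        // - Dots in the IPv4 pattern are escaped; the old "\\d+.\\d+" form let "." match any character.
        // - _SRC is the peer address Apache saw; behind a reverse proxy (e.g. Nginx) that is the
        //   proxy, not the client - use mod_remoteip / X-Forwarded-For at the Apache side.

    when
        m : LogMessage( facility == "local4" )
    then
        // regex (?:[^"\\]|\\.)*  -  a quoted field body with backslash escapes allowed
        String quoted = "((?:[^\"\\\\]|\\\\.)*)";
        Matcher matcher = Pattern.compile("httpd: +(\\d+\\.\\d+\\.\\d+\\.\\d+) .*?\"([A-Z]+) ((?:[^\"\\\\]|\\\\.)+) HTTP/[0-9.]+\" (\\d+) ([0-9-]+) \"" + quoted + "\" \"" + quoted + "\"").matcher(m.getShortMessage());
        if (matcher.find()) {
            m.addAdditionalData("_SRC",matcher.group(1));
            m.addAdditionalData("_verb",matcher.group(2));
            m.addAdditionalData("_request",matcher.group(3));
            m.addAdditionalData("_status",matcher.group(4));
            m.addAdditionalData("_bytes",matcher.group(5));
            m.addAdditionalData("_referer",matcher.group(6));
            m.addAdditionalData("_ua",matcher.group(7));
        }
end 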

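rule "Parsing core switch"
    // Split Cisco IOS ACL log lines (%SEC-6-IPACCESSLOGP, syslog facility local7) into GELF fields.
    // sample log line 321533: Jun 26 08:11:17.164: %SEC-6-IPACCESSLOGP: list ACL1 denied udp a.b.c.d(6387) (TenGigabitEthernet1/1 x.y.z) -> a.b.c.d(137), 1 packet
    //
    // Fields set: _ACL, _PERM (denied/permitted), _PROTO, _SRC, _SPT, _INT, _MAC, _DST, _DPT, _COUNT.
    // - Dots in the IPv4 patterns are escaped; the old "\\d+.\\d+" form let "." match any character.
    // - ACL names may contain '_' and interface names may contain '.' / '-' (sub-interfaces,
    //   Port-channel); both are now accepted.
    // - The "(interface mac)" block is only printed when the ACL entry has "log-input";
    //   without it the line still matches and _INT/_MAC are simply not set.

    when
        m : LogMessage( shortMessage matches "(?s).*%SEC-6-IPACCESSLOGP.*" && facility == "local7" )
    then

        Matcher matcher = Pattern.compile("%SEC-6-IPACCESSLOGP: +list +([A-Za-z0-9_\\-]+) +([a-zA-Z0-9]+) +([a-z]+) +(\\d+\\.\\d+\\.\\d+\\.\\d+)\\((\\d+)\\)(?: +\\(([A-Za-z0-9/.\\-]+) +([0-9a-z\\.]*)\\))? +-> +(\\d+\\.\\d+\\.\\d+\\.\\d+)\\((\\d+)\\), +(\\d+)").matcher(m.getShortMessage());
        if (matcher.find()) {
            m.addAdditionalData("_ACL",matcher.group(1));
            m.addAdditionalData("_PERM",matcher.group(2));
            m.addAdditionalData("_PROTO",matcher.group(3));
            m.addAdditionalData("_SRC",matcher.group(4));
            m.addAdditionalData("_SPT",matcher.group(5));
            // groups 6/7 are null when the optional "(interface mac)" block is absent
            if (matcher.group(6) != null) {
                m.addAdditionalData("_INT",matcher.group(6));
                m.addAdditionalData("_MAC",matcher.group(7));
            }
            m.addAdditionalData("_DST",matcher.group(8));
            m.addAdditionalData("_DPT",matcher.group(9));
            m.addAdditionalData("_COUNT",matcher.group(10));

        }

end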

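rule "Parsing ASA log 106023 to GELF"
// Split Cisco ASA "Deny ... by access-group" lines (message id 106023, syslog facility local4) into GELF fields.
// sample %ASA-4-106023: Deny tcp src XXX:a.b.c.d/41258 dst YYY:a.b.c.d/1051 by access-group "XXXX"
//
// Fields set: _LVL, _MSGID, _PROTO, _SNAME, _SRC, _SPT, _DNAME, _DST, _DPT, _ACL.
// - Ports are optional: ICMP 106023 lines print bare addresses followed by "(type N, code N)"
//   and used to match nothing; _SPT/_DPT are simply not set for them.
// - An optional "(...)" annotation after either address (user / FQDN / type,code) is skipped.
// - Rule "Parsing access_log to GELF" also listens on local4; that is harmless because each
//   rule only sets fields when its own regex matches.
    when
        m : LogMessage( facility == "local4" && shortMessage matches "(?s).*%ASA-[0-9]-106023:.*" )
    then
        // ('#'-style comments were dropped: they are deprecated/invalid in newer Drools versions)
        Matcher matcher = Pattern.compile("%ASA-([0-9])-([0-9]+): +Deny +([A-Za-z ]+) +src +([A-Za-z_0-9-]+):(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:/(\\d+))?(?: +\\([^)]*\\))? +dst +([A-Za-z_0-9-]+):(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:/(\\d+))?(?: +\\([^)]*\\))? +by access-group \"([A-Za-z_0-9-]+)\"").matcher(m.getShortMessage());
        if (matcher.find()) {
            m.addAdditionalData("_LVL",matcher.group(1));
            m.addAdditionalData("_MSGID",matcher.group(2));
            m.addAdditionalData("_PROTO",matcher.group(3));
            m.addAdditionalData("_SNAME",matcher.group(4));
            m.addAdditionalData("_SRC",matcher.group(5));
            // port groups are null for protocols without ports (icmp)
            if (matcher.group(6) != null) {
                m.addAdditionalData("_SPT",matcher.group(6));
            }
            m.addAdditionalData("_DNAME",matcher.group(7));
            m.addAdditionalData("_DST",matcher.group(8));
            if (matcher.group(9) != null) {
                m.addAdditionalData("_DPT",matcher.group(9));
            }
            m.addAdditionalData("_ACL",matcher.group(10));
        }
end 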


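rule "Parsing other ASA log to GELF"
    // Generic fallback for every ASA message on local4 other than 106023: keeps level,
    // message id and the free-text remainder so the event is still searchable.
    //
    // Fields set: _LVL, _MSGID, _MSG.
    // - The exclusion now uses the same anchoring as rule "Parsing ASA log 106023 to GELF"
    //   ("(?s).*%ASA-..."). Drools "matches" is a full-string match, so the old pattern
    //   without the leading ".*" only excluded messages that STARTED with "%ASA-"; a 106023
    //   line with a syslog prefix in front matched both rules and had its fields written twice.
    // - "(?s)" on the compiled pattern makes _MSG keep multi-line remainders, consistent
    //   with the "(?s)" used in the when-clause.
    when
        m : LogMessage( facility == "local4" && shortMessage not matches "(?s).*%ASA-[0-9]-106023:.*" )
    then
        Matcher matcher = Pattern.compile("(?s)%ASA-([0-9])-([0-9]+): (.*)").matcher(m.getShortMessage());
        if (matcher.find()) {
            m.addAdditionalData("_LVL",matcher.group(1));
            m.addAdditionalData("_MSGID",matcher.group(2));
            m.addAdditionalData("_MSG",matcher.group(3));
        }
end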