[loganalysis] Full vs partial pattern matches

From: Brian Hatch (briat_private)
Date: Mon Aug 13 2001 - 10:58:09 PDT

    I'm curious about how many folks do their log analysis
    against full pattern matches.  For example, I have the
    following swatch rules to eliminate some standard ignorable
    events in syslogd output:
    
    
    ignore = /^.{15} hostname -- MARK --$/
    ignore = /^.{15} hostname sshd\[\d+\]: Generating new 768 bit RSA key.$/
    ignore = /^.{15} hostname sshd\[\d+\]: RSA key generation complete.$/
    ....
    
    
    The '^' anchors the pattern at the beginning of the line, the '.{15}'
    catches the date, I explicitly match hostname (since this box doesn't
    accept remote syslog events, any that appeared here should set off
    big warning flags) and then match the remainder as fully as possible.
    
    I can already see from the emails to this list that folks are often
    using partial strings for their pattern matches.  This worries me
    because there are many cases where user controlled input is part of
    the logging information, which an attacker could use to insert
    'ignorable' strings into otherwise dangerous log entries.
    
    I haven't seen any nasty performance degradation due to explicitly
    matching full strings - or at least anchoring at the beginning and
    matching from there - but am wondering how many other folks follow
    this practice.
    --
    Brian Hatch                "Anything I can do to help?"
       Systems and             "Hmm. Short of dying, no,
       Security Engineer        can't think of a thing."
    www.hackinglinuxexposed.com
    
    Every message PGP signed
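Added example, not part of Brian's message: a Python re-implementation of the comparison the post describes. It places the post's three ignore rules (with the trailing dots escaped) beside unanchored partial versions of the same rules and runs both over constructed syslog lines, one of which carries an "ignorable" string inside a user-controlled field and one of which comes from a different host.

```python
import re

# Constructed sample syslog lines (not from the original post). Line 4 has
# an "ignorable" string inside the user-supplied login name; line 5 comes
# from a host this box should never see syslog events from.
SAMPLE_LOG = [
    "Aug 13 10:58:09 hostname -- MARK --",
    "Aug 13 10:58:10 hostname sshd[1234]: Generating new 768 bit RSA key.",
    "Aug 13 10:58:11 hostname sshd[1234]: RSA key generation complete.",
    "Aug 13 10:58:12 hostname sshd[1235]: Failed password for illegal user "
    "-- MARK -- from 10.0.0.1",
    "Aug 13 10:58:13 otherhost -- MARK --",
]

# Partial, unanchored patterns: the style the post warns about.
PARTIAL_IGNORE = [
    re.compile(r"-- MARK --"),
    re.compile(r"Generating new 768 bit RSA key"),
    re.compile(r"RSA key generation complete"),
]

# The post's swatch rules in Python re syntax: anchored at both ends,
# 15-character timestamp, hostname matched literally, pid as \d+.
FULL_IGNORE = [
    re.compile(r"^.{15} hostname -- MARK --$"),
    re.compile(r"^.{15} hostname sshd\[\d+\]: Generating new 768 bit RSA key\.$"),
    re.compile(r"^.{15} hostname sshd\[\d+\]: RSA key generation complete\.$"),
]


def remaining(lines, ignore_patterns):
    """Return the lines that survive the ignore rules, i.e. what the
    analyst would still be shown after filtering."""
    return [line for line in lines
            if not any(p.search(line) for p in ignore_patterns)]


if __name__ == "__main__":
    print("partial:", remaining(SAMPLE_LOG, PARTIAL_IGNORE))  # []  (everything hidden)
    print("full:   ", remaining(SAMPLE_LOG, FULL_IGNORE))     # the failed login + remote MARK
```

With the partial rules every line is discarded, including the failed login and the event from the foreign host; the anchored rules keep exactly those two.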
    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:07:46 PDT