I'm curious about how many folks do their log analysis against full pattern matches. For example, I have the following swatch rules to eliminate some standard ignorable events in syslogd output:

    ignore = /^.{15} hostname -- MARK --$/
    ignore = /^.{15} hostname sshd\[\d+\]: Generating new 768 bit RSA key.$/
    ignore = /^.{15} hostname sshd\[\d+\]: RSA key generation complete.$/
    ....

The '^' anchors the pattern at the beginning of the line, the '.{15}' catches the date, I explicitly match hostname (since this box doesn't accept remote syslog events, any that appeared here should set off big warning flags) and then match the remainder as fully as possible.

I can already see from the emails to this list that folks are often using partial strings for their pattern matches. This worries me because there are many cases where user controlled input is part of the logging information, which an attacker could use to insert 'ignorable' strings into otherwise dangerous log entries.

I haven't seen any nasty performance degradation due to explicitly matching full strings - or at least anchoring at the beginning and matching from there - but am wondering how many other folks follow this practice.

-- 
Brian Hatch                  "Anything I can do to help?"
  Systems and                "Hmm.  Short of dying, no,
  Security Engineer           can't think of a thing."
www.hackinglinuxexposed.com

Every message PGP signed
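The bypass the post warns about, as an added example that is not part of the original message or of swatch itself: the same three ignore rules written as substring matches and as anchored full-line matches, run over a handful of constructed syslog lines. The hostname "hostname", the PID, the timestamp and the failed-login line with an attacker-chosen username are all made up for the demonstration; the anchored patterns are the post's own, ported from Perl to Python's re module with the trailing dot escaped.

```python
import re

# Constructed sample syslog lines (not taken from the original post).
# A classic syslog timestamp is exactly 15 characters: "Aug 13 15:07:46".
LINES = [
    "Aug 13 15:07:46 hostname -- MARK --",
    "Aug 13 15:07:50 hostname sshd[1234]: Generating new 768 bit RSA key.",
    "Aug 13 15:08:01 hostname sshd[1234]: RSA key generation complete.",
    # sshd copies the attempted username into the log message. An attacker
    # who logs in as "-- MARK --" plants an "ignorable" string inside a
    # failed-login event (constructed line, hypothetical attacker input).
    "Aug 13 15:09:12 hostname sshd[1240]: Failed password for invalid user "
    "-- MARK -- from 10.0.0.5 port 40022 ssh2",
    # A MARK from another host. This box takes no remote syslog, so any such
    # line is itself suspicious and must not be swallowed by an ignore rule.
    "Aug 13 15:09:30 otherhost -- MARK --",
]

# Substring-style ignore rules, the pattern the post argues against.
PARTIAL_IGNORE = [re.compile(p) for p in (
    r"-- MARK --",
    r"Generating new 768 bit RSA key",
    r"RSA key generation complete",
)]

# The post's anchored rules: '^' pins the match to the line start, '.{15}'
# consumes the timestamp, the hostname is matched literally, and '$' forces
# the rule to account for the entire remainder of the line.
ANCHORED_IGNORE = [re.compile(p) for p in (
    r"^.{15} hostname -- MARK --$",
    r"^.{15} hostname sshd\[\d+\]: Generating new 768 bit RSA key\.$",
    r"^.{15} hostname sshd\[\d+\]: RSA key generation complete\.$",
)]


def surviving(lines, ignore_rules):
    """Return the lines no ignore rule matches, i.e. what would still be reported.

    re.search is used deliberately: an unanchored pattern matches anywhere in
    the line, which is exactly how a substring ignore rule gets abused.
    """
    return [line for line in lines if not any(r.search(line) for r in ignore_rules)]


if __name__ == "__main__":
    print("partial-match rules report :", surviving(LINES, PARTIAL_IGNORE))
    print("anchored-match rules report:", surviving(LINES, ANCHORED_IGNORE))
```

With the substring rules every line is discarded, including the failed login and the foreign host's MARK, because each contains an "ignorable" fragment somewhere. With the anchored rules only the three genuine noise lines are dropped and the two lines that matter are reported.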
This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:07:46 PDT