LogAnalysis
[logs] regexless parsing, again? Sep 13 2007 06:56PM
Anton Chuvakin (anton chuvakin org) (3 replies)
Re: [logs] regexless parsing, again? Sep 17 2007 07:30PM
Daniel Cid (danielcid yahoo com br) (3 replies)
Re: [logs] regexless parsing, again? Sep 18 2007 10:27PM
Jason Haar (Jason Haar trimble co nz) (1 replies)
Daniel Cid wrote:
> How do I do with ossec? Well, first, I divide the
> process in two: log decoding and then "classification"
> or rule matching. Second, instead of thousands of
> regexes for every log, I build a decoding/rule tree,
> limiting the number of checks per log.
>
How does your sshd example differ from a regex like

sshd.*(login failure|access denied|I am a hacker)

I realise that

sshd.*login failure
sshd.*access denied
sshd.*I am a hacker

would be slower - but shouldn't "better written global regex" equate to
your idea of separation? I guess I'm thinking that most modern regex
"engines" will automatically create internal "trees" for well written
regex rules.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

[ reply ]
Re: [logs] regexless parsing, again? Sep 19 2007 01:01AM
Daniel Cid (dcid ossec net)
Re: [logs] regexless parsing, again? Sep 17 2007 09:44PM
Tom Le (dottom gmail com)
Re: [logs] regexless parsing, again? Sep 17 2007 09:38PM
Tom Le (dottom gmail com)
Re: [logs] regexless parsing, again? Sep 14 2007 01:28AM
Raffael Marty (rmarty splunk com) (1 replies)
Re: [logs] regexless parsing, again? Sep 14 2007 04:11PM
Marcus J. Ranum (mjr ranum com)
RE: [logs] regexless parsing, again? Sep 14 2007 01:13AM
Desai, Ashish (Ashish Desai fmr com)


 

Privacy Statement
Copyright 2010, SecurityFocus