Closed cryptix closed 9 years ago
Thanks @cryptix!
Unfortunately the scanner is not able to handle IPv6 addresses yet because of the various formats it can take. I haven't settled on a good way to parse it without hammering the scanner performance. I am trying a few things and hope to get something done soon.
go run ./sequence.go scan -m "Feb 06 13:37:00 box sshd[4388]: Accepted publickey for cryptix from dead:beef:1234:5678:223:32ff:feb1:2e50 port 58251 ssh2: RSA de:ad:be:ef:74:a6:bb:45:45:52:71:de:b2:12:34:56"
# 0: { Field="%funknown%", Type="%time%", Value="Feb 06 13:37:00", K=false, V=false }
# 1: { Field="%funknown%", Type="%literal%", Value="box", K=false, V=false }
# 2: { Field="%funknown%", Type="%literal%", Value="sshd", K=false, V=false }
# 3: { Field="%funknown%", Type="%literal%", Value="[", K=false, V=false }
# 4: { Field="%funknown%", Type="%integer%", Value="4388", K=false, V=false }
# 5: { Field="%funknown%", Type="%literal%", Value="]", K=false, V=false }
# 6: { Field="%funknown%", Type="%literal%", Value=":", K=false, V=false }
# 7: { Field="%funknown%", Type="%literal%", Value="Accepted", K=false, V=false }
# 8: { Field="%funknown%", Type="%literal%", Value="publickey", K=false, V=false }
# 9: { Field="%funknown%", Type="%literal%", Value="for", K=false, V=false }
# 10: { Field="%funknown%", Type="%literal%", Value="cryptix", K=false, V=false }
# 11: { Field="%funknown%", Type="%literal%", Value="from", K=false, V=false }
# 12: { Field="%funknown%", Type="%ipv6%", Value="dead:beef:1234:5678:223:32ff:feb1:2e50", K=false, V=false }
# 13: { Field="%funknown%", Type="%literal%", Value="port", K=false, V=false }
# 14: { Field="%funknown%", Type="%integer%", Value="58251", K=false, V=false }
# 15: { Field="%funknown%", Type="%literal%", Value="ssh2", K=false, V=false }
# 16: { Field="%funknown%", Type="%literal%", Value=":", K=false, V=false }
# 17: { Field="%funknown%", Type="%literal%", Value="RSA", K=false, V=false }
# 18: { Field="%funknown%", Type="%literal%", Value="de:ad:be:ef:74:a6:bb:45:45:52:71:de:b2:12:34:56", K=false, V=false }
Hi,
I tried to add a rule for this log message from sshd, but I get
Error (sequence: no pattern matched for this message)
I can't match the address nor the fingerprint because they are tokenized too much.
Here is what `sequence scan -m` returns for the message:
I would like to see this:
Kind regards,
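An added example, not code from this issue or from the sequence project: a small Go scanner that keeps an IPv6 address and a colon-separated key fingerprint as single tokens, using a colon-count prefilter so ordinary words and "word:" fields never reach the address parser, which is the performance concern raised in the reply. The Token type, the Tokenize and classify functions and the %fingerprint% type name are assumptions, not sequence API.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Token is one scanned field tagged with a %type% name in the style sequence
// prints; %ipv6% appears in the issue, %fingerprint% is an assumed name.
type Token struct{ Type, Value string }
const (
	Literal     = "%literal%"
	IPv6        = "%ipv6%"
	Fingerprint = "%fingerprint%"
)
// Sixteen colon-separated hex bytes: the MD5 key fingerprint form in the log line.
var fpRe = regexp.MustCompile(`^(?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}$`)
func classify(f string) string {
	if strings.Count(f, ":") < 2 {
		return Literal // cheap prefilter: ordinary words never reach the regexp or net.ParseIP
	}
	if fpRe.MatchString(f) {
		return Fingerprint
	}
	if net.ParseIP(f) != nil { // with 2+ colons anything accepted is an IPv6 text form, "::" included
		return IPv6
	}
	return Literal
}
// Tokenize keeps addresses and fingerprints whole and peels a trailing ":" off
// literals, so "ssh2:" yields "ssh2" and ":". Numbers and "sshd[4388]" stay literals.
func Tokenize(msg string) []Token {
	var out []Token
	for _, f := range strings.Fields(msg) {
		t, n := classify(f), len(f)
		if t == Literal && n > 1 && f[n-1] == ':' {
			out = append(out, Token{Literal, f[:n-1]}, Token{Literal, ":"})
			continue
		}
		out = append(out, Token{t, f})
	}
	return out
}
func main() {
	for i, t := range Tokenize("from dead:beef:1234:5678:223:32ff:feb1:2e50 port 58251 ssh2: RSA de:ad:be:ef:74:a6:bb:45:45:52:71:de:b2:12:34:56") {
		fmt.Printf("# %d: { Type=%q, Value=%q }\n", i, t.Type, t.Value)
	}
}
```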