Post reply

Most efficient parsing of Juniper syslogs in SQL?

  • November 2, 2010 at 5:51 am

    #230617

    Hello,

    Im about to start investigating how to do the follow, but any direction would be much appreciated so I dont end up wasting my time looking at the wrong thing.

    Basically we receive syslogs from a server (approx 50-100 every min) of which one of the fields is called "Message"

    Here is an example of the value of the "Message" field

    " 1 2010-11-02T11:32:24 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101102" recordId="6" timeRecv="2010/11/02 11:32:24" timeGen="2010/11/02 11:32:23" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="SYSLOG:CP-SYSLOGD-ESC" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="32769" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="514" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="191" policy="IDP FSI v2" rulebase="IDS" ruleNo="4" action="NONE" severity="MINOR" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="yes" varEnum="31" misc="'interface=eth3'" user="NULL" app="NULL" uri="NULL"]"

    I would like to be able to query based on each of the values, eg protocol, action, attack etc. So my questions is what would be the most efficient way to parse 50-100 every minute of the above mesages into individual fields?

    Many Thanks,

    Peter

  • November 2, 2010 at 11:21 am

    #1245572

    I would simply do this with a separate .net program. I have seen (and used) a third party syslog parser and loader program as well but it also did inserts one at a time. At 100 per minute that methodology will work fine. At 100 or more times that you need to use bulk insert for best performance on large amounts of data.

    The probability of survival is inversely proportional to the angle of arrival.

  • November 3, 2010 at 8:46 am

    #1246043

    Yea, i've been trying to play around and watch performance. I've spoken with our dev team and they say a simple c# program may be best.

    FYI its for taking the Message field sent by Syslog from a Juniper IDP unit. Its a little crude but works none the less... beware 70000 rows took over 10mins to process :s

    SELECT TOP 1000

    SUBSTRING(message,PATINDEX('% dayID="%',message)+8,PATINDEX('%" recordID=%',message)-(PATINDEX('% dayID="%',message)+8)) as 'dayID',

    SUBSTRING(message,PATINDEX('% recordID="%',message)+11,PATINDEX('%" timeRecv=%',message)-(PATINDEX('% recordID="%',message)+11)) as 'recordID',

    SUBSTRING(message,PATINDEX('% timeRecv="%',message)+11,PATINDEX('%" timeGen=%',message)-(PATINDEX('% timeRecv="%',message)+11)) as 'timeRecv',

    SUBSTRING(message,PATINDEX('% timeGen="%',message)+10,PATINDEX('%" domain=%',message)-(PATINDEX('% timeGen="%',message)+10)) as 'timeGen',

    SUBSTRING(message,PATINDEX('% domain="%',message)+9,PATINDEX('%" devDomVer2=%',message)-(PATINDEX('% domain="%',message)+9)) as 'domain',

    SUBSTRING(message,PATINDEX('% devDomVer2="%',message)+13,PATINDEX('%" device_ip=%',message)-(PATINDEX('% devDomVer2="%',message)+13)) as 'devDomVer2',

    SUBSTRING(message,PATINDEX('% device_ip="%',message)+12,PATINDEX('%" cat=%',message)-(PATINDEX('% device_ip="%',message)+12)) as 'device_ip',

    SUBSTRING(message,PATINDEX('% cat="%',message)+6,PATINDEX('%" attack=%',message)-(PATINDEX('% cat="%',message)+6)) as 'cat',

    SUBSTRING(message,PATINDEX('% attack="%',message)+9,PATINDEX('%" srcZn=%',message)-(PATINDEX('% attack="%',message)+9)) as 'attack',

    SUBSTRING(message,PATINDEX('% srcZn="%',message)+8,PATINDEX('%" srcIntf=%',message)-(PATINDEX('% srcZn="%',message)+8)) as 'srcZn',

    REPLACE((SUBSTRING(message,PATINDEX('% srcIntf="%',message)+10,PATINDEX('%" srcAddr=%',message)-(PATINDEX('% srcIntf="%',message)+10))),'','') as 'srcIntf',

    SUBSTRING(message,PATINDEX('% srcAddr="%',message)+10,PATINDEX('%" srcPort=%',message)-(PATINDEX('% srcAddr="%',message)+10)) as 'srcAddr',

    SUBSTRING(message,PATINDEX('% srcPort="%',message)+10,PATINDEX('%" natSrcAddr=%',message)-(PATINDEX('% srcPort="%',message)+10)) as 'srcPort',

    SUBSTRING(message,PATINDEX('% natSrcAddr="%',message)+13,PATINDEX('%" natSrcPort=%',message)-(PATINDEX('% natSrcAddr="%',message)+13)) as 'natSrcAddr',

    SUBSTRING(message,PATINDEX('% natSrcPort="%',message)+13,PATINDEX('%" dstZn=%',message)-(PATINDEX('% natSrcPort="%',message)+13)) as 'natSrcPort',

    SUBSTRING(message,PATINDEX('% dstZn="%',message)+8,PATINDEX('%" dstIntf=%',message)-(PATINDEX('% dstZn="%',message)+8)) as 'dstZn',

    SUBSTRING(message,PATINDEX('% dstIntf="%',message)+10,PATINDEX('%" dstAddr=%',message)-(PATINDEX('% dstIntf="%',message)+10)) as 'dstIntf',

    SUBSTRING(message,PATINDEX('% dstAddr="%',message)+10,PATINDEX('%" dstPort=%',message)-(PATINDEX('% dstAddr="%',message)+10)) as 'dstAddr',

    SUBSTRING(message,PATINDEX('% dstPort="%',message)+10,PATINDEX('%" natDstAddr=%',message)-(PATINDEX('% dstPort="%',message)+10)) as 'dstPort',

    SUBSTRING(message,PATINDEX('% natDstAddr="%',message)+13,PATINDEX('%" natDstPort=%',message)-(PATINDEX('% natDstAddr="%',message)+13)) as 'natDstAddr',

    SUBSTRING(message,PATINDEX('% natDstPort="%',message)+13,PATINDEX('%" protocol=%',message)-(PATINDEX('% natDstPort="%',message)+13)) as 'natDstPort',

    SUBSTRING(message,PATINDEX('% protocol="%',message)+11,PATINDEX('%" ruleDomain=%',message)-(PATINDEX('% protocol="%',message)+11)) as 'protocol',

    SUBSTRING(message,PATINDEX('% ruleDomain="%',message)+13,PATINDEX('%" ruleVer=%',message)-(PATINDEX('% ruleDomain="%',message)+13)) as 'ruleDomain',

    SUBSTRING(message,PATINDEX('% ruleVer="%',message)+10,PATINDEX('%" policy=%',message)-(PATINDEX('% ruleVer="%',message)+10)) as 'ruleVer',

    SUBSTRING(message,PATINDEX('% policy="%',message)+9,PATINDEX('%" rulebase=%',message)-(PATINDEX('% policy="%',message)+9)) as 'policy',

    SUBSTRING(message,PATINDEX('% rulebase="%',message)+11,PATINDEX('%" ruleNo=%',message)-(PATINDEX('% rulebase="%',message)+11)) as 'rulebase',

    SUBSTRING(message,PATINDEX('% ruleNo="%',message)+9,PATINDEX('%" action=%',message)-(PATINDEX('% ruleNo="%',message)+9)) as 'ruleNo',

    SUBSTRING(message,PATINDEX('% action="%',message)+9,PATINDEX('%" severity=%',message)-(PATINDEX('% action="%',message)+9)) as 'action',

    SUBSTRING(message,PATINDEX('% severity="%',message)+11,PATINDEX('%" alert=%',message)-(PATINDEX('% severity="%',message)+11)) as 'severity',

    SUBSTRING(message,PATINDEX('% alert="%',message)+8,PATINDEX('%" elaspedTime=%',message)-(PATINDEX('% alert="%',message)+8)) as 'alert',

    SUBSTRING(message,PATINDEX('% elaspedTime="%',message)+14,PATINDEX('%" inbytes=%',message)-(PATINDEX('% elaspedTime="%',message)+14)) as 'elaspedTime',

    SUBSTRING(message,PATINDEX('% elaspedTime="%',message)+14,PATINDEX('%" inbytes=%',message)-(PATINDEX('% elaspedTime="%',message)+14)) as 'elaspedTime',

    SUBSTRING(message,PATINDEX('% inbytes="%',message)+10,PATINDEX('%" outbytes=%',message)-(PATINDEX('% inbytes="%',message)+10)) as 'inbytes',

    SUBSTRING(message,PATINDEX('% outbytes="%',message)+11,PATINDEX('%" totBytes=%',message)-(PATINDEX('% outbytes="%',message)+11)) as 'outbytes',

    SUBSTRING(message,PATINDEX('% totBytes="%',message)+11,PATINDEX('%" inPak=%',message)-(PATINDEX('% totBytes="%',message)+11)) as 'totBytes',

    SUBSTRING(message,PATINDEX('% inPak="%',message)+8,PATINDEX('%" outPak=%',message)-(PATINDEX('% inPak="%',message)+8)) as 'inPak',

    SUBSTRING(message,PATINDEX('% outPak="%',message)+9,PATINDEX('%" totPak=%',message)-(PATINDEX('% outPak="%',message)+9)) as 'outPak',

    SUBSTRING(message,PATINDEX('% totPak="%',message)+9,PATINDEX('%" repCount=%',message)-(PATINDEX('% totPak="%',message)+9)) as 'totPak',

    SUBSTRING(message,PATINDEX('% repCount="%',message)+11,PATINDEX('%" packetData=%',message)-(PATINDEX('% repCount="%',message)+11)) as 'repCount',

    SUBSTRING(message,PATINDEX('% packetData="%',message)+13,PATINDEX('%" varEnum=%',message)-(PATINDEX('% packetData="%',message)+13)) as 'packetData',

    SUBSTRING(message,PATINDEX('% varEnum="%',message)+10,PATINDEX('%" misc=%',message)-(PATINDEX('% varEnum="%',message)+10)) as 'varEnum',

    REPLACE(SUBSTRING(message,PATINDEX('% misc="%',message)+7,PATINDEX('%" user=%',message)-(PATINDEX('% misc="%',message)+7)),'','') as 'misc',

    SUBSTRING(message,PATINDEX('% user="%',message)+7,PATINDEX('%" app=%',message)-(PATINDEX('% user="%',message)+7)) as 'user',

    SUBSTRING(message,PATINDEX('% app="%',message)+6,PATINDEX('%" uri=%',message)-(PATINDEX('% app="%',message)+6)) as 'app',

    SUBSTRING(message,PATINDEX('% uri="%',message)+6,PATINDEX('%"]%',message)-(PATINDEX('% uri="%',message)+6)) as 'uri'

    FROM dbo.SysLog

  • November 3, 2010 at 9:03 am

    #1246068

    Yeah, that methodology won't cut it. If the the volume of this syslog data is really high a C++ program running native is the way parse and pump this stuff into SQL Server.

    The probability of survival is inversely proportional to the angle of arrival.

  • November 3, 2010 at 3:54 pm

    #1246316

    If you don't want to or can't go third party or .Net, a Tally Table splitter could be the way to go here with some pretty high efficiencies. Any chance of you attaching a file of stuff you'd like to split? See the first link in my signature line for the best way to format the data to make life easy on me. Thanks.

    --Jeff Moden

    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • November 4, 2010 at 4:19 am

    #1246440

    sturner (11/3/2010)

    Yeah, that methodology won't cut it. If the the volume of this syslog data is really high a C++ program running native is the way parse and pump this stuff into SQL Server.

    Yea but the problem is getting our dev team at the moment as they are very busy and I know nothing about C++ etc.

    Jeff Moden (11/3/2010)

    If you don't want to or can't go third party or .Net, a Tally Table splitter could be the way to go here with some pretty high efficiencies. Any chance of you attaching a file of stuff you'd like to split? See the first link in my signature line for the best way to format the data to make life easy on me. Thanks.

    Hi Jeff,

    Im not quite sure what you are asking (I've read the post in your sig), I would print out a table but as theres only 1 column I dont see what difference in formatting there would be? Sorry if I'm missing the point here.

    This is the "Message" column shown in the previous post

    1 2010-11-04T09:50:55 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:55" timeGen="2010/11/04 09:50:52" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="TCP:AUDIT:C2S-OLD-ESTB" srcZn="NULL" srcIntf="eth5" srcAddr="1.1.1.1" srcPort="43508" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="80" natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="192" policy="IDP FSI v2" rulebase="IDS" ruleNo="6" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="16" misc="'interface=eth5'" user="NULL" app="NULL" uri="NULL"]

    1 2010-11-04T09:50:54 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:54" timeGen="2010/11/04 09:50:53" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="SYSLOG:CP-SYSLOGD-ESC" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="32769" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="514" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="191" policy="IDP FSI v2" rulebase="IDS" ruleNo="4" action="NONE" severity="MINOR" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="yes" varEnum="31" misc="'interface=eth3'" user="NULL" app="NULL" uri="NULL"]

    1 2010-11-04T09:50:53 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:53" timeGen="2010/11/04 09:50:49" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="SYSLOG:CP-SYSLOGD-ESC" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="32769" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="514" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="191" policy="IDP FSI v2" rulebase="IDS" ruleNo="4" action="NONE" severity="MINOR" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="2" packetData="yes" varEnum="31" misc="'interface=eth3'" user="NULL" app="NULL" uri="NULL"]

    1 2010-11-04T09:50:51 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:51" timeGen="2010/11/04 09:50:50" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="TCP:AUDIT:C2S-OLD-ESTB" srcZn="NULL" srcIntf="eth5" srcAddr="1.1.1.1" srcPort="43508" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="80" natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="192" policy="IDP FSI v2" rulebase="IDS" ruleNo="6" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="16" misc="'interface=eth5'" user="NULL" app="NULL" uri="NULL"]

    1 2010-11-04T09:50:49 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:49" timeGen="2010/11/04 09:50:48" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="SYSLOG:CP-SYSLOGD-ESC" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="32769" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="514" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="191" policy="IDP FSI v2" rulebase="IDS" ruleNo="4" action="NONE" severity="MINOR" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="yes" varEnum="31" misc="'interface=eth3'" user="NULL" app="NULL" uri="NULL"]

    1 2010-11-04T09:50:48 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:48" timeGen="2010/11/04 09:50:44" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="SYSLOG:CP-SYSLOGD-ESC" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="32769" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="514" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="191" policy="IDP FSI v2" rulebase="IDS" ruleNo="4" action="NONE" severity="MINOR" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="3" packetData="yes" varEnum="31" misc="'interface=eth3'" user="NULL" app="NULL" uri="NULL"]

    1 2010-11-04T09:50:47 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:47" timeGen="2010/11/04 09:50:46" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="DNS:REQUEST:REVERSE-LOOKUP" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="7463" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="53" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="192" policy="IDP FSI v2" rulebase="IDS" ruleNo="6" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="31" misc="'interface=eth3'" user="NULL" app="NULL" uri="NULL"]

    Heres some code to recreate the table as it comes in from syslog, is this what you need? -

    CREATE TABLE [dbo].[TestSyslog](

    [Message] [varchar](1024) NULL

    ) ON [PRIMARY]

    GO

    INSERT [dbo].[TestSyslog](

    Message

    )

    SELECT

    ' 1 2010-11-04T09:50:55 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:55" timeGen="2010/11/04 09:50:52" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="TCP:AUDIT:C2S-OLD-ESTB" srcZn="NULL" srcIntf="eth5" srcAddr="1.1.1.1" srcPort="43508" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="80" natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="192" policy="IDP FSI v2" rulebase="IDS" ruleNo="6" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="16" misc="''interface=eth5''" user="NULL" app="NULL" uri="NULL"]'

    UNION SELECT

    ' 1 2010-11-04T09:50:54 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:54" timeGen="2010/11/04 09:50:53" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="SYSLOG:CP-SYSLOGD-ESC" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="32769" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="514" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="191" policy="IDP FSI v2" rulebase="IDS" ruleNo="4" action="NONE" severity="MINOR" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="yes" varEnum="31" misc="''interface=eth3''" user="NULL" app="NULL" uri="NULL"]'

    UNION SELECT

    ' 1 2010-11-04T09:50:53 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:53" timeGen="2010/11/04 09:50:49" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="SYSLOG:CP-SYSLOGD-ESC" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="32769" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="514" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="191" policy="IDP FSI v2" rulebase="IDS" ruleNo="4" action="NONE" severity="MINOR" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="2" packetData="yes" varEnum="31" misc="''interface=eth3''" user="NULL" app="NULL" uri="NULL"]'

    UNION SELECT

    ' 1 2010-11-04T09:50:51 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:51" timeGen="2010/11/04 09:50:50" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="TCP:AUDIT:C2S-OLD-ESTB" srcZn="NULL" srcIntf="eth5" srcAddr="1.1.1.1" srcPort="43508" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="80" natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="192" policy="IDP FSI v2" rulebase="IDS" ruleNo="6" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="16" misc="''interface=eth5''" user="NULL" app="NULL" uri="NULL"]'

    UNION SELECT

    ' 1 2010-11-04T09:50:49 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:49" timeGen="2010/11/04 09:50:48" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="SYSLOG:CP-SYSLOGD-ESC" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="32769" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="514" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="191" policy="IDP FSI v2" rulebase="IDS" ruleNo="4" action="NONE" severity="MINOR" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="yes" varEnum="31" misc="''interface=eth3''" user="NULL" app="NULL" uri="NULL"]'

    UNION SELECT

    ' 1 2010-11-04T09:50:48 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:48" timeGen="2010/11/04 09:50:44" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="SYSLOG:CP-SYSLOGD-ESC" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="32769" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="514" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="191" policy="IDP FSI v2" rulebase="IDS" ruleNo="4" action="NONE" severity="MINOR" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="3" packetData="yes" varEnum="31" misc="''interface=eth3''" user="NULL" app="NULL" uri="NULL"]'

    UNION SELECT

    ' 1 2010-11-04T09:50:47 1.1.1.1 Jnpr Syslog 6168 1 [syslog@juniper.net dayId="20101104" recordId="6" timeRecv="2010/11/04 09:50:47" timeGen="2010/11/04 09:50:46" domain="" devDomVer2="0" device_ip="1.1.1.1" cat="Predefined" attack="DNS:REQUEST:REVERSE-LOOKUP" srcZn="NULL" srcIntf="eth3" srcAddr="1.1.1.1" srcPort="7463" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="1.1.1.1" dstPort="53" natDstAddr="NULL" natDstPort="0" protocol="UDP" ruleDomain="" ruleVer="192" policy="IDP FSI v2" rulebase="IDS" ruleNo="6" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="31" misc="''interface=eth3''" user="NULL" app="NULL" uri="NULL"]'

    Thanks folks

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply