[logs] regexless parsing, again?
Jason Haar
Jason.Haar at trimble.co.nz
Tue Sep 18 15:27:24 PDT 2007
Daniel Cid wrote:
> How do I do with ossec? Well, first, I divide the
> process in two: log decoding and then "classification"
> or rule matching. Second, instead of thousands of
> regexes for every log, I build a decoding/rule tree,
> limiting the number of checks per log.
>
How does your sshd example differ from a regex like
sshd.*(login failure|access denied|I am a hacker)
I realise that
sshd.*login failure
sshd.*access denied
sshd.*I am a hacker
would be slower - but shouldn't "better written global regex" equate to
your idea of separation? I guess I'm thinking that most modern regex
"engines" will automatically create internal "trees" for well written
regex rules.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the LogAnalysis
mailing list