markuskont · September 6, 2017 11:23
diff --git a/snoopy.rb b/snoopy.rb
 version=2

 include=/opt/liblognorm-rulebase/stdtypes.rb

 type=@ssh:%[
  {"type": "ipv4", "name":"src_ip"},
  {"type": "whitespace"},
  {"type": "number", "name":"src_port"},
  {"type": "whitespace"},
  {"type": "ipv4", "name":"dst_ip"},
  {"type": "whitespace"},
  {"type": "number", "name":"dst_port"},
 ]%
 type=@ssh:%[
  {"type": "literal", "text":"(undefined)"},
 ]%

 # [login:(unknown) ssh:((undefined)) username:root uid:0 group:root gid:0 sid:19935 tty:(none) cwd:/root filename:/bin/dmesg]: dmesg

 rule=:[login:%login:word% ssh:(%ssh:@ssh%) username:%username:word% uid:%uid:number% group:%group:word% gid:%gid:number% sid:%sid:number% tty:%tty:word% cwd:%cwd:word% filename:%filename:char-to:"]"%]: %cmd:rest%
	version=2

	include=/opt/liblognorm-rulebase/stdtypes.rb

	type=@ssh:%[
	{"type": "ipv4", "name":"src_ip"},
	{"type": "whitespace"},
	{"type": "number", "name":"src_port"},
	{"type": "whitespace"},
	{"type": "ipv4", "name":"dst_ip"},
	{"type": "whitespace"},
	{"type": "number", "name":"dst_port"},
	]%
	type=@ssh:%[
	{"type": "literal", "text":"(undefined)"},
	]%

	# [login:(unknown) ssh:((undefined)) username:root uid:0 group:root gid:0 sid:19935 tty:(none) cwd:/root filename:/bin/dmesg]: dmesg

	rule=:[login:%login:word% ssh:(%ssh:@ssh%) username:%username:word% uid:%uid:number% group:%group:word% gid:%gid:number% sid:%sid:number% tty:%tty:word% cwd:%cwd:word% filename:%filename:char-to:"]"%]: %cmd:rest%