add cl-interpol to LoGS?

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

add cl-interpol to LoGS?

Jim Prewett

Hi all,

I'm starting to make a lot of use of Edi Weitz' excellent cl-interpol
package (you have another winner, Edi!) in my LoGS rulesets.  I'm
wondering if its functionality is generally useful enough (the way that
cl-ppcre is) to warrant adding to LoGS.

I'm doing things like:

;; the regexp that defines the internal network
(defvar *internal-network-ipv4-regexp* "10.3.\\d+.\\d+")

;; there is no action, so throw away internal login messages
(rule named 'ignore-internal-logins-ipv4
          matching regexp
#?"sshd\\[\\d+\\]: Accepted publickey for .* from ${*internal-network-ipv4-regexp} port \\d+ ssh2")

That basically allows me to more easily share rulesets with other shops;
They can define their own *internal-network-ipv4-regexp* and use my rules.

What do you think?


James E. Prewett                    [hidden email] [hidden email]
Systems Team Leader           LoGS: 
Designated Security Officer         OpenPGP key: pub 1024D/31816D93    
HPC Systems Engineer III   UNM HPC  505.277.8210

LoGS-devel mailing list
[hidden email]