On Fri, Mar 16, 2012 at 1:43 PM, dan (ddp) <[email protected]> wrote:
> On Thu, Mar 15, 2012 at 6:58 AM, C. L. Martinez <[email protected]> wrote:
>> Hi all,
>>
>> I have configured this decoder:
>>
>> <decoder name="custom-decoder">
>> <prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
>> </decoder>
>>
>> <decoder name="custom-decoder-action">
>> <parent>custom-decoder</parent>
>
>
>> <type>firewall</type>
>
> ^ This is causing problems for me.
> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
> 2012/03/16 08:40:14 ossec-testrule: INFO: Reading local decoder file.
> 2012/03/16 08:40:14 ossec-testrule: INFO: Started (pid: 18256).
> ossec-testrule: Type one log per line.
>
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Mar 15 10:45:45 172.31.0.2 Mar 15 11:45:45
> RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset:
> 10.196.0.8/58378->22.1.2.3/53 dns-udp 22.1.3.4/34622->22.1.2.3/53 r1
> None 17 DNS trust untrust 6552 1(82) 1(458) 60'
> hostname: '172.31.0.2'
> program_name: '(null)'
> log: 'Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session
> closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp
> 22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82)
> 1(458) 60'
>
> **Phase 2: Completed decoding.
> decoder: 'custom-decoder'
> action: 'unset'
> srcip: '10.196.0.8'
> dstip: '22.1.2.3'
> dstport: '53'
> extra_data: 'dns-udp'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '4100'
> Level: '0'
> Description: 'Firewall rules grouped.'
> #
>
> Removing the <type>firewall</type> I get:
>
> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
> 2012/03/16 08:41:59 ossec-testrule: INFO: Reading local decoder file.
> 2012/03/16 08:41:59 ossec-testrule: INFO: Started (pid: 22384).
> ossec-testrule: Type one log per line.
>
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Mar 15 10:45:45 172.31.0.2 Mar 15 11:45:45
> RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset:
> 10.196.0.8/58378->22.1.2.3/53 dns-udp 22.1.3.4/34622->22.1.2.3/53 r1
> None 17 DNS trust untrust 6552 1(82) 1(458) 60'
> hostname: '172.31.0.2'
> program_name: '(null)'
> log: 'Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session
> closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp
> 22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82)
> 1(458) 60'
>
> **Phase 2: Completed decoding.
> decoder: 'custom-decoder'
> action: 'unset'
> srcip: '10.196.0.8'
> dstip: '22.1.2.3'
> dstport: '53'
> extra_data: 'dns-udp'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100201'
> Level: '14'
> Description: 'weeeee ooooooh weeeeeee ooooooh (emergency vehicle
> noises)'
> **Alert to be generated.
>
>
> I'm not sure why you're getting different results.
Maybe the problem is my rules configuration under ossec.conf?
<rules>
<include>rules_config.xml</include>
<include>my_custfw_rules.xml</include>
</rules>
I have only these options loaded...
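As an added illustration of what ossec-logtest is reporting in Phases 1 and 2 above (this is example code written for this thread, not OSSEC's own decoder engine), the following Python script pre-decodes the sample "full event" into hostname, program_name and log, applies the thread's <prematch> expression, and then extracts the same fields the output shows. The <prematch> is taken verbatim from the thread; the field regex for the child decoder is an assumption, since the thread never shows it, and the sample line is the one captured in the logtest run.

```python
import re

# Constructed sample: the "full event" line from the ossec-logtest output in the thread.
SAMPLE_EVENT = (
    "Mar 15 10:45:45 172.31.0.2 Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: "
    "session closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp "
    "22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82) 1(458) 60"
)

# Phase 1 (pre-decoding): syslog header "Mon DD HH:MM:SS host rest", where "rest"
# may start with "program[pid]: ". In the sample the rest starts with a second
# timestamp, so no program name is found, matching program_name: '(null)'.
SYSLOG_HEADER = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
PROGRAM_NAME = re.compile(r"^([A-Za-z][\w.-]*)(?:\[\d+\])?: ")

# The <prematch> from the thread's custom-decoder; it is also valid Python re syntax.
PREMATCH = re.compile(r"^\w+ \d+ \d+:\d+:\d+ RT_FLOW: ")

# Assumed field regex for the child decoder (the thread does not show it). The source
# port is matched but not captured, because the logtest output does not list srcport.
SESSION_CLOSE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (\S+): "
    r"(\S+)/\d+->(\S+)/(\d+) (\S+) "
)
FIELD_ORDER = ("action", "srcip", "dstip", "dstport", "extra_data")


def predecode(event):
    """Split a syslog line into hostname, program_name and the remaining log text."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    rest = m.group(3)
    program_name = None
    prog = PROGRAM_NAME.match(rest)
    if prog:
        program_name = prog.group(1)
        rest = rest[prog.end():]
    return {"hostname": m.group(2), "program_name": program_name, "log": rest}


def decode(event):
    """Phase 2: apply the prematch to the log part, then extract fields if it matches."""
    pre = predecode(event)
    if not PREMATCH.search(pre["log"]):
        # Prematch failed: no decoder is assigned and no fields are produced.
        return {**pre, "decoder": None, "fields": {}}
    fields = {}
    m = SESSION_CLOSE.search(pre["log"])
    if m:
        fields = dict(zip(FIELD_ORDER, m.groups()))
    return {**pre, "decoder": "custom-decoder", "fields": fields}


if __name__ == "__main__":
    result = decode(SAMPLE_EVENT)
    print("hostname:", result["hostname"])
    print("program_name:", result["program_name"])
    print("log:", result["log"])
    print("decoder:", result["decoder"])
    for name, value in result["fields"].items():
        print(f"{name}: {value!r}")
```

Running it reproduces the values in the Phase 2 block (action 'unset', srcip '10.196.0.8', dstip '22.1.2.3', dstport '53', extra_data 'dns-udp'); a line whose log part does not start with the prematch, such as an sshd message, comes back with no decoder and no fields, which is the quickest way to check whether a decoder change or a rule change is what moved an event between rule 4100 and rule 100201.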