On Fri, Mar 16, 2012 at 3:24 PM, dan (ddp) <[email protected]> wrote:
> On Fri, Mar 16, 2012 at 9:58 AM, C. L. Martinez <[email protected]> wrote:
>> On Fri, Mar 16, 2012 at 1:43 PM, dan (ddp) <[email protected]> wrote:
>>> On Thu, Mar 15, 2012 at 6:58 AM, C. L. Martinez <[email protected]>
>>> wrote:
>>>> Hi all,
>>>>
>>>> I have configured this decoder:
>>>>
>>>> <decoder name="custom-decoder">
>>>>   <prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
>>>> </decoder>
>>>>
>>>> <decoder name="custom-decoder-action">
>>>>   <parent>custom-decoder</parent>
>>>
>>>
>>>>   <type>firewall</type>
>>>
>>> ^ This is causing problems for me.
>>>
>>> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
>>> 2012/03/16 08:40:14 ossec-testrule: INFO: Reading local decoder file.
>>> 2012/03/16 08:40:14 ossec-testrule: INFO: Started (pid: 18256).
>>> ossec-testrule: Type one log per line.
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Mar 15 10:45:45 172.31.0.2 Mar 15 11:45:45
>>> RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset:
>>> 10.196.0.8/58378->22.1.2.3/53 dns-udp 22.1.3.4/34622->22.1.2.3/53 r1
>>> None 17 DNS trust untrust 6552 1(82) 1(458) 60'
>>>        hostname: '172.31.0.2'
>>>        program_name: '(null)'
>>>        log: 'Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session
>>> closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp
>>> 22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82)
>>> 1(458) 60'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'custom-decoder'
>>>        action: 'unset'
>>>        srcip: '10.196.0.8'
>>>        dstip: '22.1.2.3'
>>>        dstport: '53'
>>>        extra_data: 'dns-udp'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '4100'
>>>        Level: '0'
>>>        Description: 'Firewall rules grouped.'
>>> #
>>>
>>> Removing the <type>firewall</type> I get:
>>>
>>> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
>>> 2012/03/16 08:41:59 ossec-testrule: INFO: Reading local decoder file.
>>> 2012/03/16 08:41:59 ossec-testrule: INFO: Started (pid: 22384).
>>> ossec-testrule: Type one log per line.
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Mar 15 10:45:45 172.31.0.2 Mar 15 11:45:45
>>> RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset:
>>> 10.196.0.8/58378->22.1.2.3/53 dns-udp 22.1.3.4/34622->22.1.2.3/53 r1
>>> None 17 DNS trust untrust 6552 1(82) 1(458) 60'
>>>        hostname: '172.31.0.2'
>>>        program_name: '(null)'
>>>        log: 'Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session
>>> closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp
>>> 22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82)
>>> 1(458) 60'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'custom-decoder'
>>>        action: 'unset'
>>>        srcip: '10.196.0.8'
>>>        dstip: '22.1.2.3'
>>>        dstport: '53'
>>>        extra_data: 'dns-udp'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '100201'
>>>        Level: '14'
>>>        Description: 'weeeee ooooooh weeeeeee ooooooh (emergency vehicle
>>> noises)'
>>> **Alert to be generated.
>>>
>>>
>>> I'm not sure why you're getting different results.
>>
>> Maybe the problem is my rules configuration under ossec.conf??:
>>
>> <rules>
>>   <include>rules_config.xml</include>
>>   <include>my_custfw_rules.xml</include>
>> </rules>
>>
>> I have only these options loaded ...
>
> That makes sense. If you aren't running the default stuff you won't
> see the default results. I don't think I changed anything other than
> taking out the <type>.
>
> <decoder name="custom-decoder">
>   <prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
> </decoder>
>
> <decoder name="custom-decoder-action">
>   <parent>custom-decoder</parent>
>   <prematch offset="after_parent">^RT_FLOW_SESSION_CLOSE: </prematch>
>   <regex offset="after_prematch">session closed (\w+): (\d+.\d+.\d+.\d+)/\d+->(\d+.\d+.\d+.\d+)/(\d+) (\S+)</regex>
>   <order>action,srcip,dstip,dstport,extra_data</order>
> </decoder>
>
> <rule id="100200" level="0">
>   <decoded_as>custom-decoder</decoded_as>
> </rule>
>
> <rule id="100201" level="14">
>   <if_sid>100200</if_sid>
>   <action>unset</action>
>   <description>weeeee ooooooh weeeeeee ooooooh (emergency vehicle noises)</description>
> </rule>
Thanks, Dan. Disabling only the <type> option, everything works as expected.
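For readers following the thread, here is an added Python sketch (not from the list or from OSSEC itself) of how the two decoders and two rules above chain together: the parent prematch anchors the line, the child prematch runs after_parent, the regex runs after_prematch, and <order> names the capture groups. It uses Python's re module rather than OSSEC's own regex dialect, so it only approximates the matching, and the sample log line is a copy of the 'log:' part of the event printed by ossec-logtest.

```python
import re

# Constructed copy of the 'log:' part of the event shown in the thread.
SAMPLE_LOG = (
    "Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: "
    "10.196.0.8/58378->22.1.2.3/53 dns-udp 22.1.3.4/34622->22.1.2.3/53 "
    "r1 None 17 DNS trust untrust 6552 1(82) 1(458) 60"
)

# Python-re translations of the decoder patterns (OSSEC's own regex dialect
# differs; the original even leaves the dots between IP octets unescaped).
PARENT_PREMATCH = re.compile(r"^\w+ \d+ \d+:\d+:\d+ RT_FLOW: ")
CHILD_PREMATCH = re.compile(r"^RT_FLOW_SESSION_CLOSE: ")
CHILD_REGEX = re.compile(
    r"session closed (\w+): (\d+\.\d+\.\d+\.\d+)/\d+->(\d+\.\d+\.\d+\.\d+)/(\d+) (\S+)"
)
ORDER = ["action", "srcip", "dstip", "dstport", "extra_data"]


def decode(log):
    """Chain custom-decoder -> custom-decoder-action on one log line.
    Returns the decoded fields, or None when any stage fails to match."""
    parent = PARENT_PREMATCH.match(log)
    if not parent:
        return None
    rest = log[parent.end():]          # offset="after_parent"
    child = CHILD_PREMATCH.match(rest)
    if not child:
        return None
    m = CHILD_REGEX.search(rest[child.end():])  # offset="after_prematch"
    if not m:
        return None
    fields = dict(zip(ORDER, m.groups()))  # <order> names the capture groups
    fields["decoder"] = "custom-decoder"   # ossec-logtest reports the parent
    return fields


def match_rules(fields):
    """Mimic the two rules in the thread: 100200 (level 0) fires on anything
    decoded_as custom-decoder; 100201 (level 14) needs 100200 and action=unset.
    Returns (rule id, level) or None."""
    if not fields or fields.get("decoder") != "custom-decoder":
        return None
    if fields.get("action") == "unset":
        return ("100201", 14)
    return ("100200", 0)
```

Running decode(SAMPLE_LOG) reproduces the Phase 2 fields from ossec-logtest, and match_rules on that result gives rule 100201 at level 14, matching the second Phase 3 output in the thread.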
