I was working all day with regular expressions to get a new child decoder 
of bro-ids working. Nothing seemed to work, so I tried one of the tried and 
tested decoders to check if the children are processed at all.
It turns out they aren't...

I'm using version 2.7.

As you can see in the output below I took the example log line as mentioned 
in the decoder.xml file.
The decoder child that should get a username doesn't get triggered.

Decoder code:
<decoder name="pam-user">
  <parent>pam</parent>
  <prematch>^session \w+ </prematch>
  <regex offset="after_prematch">^for user (\S+)</regex>
  <order>user</order>
</decoder>

Test output:
root@mgt-ossec-01:/var/ossec/rules# ../bin/ossec-logtest
2012/12/04 16:35:08 ossec-testrule: INFO: Reading local decoder file.
2012/12/04 16:35:08 ossec-testrule: INFO: Started (pid: 12439).
ossec-testrule: Type one log per line.

Sep 28 15:35:18 server sshd[123]: pam_unix(sshd:session): session opened for user carl by (uid=0)


**Phase 1: Completed pre-decoding.
       full event: 'Sep 28 15:35:18 server sshd[123]: pam_unix(sshd:session): session opened for user carl by (uid=0)'
       hostname: 'server'
       program_name: 'sshd'
       log: 'pam_unix(sshd:session): session opened for user carl by (uid=0)'

**Phase 2: Completed decoding.
       decoder: 'pam'

**Phase 3: Completed filtering (rules).
       Rule id: '5501'
       Level: '3'
       Description: 'Login session opened.'
**Alert to be generated.

As you can see, it only identifies the decoder but doesn't decode the user as 
defined in the child object.
My question is: what's wrong, and how can I fix it?

Best regards,
Jeroen D
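The decoder logic being discussed, as an added worked model rather than OSSEC's own code: a small Python simulation of how a parent decoder and a child decoder with offset="after_prematch" are applied to the "log" field produced by pre-decoding. It assumes OSSEC's regex dialect can be approximated with Python's re for the tokens used here (^, \w+, \S+, one capture group); the syslog pre-decoder is a simplified stand-in, and both sample log lines are constructed (one in the "sshd[123]: pam_unix(...)" form from the test output above, one in the older "sshd(pam_unix)[123]: ..." form).

```python
import re

# Simplified model of OSSEC decoder evaluation (assumption: not OSSEC's code).
# Parent "pam" matches on program_name or on a prematch against the log field;
# child "pam-user" has a ^-anchored prematch with no offset, so it is tested at
# the very start of the log field, and its regex runs from the end of the
# prematch because of offset="after_prematch".
PARENT = {
    "name": "pam",
    "program_name": r"pam_unix|pam-unix|\(pam_unix\)",
    "prematch": r"^pam_unix|^\(pam_unix\)|^pam-unix",
}
CHILD = {
    "name": "pam-user",
    "prematch": r"^session \w+ ",
    "regex": r"^for user (\S+)",
    "regex_offset": "after_prematch",
    "order": ["user"],
}

# Constructed sample lines (not from a real system).
NEW_FORMAT_LINE = ("Sep 28 15:35:18 server sshd[123]: "
                   "pam_unix(sshd:session): session opened for user carl by (uid=0)")
OLD_FORMAT_LINE = ("Sep 28 15:35:18 server sshd(pam_unix)[123]: "
                   "session opened for user carl by (uid=0)")

SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ ([^\[:]+)(?:\[\d+\])?: (.*)$")


def predecode(line):
    """Phase 1 stand-in: split a syslog line into (program_name, log)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None, line
    return m.group(1), m.group(2)


def parent_matches(program_name, log):
    """The parent decoder hits on program_name or on its prematch."""
    if program_name and re.search(PARENT["program_name"], program_name):
        return True
    return re.search(PARENT["prematch"], log) is not None


def decode_child(log, child):
    """Apply the child's prematch, then its regex at the configured offset."""
    pm = re.search(child["prematch"], log)  # ^ only matches at position 0
    if not pm:
        return None  # child prematch failed: nothing is extracted
    start = pm.end() if child.get("regex_offset") == "after_prematch" else 0
    rm = re.match(child["regex"], log[start:])
    if not rm:
        return None
    # <order> maps capture groups to field names, in order.
    return dict(zip(child["order"], rm.groups()))


def decode(line):
    """Phase 2 stand-in: parent first, then the child; returns decoded fields."""
    program_name, log = predecode(line)
    if not parent_matches(program_name, log):
        return {"decoder": None}
    result = {"decoder": PARENT["name"]}
    fields = decode_child(log, CHILD)
    if fields:
        result.update(fields)
    return result


if __name__ == "__main__":
    for line in (NEW_FORMAT_LINE, OLD_FORMAT_LINE):
        print(predecode(line)[1], "->", decode(line))
```

In this model the newer "sshd[123]: pam_unix(sshd:session): ..." line gives only {"decoder": "pam"}, because the log field starts with "pam_unix(" and the child's ^-anchored prematch never sees "session" at position 0; the older "sshd(pam_unix)[123]: session opened ..." form puts "session" at the start of the log field and the child yields user=carl. Comparing where pre-decoding places the log field against the child's anchor is the check to make when a child decoder silently does not fire.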
