On Tue, Dec 4, 2012 at 10:46 AM, Jeroen D <[email protected]> wrote:
> I was working all day with regular expressions to get a new child decoder of
> bro-ids working. Nothing seemed to work so I tried one of the tested and
> tried decoders to check if the children are processed at all.
> It turns out, they aren't...
>
> I'm using version 2.7.
>
> As you can see in the output below I took the example log line as mentioned
> in the decoder.xml file.
> The decoder child that should get a username doesn't get triggered.
>
> Decoder code:
> <decoder name="pam-user">
> <parent>pam</parent>
> <prematch>^session \w+ </prematch>
> <regex offset="after_prematch">^for user (\S+)</regex>
> <order>user</order>
> </decoder>
>
> Test output:
> root@mgt-ossec-01:/var/ossec/rules# ../bin/ossec-logtest
> 2012/12/04 16:35:08 ossec-testrule: INFO: Reading local decoder file.
> 2012/12/04 16:35:08 ossec-testrule: INFO: Started (pid: 12439).
> ossec-testrule: Type one log per line.
>
> Sep 28 15:35:18 server sshd[123]: pam_unix(sshd:session): session opened for
> user carl by (uid=0)
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Sep 28 15:35:18 server sshd[123]:
> pam_unix(sshd:session): session opened for user carl by (uid=0)'
> hostname: 'server'
> program_name: 'sshd'
> log: 'pam_unix(sshd:session): session opened for user carl by
> (uid=0)'
>
This log doesn't start with "session," it starts with "pam_unix."

> **Phase 2: Completed decoding.
> decoder: 'pam'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '5501'
> Level: '3'
> Description: 'Login session opened.'
> **Alert to be generated.
>
> As you can see it only defines the decoder but doesn't decode the user as
> defined in the child object.
> My question is, what's wrong and how can I fix it?
>
> Best regards,
> Jeroen D
