Awesome, thanks for the patch.
I tried it out on our test servers, and then bumped it to our live servers. No problems, no side effects. Looks good :-)
On 1/11/2013 4:18 PM, Jb Cheng wrote:
Try the attached patch which modifies analysisd/cleanevent.c and
report back. Thanks!
On Friday, January 11, 2013 2:04:05 PM UTC-8, Jb Cheng wrote:
Found the root cause at "analysisd/cleanevent.c".
If you have an IP address which happens to meet the conditional
statement, the first 14 characters of the log will be stripped
(and cause "No decoder matched").
You can modify the following code so there won't be false positives:
    /* Checking for squid date format
     * 1140804070.368 11623
     * seconds from 00:00:00 1970-01-01 UTC
     */
    else if((loglen > 32) &&
            (pieces[0] == '1') &&
            (pieces[10] == '.') &&
            (pieces[14] == ' ') &&
            (isdigit((int)pieces[13])) &&
            (isdigit((int)pieces[1])) &&
            ((pieces[21] == ' ')||(pieces[22] == ' ')))
    {
        lf->log+=14;
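As an added illustration (my own code, not OSSEC's and not the attached patch), this C program re-implements the squid-date heuristic quoted above and runs it against the apache line from this thread, beside a stricter variant that demands a digit at every timestamp position; the padded squid sample line and the stricter check are my assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: a squid line in native layout, and the thread's apache line. */
static const char *const SAMPLE_SQUID =
    "1140804070.368  11623 192.168.1.5 TCP_MISS/200 1234 GET "
    "http://example.com/ - DIRECT/1.2.3.4 text/html";
static const char *const SAMPLE_APACHE_USER =
    "111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "
    "\"POST /api/ HTTP/1.1\" 200 20 \"somereferrer\" \"somebrowser\"";

/* The heuristic as quoted from analysisd/cleanevent.c: it samples only two
 * digit positions, so a 3-2-3-3 dotted quad followed by a username passes. */
int squid_heuristic_original(const char *pieces)
{
    return (strlen(pieces) > 32) &&
           (pieces[0] == '1') &&
           (pieces[10] == '.') &&
           (pieces[14] == ' ') &&
           isdigit((unsigned char)pieces[13]) &&
           isdigit((unsigned char)pieces[1]) &&
           ((pieces[21] == ' ') || (pieces[22] == ' '));
}

/* Stricter variant (my assumption, not the attached patch): a squid timestamp
 * is ten digits, a dot and three digits, so require a digit at each position. */
int squid_heuristic_strict(const char *pieces)
{
    if (strlen(pieces) <= 32 || pieces[10] != '.' || pieces[14] != ' ')
        return 0;
    for (int i = 0; i < 14; i++)
        if (i != 10 && !isdigit((unsigned char)pieces[i]))
            return 0;   /* an IP address fails at its first dot */
    return (pieces[21] == ' ') || (pieces[22] == ' ');
}

/* Mirror of `lf->log += 14`: the text the decoders would actually receive. */
const char *strip_squid_date(const char *pieces, int (*check)(const char *))
{
    return check(pieces) ? pieces + 14 : pieces;
}

int main(void)
{
    /* With the original check the 14-byte IP is gone and only " - test [..." remains. */
    printf("original: '%s'\n", strip_squid_date(SAMPLE_APACHE_USER, squid_heuristic_original));
    printf("strict:   '%s'\n", strip_squid_date(SAMPLE_APACHE_USER, squid_heuristic_strict));
    return 0;
}
```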
On Thursday, December 27, 2012 12:10:46 PM UTC-8, Ryan Schulze wrote:
I stumbled across a weird phenomenon today. I noticed that some of my apache logs were being decoded as syslogs.
As far as I can tell, if the 1st, 3rd and 4th octets of the IP are three-digit and the 2nd octet is two-digit AND apache logged a username (e.g. due to .htaccess) then ossec doesn't decode it as web-accesslog.
Tests were done with a fresh install of ossec 2.7 on ubuntu 12.04, no local decoder or rules.
I can replicate the problem with the following two lines:
111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
No decoder matched
111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
decoder: 'web-accesslog'
111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
decoder: 'web-accesslog'
Does anyone have an idea where I would fix this? (Which part of the source tree will I have to look at for the decoder regex logic?)
logs:
> rtest:~# /var/ossec/bin/ossec-logtest
> 2012/12/27 21:05:08 ossec-testrule: INFO: Reading local decoder file.
> 2012/12/27 21:05:08 ossec-testrule: INFO: Started (pid: 17574).
> ossec-testrule: Type one log per line.
>
> 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
>
>
> **Phase 1: Completed pre-decoding.
> full event: '111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> hostname: 'rtest'
> program_name: '(null)'
> log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
>
>
> **Phase 1: Completed pre-decoding.
> full event: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> hostname: 'rtest'
> program_name: '(null)'
> log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>
> **Phase 2: Completed decoding.
> decoder: 'web-accesslog'
> srcip: '111.222.111.111'
> url: '/api/'
> id: '200'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '31108'
> Level: '0'
> Description: 'Ignored URLs (simple queries).'
>
> 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
>
>
> **Phase 1: Completed pre-decoding.
> full event: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> hostname: 'rtest'
> program_name: '(null)'
> log: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>
> **Phase 2: Completed decoding.
> decoder: 'web-accesslog'
> srcip: '111.22.111.111'
> url: '/api/'
> id: '200'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '31108'
> Level: '0'
> Description: 'Ignored URLs (simple queries).'