Hi all,
I'm trying to use OSSEC for analyzing application logs, but I encounter
some issues with the decoder and the OSSEC regex.
I defined the following decoder inputs:
<decoder name="vsftpd-local">
<parent>vsftpd</parent>
<regex>Client "(\d+.\d+.\d+.\d+)"</regex>
<order>srcip</order>
</decoder>
<decoder name="vsftpd-local">
<parent>vsftpd</parent>
<regex offset="after_regex">, "(\.+)"$</regex>
<order>action</order>
</decoder>
The first regex (<regex>Client "(\d+.\d+.\d+.\d+)"</regex>) is functional
and returns the IP address of the FTP client. The second one (<regex
offset="after_regex">, "(\.+)"$</regex>) should store the FTP
request/response message for further analysis.
When I try to test this configuration with "ossec-logtest", I obtain the
results shown below (the behavior is the same with the OSSEC server
analysis):
<!-- Test 1 / real server response (there are two double quotes at the end
of the string)-->
Mon Sep 10 9:44:54 2013 [pid 1108] FTP response: Client "192.168.0.1",
"220 "Welcome at FTP Server""
...
**Phase 2: Completed decoding.
decoder: 'vsftpd'
status: 'response'
srcip: '192.168.0.1'
...
=> I don't have any string in the "action" variable.
<!-- Test 2 / other test (there is just one double quote at the end of the
string) -->
Mon Sep 10 9:44:54 2013 [pid 1108] FTP response: Client "192.168.0.1",
"220 "Welcome at FTP Server"
...
**Phase 2: Completed decoding.
decoder: 'vsftpd'
status: 'response'
srcip: '192.168.0.1'
action: '220 "Welcome at FTP Server"'
...
=> I have a string in the "action" variable but the last character (a
double quote) is included in the variable.
<!-- Test 3 / other test (there are three double quotes at the end of
the string) -->
Mon Sep 10 9:44:54 2013 [pid 1108] FTP response: Client "192.168.0.1",
"220 "Welcome at FTP Server"""
...
**Phase 2: Completed decoding.
decoder: 'vsftpd'
status: 'response'
srcip: '192.168.0.1'
action: '220 "Welcome at FTP Server"""'
...
=> I have a string in the "action" variable but the last three characters
(three double quotes) are included in the variable.
More generally, with an even number of ", the regex doesn't match anything.
With an odd number of ", the regex matches but without removing the last "
defined in the regex.
Do you have any idea about this?
Below are the RPM packages used on my platform:
- OSSEC Server (CentOS release 6.3):
ossec-hids-2.7-24.el6.art.x86_64
ossec-hids-server-2.7-24.el6.art.x86_64
- OSSEC Agent (CentOS release 6.3):
ossec-hids-2.7-24.el6.art.x86_64
ossec-hids-client-2.7-24.el6.art.x86_64
Thanks.
Gilles
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
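The following is an added reference decoder written in plain Python; it is not OSSEC code and not part of the original post. It pins down the field values (status, srcip, action) that a correct decoder should return for the three test lines quoted above, including the awkward trailing-quote cases, by using a standard backtracking regex in which a greedy `.*` followed by `"$` always gives the final quote back. The sample log lines are constructed copies of the three tests, and the line format assumed (`<timestamp> [pid N] FTP request|response: Client "<ip>", "<message>"`) is taken from those lines only.

```python
"""Reference decoder for vsftpd 'FTP request/response' log lines (added example)."""
import re
from ipaddress import ip_address

# Constructed sample lines that mirror Test 1, Test 2 and Test 3 of the post
# (two, one and three double quotes at the end of the line).
SAMPLES = [
    'Mon Sep 10 9:44:54 2013 [pid 1108] FTP response: Client "192.168.0.1", "220 "Welcome at FTP Server""',
    'Mon Sep 10 9:44:54 2013 [pid 1108] FTP response: Client "192.168.0.1", "220 "Welcome at FTP Server"',
    'Mon Sep 10 9:44:54 2013 [pid 1108] FTP response: Client "192.168.0.1", "220 "Welcome at FTP Server"""',
]

# The message is everything between the quote that follows ', ' and the quote
# that ends the line.  With a backtracking engine, the greedy .* first swallows
# the closing quote and then hands it back so that '"$' can match, so the
# closing delimiter is never part of the capture, whatever the number of inner
# quotes.  The client address is captured as a quoted token and validated below.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{1,2}:\d{2}:\d{2} \d{4}) '
    r'\[pid (?P<pid>\d+)\] '
    r'FTP (?P<status>request|response): '
    r'Client "(?P<srcip>[^"]+)", '
    r'"(?P<action>.*)"$'
)


def decode(line):
    """Return a dict of decoded fields for one log line.

    Returns None when the line does not match the expected format or when the
    client address is not a valid IP address, so that malformed input never
    reaches the rules as a bogus srcip.
    """
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.groupdict()
    try:
        ip_address(fields["srcip"])
    except ValueError:
        return None
    fields["pid"] = int(fields["pid"])
    return fields


def decode_all(lines):
    """Decode many lines, silently skipping the ones that do not parse."""
    decoded = []
    for line in lines:
        fields = decode(line)
        if fields is not None:
            decoded.append(fields)
    return decoded


if __name__ == "__main__":
    for fields in decode_all(SAMPLES):
        print(fields["status"], fields["srcip"], repr(fields["action"]))
```

Run against the three samples, the action field comes out as `220 "Welcome at FTP Server"`, `220 "Welcome at FTP Server` and `220 "Welcome at FTP Server""` respectively: the final quote is consumed as the delimiter every time, which is the behaviour the post expects from the OSSEC regex and is a handy yardstick when comparing against ossec-logtest output.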