On Wed, Jul 30, 2014 at 10:28 AM, James Whittington <[email protected]> wrote:
> I have seen several examples of decoders folks have written for IIS 7.
> I have tried out a couple of different ones, yet each time ossec-logtest
> stops at the windows-date-format decoder.
>
> Additionally, one of the examples of an IIS 7 decoder is in an OSSEC bug,
> "web-log category doesn't work"
> (https://github.com/ossec/ossec-hids/issues/164).
>
> So I am left wondering if anyone is successfully decoding IIS logs on
> Windows 2008-2012 servers?
>
> I am currently running OSSEC v2.7.1; I see 2.8 is out, but I didn't see
> anything in the release notes about updates to IIS logs.
>
> I would like to write some custom rules on POST actions to specific URLs, but
> the windows-date-format decoder doesn't extract the correct fields that I
> need.
What fields do you need that are missing?

> Here is an example line and what I am seeing when I run a logtest on it:
>
> 2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667
>
> **Phase 1: Completed pre-decoding.
>        full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
>        hostname: 'monitor'
>        program_name: '(null)'
>        log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        url: '/register -'
>        srcip: '120.138.126.238'
>        id: '302'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '120000'
>        Level: '5'
>        Description: 'Registration Attempt'
> **Alert to be generated.
>
> I am trying to track registration activity to a web service and trigger a
> custom AR script if multiple registration attempts occur from the same
> source IP.
>
> If anyone would like to share their IIS decoders I would be most
> appreciative. I don't know why OSSEC doesn't have a user-contributed
> exchange of decoders, much like the Nagios community used to have with custom
> plugins.
>
> Many thanks for any advice on decoding IIS.
>
> James Whittington
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
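The following is an added example, not code from this thread and not OSSEC's shipped decoder.xml. It assumes the posted line is the 22-column IIS W3C layout with the standard field names in this order: date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken (check the #Fields header of your own log, since IIS lets you pick columns per site). The decoder name, rule ids, threshold, timeframe and command name are hypothetical. The child decoder hangs off windows-date-format, which is the decoder the logtest output above shows matching, but writes its prematch and regex against the whole line rather than with offset="after_parent", so it does not depend on exactly where the parent's prematch ends. It splits cs-uri-stem from cs-uri-query, so url becomes '/register' instead of '/register -', maps the client IP to srcip, the method to action and the HTTP status to id, and the rules then count POST /register per source IP and hand the IP to an active-response command.

```xml
<!-- Added example decoder (not OSSEC's stock decoder). Put it in whichever
     decoder file your ossec.conf loads, after the windows-date-format decoder.
     OSSEC's regex dialect is not PCRE: \S is non-space, \d is a digit, \w is
     alphanumeric, and every column here is space-delimited, so \S+ stops at
     the next space without needing backtracking. -->
<decoder name="iis-w3svc-azure">
  <parent>windows-date-format</parent>
  <!-- Assumed: site name column starts with W3SVC, as in the posted line. -->
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d W3SVC\d+ </prematch>
  <!-- Columns: date time s-sitename (s-computername) s-ip (cs-method)
       (cs-uri-stem) (cs-uri-query) s-port cs-username (c-ip) cs-version
       cs(User-Agent) cs(Cookie) cs(Referer) cs-host (sc-status) ... -->
  <regex>^\S+ \S+ \S+ (\S+) \S+ (\w+) (\S+) (\S+) \d+ \S+ (\S+) \S+ \S+ \S+ \S+ \S+ (\d+) </regex>
  <order>system_name, action, url, extra_data, srcip, id</order>
</decoder>

<!-- Added example rules (hypothetical ids in the 100000+ local range). -->
<group name="iis,local,">
  <!-- One registration attempt: method and exact path from the decoder above. -->
  <rule id="100200" level="5">
    <decoded_as>iis-w3svc-azure</decoded_as>
    <action>POST</action>
    <url>^/register$</url>
    <description>IIS: registration attempt (POST /register).</description>
  </rule>

  <!-- Assumed threshold: 6 attempts from one client IP inside 5 minutes.
       same_source_ip keys the counter on the srcip field set by the decoder. -->
  <rule id="100201" level="10" frequency="6" timeframe="300">
    <if_matched_sid>100200</if_matched_sid>
    <same_source_ip />
    <description>IIS: multiple registration attempts from the same source IP.</description>
  </rule>
</group>

<!-- Added example ossec.conf fragment: run a custom script (hypothetical
     name) with the offending source IP when rule 100201 fires. -->
<command>
  <name>registration-flood</name>
  <executable>registration-flood.sh</executable>
  <expect>srcip</expect>
</command>
<active-response>
  <command>registration-flood</command>
  <location>local</location>
  <rules_id>100201</rules_id>
</active-response>
```

Feed the posted line through ossec-logtest after adding the decoder: Phase 2 should now report decoder 'iis-w3svc-azure' with url '/register', action 'POST', extra_data '-', srcip '120.138.126.238' and id '302', and Phase 3 should hit rule 100200. Only the frequency rule (100201) is wired to the active response, so a single registration never triggers the script; pasting the same line six times into logtest within the timeframe shows the escalation. If your #Fields order differs from the assumed one, shift the capture groups in the regex accordingly rather than editing the order list.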
