On Wed, Jul 30, 2014 at 10:55 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Jul 30, 2014 at 10:28 AM, James Whittington
> <[email protected]> wrote:
>> I have seen several examples of decoders folks have written for IIS 7.
>> I have tried out a couple of different ones yet each time the ossec-logtest
>> stops at the windows-date-format decoder.
>>
>> Additionally one of the examples of an IIS 7 decoder is in an OSSEC bug
>> "web-log category doesn't work"
>> (https://github.com/ossec/ossec-hids/issues/164).
>>
>> So I am left wondering if anyone is successfully decoding IIS logs on
>> Windows 2008-2012 servers?
>>
>> I am currently running OSSEC v2.7.1, I see 2.8 is out but I didn't see
>> anything in the release notes about updates to IIS logs?
>>
>> I would like to write some custom rules on post actions to specific urls but
>> the windows-date-format decoder doesn't extract the correct fields that I
>> need.
>
> What fields do you need that are missing?
>

(This gives me the POST:

<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
  <order>action, url, srcip, id</order>
</decoder>

Just replace the current web-accesslog-iis6 entry. BUT TEST IT before putting it into production.)

>> Here is an example line and what I am seeing when I run a logtest on it:
>>
>> 2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST
>> /register - 443 - 120.138.126.238 HTTP/1.1
>> Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36
>> _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register
>> www.cognitoforms.com 302 0 0 949 2509 3667
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D
>> 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1
>> Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36
>> _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register
>> www.cognitoforms.com 302 0 0 949 2509 3667'
>> hostname: 'monitor'
>> program_name: '(null)'
>> log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D
>> 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1
>> Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36
>> _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register
>> www.cognitoforms.com 302 0 0 949 2509 3667'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'windows-date-format'
>> url: '/register -'
>> srcip: '120.138.126.238'
>> id: '302'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '120000'
>> Level: '5'
>> Description: 'Registration Attempt'
>> **Alert to be generated.
>>
>>
>> I am trying to track registration activity to a web service and trigger a
>> custom AR script if multiple registration attempts occur from the same
>> source ip.
>>
>> If anyone would like to share their IIS decoders I would be most
>> appreciative, I don't know why OSSEC doesn't have a user contributed
>> exchange of decoders much like the nagios community used to have with custom
>> plugins.
>>
>> Many thanks for any advice on decoding IIS.
>>
>> James Whittington
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
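As an added illustration (not part of the thread and not OSSEC's own code), the following Python script mirrors what the posted web-accesslog-iis6 decoder extracts from the sample IIS line above and then applies the per-source-IP threshold James describes, so the field mapping can be checked offline before the decoder goes into production. It assumes Python's re module approximates OSSEC's regex semantics for \S, \d and the date prefix stripped by the windows-date-format parent; the extra log lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Approximation of the decoder chain from the thread (assumption: Python re
# behaves like OSSEC's regex engine for these simple \S / \d patterns).
DATE_PREFIX = re.compile(r"^\d+-\d+-\d+ \d+:\d+:\d+ ")       # windows-date-format parent
PREMATCH = re.compile(r"^W3SVC\d+ \S+ \S+ ")                  # site id, host, server ip
FIELDS = re.compile(
    r"^(?P<action>\S+) (?P<url>\S+ \S+) \d+ \S+ (?P<srcip>\d+\.\d+\.\d+\.\d+) "
    r"\S+ \S+ \S+ \S+ \S+ (?P<id>\d+) "                     # second <regex>, concatenated
)

def decode(line):
    """Return the action/url/srcip/id fields the decoder would set, or None."""
    for pattern in (DATE_PREFIX, PREMATCH):
        m = pattern.match(line)
        if not m:
            return None
        line = line[m.end():]
    m = FIELDS.match(line)
    return m.groupdict() if m else None

def registration_attempts(lines, threshold=3):
    """Count POST /register per source IP and return IPs at or over threshold."""
    counts = Counter()
    for line in lines:
        fields = decode(line)
        if fields and fields["action"] == "POST" and fields["url"].startswith("/register "):
            counts[fields["srcip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# The example line from the thread, followed by constructed variants.
SAMPLE = ("2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - "
          "120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
          "+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 "
          "https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667")
CONSTRUCTED_LOG = (
    [SAMPLE]
    + [SAMPLE.replace("120.138.126.238", "203.0.113.5")] * 3          # three POSTs from one IP
    + [SAMPLE.replace("POST /register", "GET /login").replace("120.138.126.238", "203.0.113.5")]
)

if __name__ == "__main__":
    print(decode(SAMPLE))                     # {'action': 'POST', 'url': '/register -', ...}
    print(registration_attempts(CONSTRUCTED_LOG))   # {'203.0.113.5': 3}
```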
