Okay this message is wandering into a whole separate topic but I have found examples of rules and decoders scattered throughout OSSEC message lists that may or may not be committed into OSSEC official source - I found fixes to the broken Windows null route routines - I found a decoder for IIS 7.5 FTP - I also had written a simple decoder for Filezilla FTP Logs
My point is there has been some really good user contributed content sitting in OSSEC forums and I can only guess at reasons why those users never saw fit to contribute officially to OSSEC. In my case I would want others to provide feedback and improve upon a decoder before I would offer it up as a decoder. After all it may work for me but not for other setups. I think about places like splunkbase, nagiosexchange and osticket where users could easily contribute to the project without having to dig into source code. Just my two cents.

On Wed, Jul 30, 2014 at 11:40 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Jul 30, 2014 at 11:31 AM, James Whittington
> <[email protected]> wrote:
> > Dan, thanks for taking a quick look at the log line.
> > I'll try to modify the iis6 decoder and see what happens then.
> > I have an OSSEC test system I feed logs to so I can try it out on that
> > system first.
> >
> > I think this would give me enough info to work with.
> >
> > I am trying to catch multiple website registration attempts from the
> > same ip but only on post actions.
> > I need to filter out some http 500 error alarms from google bots
> >
> > I work with web applications with about 90% being IIS based and 10%
> > Apache based so I would love to see more progress on the Windows Client
> > side and Windows support.
> >
>
> Fire up a text editor and jump aboard.
>
> > Also was there discussion in the past about having a place for user
> > contributed content?
>
> I don't think there's been enough interest lately to even worry about
> that yet. Emailing decoders/rules or contributing via github are both
> easy to do. I try not to linger too long on decoder/rule
> contributions.
>
> > I know OSSEC has invited folks to help develop but I bet a LOT of the
> > OSSEC userbase are more systems people than pure developers.
> > But I bet those systems people have created really great decoders to
> > fully utilize OSSEC that they would share if there were a place for them
> > to do so.
> >
> > And most of those people have not tried to contribute those decoders.
> >
> > James Whittington
> >
> > On Wed, Jul 30, 2014 at 11:00 AM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Wed, Jul 30, 2014 at 10:55 AM, dan (ddp) <[email protected]> wrote:
> >> > On Wed, Jul 30, 2014 at 10:28 AM, James Whittington
> >> > <[email protected]> wrote:
> >> >> I have seen several examples of decoders folks have written for IIS 7.
> >> >> I have tried out a couple of different ones yet each time the
> >> >> ossec-logtest stops at the windows-date-format decoder.
> >> >>
> >> >> Additionally one of the examples of an IIS 7 decoder is in an OSSEC
> >> >> bug "web-log category doesn't work"
> >> >> (https://github.com/ossec/ossec-hids/issues/164).
> >> >>
> >> >> So I am left wondering if anyone is successfully decoding IIS logs on
> >> >> Windows 2008-2012 servers?
> >> >>
> >> >> I am currently running OSSEC v2.7.1, I see 2.8 is out but I didn't
> >> >> see anything in the release notes about updates to IIS logs?
> >> >>
> >> >> I would like to write some custom rules on post actions to specific
> >> >> urls but the windows-date-format decoder doesn't extract the correct
> >> >> fields that I need.
> >> >
> >> > What fields do you need that are missing?
> >> >
> >>
> >> (This gives me the POST:
> >>
> >> <decoder name="web-accesslog-iis6">
> >>   <parent>windows-date-format</parent>
> >>   <type>web-log</type>
> >>   <use_own_name>true</use_own_name>
> >>   <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
> >>   <regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
> >>   <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
> >>   <order>action, url, srcip, id</order>
> >> </decoder>
> >>
> >> Just replace the current web-accesslog-iis6 entry. BUT TEST IT before
> >> putting it into production.)
> >>
> >> >> Here is an example line and what I am seeing when I run a logtest on
> >> >> it:
> >> >>
> >> >> 2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667
> >> >>
> >> >>
> >> >> **Phase 1: Completed pre-decoding.
> >> >> full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
> >> >> hostname: 'monitor'
> >> >> program_name: '(null)'
> >> >> log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
> >> >>
> >> >> **Phase 2: Completed decoding.
> >> >> decoder: 'windows-date-format'
> >> >> url: '/register -'
> >> >> srcip: '120.138.126.238'
> >> >> id: '302'
> >> >>
> >> >> **Phase 3: Completed filtering (rules).
> >> >> Rule id: '120000'
> >> >> Level: '5'
> >> >> Description: 'Registration Attempt'
> >> >> **Alert to be generated.
> >> >>
> >> >>
> >> >> I am trying to track registration activity to a web service and
> >> >> trigger a custom AR script if multiple registration attempts occur
> >> >> from the same source ip.
> >> >>
> >> >> If anyone would like to share their IIS decoders I would be most
> >> >> appreciative, I don't know why OSSEC doesn't have a user contributed
> >> >> exchange of decoders much like the nagios community used to have with
> >> >> custom plugins.
> >> >>
> >> >> Many thanks for any advice on decoding IIS.
> >> >>
> >> >> James Whittington
> >> >>
> >> >> --
> >> >>
> >> >> ---
> >> >> You received this message because you are subscribed to the Google
> >> >> Groups "ossec-list" group.
> >> >> To unsubscribe from this group and stop receiving emails from it,
> >> >> send an email to [email protected].
> >> >> For more options, visit https://groups.google.com/d/optout.
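As an added example (not code from the thread, from OSSEC, or from either poster), the web-accesslog-iis6 decoder dan posted above translated into a Python regex, run over constructed IIS W3C lines in the layout James showed, followed by the per-source-IP count of POST /register requests that James wants to alert on. It assumes the windows-date-format parent consumes the leading timestamp and that OSSEC concatenates the two <regex> elements into one pattern; the sample lines and the second IP (203.0.113.7) are constructed.

```python
import re
from collections import Counter

# Python re translation of the web-accesslog-iis6 decoder dan posted.
# Assumptions: the windows-date-format parent consumes the leading
# "YYYY-MM-DD HH:MM:SS ", and OSSEC concatenates the two <regex> elements
# into one pattern. In OSSEC syntax "\." means any character while a bare
# "." is a literal dot, so the IPv4 group is written with escaped dots here.
PARENT = r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d "
PREMATCH = r"W3SVC\d+ \S+ \S+ "
FIELDS = (r"(?P<action>\S+) (?P<url>\S+ \S+) \d+ \S+ "
          r"(?P<srcip>\d+\.\d+\.\d+\.\d+) "
          r"\S+ \S+ \S+ \S+ \S+ (?P<id>\d+) ")
LINE_RE = re.compile(PARENT + PREMATCH + FIELDS)

def decode(line):
    """Return the decoder's four fields for one IIS W3C line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def registration_posts_by_ip(lines, path="/register", threshold=3):
    """Count POSTs whose cs-uri-stem is `path` per source IP and return
    the IPs that reach `threshold` (the condition the thread wants to
    alert on); GETs and other paths are ignored."""
    hits = Counter()
    for line in lines:
        f = decode(line)
        # url holds "cs-uri-stem cs-uri-query"; compare only the stem
        if f and f["action"] == "POST" and f["url"].split()[0] == path:
            hits[f["srcip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def _iis_line(ts, action, stem, srcip, status):
    """Build a constructed sample line in the field layout shown in the thread."""
    return (f"2014-07-30 {ts} W3SVC1273337584 RD00155D43396D 10.207.230.34 "
            f"{action} {stem} - 443 - {srcip} HTTP/1.1 Mozilla/5.0+(Windows) "
            f"_ga=GA1.2.1301279074.1406725635;+_dc=1 "
            f"https://www.cognitoforms.com{stem} www.cognitoforms.com "
            f"{status} 0 0 949 2509 3667")

# Constructed sample: three POSTs to /register from one IP, one GET from
# the same IP, and one POST from a second (documentation-range) IP.
SAMPLE = [
    _iis_line("13:27:06", "POST", "/register", "120.138.126.238", 302),
    _iis_line("13:27:09", "GET", "/register", "120.138.126.238", 200),
    _iis_line("13:27:31", "POST", "/register", "120.138.126.238", 302),
    _iis_line("13:27:40", "POST", "/register", "203.0.113.7", 302),
    _iis_line("13:28:02", "POST", "/register", "120.138.126.238", 302),
]
```

Running `decode(SAMPLE[0])` gives the same four fields ossec-logtest showed in the thread once the decoder matches, and `registration_posts_by_ip(SAMPLE)` reports only the IP that reached the threshold.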
