Hi Santiago!

Thanks for your input. As you pointed out the \D+ is out of place and I 
couldn't figure out why that would match whereas the latter regex, that I 
believed to be more complete, wouldn't. With input from Dan and yourself, I 
realize that OSSEC is offering a helping hand in stripping the transport 
header. If I got this right, I should match against what logtest outputs 
after log: and not the full string?

Best regards,
Fredrik 

On Thursday, January 28, 2016 at 12:12:53 AM UTC+1, Santiago Bassett wrote:
>
> Agree with Dan, also double check the regexes, as it looks like there are 
> some inconsistencies at the end. I don't think that \D+ is in the right 
> place.
>
> Best
>
> On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
>>
>> On Jan 27, 2016 10:06 AM, "Fredrik" <fredri...@gmail.com> wrote:
>> >
>> > Hi All,
>> >
>> >
>> > Been working on a regex to match highlighted part of the (event) string 
>> below:
>> >
>> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail 
>> src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; 
>> app_desc: ******; app_id: 10063753; app_category: ******; matched_category: 
>> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; 
>> app_rule_name: ******; web_client_type: Chrome; web_server_type: 
>> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
>> Application Control; service: http; s_port: 58579; product_family: Network;
>> >
>> > ... but I just can't get it to match the string I'm hoping to catch. I 
>> have tried different additions to the regex below, please note that it is 
>> not complete as I have not got past this point without failure - yet ;) I 
>> would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 
>> >
>> > <prematch>^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+</prematch> 
>> >
>> > I'm sure I'm missing something obvious, any hints would be greatly 
>> appreciated. One example of a string that won't work is below (I have 
>> included ossec_logtest output for reference):
>> >
>> > <prematch>^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ 
>> st4600fw01n/d*</prematch>
>> >
>> > admin@lab-host99:/var/ossec/bin# ./ossec-logtest
>> > 2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
>> > 2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
>> > ossec-testrule: Type one log per line.
>> >
>> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail 
>> src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; 
>> app_desc: ******; app_id: 10063753; app_category: ******; matched_category: 
>> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; 
>> app_rule_name: ******; web_client_type: Chrome; web_server_type: 
>> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
>> Application Control; service: http; s_port: 58579; product_family: Network;
>> >
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 
>> st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: 
>> tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: 
>> ******; matched_category: ******; app_properties: ******; app_risk: ******; 
>> app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; 
>> web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: 
>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
>> Application Control; service: http; s_port: 58579; product_family: Network;'
>> >        hostname: '127.0.0.1'
>> >        program_name: '(null)'
>> >        log: 'Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 
>> 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: 
>> ******; app_id: 10063753; app_category: ******; matched_category: ******; 
>> app_properties: ******; app_risk: ******; app_rule_id: ******; 
>> app_rule_name: ******; web_client_type: Chrome; web_server_type: 
>> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
>> Application Control; service: http; s_port: 58579; product_family: Network;'
>> >
>>
>> Notice that in the "log:" entry part of what you highlighted has been 
>> removed. It's a transport header, and ossec generally tries to remove those 
>> from processing.
>>
>> > **Phase 2: Completed decoding.
>> >        No decoder matched.
>> >
>> >
>> > Best,
>> > Fredrik 
>> >
>> > -- 
>> >
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>>
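Dan's point (OSSEC strips the syslog transport header before any decoder sees the line) as an added example that is not code from this thread or from OSSEC itself: a small Python model of the pre-decoding step, run over the event from the post, showing that a prematch written for the full event fails against the `log:` value while one written for the stripped value matches and yields the fields a decoder would extract. Python's `re` stands in for OSSEC's own regex engine, so the pattern syntax is an approximation of what goes into a decoder file.

```python
import re

# Constructed sample: the event from the post, with the masked fields kept as "******"
# and a few of the repeated "******" fields dropped for brevity.
FULL_EVENT = (
    "Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail "
    "src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; "
    "app_id: 10063753; web_client_type: Chrome; resource: http://www.aliveproxy.com/; "
    "proxy_src_ip: 192.168.1.15 product: Application Control; service: http; "
    "s_port: 58579; product_family: Network;"
)

# Approximation of OSSEC's syslog pre-decoder: strip "MMM DD HH:MM:SS hostname "
# (the transport header) and hand the remainder to the decoders as "log".
TRANSPORT_HDR = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2} (\S+) (.*)$")

def predecode(event):
    """Return (hostname, log) the way ossec-logtest's Phase 1 reports them."""
    m = TRANSPORT_HDR.match(event)
    if not m:
        return None, event          # no syslog header: the whole line is the log
    return m.group(1), m.group(2)   # hostname, log

# A prematch written against the full event (the approach in the original post):
# it expects the dotted hostname right after the first timestamp.
PREMATCH_FULL = re.compile(
    r"^\w+ \d+ \d+:\d+:\d+ \d+\.\d+\.\d+\.\d+ \w+ \d+ \d+:\d+:\d+ ")
# A prematch written against the "log:" value, i.e. after the header is gone.
PREMATCH_LOG = re.compile(r"^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d+ allow ")
# Field extraction (what an OSSEC <regex> would pull out), also against the log value.
FIELDS = re.compile(
    r"src: (\d+\.\d+\.\d+\.\d+); dst: (\d+\.\d+\.\d+\.\d+); proto: (\w+);")

def decode(event):
    """Run both prematches against the stripped log and extract fields on success."""
    hostname, log = predecode(event)
    result = {
        "hostname": hostname,
        "prematch_full_event_on_log": bool(PREMATCH_FULL.match(log)),
        "prematch_log_on_log": bool(PREMATCH_LOG.match(log)),
    }
    f = FIELDS.search(log)
    if f and result["prematch_log_on_log"]:
        result.update(srcip=f.group(1), dstip=f.group(2), protocol=f.group(3))
    return result

if __name__ == "__main__":
    print(decode(FULL_EVENT))
```

In a real decoder the second prematch goes into `<prematch>` and the field pattern into `<regex>` with `<order>srcip,dstip,protocol</order>`; OSSEC's own engine treats `.` literally (and `\.` as "any character"), so the IP groups are written `(\d+.\d+.\d+.\d+)` there rather than with escaped dots.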
