My phase 3 is the same..

**Phase 1: Completed pre-decoding.
       full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
       hostname: 'alamo'
       program_name: '(null)'
       log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       url: '/wfc/portal -'
       srcip: '10.18.100.24'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'

On Thursday, May 26, 2016 at 4:05:55 PM UTC-5, Brent Morris wrote:
> Hi Jacob,
>
> What version of OSSEC are you on?
>
> It doesn't look like you've configured your IIS servers' logging to meet the OSSEC 2.8 decoder expectations. But even having said that, I'd submitted some "IIS default" decodes to the github repository some time back.
>
> So when I test your log against my OSSEC, I get a different result.
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>        hostname: 'lott-ossec'
>        program_name: '(null)'
>        log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        dstip: '172.18.2.247'
>        action: 'POST'
>        url: '/wfc/portal'
>        dstport: '443'
>        srcip: '10.18.100.24'
>        id: '200'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '31108'
>        Level: '0'
>        Description: 'Ignored URLs (simple queries).'
>
> But it looks like you have a decoder that is working. And having said that, I can't see what "**Phase 3" of your logtest shows for the output of the rule id. I only see Phase 1 and Phase 2... so there's no way for us to know what rule it is matching to compare against your local_rules.xml entries.
>
> On Thursday, May 26, 2016 at 1:35:30 PM UTC-7, Jacob Mcgrath wrote:
>> I am still struggling with the general syntax of regex...
>>
>> On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
>>> Looking to take these logs from two separate server applications and perform alerts and possibly responses to them.
>>>
>>> server 1:
>>>
>>> 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
>>> 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203
>>>
>>> Server 2:
>>>
>>> 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
>>> 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2
>>>
>>> Right now I am just attempting to work with logs from Server1: to alert on 200 & 404 errors for web scans and alike, but a beginning.
>>>
>>> Entry in local_decoder.xml:
>>>
>>> <decoder name="kronos-web">
>>>   <parent>windows-date-format</parent>
>>>   <use_own_name>true</use_own_name>
>>>   <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
>>>   <regex offset="after_prematch">(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
>>>   <order>url,srcip,id</order>
>>> </decoder>
>>>
>>> Entry in local_rules.xml
>>>
>>> <group name="kronos-web,syslog,">
>>>   <rule id="100007" level="0">
>>>     <decoded_as>kronos-web</decoded_as>
>>>     <description>Grouping for Kronos web rules.</description>
>>>   </rule>
>>>
>>>   <rule id="100008" level="5">
>>>     <if_sid>100007</if_sid>
>>>     <id>404</id>
>>>     <description>IIS 7 Web Server 404 Error.</description>
>>>     <group>connection attempt,</group>
>>>   </rule>
>>>
>>>   <rule id="100009" level="5">
>>>     <if_sid>100007</if_sid>
>>>     <id>200</id>
>>>     <description>IIS 7 Web Server 200 Error.</description>
>>>     <group>connection attempt,</group>
>>>   </rule>
>>>
>>>   <rule id="100010" level="10" frequency="10" timeframe="60">
>>>     <if_matched_sid>100008,100009</if_matched_sid>
>>>     <description>Possible Kronos Web Scan/Attack Detected.</description>
>>>     <group>attacks,</group>
>>>   </rule>
>>> </group>
>>>
>>> When I run the logtest I get this output: I am getting the url, srcip and id.. but it is not getting to the rules I have created above...
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>>>        hostname: 'alamo'
>>>        program_name: '(null)'
>>>        log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'windows-date-format'
>>>        url: '/wfc/portal -'
>>>        srcip: '10.18.100.24'
>>>        id: '200'
>>>
>>> Am I missing something like a base idea behind this or a syntax thing I really do not know...
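As an added illustration, and not code from this thread or from OSSEC itself, the Python below models the two things the thread is about: decoding the IIS W3C lines quoted above into url, srcip and id, and the frequency/timeframe correlation that rule 100010 expresses (10 matching hits from one client inside 60 seconds). It separates cs-uri-stem from cs-uri-query, which is the split the quoted decoder's `(\S+ \S*)` capture does not make and why its url comes out as '/wfc/portal -'. The assumed field order (the IIS 7 default W3C selection, with s-sitename and time-taken optional so both server shapes fit), the constructed burst of 404 lines, the rule number and description reused from the post, and the simplified sliding-window counting are all assumptions of the example; OSSEC's own counting and alert suppression behave differently.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed field order (IIS 7 default W3C selection); s-sitename and time-taken
# are optional so that both server shapes quoted in the thread decode:
#   date time [s-sitename] s-ip cs-method cs-uri-stem cs-uri-query s-port
#   cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status [time-taken]
IIS_W3C = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?:(?P<site>W3SVC\d+) )?"
    r"(?P<dstip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<action>[A-Z]+) (?P<url>\S+) (?P<query>\S+) (?P<dstport>\d+) "
    r"(?P<user>\S+) (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) (?P<agent>\S+) "
    r"(?P<id>\d{3}) (?P<substatus>\d+) (?P<win32>\d+)(?: (?P<time_taken>\d+))?$"
)


def decode(line):
    """Return the decoded fields as a dict (url, srcip, id, ...), or None if the line does not fit."""
    m = IIS_W3C.match(line.strip())
    return m.groupdict() if m else None


class ScanDetector:
    """Sliding-window model of a frequency/timeframe rule: fires once when one
    source IP produces `frequency` matching events within `timeframe` seconds.
    Simplified model; OSSEC's own counting and suppression differ."""

    def __init__(self, statuses=("200", "404"), frequency=10, timeframe=60):
        self.statuses = set(statuses)
        self.frequency = frequency
        self.timeframe = timeframe
        self.hits = defaultdict(deque)  # srcip -> timestamps of matching events

    def feed(self, line):
        """Feed one log line; return an alert dict when the threshold is crossed, else None."""
        ev = decode(line)
        if ev is None or ev["id"] not in self.statuses:
            return None  # undecodable line, or a status the child rules do not match
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S").timestamp()
        window = self.hits[ev["srcip"]]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:
            window.popleft()  # drop hits that fell out of the timeframe
        if len(window) >= self.frequency:
            window.clear()  # one alert per burst, then start counting again
            return {"rule": 100010, "level": 10, "srcip": ev["srcip"],
                    "description": "Possible Kronos Web Scan/Attack Detected."}
        return None


# The four lines quoted in the thread, in chronological order per server.
SAMPLE = [
    "2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203",
    "2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15",
    "2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0",
    "2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2",
]

# Constructed burst (not from the thread): twelve 404s from one client within 12 seconds.
BURST = [
    f"2016-05-26 15:50:{i:02d} 172.18.2.247 GET /wfc/missing{i} - 443 - 10.18.100.24 "
    f"Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 404 0 2 1"
    for i in range(12)
]


def run(lines):
    """Replay lines through one detector and return the alerts it raised."""
    det = ScanDetector()
    return [alert for alert in map(det.feed, lines) if alert]


if __name__ == "__main__":
    for line in SAMPLE:
        ev = decode(line)
        print({k: ev[k] for k in ("url", "srcip", "id")})
    print(run(SAMPLE + BURST))  # one alert for 10.18.100.24
```

Replaying only the four quoted lines raises nothing (two hits per client at most, and the server-1 pair is 452 seconds apart); appending the constructed burst raises exactly one alert at the tenth 404, after which the window resets and the remaining two hits count toward the next burst.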