Ok, I think I got it. Waiting till the server log level is tuned up a bit, then I
will go for it again.

On Friday, May 27, 2016 at 7:12:41 AM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, May 26, 2016 at 4:33 PM, Jacob Mcgrath <jacob.xt...@gmail.com> wrote:
> > 
> > 
> > Looking to take these logs from two separate server applications and
> > perform alerts and possibly responses to them.
> > 
> > server 1:
> >
> > 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
> > 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203
> > 
> > Server 2:
> >
> > 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
> > 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2
> > 
> > 
> > Right now I am just attempting to work with logs from Server1: to alert on
> > 200 & 4040 errors for web scans and the like, but it's a beginning.
> > 
> > 
> > Entry in local_decoder.xml:
> >
> > <decoder name="kronos-web">
> >   <parent>windows-date-format</parent>
> >   <use_own_name>true</use_own_name>
> >   <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
> >   <regex offset="after_prematch">(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
> >   <order>url,srcip,id</order>
> > </decoder>
> > 
> > 
> > 
> > Entry in local_rules.xml 
> > 
> > 
> > <group name="kronos-web,syslog,"> 
> >   <rule id="100007" level="0"> 
> >     <decoded_as>kronos-web</decoded_as> 
>
> This rule is assuming the events are decoded as "kronos-web," but as 
> you see in the logtest output they fall under "decoder: 
> 'windows-date-format'." 
>
> >     <description>Grouping for Kronos web rules.</description> 
> >   </rule> 
> > 
> >   <rule id="100008" level="5"> 
> >     <if_sid>100007</if_sid> 
> >     <id>404</id> 
> >     <description>IIS 7 Web Server 404 Error.</description> 
> >     <group>connection attempt,</group> 
> >   </rule> 
> > 
> >   <rule id="100009" level="5"> 
> >     <if_sid>100007</if_sid> 
> >     <id>200</id> 
> >     <description>IIS 7 Web Server 200 Error.</description> 
> >     <group>connection attempt,</group> 
> >   </rule> 
> > 
> >   <rule id="100010" level="10" frequency="10" timeframe="60"> 
> >     <if_matched_sid>100008,100009</if_matched_sid> 
> >     <description>Possible Kronos Web Scan/Attack Detected.</description> 
> >     <group>attacks,</group> 
> >   </rule> 
> > </group> 
> > 
> > 
> > 
> > 
> > When I run the logtest I get this output: I am getting the url, srcip
> > and id, but it is not getting to the rules I have created above...
> > 
> > 
> > **Phase 1: Completed pre-decoding.
> >        full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
> >        hostname: 'alamo'
> >        program_name: '(null)'
> >        log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'windows-date-format'
> >        url: '/wfc/portal -'
> >        srcip: '10.18.100.24'
> >        id: '200'
> > 
> > 
> > 
> > Am I missing something, like a basic idea behind this or a syntax thing? I
> > really do not know...
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
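Added example, not from the thread or from OSSEC: a Python rendering of the posted decoder regex and of the frequency="10" timeframe="60" logic of rule 100010, run over constructed IIS lines in the Server 1 format. It assumes Python regex semantics for OSSEC's `\.*` (written `.*` here) and keys the counter per source IP, which rule 100010 as posted does not specify.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python rendering of the posted decoder regex (OSSEC's "\.*" becomes ".*"). The
# "(\S+ \S*)" group is kept as posted, so url is "/wfc/portal -", as in the logtest output.
IIS_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+\.\d+\.\d+\.\d+ (?:GET|POST) "
    r"(\S+ \S*) .* (\d+\.\d+\.\d+\.\d+) \S*.* (\d{3}) \S+ \S+ \S+$"
)

def decode(line):
    """Return (timestamp, url, srcip, id) or None when the decoder would not match."""
    m = IIS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

class ScanDetector:
    """Sliding-window version of rule 100010 (frequency="10" timeframe="60" over
    ids 200/404), keyed per source IP, which is an assumption of this example."""

    def __init__(self, frequency=10, timeframe=60, ids=("200", "404")):
        self.frequency, self.window, self.ids = frequency, timedelta(seconds=timeframe), ids
        self.hits = defaultdict(deque)  # srcip -> timestamps of recent matching events

    def feed(self, line):
        """Return the source IP when it crosses the threshold, else None."""
        decoded = decode(line)
        if decoded is None or decoded[3] not in self.ids:
            return None  # rules 100008/100009 would not fire, so 100010 sees nothing
        ts, _url, srcip, _id = decoded
        q = self.hits[srcip]
        q.append(ts)
        while ts - q[0] > self.window:  # expire events older than the timeframe
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # one alert per burst
            return srcip
        return None

# Constructed sample: 10.0.0.99 probes 12 paths within a minute (all 404),
# while 10.18.100.24 makes one normal request in between.
UA = "Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0"
SAMPLE = [f"2016-05-26 15:45:{s:02d} 172.18.2.247 GET /probe{s} - 443 - 10.0.0.99 {UA} 404 0 2 203"
          for s in range(12)]
SAMPLE.insert(3, f"2016-05-26 15:45:03 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 {UA} 200 0 0 15")

def run(lines):
    det = ScanDetector()
    return [ip for ip in (det.feed(line) for line in lines) if ip]
```

Running `run(SAMPLE)` reports only 10.0.0.99, on its tenth matching event; the single request from 10.18.100.24 decodes but never reaches the threshold.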
