On Wed, Jul 6, 2016 at 5:31 AM, Martin Dulovič <[email protected]> wrote:
> Hi,
>
> so I am working on a decoder for Sophos UTM. I have written part of the decoder; it
> passes ossec-regex but fails ossec-logtest.
>
> Here is the log that I am trying to parse:
>
>
> May 13 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1
> httpproxy[6896]: id="0001" severity="info" sys="SecureWeb" sub="http"
> name="http access" action="pass" method="GET" srcip="10.10.10.10"
> dstip="10.10.10.20"
>
>
>
>
> And here is my decoder:
>
>
>
> <decoder name="sophos_data_format">
>  <prematch>^\w+\s+\d+ \d\d:\d\d:\d\d \d+.\d+.\d+.\d+
> \d\d\d\d:\d\d:\d\d-\d\d:\d\d:\d\d </prematch>
> </decoder>
>
>
> <decoder name="httpproxy">
>   <parent>sophos_data_format</parent>
>   <regex offset="after_parent">^(\S+) httpproxy[\d+]: id="\d+"
> severity="\w+" sys="\w+" sub="\w+" name="\.+" action="(\w+)" method="\w+"
> srcip="(\S+)" dstip="(\S*)"</regex>
>   <order>url,action,srcip,dstip</order>
> </decoder>
>
>
>
> But for some reason, the decoder works only if the log starts like this:
>
>
> May 1 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1
> httpproxy[6896]: id="0001" severity="info" sys="SecureWeb" sub="http"
> name="http access" action="pass" method="GET" srcip="10.10.10.10"
> dstip="10.10.10.20"
>
>
>
>
> And it does NOT work for these formats:
>
> May  1 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1
> httpproxy[6896]: id="0001" severity="info" sys="SecureWeb" sub="http"
> name="http access" action="pass" method="GET" srcip="10.10.10.10"
> dstip="10.10.10.20"
>
>
> May 11 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1
> httpproxy[6896]: id="0001" severity="info" sys="SecureWeb" sub="http"
> name="http access" action="pass" method="GET" srcip="10.10.10.10"
> dstip="10.10.10.20"
>
>
>
>
> As I was saying, ossec-regex returns OK for all of these formats, but
> ossec-logtest returns OK only for the first.
>
> Can you help me please? Thanks in advance.
>

**Phase 1: Completed pre-decoding.
       full event: 'May 13 15:30:37 10.169.200.70 2016:05:13-15:30:38
sophos-dc-1 httpproxy[6896]: id="0001" severity="info" sys="SecureWeb"
sub="http" name="http access" action="pass" method="GET"
srcip="10.10.10.10" dstip="10.10.10.20"'
       hostname: '10.169.200.70'
       program_name: '(null)'
       log: '2016:05:13-15:30:38 sophos-dc-1 httpproxy[6896]:
id="0001" severity="info" sys="SecureWeb" sub="http" name="http
access" action="pass" method="GET" srcip="10.10.10.10"
dstip="10.10.10.20"'

**Phase 2: Completed decoding.
       No decoder matched.

The log field is what we need to look at for the decoder. In this case
the "May 13 15:30:37 10.169.200.70" is all predecoded out of the
message.
Changing the decoder to:
<decoder name="sophos_data_format">
 <prematch>^\w+\s+\d+ \d\d:\d\d:\d\d \d+.\d+.\d+.\d+
\d\d\d\d:\d\d:\d\d-\d\d:\d\d:\d\d |\d\d\d\d:\d\d:\d\d-\d\d:\d\d:\d\d
\S+ \S+: </prematch>
</decoder>

fixes this (all sample logs are decoded as sophos_data_format), but
I'm not sure if there is any fallout (other than breaking the
httpproxy decoder).
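An added example, not from the thread and not OSSEC's own code, that emulates the behaviour described above: pre-decoding strips the syslog header before any decoder runs, so a prematch has to match the `log` field rather than the full event. It assumes OSSEC recognises the `Mmm dd hh:mm:ss host ` header by a fixed-column check (offsets 3, 6, 9, 12, 15), translates the two prematch patterns and the httpproxy child regex into Python `re` by hand, and uses `\w+` for the first alternative as in the original decoder; the sample events are constructed from the log in the thread.

```python
import re

# Constructed sample events: the Sophos log body from the thread, prefixed with
# each syslog header variant the poster tried (body is identical in all of them).
BODY = ('2016:05:13-15:30:38 sophos-dc-1 httpproxy[6896]: id="0001" severity="info" '
        'sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" '
        'srcip="10.10.10.10" dstip="10.10.10.20"')
HEADERS = ["May 13 15:30:37", "May 1 15:30:37", "May  1 15:30:37", "May 11 15:30:37"]
RELAY = "10.169.200.70"

# Hand-translated Python equivalents of the OSSEC patterns in the thread
# ('\d{4}' for '\d\d\d\d'; '.' left as any-char, as OSSEC treats it).
ORIGINAL_PREMATCH = re.compile(
    r'^\w+\s+\d+ \d\d:\d\d:\d\d \d+.\d+.\d+.\d+ \d{4}:\d\d:\d\d-\d\d:\d\d:\d\d ')
FIXED_PREMATCH = re.compile(
    r'^\w+\s+\d+ \d\d:\d\d:\d\d \d+.\d+.\d+.\d+ \d{4}:\d\d:\d\d-\d\d:\d\d:\d\d '
    r'|\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d \S+ \S+: ')
# Child decoder regex, applied to the text left after the parent's prematch.
HTTPPROXY_REGEX = re.compile(r'^(\S+) httpproxy\[\d+\]: id="\d+"')


def pre_decode(event):
    """Emulate OSSEC syslog pre-decoding (assumption: the fixed-column check at
    offsets 3, 6, 9, 12 and 15 used to recognise 'Mmm dd hh:mm:ss'). Returns
    (hostname, log). The header is stripped only when it fits those columns, so
    'May 1 ' (one-digit day with a single space) is passed through untouched."""
    if (len(event) > 16 and event[3] == ' ' and event[6] == ' '
            and event[9] == ':' and event[12] == ':' and event[15] == ' '):
        hostname, _, log = event[16:].partition(' ')
        return hostname, log
    return None, event


def run_decoders(event):
    """Report what each prematch sees after pre-decoding and whether it matches,
    and whether the httpproxy child regex still matches after the fixed parent."""
    hostname, log = pre_decode(event)
    fixed = FIXED_PREMATCH.search(log)
    child = bool(fixed) and bool(HTTPPROXY_REGEX.search(log[fixed.end():]))
    return {"hostname": hostname, "log": log,
            "original_matches": bool(ORIGINAL_PREMATCH.search(log)),
            "fixed_matches": bool(fixed),
            "httpproxy_child_matches": child}


if __name__ == "__main__":
    for header in HEADERS:
        r = run_decoders(f"{header} {RELAY} {BODY}")
        print(f"{header!r:20} hostname={str(r['hostname']):15} "
              f"original={r['original_matches']} fixed={r['fixed_matches']} "
              f"child={r['httpproxy_child_matches']}")
```

The `May 1` line is the odd one out because its header never gets stripped, which is why the original prematch (written against the full event) matched only that sample in ossec-logtest while ossec-regex, which sees the whole line, accepted all of them.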

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
