I am experiencing an issue where the presence of a child decoder prevents 
the fields in the parent decoder from being decoded. 

We log all bash commands made by users on our systems. The format of these 
log messages looks like this:
Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami
Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337

My goal is to extract the user ids 0(vader) and 42(chuck) from the header 
common to both messages. For the telnet message, I want to decode the dst 
ip and port (jupiter2 and 1337). 

I have the following decoders defined:
<decoder name="bash-stalker">
  <program_name>bash</program_name>
  <prematch>^HISTORY: PID=\d+ </prematch>
  <regex offset="after_prematch">^UID=(\S*) </regex>
  <order>user</order>
</decoder>


<decoder name="telnet-request">
  <parent>bash-stalker</parent>
  <prematch offset="after_parent">telnet </prematch>
  <regex offset="after_prematch">^(\S+) (\d+)</regex>
  <order>dstip,dstport</order>
</decoder>

When telnet-request is present, user is not decoded for any log message, 
telnet or not. dstip and dstport are decoded correctly. If I comment 
telnet-request out, then user is decoded properly for all log messages. I 
want all three fields when they're available. 

Am I missing a subtlety of parent decoders? Could someone point me in the 
right direction?



Extra information, if it helps - here is the output of logtest in both 
cases: 

*telnet-request is present:*
Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami


**Phase 1: Completed pre-decoding.
       full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami'
       hostname: 'mars31'
       program_name: 'bash'
       log: 'HISTORY: PID=45234 UID=0(vader) whoami'


**Phase 2: Completed decoding.
       decoder: 'bash-stalker'


Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337


**Phase 1: Completed pre-decoding.
       full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
       hostname: 'mars31'
       program_name: 'bash'
       log: 'HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'


**Phase 2: Completed decoding.
       decoder: 'bash-stalker'
       dstip: 'jupiter2'
       dstport: '1337'



*telnet-request is commented out:*
Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami


**Phase 1: Completed pre-decoding.
       full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami'
       hostname: 'mars31'
       program_name: 'bash'
       log: 'HISTORY: PID=45234 UID=0(vader) whoami'


**Phase 2: Completed decoding.
       decoder: 'bash-stalker'
       dstuser: '0(vader)'


**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '6'
       Description: 'command as root'


Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337


**Phase 1: Completed pre-decoding.
       full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
       hostname: 'mars31'
       program_name: 'bash'
       log: 'HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'


**Phase 2: Completed decoding.
       decoder: 'bash-stalker'
       dstuser: '42(chuck)'


**Phase 3: Completed filtering (rules).
       Rule id: '100003'
       Level: '3'
       Description: 'telnet connection'



You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
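As an added check, not part of the post above and not OSSEC's decoder engine: a small Python emulation of the two decoders, applied to constructed copies of the two sample events, that shows the fields the decoders are meant to yield when both the parent regex and the child regex run. It assumes that offset="after_parent" means "after the parent's prematch" and translates the OSSEC regex syntax to Python re.

```python
import re

# Constructed copies of the "log" part of the two events from the post
# (the part left after ossec-logtest's pre-decoding phase).
EVENTS = [
    "HISTORY: PID=45234 UID=0(vader) whoami",
    "HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337",
]

# The bash-stalker parent and telnet-request child decoders from the post,
# rewritten with Python re syntax. This is an emulation for checking the
# regexes, not OSSEC's real matching code (assumption: after_parent starts
# where the parent's prematch ended).
PARENT = {"prematch": r"^HISTORY: PID=\d+ ", "regex": r"^UID=(\S*) ", "order": ["user"]}
CHILD = {"prematch": r"telnet ", "regex": r"^(\S+) (\d+)", "order": ["dstip", "dstport"]}


def decode(log):
    """Return the fields the parent and child decoders should extract from one event."""
    fields = {}
    pre = re.search(PARENT["prematch"], log)
    if not pre:
        return fields  # parent prematch failed: bash-stalker does not apply
    after_parent = log[pre.end():]  # text for offset="after_prematch" / "after_parent"

    # Parent regex runs against the text after the parent's prematch.
    m = re.search(PARENT["regex"], after_parent)
    if m:
        fields.update(zip(PARENT["order"], m.groups()))

    # Child prematch is searched in the same remainder; its regex then runs
    # after the child's own prematch.
    cpre = re.search(CHILD["prematch"], after_parent)
    if cpre:
        m = re.search(CHILD["regex"], after_parent[cpre.end():])
        if m:
            fields.update(zip(CHILD["order"], m.groups()))
    return fields


if __name__ == "__main__":
    for event in EVENTS:
        print(event, "->", decode(event))
```

Both regexes match independently on the second event, so the expected result there is all three fields (user, dstip, dstport) and only user on the first.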