Hi Michael, it is the normal behaviour. A parent decoder must be used to group logs and child decoders to extract fields. Example:
*local_decoder.xml*

<!--
Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami
Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337
-->
<decoder name="bash">
  <program_name>bash</program_name>
</decoder>

<!-- children are tried in the order they are defined and the first match wins,
     so the more specific decoder goes first -->
<decoder name="bash-telnet">
  <parent>bash</parent>
  <prematch offset="after_parent">telnet </prematch>
  <regex offset="after_parent">^HISTORY: PID=\d+ UID=\d+\((\S+)\) (\S+) (\S+) (\d+)</regex>
  <order>user,extra_data,dstip,dstport</order>
</decoder>

<decoder name="bash-general">
  <parent>bash</parent>
  <prematch offset="after_parent">^HISTORY: PID=\d+ </prematch>
  <regex offset="after_prematch">^UID=\d+\((\S+)\) (\S+)</regex>
  <order>user,extra_data</order>
</decoder>

*local_rules.xml*

<group name="test,">
  <rule id="100100" level="0">
    <decoded_as>bash</decoded_as>
    <description>bash messages grouped.</description>
  </rule>
</group>

*ossec-logtest*:

Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami

**Phase 2: Completed decoding.
       decoder: 'bash'
       dstuser: 'vader'
       extra_data: 'whoami'

**Phase 3: Completed filtering (rules).
       Rule id: '100100'
       Level: '0'
       Description: 'bash messages grouped.'

Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337

**Phase 2: Completed decoding.
       decoder: 'bash'
       dstuser: 'chuck'
       extra_data: 'telnet'
       dstip: 'jupiter2'
       dstport: '1337'

**Phase 3: Completed filtering (rules).
       Rule id: '100100'
       Level: '0'
       Description: 'bash messages grouped.'

I used the field *extra_data* to extract the command. I hope it helps.

Regards.

On Wednesday, August 17, 2016 at 10:40:50 PM UTC+2, dan (ddpbsd) wrote:
>
> On Aug 17, 2016 4:37 PM, "Michael P." <haple...@gmail.com> wrote:
> >
> > I am experiencing an issue where the presence of a child decoder prevents the fields in the parent decoder from being decoded.
> >
> > We log all bash commands made by users on our systems. The format of these log messages looks like this:
> >
> > Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami
> > Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337
> >
> > My goal is to extract the user ids 0(vader) and 42(chuck) from the header common to both messages. For the telnet message, I want to decode the dst ip and port (jupiter2 and 1337).
> >
> > I have the following decoders defined:
> >
> > <decoder name="bash-stalker">
> >   <program_name>bash</program_name>
> >   <prematch>^HISTORY: PID=\d+ </prematch>
> >   <regex offset="after_prematch">^UID=(\S*) </regex>
> >   <order>user</order>
> > </decoder>
> >
> > <decoder name="telnet-request">
> >   <parent>bash-stalker</parent>
> >   <prematch offset="after_parent">telnet </prematch>
> >   <regex offset="after_prematch">^(\S+) (\d+)</regex>
> >   <order>dstip,dstport</order>
> > </decoder>
> >
> > When telnet-request is present, user is not decoded for any log message, telnet or not. dstip and dstport are decoded correctly. If I comment telnet-request out, then user is decoded properly for all log messages. I want all three fields when they're available.
> >
> > Am I missing a subtlety of parent decoders? Could someone point me in the right direction?
> >
> I think that's just the way it is. You can name the second decoder the same thing though and decode extra fields. I can't remember if there's an example in decoders or not, but it isn't too hard (I'm on my phone or I'd provide an example).
>
> > Extra information, if it helps - here is the output of logtest in both cases:
> >
> > telnet-request is present:
> >
> > Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami'
> >        hostname: 'mars31'
> >        program_name: 'bash'
> >        log: 'HISTORY: PID=45234 UID=0(vader) whoami'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'bash-stalker'
> >
> > Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
> >        hostname: 'mars31'
> >        program_name: 'bash'
> >        log: 'HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'bash-stalker'
> >        dstip: 'jupiter2'
> >        dstport: '1337'
> >
> > telnet-request is commented out:
> >
> > Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami'
> >        hostname: 'mars31'
> >        program_name: 'bash'
> >        log: 'HISTORY: PID=45234 UID=0(vader) whoami'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'bash-stalker'
> >        dstuser: '0(vader)'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100002'
> >        Level: '6'
> >        Description: 'command as root'
> >
> > Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
> >        hostname: 'mars31'
> >        program_name: 'bash'
> >        log: 'HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'bash-stalker'
> >        dstuser: '42(chuck)'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100003'
> >        Level: '3'
> >        Description: 'telnet connection'
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
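As an added illustration that is not part of this thread and not OSSEC's own code: the following Python script emulates the parent/child decoder selection the reply describes, just closely enough to reproduce the three ossec-logtest runs quoted above (original poster's decoders, the same with the child removed, and the decoders from the reply). It runs over the two sample lines from the thread, constructed here in their pre-decoded form (program_name plus the `log` part). The dict layout, `_extract`, `decode` and `run` are this example's own; the behaviour it models (only the children's regexes run once a parent has children, first matching child wins, the parent's name is reported) is what the logtest output in the thread shows, and the patterns are handed to Python's `re` unchanged because the subset of OSSEC regex syntax they use means the same in both.

```python
import re

# Constructed input: the two sample lines from the thread, already pre-decoded
# the way ossec-logtest prints them (program_name and the `log` part, header stripped).
EVENTS = [
    ("bash", "HISTORY: PID=45234 UID=0(vader) whoami"),
    ("bash", "HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337"),
]

# Original poster's decoders: the parent carries the regex, one child handles telnet.
ORIGINAL = [
    {"name": "bash-stalker", "program_name": "bash",
     "prematch": r"^HISTORY: PID=\d+ ",
     "regex": r"^UID=(\S*) ", "regex_offset": "after_prematch", "order": "user"},
    {"name": "telnet-request", "parent": "bash-stalker",
     "prematch": r"telnet ", "prematch_offset": "after_parent",
     "regex": r"^(\S+) (\d+)", "regex_offset": "after_prematch",
     "order": "dstip,dstport"},
]

# Reply's decoders: the parent only groups; every field is extracted by a child,
# and the more specific child is listed first because the first matching child wins.
FIXED = [
    {"name": "bash", "program_name": "bash"},
    {"name": "bash-telnet", "parent": "bash",
     "prematch": r"telnet ", "prematch_offset": "after_parent",
     "regex": r"^HISTORY: PID=\d+ UID=\d+\((\S+)\) (\S+) (\S+) (\d+)",
     "regex_offset": "after_parent", "order": "user,extra_data,dstip,dstport"},
    {"name": "bash-general", "parent": "bash",
     "prematch": r"^HISTORY: PID=\d+ ", "prematch_offset": "after_parent",
     "regex": r"^UID=\d+\((\S+)\) (\S+)", "regex_offset": "after_prematch",
     "order": "user,extra_data"},
]


def _extract(dec, log, after_parent):
    """Apply one decoder's prematch and regex to `log`, honouring the offset
    attributes. Returns the field dict, or None when the decoder does not match.
    Slicing the log at the offset makes a leading ^ anchor at that position,
    which is how after_parent / after_prematch behave in OSSEC."""
    after_prematch = after_parent
    if dec.get("prematch"):
        base = after_parent if dec.get("prematch_offset") == "after_parent" else 0
        m = re.search(dec["prematch"], log[base:])
        if not m:
            return None
        after_prematch = base + m.end()
    if not dec.get("regex"):
        return {}
    base = {"after_parent": after_parent,
            "after_prematch": after_prematch}.get(dec.get("regex_offset"), 0)
    m = re.search(dec["regex"], log[base:])
    if not m:
        return None
    return dict(zip(dec["order"].split(","), m.groups()))


def decode(decoders, program_name, log):
    """Return (decoder name as logtest reports it, decoded fields) for one event."""
    for parent in (d for d in decoders if "parent" not in d):
        if parent.get("program_name") and parent["program_name"] != program_name:
            continue
        after_parent = 0
        if parent.get("prematch"):
            m = re.search(parent["prematch"], log)
            if not m:
                continue
            after_parent = m.end()
        children = [d for d in decoders if d.get("parent") == parent["name"]]
        # Behaviour the thread demonstrates: once a parent has children, only the
        # children's regexes run; the parent's own regex is not used as a fallback.
        for candidate in children or [parent]:
            fields = _extract(candidate, log, after_parent)
            if fields is not None:
                return parent["name"], fields
        return parent["name"], {}
    return None, {}


def run(decoders):
    """Decode every sample event; mirrors the Phase 2 lines of ossec-logtest."""
    return [decode(decoders, prog, log) for prog, log in EVENTS]


if __name__ == "__main__":
    for label, decoders in (("original", ORIGINAL),
                            ("original, child removed", ORIGINAL[:1]),
                            ("reply", FIXED)):
        print(label)
        for name, fields in run(decoders):
            print(f"  decoder: {name!r} fields: {fields}")
```

Two things worth noting when reading the output: ossec-logtest prints the `user` field as `dstuser`, so the emulation's `user` key corresponds to the `dstuser:` lines above; and child order is not cosmetic. Swapping `bash-telnet` and `bash-general` makes `bash-general` win for the telnet line too (its prematch matches both messages), so `dstip` and `dstport` silently disappear again, which is exactly the kind of regression a quick logtest run catches before a decoder change reaches production.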