Without the action match and order, it's OK:

<!--
Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp
proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
action=pass logtype="filter"#015
 -->
<decoder name="netasq-filter">
  <parent>netasq</parent>
  <prematch>logtype="filter"</prematch>
  <!-- nine capture groups, nine <order> fields: this variant decodes -->
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+)</regex>
  <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport</order>

<!-- segfault: the same regex with a tenth group and <order> field, action
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
  <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
-->
</decoder>


result:

**Phase 2: Completed decoding.
       decoder: 'netasq'
       id: 'firewall'
       extra_data: 'FW1'
       extra_data: 'port2'
       proto: 'tcp'
       proto: 'ssh'
       srcip: '192.168.10.2'
       srcport: '33659'
       dstip: '192.168.10.1'



With the action match and order, it crashes:

strace ./ossec-logtest

write(2, "\n**Phase 2: Completed decoding.", 31
**Phase 2: Completed decoding.) = 31
write(2, "\n", 1
)                       = 1
write(2, "       decoder: 'netasq'", 24       decoder: 'netasq') = 24
write(2, "\n", 1
)                       = 1
write(2, "       id: 'firewall'", 21       id: 'firewall')   = 21
write(2, "\n", 1
)                       = 1
write(2, "       extra_data: 'FW1'", 24       extra_data: 'FW1') = 24
write(2, "\n", 1
)                       = 1
write(2, "       extra_data: 'port2'", 26       extra_data: 'port2') = 26
write(2, "\n", 1
)                       = 1
write(2, "       proto: 'tcp'", 19       proto: 'tcp')     = 19
write(2, "\n", 1
)                       = 1
write(2, "       proto: 'ssh'", 19       proto: 'ssh')     = 19
write(2, "\n", 1
)                       = 1
write(2, "       srcip: '192.168.10.2'", 28       srcip: '192.168.10.2') = 28
write(2, "\n", 1
)                       = 1
write(2, "       srcport: '33659'", 23       srcport: '33659') = 23
write(2, "\n", 1
)                       = 1
write(2, "       dstip: '192.168.10.1'", 28       dstip: '192.168.10.1') = 28
write(2, "\n", 1
)                       = 1
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++



2016-12-09 16:35 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
>
>
> On Dec 9, 2016 5:51 AM, "Bertrand Danos" <mille...@gmail.com> wrote:
>
> Hello Dan,
>
> Thank you very much for your help.
>
> I have a problem with the following decoder and sample. It generates a
> segfault in ossec-logtest:
>
> <!---
> Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
> fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
> slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp
> proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
> action=pass logtype="filter"#015
> -->
>
> <decoder name="netasq-filter">
>   <parent>netasq</parent>
>   <prematch>logtype="filter"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
>   <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
> </decoder>
>
> The segfault appears before the display of dstport.
> For the 'action' item, I can't display it either.
>
>
> Any ideas?
>
>
>
> If you remove the action match and order, does it still segfault?
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

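An added check, not part of the thread and not OSSEC's own code: the script below re-implements, in Python, what ossec-logtest does with a `<regex>`/`<order>` pair and runs both decoders from the thread against the sample line quoted above, so the pattern can be exercised without touching analysisd. Both regexes match and return every group, dstport and action included, which points away from the pattern and toward the number of fields: the working run above prints exactly eight fields and stops short of dstport, the ninth. The translation of OSSEC's regex dialect into Python's `re` and the cap of eight `<order>` entries are assumptions of this example, not facts taken from OSSEC's source; the real per-decoder limit is a setting in analysisd's configuration (`decoder_order_size` in the versions I know of, which you should verify against yours).

```python
import re

# Constructed sample: the log line quoted in the thread with its syslog header
# ("Dec  2 14:37:42 192.168.10.1 ") removed, since ossec-analysisd strips the
# timestamp and hostname before a decoder's <regex> sees the event.
SAMPLE_LOG = (
    'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 '
    'startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 '
    'srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh '
    'src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp '
    'srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW '
    'action=pass logtype="filter"'
)

# The two <regex>/<order> pairs from the thread, e-mail line wrapping removed.
REGEX_OK = (
    r'^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" '
    r'ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) '
    r'dstport=(\d+)'
)
ORDER_OK = ('id, extra_data, extra_data, protocol, protocol, srcip, '
            'srcport, dstip, dstport')
REGEX_CRASH = REGEX_OK + r' \.+ action=(\S+)'
ORDER_CRASH = ORDER_OK + ', action'

# OSSEC's regex dialect -> Python re.  Only the atoms used on this page plus
# \s are translated; OSSEC's \w is wider than Python's (it also takes @ - _).
OSSEC_ATOMS = {'.': '.', 'S': r'\S', 's': r'\s', 'd': r'\d',
               'w': r'[A-Za-z0-9@_\-]'}


def ossec_to_python(pattern):
    """Translate an OSSEC <regex> body into an equivalent Python pattern.

    Assumption of this example: OSSEC's \\.+ stops as soon as the rest of the
    pattern can match, which Python's non-greedy .+? reproduces for the
    patterns in this thread.
    """
    out, i, after_any = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':
            nxt = pattern[i + 1]
            out.append(OSSEC_ATOMS.get(nxt, re.escape(nxt)))
            after_any = nxt == '.'
            i += 2
            continue
        if c in '+*':
            out.append(c + '?' if after_any else c)
        elif c in '^$()|':
            out.append(c)
        else:
            out.append(re.escape(c))   # '=', '"', ' ' are literals in OSSEC
        after_any = False
        i += 1
    return ''.join(out)


def decode(regex, order, log):
    """Apply a decoder the way analysisd does: the n-th capture group lands in
    the n-th <order> field.  Returns the (field, value) pairs in order, with
    repeated names (extra_data, protocol) kept as separate pairs the way
    ossec-logtest prints them, or None when the regex does not match."""
    names = [n.strip() for n in order.split(',')]
    m = re.search(ossec_to_python(regex), log)
    if m is None:
        return None
    return list(zip(names, m.groups()))


def check_decoder(regex, order, max_fields=8):
    """Pre-flight checks to run before ossec-logtest: do the capture groups and
    <order> names agree in number, and does the decoder stay under the
    per-decoder field cap?  The default cap of 8 is an assumption of this
    example (it matches the eight fields logtest printed in the thread before
    stopping); the real limit is set in analysisd's configuration."""
    groups = re.compile(ossec_to_python(regex)).groups
    names = [n.strip() for n in order.split(',')]
    return {'groups': groups, 'fields': len(names),
            'mismatch': groups != len(names),
            'over_cap': len(names) > max_fields}


if __name__ == '__main__':
    for label, regex, order in (('OK', REGEX_OK, ORDER_OK),
                                ('CRASH', REGEX_CRASH, ORDER_CRASH)):
        print(label, check_decoder(regex, order))
        for field, value in decode(regex, order, SAMPLE_LOG):
            print(f"       {field}: '{value}'")
```

`check_decoder` is the thing to run on any new decoder before it goes near analysisd: a group/field count mismatch, or an `<order>` list longer than the cap, is the first thing to rule out when ossec-logtest dies instead of printing a field.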