On Wed, Dec 14, 2016 at 9:50 AM, Bertrand Danos <mille...@gmail.com> wrote:
> Without the action match and order, it's OK:
>

I feel like there was a limit in the number of entries in the <order> field.
Maybe it's 9?

What about something like this:

> <!--
> Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
> fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
> slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp
> proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
> action=pass logtype="filter"#015
> -->
> <decoder name="netasq-filter">
> <parent>netasq</parent>
> <prematch>logtype="filter"</prematch>
> <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)"
> ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)
> dstport=(\d+)</regex>
> <order>id, extra_data, extra_data, protocol, protocol, srcip,
> srcport, dstip, dstport</order>
>
> <!-- segfault
> <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)"
> ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)
> dstport=(\d+) \.+ action=(\S+)</regex>
> <order>id, extra_data, extra_data, protocol, protocol, srcip,
> srcport, dstip, dstport, action</order>
> -->
> </decoder>
>

Splitting it into multiple decoders seems to work for me:

<decoder name="netasq-filter">
  <parent>netasq</parent>
  <prematch>logtype="filter"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) </regex>
  <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport</order>
</decoder>

<decoder name="netasq-filter">
  <parent>netasq</parent>
  <regex>action=(\S+)</regex>
  <order>action</order>
</decoder>

**Phase 1: Completed pre-decoding.
       full event: 'Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015'
       hostname: '192.168.10.1'
       program_name: '(null)'
       log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015'

**Phase 2: Completed decoding.
       decoder: 'netasq'
       id: 'firewall'
       extra_data: 'FW1'
       extra_data: 'port2'
       proto: 'tcp'
       proto: 'ssh'
       srcip: '192.168.10.2'
       srcport: '33659'
       dstip: '192.168.10.1'
       action: 'pass'

>
> result:
>
> **Phase 2: Completed decoding.
> decoder: 'netasq'
> id: 'firewall'
> extra_data: 'FW1'
> extra_data: 'port2'
> proto: 'tcp'
> proto: 'ssh'
> srcip: '192.168.10.2'
> srcport: '33659'
> dstip: '192.168.10.1'
>
>
>
> With the action match and order, it crashes:
>
> strace ./ossec-logtest
>
> write(2, "\n**Phase 2: Completed decoding.", 31
> **Phase 2: Completed decoding.) = 31
> write(2, "\n", 1
> ) = 1
> write(2, " decoder: 'netasq'", 24 decoder: 'netasq') = 24
> write(2, "\n", 1
> ) = 1
> write(2, " id: 'firewall'", 21 id: 'firewall') = 21
> write(2, "\n", 1
> ) = 1
> write(2, " extra_data: 'FW1'", 24 extra_data: 'FW1') = 24
> write(2, "\n", 1
> ) = 1
> write(2, " extra_data: 'port2'", 26 extra_data: 'port2') = 26
> write(2, "\n", 1
> ) = 1
> write(2, " proto: 'tcp'", 19 proto: 'tcp') = 19
> write(2, "\n", 1
> ) = 1
> write(2, " proto: 'ssh'", 19 proto: 'ssh') = 19
> write(2, "\n", 1
> ) = 1
> write(2, " srcip: '192.168.10.2'", 28 srcip: '192.168.10.2') = 28
> write(2, "\n", 1
> ) = 1
> write(2, " srcport: '33659'", 23 srcport: '33659') = 23
> write(2, "\n", 1
> ) = 1
> write(2, " dstip: '192.168.10.1'", 28 dstip: '192.168.10.1') = 28
> write(2, "\n", 1
> ) = 1
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
>
>
>
> 2016-12-09 16:35 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
>>
>>
>> On Dec 9, 2016 5:51 AM, "Bertrand Danos" <mille...@gmail.com> wrote:
>>
>> Hello Dan,
>>
>> Thank you very much for your help.
>>
>> I've a problem with the following decoder and sample. It generates a
>> segfault in ossec-logtest:
>>
>> <!---
>> Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
>> fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
>> slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp
>> proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
>> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
>> action=pass logtype="filter"#015
>> -->
>>
>> <decoder name="netasq-filter">
>> <parent>netasq</parent>
>> <prematch>logtype="filter"</prematch>
>> <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)"
>> ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)
>> dstport=(\d+) \.+ action=(\S+)</regex>
>> <order>id, extra_data, extra_data, protocol, protocol, srcip,
>> srcport, dstip, dstport, action</order>
>> </decoder>
>>
>> The segfault appears before the display of dstport.
>> For the 'action' item, I can't display it either.
>>
>>
>> Any ideas?
>>
>>
>>
>> If you remove the action match and order, does it still segfault?
>>
>>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
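As an added example, not code from the thread or from OSSEC itself: a small Python approximation of decoder matching, run over the thread's sample event with the two split decoders, plus a helper that flags decoders whose <order> list exceeds a configurable limit. The default limit of 9 is the thread's hypothesis rather than a documented OSSEC constant, and Python's re only approximates OSSEC's own regex engine.

```python
import re
from xml.etree import ElementTree as ET
# Constructed copy of the thread's sample event, syslog header already stripped.
LOG = ('id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 '
       'startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 '
       'srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh '
       'src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp '
       'srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh '
       'dstname=FW action=pass logtype="filter"')

# The two split decoders from the reply, wrapped in a root element so they parse.
DECODERS = r"""<root>
<decoder name="netasq-filter">
  <parent>netasq</parent>
  <prematch>logtype="filter"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) </regex>
  <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport</order>
</decoder>
<decoder name="netasq-filter">
  <parent>netasq</parent>
  <regex>action=(\S+)</regex>
  <order>action</order>
</decoder>
</root>"""

def ossec_regex_to_python(pattern):
    # OSSEC writes "any character" as \. ; \S, \w and \d are close enough to Python's
    # for this sample. Python's backtracking matcher only approximates OSSEC's engine.
    return pattern.replace(r'\.', '.')

def order_names(decoder):
    return [n.strip() for n in decoder.findtext('order', '').split(',') if n.strip()]

def oversized_orders(xml, limit=9):
    # Names of decoders whose <order> has more than `limit` entries. The default of 9 is
    # the thread's guess about where ossec-logtest crashed, not a documented constant.
    return [d.get('name') for d in ET.fromstring(xml).findall('decoder')
            if len(order_names(d)) > limit]

def decode(log, xml):
    # Run each decoder: skip it when its prematch is absent, otherwise map the captures
    # onto the <order> names. Repeated names (extra_data, protocol) collect into a list.
    fields = {}
    for d in ET.fromstring(xml).findall('decoder'):
        prematch = d.findtext('prematch')
        if prematch and not re.search(ossec_regex_to_python(prematch), log):
            continue
        m = re.search(ossec_regex_to_python(d.findtext('regex')), log)
        for name, value in zip(order_names(d), m.groups() if m else ()):
            fields.setdefault(name, []).append(value)
    return fields
```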