On Tue, Mar 14, 2017 at 5:44 PM, Ralph Durkee <ralph.dur...@gmail.com> wrote:
> Yes, I got the production system working against a test attack script. Will
> monitor it to do tuning for the real flurries of bogus DNS queries, and will
> try the duplicate / twin decoder name to see if that works. An override
> option for the decoder name would be ideal. The other thing that occurred to
> me that I could do is copy all the child named decoders into the local decoder
> file and use the parent name of the new improved named decoder.
>

I stopped updating the named decoders when I stopped using it a couple
of years ago, so thanks for the up-to-date log samples.
"url" looks better than srcuser, but I'm open to using whatever.

The below patch is also available at
https://github.com/ossec/ossec-hids/pull/1094

How does this work for you:
diff --git a/etc/decoder.xml b/etc/decoder.xml
index d0c5a196..7d86bad0 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -952,11 +952,16 @@ Jan  8 19:32:41 tp.lan dropbear[15165]: Pubkey
auth succeeded for 'root' with ke

 <decoder name="named-query">
   <parent>named</parent>
-  <prematch>: query: </prematch>
-  <regex>client (\S+)#\d+\s*\S*: query: (\S+) IN </regex>
+  <prematch>: query </prematch>
+  <regex>client (\S+)#\d+\s*\S*: </regex>
   <order>srcip,url</order>
 </decoder>

+<decoder name="named-query">
+  <parent>named</parent>
+  <regex>query: (\S+) IN|query \S+ '(\S+)/</regex>
+  <order>url</order>
+</decoder>

 <decoder name="named_client">
   <parent>named</parent>
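Review bot: in the first `named-query` decoder the new `<regex>` (`client (\S+)#\d+\s*\S*: `) has only one capture group, but the unchanged `<order>srcip,url</order>` still names two fields, so `url` has no group to map to; change it to `<order>srcip</order>` and let the new second `named-query` decoder, whose `<order>url</order>` matches its single effective group, supply `url`. The second decoder has no `<prematch>`, so its alternation regex runs against every line that reaches the `named` parent; a `<prematch>query</prematch>` would limit it to query lines. Note also that the mailer has wrapped the `@@ -952,11 +952,16 @@` header onto two lines, so this copy will not apply cleanly; the pull request linked above is the one to test from.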


> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
