Re: [ossec-list] Custom decoder & rules not working

2017-03-24 Thread Martin
Indeed, it was evaluated first because the level of rule 2501 (5) is 
higher than my rule's.

Thank you for your answer!

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Custom decoder & rules not working

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:41 PM, Martin  wrote:
> Hello,
>
> I have this kind of log coming from a custom app:
>>
>>
>> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
>> [] []
>
>
> I'm trying to block an IP with too many authentication failures.
>
> So I did a custom decoder, which is working:
>
> 
>   ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p 
> 
>
>
> 
>   app.ERROR
>   ^app.ERROR: \.+ (\S+) for IP: (\S+)
> (\.+)\s(\.+)$
>   status,srcip,extra_data,extra_data
> 
>
> and I want these rules to work with this log.
>
> 
> app.ERROR
> Multiple login attempts customapp
>   
>
>
>   
> 100201
> 
> Multiple login attempts customapp
> authentication_failures,
>   
>
>
> But this is what I get when testing with /var/ossec/bin/ossec-logtest:
>
>
>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
> [] []
>
>
>
>
> **Phase 1: Completed pre-decoding.
>full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure
> for IP: 172.17.0.1 [] []'
>hostname: 'Digital-Ocean-1'
>program_name: '(null)'
>log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP:
> 172.17.0.1 [] []'
>
>
> **Phase 2: Completed decoding.
>decoder: 'app.ERROR'
>status: 'failure'
>srcip: '172.17.0.1'
>extra_data: '[]'
>extra_data: '[]'
>
>
> **Phase 3: Completed filtering (rules).
>Rule id: '2501'
>Level: '5'
>Description: 'User authentication failure.'
> **Alert to be generated.
>
> Why are my rules not working instead of the 2501 one?
>


2501 is probably evaluated first.
You can add an <if_sid>2501</if_sid> to your first rule to help it match.

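A complete version of the fix dan suggests, written as an added example rather than Martin's posted config (the archive stripped the XML tags from his snippets). OSSEC keeps root rules ordered by level, highest first, and once a root rule matches an event it only walks that rule's children, so a custom root rule at level 5 or below never sees a line that 2501 ("User authentication failure.", level 5) already claims. Making the custom rule a child of 2501 with <if_sid> puts it on the path that is actually evaluated. The two regexes are the ones from the thread; the decoder names, rule levels, frequency/timeframe, file paths and the active-response stanza are assumptions.

```xml
<!-- Added example, not the config posted in the thread. Assumed file: /var/ossec/etc/local_decoder.xml -->

<!-- Parent decoder: prematch on the bracketed timestamp so the child starts right after it.
     In OSSEC regex, "\p" is a punctuation character and "\d" a digit; "\." is any character and a
     bare "." is literal, so "app.ERROR" below matches as written. -->
<decoder name="app.ERROR">
  <prematch>^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p </prematch>
</decoder>

<!-- Child decoder (name "app.ERROR-auth" is an assumption): regex and order taken from the thread.
     Rules refer to the parent name via <decoded_as>, not to the child name. -->
<decoder name="app.ERROR-auth">
  <parent>app.ERROR</parent>
  <regex offset="after_parent">^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$</regex>
  <order>status,srcip,extra_data,extra_data</order>
</decoder>

<!-- Assumed file: /var/ossec/etc/rules/local_rules.xml (custom rule ids live in 100000-119999) -->
<group name="local,customapp,">

  <!-- Per-event rule. <if_sid>2501</if_sid> makes it a child of the stock rule that currently
       wins, so it is reached instead of competing with 2501 at the root. Level 5 is an assumption. -->
  <rule id="100201" level="5">
    <if_sid>2501</if_sid>
    <decoded_as>app.ERROR</decoded_as>
    <description>customapp: authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation rule: repeated 100201 hits from the same decoded srcip inside the window.
       frequency="6" and timeframe="120" (seconds) are assumptions; tune to the application. -->
  <rule id="100202" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>customapp: multiple authentication failures from the same source IP.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- Assumed fragment for /var/ossec/etc/ossec.conf: block the decoded srcip when 100202 fires,
     using the firewall-drop command that ships with OSSEC. The 600 s timeout is an assumption. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100202</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Check it the same way Martin did: feed the sample line to /var/ossec/bin/ossec-logtest and confirm that Phase 3 now reports rule 100201 rather than 2501. The trade-off of chaining under 2501 is that the custom rule inherits 2501's match condition; if the application ever rewords the message so that 2501 stops matching, the child stops firing too, and logtest will show that immediately. The alternative Martin's follow-up points at, giving the custom root rule a level above 5 so it sorts ahead of 2501, avoids that coupling but raises the alert level of every single failure, so prefer <if_sid> and keep the high level on the correlation rule.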


[ossec-list] Custom decoder & rules not working

2017-03-23 Thread Martin
Hello,

I have this kind of log coming from a custom app:

>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
> [] []


I'm trying to block an IP with too many authentication failures.

So I did a custom decoder, which is working:


  ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p 




  app.ERROR
  ^app.ERROR: \.+ (\S+) for IP: (\S+) 
(\.+)\s(\.+)$
  status,srcip,extra_data,extra_data


and I want these rules to work with this log.


app.ERROR
Multiple login attempts customapp
  


  
100201

Multiple login attempts customapp
authentication_failures,
  


But this is what I get when testing with */var/ossec/bin/ossec-logtest*:



[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
[] []




**Phase 1: Completed pre-decoding.
   full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure 
for IP: 172.17.0.1 [] []'
   hostname: 'Digital-Ocean-1'
   program_name: '(null)'
   log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for 
IP: 172.17.0.1 [] []'


**Phase 2: Completed decoding.
   decoder: 'app.ERROR'
   status: 'failure'
   srcip: '172.17.0.1'
   extra_data: '[]'
   extra_data: '[]'


**Phase 3: Completed filtering (rules).
   Rule id: '2501'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.

Why are my rules not working instead of the 2501 one?
