Re: [ossec-list] help with writing decoder rules for clavister firewall

2012-11-15 Thread Michiel van Es


On Wednesday 14 November 2012 17:02:47 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Nov 14, 2012 at 9:49 AM, Michiel van Es wrote:
> > Hello,
> >
> > I am trying to set up a local_decoder.xml entry to decode our Clavister log
> > entries.
> > The clavister logfiles show only outgoing dropped traffic, for example:
> >
> > Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6
> > id=0651 rev=1 event=ruleset_drop_packet action=drop
> > rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> > destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> > ack=1 fin=1
> >
> > I could not find an existing clavister decoder so I am trying to write my
> > own.
> > I tried something as follows:
> >
> > <decoder name="clavister">
> >   <prematch>^\w+ \d+ \S+ </prematch>
> > </decoder>
> >
> > If I get it correct the ^ is beginning of the line, \w+ = Month, \d+ = day of
> > month, \S+ = time, but it's not working as expected; running logtest shows:
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW:
> > RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet action=drop
> > rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> > destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> > ack=1 fin=1'
> >        hostname: '10.170.80.3'
> >        program_name: '(null)'
> >        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1
> > event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> > recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> > ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
> >
>
> I think you want the prematch to look at the log line above, not the
> full log.
>
> This is untested, and I don't know how much of the log message stays
> the same.
>
> <decoder name="clavister">
>   <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: </prematch>
> </decoder>
>
Thanks, I am now trying to get the srcip, dstip, srcport and dstport from a
2nd local_decoder:

<decoder name="clavister">
  <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: </prematch>
</decoder>

<decoder name="clavister-fields"> <!-- decoder name lost in the archive; "clavister-fields" is assumed -->
  <parent>clavister</parent>
  <regex>srcip=(\d+.\d+.\d+.\d+) destip=(\d+.\d+.\d+.\d+) (\.*)</regex>
  <order>srcip,dstip,srcport,dstport,action,extra_data</order>
</decoder>

But I cannot get the srcport and dstport decoded.
I tried:

  <regex>srcip=(\d+.\d+.\d+.\d+) destip=(\d+.\d+.\d+.\d+) scrport=(\d+) destport(\d+) (\.*)</regex>

but I get no src/dstport decoded.

I also noticed that the Clavisters use the term destport while OSSEC uses
dstport; I am not sure if that is an issue?

I should mention I am not a guru at regex ;)

Any help is welcome.
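As an added illustration (my own code, not from the thread or from OSSEC), here is a Python stand-in for the three steps ossec-logtest walks through on the sample line above: pre-decoding splits off the syslog header into hostname and `log`; the parent decoder's prematch is tested against `log`, not the full event, which is why a prematch written for the syslog date never fires; and the child decoder then pulls out the fields. Two child decoders are shown. Approach A mirrors `<regex>`/`<order>` positional mapping and has to spell out the `ipproto=` and `ipdatalen=` tokens that sit between destip and srcport on this line. Approach B parses every key=value pair and renames destip/destport to OSSEC's dstip/dstport names, so field order and gaps stop mattering. The syslog header pattern, the `RENAME` table, the function names and the constructed sample are all assumptions; the OSSEC regex dialect differs from Python's (in OSSEC `\.` means any character), so these patterns are Python translations, not drop-in decoder text.

```python
import re

# Constructed sample: the Clavister EFW line quoted in the thread.
SAMPLE_EVENT = (
    "Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 "
    "id=0651 rev=1 event=ruleset_drop_packet action=drop "
    "rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 "
    "destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 "
    "ack=1 fin=1"
)

# Phase 1 stand-in (assumed shape): a syslog line without a "program:" tag is
# split into the syslog timestamp, the hostname and the remaining message.
SYSLOG_HEADER = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<log>.*)$"
)


def predecode(event):
    """Return the fields ossec-logtest prints in Phase 1."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m.group("hostname"), "program_name": None,
            "log": m.group("log")}


# Parent decoder prematch from the thread, as a Python regex. It is tested
# against `log`, which begins with the bracketed Clavister timestamp.
PREMATCH = re.compile(r"^\[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\] EFW: RULE: ")

# Child decoder, approach A: positional groups mapped to names in order,
# the way <regex> and <order> work. The pattern must consume the
# ipproto/ipdatalen tokens that sit between destip and srcport.
POSITIONAL = re.compile(
    r"action=(\w+) .*srcip=(\d+\.\d+\.\d+\.\d+) destip=(\d+\.\d+\.\d+\.\d+) "
    r"ipproto=\w+ ipdatalen=\d+ srcport=(\d+) destport=(\d+)"
)
ORDER = ("action", "srcip", "dstip", "srcport", "dstport")


def decode_positional(log):
    m = POSITIONAL.search(log)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


# Child decoder, approach B: parse every key=value token and rename the
# Clavister keys to the names OSSEC uses (assumed mapping).
KV = re.compile(r"(\w+)=(\S+)")
RENAME = {"destip": "dstip", "destport": "dstport"}


def decode_kv(log):
    fields = {RENAME.get(k, k): v for k, v in KV.findall(log)}
    return {n: fields.get(n) for n in ORDER}


def decode_clavister(event, positional=False):
    """Full pipeline: pre-decode, prematch, then extract the fields."""
    pre = predecode(event)
    if not PREMATCH.match(pre["log"]):
        return None  # what logtest reports as "No decoder matched"
    fields = decode_positional(pre["log"]) if positional else decode_kv(pre["log"])
    if fields is None:
        return None
    fields["hostname"] = pre["hostname"]
    return fields


if __name__ == "__main__":
    print(decode_clavister(SAMPLE_EVENT))
```

Running the script on the constructed sample yields action, srcip, dstip, srcport, dstport and hostname for both approaches; feeding it a line whose message part does not start with the bracketed timestamp returns None, the same outcome logtest shows as "No decoder matched".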


Re: [ossec-list] help with writing decoder rules for clavister firewall

2012-11-14 Thread dan (ddp)
On Wed, Nov 14, 2012 at 9:49 AM, Michiel van Es wrote:
> Hello,
>
> I am trying to set up a local_decoder.xml entry to decode our Clavister log
> entries.
> The clavister logfiles show only outgoing dropped traffic, for example:
>
> Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6
> id=0651 rev=1 event=ruleset_drop_packet action=drop
> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> ack=1 fin=1
>
> I could not find an existing clavister decoder so I am trying to write my
> own.
> I tried something as follows:
>
> <decoder name="clavister">
>   <prematch>^\w+ \d+ \S+ </prematch>
> </decoder>
>
> If I get it correct the ^ is beginning of the line, \w+ = Month, \d+ = day of
> month, \S+ = time, but it's not working as expected; running logtest shows:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW:
> RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet action=drop
> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> ack=1 fin=1'
>        hostname: '10.170.80.3'
>        program_name: '(null)'
>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1
> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>

I think you want the prematch to look at the log line above, not the full log.

This is untested, and I don't know how much of the log message stays the same.

<decoder name="clavister">
  <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: </prematch>
</decoder>




> **Phase 2: Completed decoding.
>No decoder matched.
>
> It does not show the clavister field at Phase 2 which I would expect.
>
> Can anyone point out what I am doing wrong even with this simple
> example?
>
> Thanks in advance.
>
> Regards,
>
> Michiel


Re: [ossec-list] help with writing decoder rules for clavister firewall

2012-11-14 Thread anthony kasza
try changing your prematch tag to

^\w\w\w \d\d \d\d:\d\d:\d\d

see here: http://www.ossec.net/doc/manual/rules-decoders/create-custom.html

-AK

On Wed, Nov 14, 2012 at 8:49 AM, Michiel van Es wrote:
> Hello,
>
> I am trying to set up a local_decoder.xml entry to decode our Clavister log
> entries.
> The clavister logfiles show only outgoing dropped traffic, for example:
>
> Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6
> id=0651 rev=1 event=ruleset_drop_packet action=drop
> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> ack=1 fin=1
>
> I could not find an existing clavister decoder so I am trying to write my
> own.
> I tried something as follows:
>
> <decoder name="clavister">
>   <prematch>^\w+ \d+ \S+ </prematch>
> </decoder>
>
> If I get it correct the ^ is beginning of the line, \w+ = Month, \d+ = day of
> month, \S+ = time, but it's not working as expected; running logtest shows:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW:
> RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet action=drop
> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> ack=1 fin=1'
>        hostname: '10.170.80.3'
>        program_name: '(null)'
>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1
> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> It does not show the clavister field at Phase 2 which I would expect.
>
> Can anyone point out what I am doing wrong even with this simple
> example?
>
> Thanks in advance.
>
> Regards,
>
> Michiel