This error:

"2009/05/28 13:46:34 ossec-agent(1103): ERROR: Unable to open file"

Is not really related to the decoder/rules, since it happens way before, on
the agent side. For some reason when ossec tries to open the file, it
fails... Is there a way to send me the content of
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'?

Or even running "type 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'" on the
command prompt?

If there is one small typo in the file path ossec will not be able to open it.


As far as the decoder (and rules), I tried them using the log samples
provided in the rule file and they seemed to work (*make sure to remove your
local decoders too):


2009/05/29 10:03:35 ossec-testrule: INFO: Started (pid: 22553).
ossec-testrule: Type one log per line.

24,3/10/2009,0:00:46,Database Cleanup Begin,,,,


**Phase 1: Completed pre-decoding.
       full event: '24,3/10/2009,0:00:46,Database Cleanup Begin,,,,'
       hostname: 'enigma'
       program_name: '(null)'
       log: '24,3/10/2009,0:00:46,Database Cleanup Begin,,,,'

**Phase 2: Completed decoding.
       decoder: 'ms-dhcp-ipv4'
       id: '24'

**Phase 3: Completed filtering (rules).
       Rule id: '6316'
       Level: '3'
       Description: 'IP address cleanup operation has began.'
**Alert to be generated.



**Phase 1: Completed pre-decoding.
       full event: '11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,'
       hostname: 'enigma'
       program_name: '(null)'
       log: '11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,'

**Phase 2: Completed decoding.
       decoder: 'ms-dhcp-ipv6'
       id: '11011'

**Phase 3: Completed filtering (rules).
       Rule id: '6362'
       Level: '7'
       Description: 'Stopped.'
**Alert to be generated.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, May 29, 2009 at 9:53 AM, phish phreek <phishphr...@gmail.com> wrote:
> Daniel,
>
> Thanks for integrating them into the project. I've downloaded and installed
> the latest snapshot. I've also renamed my local_decoder.xml file so it
> wouldn't be included. I verified that the new decoder.xml file did have your
> decoders.
>
> Ossec is not able to decode the logs with the decoders you created. I tested
> this via the ossec-logtest utility. When I enable my decoders, it works fine
> with the new rules file you created. I'm short on time this AM and can't
> troubleshoot much more at the moment. I'll see what I can do with it this
> afternoon or over the weekend.
>
> Thanks again,
>
> phishphreek
>
> On Thu, May 28, 2009 at 1:29 PM, Daniel Cid <daniel....@gmail.com> wrote:
>>
>> Hey,
>>
>> I included those on the latest snapshot. I did a few changes so I
>> would like you to take a look:
>>
>> -Modified the use of <match> to <id>
>> -Simplified the decoder to only extract the id, since we were not
>> using the other information
>> -Changed the ids to be in the 6300-6399 range (assigned now for MS DHCP)
>> -Changed the levels from some informative rules to 0 (like ip assigned,
>> etc).
>>
>> Can you test? Anyone here using ms dhcp to try it out?
>>
>> Link: http://ossec.net/files/snapshots/ossec-hids-090528.tar.gz
>>
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Wed, May 13, 2009 at 1:01 AM, phish phreek <phishphr...@gmail.com> wrote:
>> > Here is the latest and *hopefully* final version. I've created three
>> > separate decoders for Windows DHCP server. One for Windows 2003 IPv4, one
>> > for Windows 2008 IPv4 and the last one for Windows 2008 IPv6. I'm not
>> > using IPv6, so I could only test a few log entries against the decoder.
>> > If someone is using 2K8 IPv6 and you can send me more logs, I'd be happy
>> > to test. Also, I'm pretty new to writing rules in regular expression. If
>> > you look at my decoders and think "WTF!", please let me know what I could
>> > do to make it better. ;)
>> >
>> > I've moved my decoders from decoder.xml to local_decoder.xml as was
>> > recommended on the mailing list.
>> >
>> > I've updated the ms_dhcp_rules.xml file to include 2 new rules from 2008
>> > IPv4 as well as a separate section for 2008 IPv6 rules. I've changed them
>> > from the 12200/12300 range to 120200 for 2k3/2k8 IPv4 and 120300 for 2k8
>> > IPv6. I also updated the alert levels to a little more reasonable level
>> > and I've changed the groups to match predefined groups when applicable.
>> >
>> > The decoders also fixed a "bug" when trying to filter out the MAC address
>> > or "extra data". In the last decoder I posted, it didn't always get it
>> > right.
>> >
>> > If you've followed my previous instructions, please remove the decoder
>> > from your OSSEC server's decoder.xml file and use the attached
>> > local_decoder.xml. If you're already using a local_decoder.xml file, then
>> > don't overwrite your copy with mine! Copy and paste the contents of mine
>> > into yours... Otherwise, the rest of the previous instructions still
>> > apply.
>> >
>> > I'm still working out some possible bugs with the OSSEC agent monitoring
>> > the Windows logs. When I told the agent to monitor
>> > c:\windows\system32\dhcp\*.log it stopped monitoring on Sunday at
>> > Midnight. I'm not sure if that was due to timestamps not being updated or
>> > not. I've since added an entry in the OSSEC agent's ossec.conf file for
>> > each day's log and we'll see if that works better.
>> >
>> > Will the dev team take notice of this on the list and decide if they
>> > want to include it in their project or do I need to send it elsewhere?
>> >
>
>
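The ossec-logtest phases shown above (pre-decode the raw line, let the ms-dhcp decoder pull out the event id, look the id up in a rule, suppress the alert when the rule's level is 0) can be reproduced outside OSSEC to sanity-check sample log lines before touching decoder.xml or the rules file. The script below is an added illustration written for this page, not OSSEC's decoder or rule code and not something posted in the thread. Its rule table carries only the two rules visible in the logtest output (6316 for id 24, 6362 for id 11011); rule 6302 for DHCP event id 10 is a hypothetical level-0 rule added to show how a level-0 "informative" rule produces no alert. The split between the ipv4 and ipv6 decoders on ids of 11000 and above, the column layout beyond the first four fields, and the sample lease line are assumptions for the example.

```python
"""Emulate ossec-logtest's decode/rule phases for Microsoft DHCP audit log lines.

Added example, not OSSEC code: the real decoders live in decoder.xml and the
real rules in ms_dhcp_rules.xml. Only rules 6316 and 6362 come from the thread;
rule 6302 (event id 10, level 0) is hypothetical.
"""
import csv
import io

# The DHCP audit log is CSV; the decoder only needs the first four columns
# (ID, Date, Time, Description). The remaining columns differ between
# Windows 2003/2008 and IPv4/IPv6 logs (assumption), so they are ignored.
FIELDS = ("id", "date", "time", "description")

# DHCP event id -> (ossec rule id, level, description).
RULES = {
    "24": (6316, 3, "IP address cleanup operation has began."),  # from the thread
    "11011": (6362, 7, "Stopped."),                             # from the thread
    "10": (6302, 0, "IP address leased to a client."),           # hypothetical, level 0
}

def decode(line):
    """Mimic the ms-dhcp-ipv4 / ms-dhcp-ipv6 decoders.

    Returns (decoder_name, fields) or None when the line is not a DHCP record
    (e.g. the header lines at the top of DhcpSrvLog-*.log).
    """
    row = next(csv.reader(io.StringIO(line)))
    if len(row) < 4 or not row[0].strip().isdigit():
        return None
    fields = dict(zip(FIELDS, (f.strip() for f in row[:4])))
    # Assumption: DHCPv6 events use ids 11000 and above; the rest are IPv4.
    decoder = "ms-dhcp-ipv6" if int(fields["id"]) >= 11000 else "ms-dhcp-ipv4"
    return decoder, fields

def evaluate(line):
    """Run decode + rule lookup; return a dict shaped like the logtest phases."""
    result = {"log": line, "decoder": None, "id": None, "rule": None,
              "level": None, "description": None, "alert": False}
    decoded = decode(line)
    if decoded is None:
        return result                      # Phase 2 never matched a decoder
    decoder, fields = decoded
    result["decoder"] = decoder
    result["id"] = fields["id"]
    rule = RULES.get(fields["id"])
    if rule is None:
        return result                      # decoded, but no rule fired
    result["rule"], result["level"], result["description"] = rule
    result["alert"] = result["level"] > 0  # level 0 => "no alert", as in OSSEC
    return result

# Constructed sample lines: the two from the thread, a hypothetical lease
# record, and the column header line found at the top of a 2003 audit log.
SAMPLE_LINES = [
    "24,3/10/2009,0:00:46,Database Cleanup Begin,,,,",
    "11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,",
    "10,05/29/09,09:53:01,Assign,192.0.2.10,host.example,0011223344556,",
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address",
]

def run(lines=SAMPLE_LINES):
    """Evaluate every line and return the per-line results in order."""
    return [evaluate(line) for line in lines]

if __name__ == "__main__":
    for r in run():
        state = "ALERT" if r["alert"] else "no alert"
        print(f"{state:9} decoder={r['decoder']} id={r['id']} "
              f"rule={r['rule']} level={r['level']}")
```

Feed it the exact lines from the agent's DhcpSrvLog-*.log file rather than retyped ones; as with ossec-logtest, a line that fails to decode usually means the record does not start with a numeric id field, not that the rules are wrong.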
