Oops ... You are right, dan .. I have missed timestamp and hostname ... Doing some adjustments, decoder works now ...

On 04/30/2012 02:59 PM, dan (ddp) wrote:
To start, your log message is missing the syslog header (timestamp and
hostname).
Then taking out the first \s+ in the prematch of the checkpoint
decoder makes this work.

In fact, changing the decoder to this made it work with one of your
examples and one of the examples in the decoder.conf:

<decoder name="checkpoint-syslog">
   <program_name>^Checkpoint</program_name>
   <prematch>^\s*\S+ \d\d:\d\d:\d\d</prematch>
</decoder>


On Mon, Apr 30, 2012 at 4:31 AM, carlopmart <carlopm...@gmail.com> wrote:
Hi all,

  I am doing some tests sending checkpoint fw logs to ossec via syslog and the
default checkpoint decoder provided by ossec 2.6 doesn't work. For example,
using the log explained in decoder.xml:

2012/04/30 10:26:13 ossec-testrule: INFO: Reading local decoder file.
2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file:
'lists/dshield_list'
2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file:
'lists/rbn_host_list'
2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file:
'lists/rbn_subnet_list'
2012/04/30 10:26:13 ossec-testrule: INFO: Started (pid: 7884).
ossec-testrule: Type one log per line.

Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1>eth4 rule: 102; rule_uid:
{00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2;
dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1&
FireWall-1;


**Phase 1: Completed pre-decoding.
       full event: 'Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1>eth4
rule: 102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo
Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP
Code: 0; product: VPN-1&  FireWall-1;'
       hostname: 'plzfsgsip02'
       program_name: '(null)'
       log: 'Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1>eth4 rule:
102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request;
src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0;
product: VPN-1&  FireWall-1;'

**Phase 2: Completed decoding.
       No decoder matched.


Using a real sample:

Checkpoint:  30Apr2012 9:52:24 accept 172.23.4.3>Lan2 rule: 54; rule_uid:
{9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src:
192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1&  FireWall-1;
service: 443; s_port: 1111;


**Phase 1: Completed pre-decoding.
       full event: 'Checkpoint:  30Apr2012 9:52:24 accept 172.23.4.3>Lan2
rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id:
https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1&
FireWall-1; service: 443; s_port: 1111;'
       hostname: 'ossecsrv02'
       program_name: '(null)'
       log: 'Checkpoint:  30Apr2012 9:52:24 accept 172.23.4.3>Lan2 rule: 54;
rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src:
192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1&  FireWall-1;
service: 443; s_port: 1111;'

**Phase 2: Completed decoding.
       No decoder matched.

Where is the problem??

--
CL Martinez
carlopmart {at} gmail {d0t} com


--
CL Martinez
carlopmart {at} gmail {d0t} com
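To see why program_name came out as '(null)' above and why the leading whitespace token in the prematch matters, here is a small simulation of OSSEC's two phases (syslog pre-decoding, then decoder matching). It is added to this page as an example and is not code from the thread or from OSSEC itself. Python's re module stands in for OSSEC's os_regex (an approximation: os_regex's \s is only the space character); the syslog header "Apr 30 10:26:13 fw01" is made up for the example; the exact prematch of the 2.6 decoder before dan's change is assumed, not copied; and the \d+ variant is a suggestion that nobody in the thread made.

```python
import re

# Added example, not code from the thread or from OSSEC. Python's re is used
# as a stand-in for OSSEC's os_regex: for the tokens these prematches use
# (^, \s, \S, \d, +, *) the two engines agree closely enough to reason about
# the thread (assumption; os_regex's \s is only the space character).

# Decoder as posted by dan in the thread.
DECODER_FIXED = {
    "name": "checkpoint-syslog",
    "program_name": r"^Checkpoint",
    "prematch": r"^\s*\S+ \d\d:\d\d:\d\d",
}

# Same decoder but demanding at least one leading space in the prematch.
# Stands in for the "first \s+" dan took out (assumption about the exact
# text of the original 2.6 decoder).
DECODER_STRICT = dict(DECODER_FIXED, prematch=r"^\s+\S+ \d\d:\d\d:\d\d")

# Variant that also tolerates a single-digit hour, as in carlopmart's real
# sample ("9:52:24"). Suggested here, not taken from the thread.
DECODER_LOOSE = dict(DECODER_FIXED, prematch=r"^\s*\S+ \d+:\d\d:\d\d")

# Minimal BSD-syslog header: "Mmm dd HH:MM:SS host rest".
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$"
)
# "program[pid]: message" -- the colon and ONE following space are consumed,
# so a second space (as in the real sample) survives into the log text.
PROGRAM_NAME = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[\d+\])?: ?(?P<log>.*)$")


def predecode(line):
    """Phase 1 (pre-decoding): split the syslog header off a raw line.

    Mirrors what ossec-testrule prints as hostname / program_name / log.
    Without a header OSSEC reports program_name '(null)' and falls back to
    the local host name (the thread shows 'plzfsgsip02'); here it stays None.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    pm = PROGRAM_NAME.match(m.group("rest"))
    if not pm:
        return {"hostname": m.group("host"), "program_name": None,
                "log": m.group("rest")}
    return {"hostname": m.group("host"), "program_name": pm.group("prog"),
            "log": pm.group("log")}


def decode(event, decoder):
    """Phase 2: a decoder with <program_name> only matches when the
    pre-decoded program_name exists and matches; <prematch> is then tested
    against the remaining log text."""
    if "program_name" in decoder:
        prog = event["program_name"]
        if prog is None or not re.search(decoder["program_name"], prog):
            return False
    return re.search(decoder["prematch"], event["log"]) is not None


# Constructed sample lines. The Checkpoint payloads are the ones quoted in
# the thread; the "Apr 30 10:26:13 fw01" syslog header is made up.
DOC_EXAMPLE = ("Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1>eth4 rule: 102; "
               "rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; "
               "src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; "
               "ICMP Code: 0; product: VPN-1& FireWall-1;")
REAL_SAMPLE = ("Checkpoint:  30Apr2012 9:52:24 accept 172.23.4.3>Lan2 rule: 54; "
               "rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; "
               "src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; "
               "product: VPN-1& FireWall-1; service: 443; s_port: 1111;")
HEADER = "Apr 30 10:26:13 fw01 "


def run_all():
    """Return {(line_label, decoder_label): matched} for every combination."""
    lines = {
        "doc_no_header": DOC_EXAMPLE,
        "doc_with_header": HEADER + DOC_EXAMPLE,
        "real_with_header": HEADER + REAL_SAMPLE,
    }
    decoders = {"fixed": DECODER_FIXED, "strict": DECODER_STRICT,
                "loose": DECODER_LOOSE}
    results = {}
    for ll, line in lines.items():
        ev = predecode(line)
        for dl, dec in decoders.items():
            results[(ll, dl)] = decode(ev, dec)
    return results


if __name__ == "__main__":
    for (ll, dl), ok in sorted(run_all().items()):
        print(f"{ll:18s} {dl:7s} {'matched' if ok else 'no decoder matched'}")
```

Run as is, the simulation reproduces the thread: with no syslog header there is no program_name, so a decoder that has a <program_name> element can never match, whatever its prematch says. With a header, the decoder.xml example matches dan's prematch but not the one that insists on leading whitespace, because only one space after "Checkpoint:" is consumed and the log then starts with a digit. The real sample still fails even dan's prematch here, since "9:52:24" has a single-digit hour and \d\d:\d\d:\d\d wants two; the \d+ variant accepts it. The thread does not show what carlopmart's final adjusted decoder looked like, so check your own decoder against both shapes with ossec-logtest (or ossec-testrule on 2.6) rather than assuming.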
