On Wednesday 14 November 2012 17:02:47 UTC+1, dan (ddpbsd) wrote the following:

> On Wed, Nov 14, 2012 at 9:49 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> > Hello,
> >
> > I am trying to set up a local_decoder.xml entry to decode our Clavister log
> > entries.
> > The Clavister logfiles show only outgoing dropped traffic, for example:
> >
> > Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6
> > id=06000051 rev=1 event=ruleset_drop_packet action=drop
> > rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> > destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> > ack=1 fin=1
> >
> > I could not find an existing Clavister decoder so I am trying to write my
> > own.
> > I tried something as follows:
> >
> > <decoder name="clavister">
> >   <prematch>^\w+ \d+ \S+ </prematch>
> > </decoder>
> >
> > If I get it correct the ^ is the beginning of the line, \w+ = month,
> > \d+ = day of month, \S+ = time, but it's not working as expected; running
> > logtest shows:
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW:
> > RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop
> > rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
> > destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
> > ack=1 fin=1'
> >        hostname: '10.170.80.3'
> >        program_name: '(null)'
> >        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
> > event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> > recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> > ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
> >
>
> I think you want the prematch to look at the log line above, not the full log.
> This is untested, and I don't know how much of the log message stays the same.
>
> <decoder name="whastever">
>   <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: </prematch>
> </decoder>

Thanks, I am now trying to get the srcip, dstip, srcport and dstport from a
second local_decoder:

<decoder name="clavister">
  <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: </prematch>
</decoder>

<decoder name="clavister-alert">
  <parent>clavister</parent>
  <regex offset="after_parent">srcip=(\d+.\d+.\d+.\d+) destip=(\d+.\d+.\d+.\d+) (\.*)</regex>
  <order>srcip,dstip,srcport,dstport,action,extra_data</order>
</decoder>

But I cannot get the srcport and dstport decoded. I tried:

<regex offset="after_parent">srcip=(\d+.\d+.\d+.\d+) destip=(\d+.\d+.\d+.\d+) scrport=(\d+) destport(\d+) (\.*)</regex>

but I get no src/dstport decoded. I also noticed that the Clavisters use the
term destport and OSSEC uses dstport; I am not sure if that is an issue?
I should mention I am not a guru at regex ;) Any help is welcome.
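An added example (not part of the thread, and not OSSEC's own code) that shows, outside OSSEC, the two ways of pulling the fields out of the Clavister line quoted above. The sample line is the "log:" portion that logtest prints, i.e. what the decoder sees after pre-decoding. `decode_clavister` parses the body as `key=value` tokens in any order and renames Clavister's `destip`/`destport` to the `dstip`/`dstport` names used in the `<order>` list; `ordered_match` mimics a positional `<regex offset="after_parent">` and makes the ordering problem visible: the pattern in the post expects `srcport` directly after `destip`, but in the sample line `ipproto=TCP ipdatalen=20` sits between them (the post's pattern also spells the key `scrport` and has no `=` after `destport`). Python's `re` is used here, so the OSSEC-specific syntax is translated (`[` and `]` escaped, `.` escaped inside the IP groups); the field names and the sample line are taken from the thread, everything else is constructed for the example.

```python
import re

# Constructed sample input, copied from the log line quoted in the thread: the
# "log:" part that OSSEC's pre-decoder hands to the decoder (syslog timestamp and
# hostname already stripped).
SAMPLE_LOG = (
    "[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 "
    "event=ruleset_drop_packet action=drop rule=d_all_any_to_external "
    "recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP "
    "ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1"
)

# Python equivalent of the decoder's prematch. The brackets around the timestamp
# are literal in OSSEC regex; in Python they must be escaped or they open a class.
PREMATCH = re.compile(r"^\[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\] EFW: RULE: ")

# One key=value token; values in this format contain no spaces.
TOKEN = re.compile(r"(\w+)=(\S+)")

# Clavister key -> OSSEC field name. OSSEC's <order> uses dstip/dstport,
# Clavister writes destip/destport, so the rename happens here.
FIELD_MAP = {
    "srcip": "srcip",
    "destip": "dstip",
    "srcport": "srcport",
    "destport": "dstport",
    "action": "action",
}


def decode_clavister(line):
    """Order-independent decode. Returns a dict with the OSSEC-named fields and
    the remaining tokens joined as extra_data, or None when the line is not a
    Clavister EFW rule event (the prematch fails)."""
    m = PREMATCH.match(line)
    if m is None:
        return None
    kv = dict(TOKEN.findall(line[m.end():]))
    decoded = {ossec: kv[clav] for clav, ossec in FIELD_MAP.items() if clav in kv}
    decoded["extra_data"] = " ".join(
        f"{k}={v}" for k, v in kv.items() if k not in FIELD_MAP
    )
    return decoded


def ordered_match(pattern, line):
    """Mimic a positional <regex offset="after_parent">: the pattern is searched
    in the text after the prematch and must meet the keys in exactly the order
    it lists them. Returns the captured groups, or None when it does not match."""
    m = PREMATCH.match(line)
    if m is None:
        return None
    hit = re.search(pattern, line[m.end():])
    return hit.groups() if hit else None


# Positional pattern that expects srcport right after destip. In the sample line
# "ipproto=TCP ipdatalen=20" sits between them, so this never matches.
ADJACENT = (
    r"srcip=(\d+\.\d+\.\d+\.\d+) destip=(\d+\.\d+\.\d+\.\d+) "
    r"srcport=(\d+) destport=(\d+)"
)

# The same pattern with the intervening fields accounted for.
WITH_GAP = (
    r"srcip=(\d+\.\d+\.\d+\.\d+) destip=(\d+\.\d+\.\d+\.\d+) "
    r"ipproto=\S+ ipdatalen=\d+ srcport=(\d+) destport=(\d+)"
)

if __name__ == "__main__":
    print(decode_clavister(SAMPLE_LOG))
    print(ordered_match(ADJACENT, SAMPLE_LOG))   # None: keys are not adjacent
    print(ordered_match(WITH_GAP, SAMPLE_LOG))   # the four captured values
```

The token-based decode is the more robust of the two for a firewall that may reorder or add `key=value` fields between firmware versions; the positional form is what a single OSSEC `<regex>` line does, which is why every field between `destip` and `srcport` has to be accounted for in it.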