On Mon, Nov 19, 2012 at 4:39 AM, Michiel van Es <vanesmich...@gmail.com> wrote:
>
> Hello
>
> 2012/11/15 Jb Cheng <jjoob...@gmail.com>
>>
>> The OSSEC allowed fields are listed at the beginning of the file
>> etc/decoder.xml. In your case, 'dstport' is correct.
>> For the extra fields in the raw log which you want to skip (ipproto=
>> ipdatalen= ...), you need to count them out using <regex> like the
>> following:
>>
>> <decoder name="clavister">
>>   <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: </prematch>
>> </decoder>
>>
>> <decoder name="clavister-alert">
>>   <parent>clavister</parent>
>>   <regex offset="after_parent">\.+ action=(\w+) rule=\w+ recvif=\w+ srcip=(\d+.\d+.\d+.\d+) destip=(\d+.\d+.\d+.\d+) ipproto=\w+ ipdatalen=\d+ srcport=(\d+) destport=(\d+) (\.*)</regex>
>>   <order>action,srcip,dstip,srcport,dstport,extra_data</order>
>> </decoder>
>>
>
> Thanks! This works as a charm!
> I am now trying to generate alerts from every rule that is passing by with
> the following configuration:
>
> agent.conf:
>
> <agent_config name="machine">
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/data/logs/host/fw-10.170.80.*.log</location>
>   </localfile>
>
> and then in local_rules.xml:
>
> <group name="clavister">
>   <rule id="700005" level="0">
>     <decoded_as>clavister-alert</decoded_as>

The decoder is clavister, not clavister-alert.

Before changing the decoder name:

**Phase 1: Completed pre-decoding.
       full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
       hostname: '10.170.80.3'
       program_name: '(null)'
       log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'

**Phase 2: Completed decoding.
       decoder: 'clavister'
       action: 'drop'
       srcip: '10.170.83.14'
       dstip: '81.83.145.188'
       srcport: '80'
       dstport: '49511'
       extra_data: 'ack=1 fin=1'

After changing the decoder name:

**Phase 1: Completed pre-decoding.
       full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
       hostname: '10.170.80.3'
       program_name: '(null)'
       log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'

**Phase 2: Completed decoding.
       decoder: 'clavister'
       action: 'drop'
       srcip: '10.170.83.14'
       dstip: '81.83.145.188'
       srcport: '80'
       dstport: '49511'
       extra_data: 'ack=1 fin=1'

**Phase 3: Completed filtering (rules).
       Rule id: '700006'
       Level: '12'
       Description: 'Clavister drop firewall!'
**Alert to be generated.

>     <description>Custom Clavister firewall Alert</description>
>   </rule>
>   <rule id="700006" level="12">
>     <if_sid>700005</if_sid>
>     <description>Clavister drop firewall!</description>
>   </rule>
> </group>
>
> Restarted ossec-hids on the ossec manager
>
> But it does not show any alert and firewall drop entries in the logfile
> are rapidly entered.
>
> For some reason the new clavister-alert entries are not showing in the
> alert.log log file..
>
> Any help is appreciated :)
>
> Regards,
>
> Michiel
>>
>>
>> On Wednesday, November 14, 2012 6:49:10 AM UTC-8, Michiel van Es wrote:
>>>
>>> Hello,
>>>
>>> I am trying to set up a local_decoder.xml entry to decode our Clavister
>>> log entries.
>>> The clavister logfiles show only outgoing dropped traffic, for example:
>>>
>>> Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1
>>>
>>> I could not find an existing clavister decoder so I am trying to write
>>> my own.
>>> I tried something as follows:
>>>
>>> <decoder name="clavister">
>>>   <prematch>^\w+ \d+ \S+ </prematch>
>>> </decoder>
>>>
>>> If I get it correct the ^ is beginning of the line, \w+ = Month, \d+ =
>>> day of month, \S+ = time, but it's not working as expected, running logtest
>>> shows:
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>>        hostname: '10.170.80.3'
>>>        program_name: '(null)'
>>>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>>
>>> **Phase 2: Completed decoding.
>>>        No decoder matched.
>>>
>>> It does not show the clavister field at Phase 2 which I would expect.
>>>
>>> Can anyone point out what I am doing wrong even with this simple
>>> <prematch> example?
>>>
>>> Thanks in advance.
>>>
>>> Regards,
>>>
>>> Michiel
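As an added illustration (not code from the thread or from OSSEC itself), the Python below emulates how ossec-logtest applies the two decoders quoted above to the quoted log line, and how rule 700005 and its <if_sid> child 700006 chain on the reported decoder name. The OSSEC-to-Python regex token map is an assumption about OSSEC's regex dialect; the log line is the one from the thread.

```python
import re
# Constructed sample: the thread's log line after syslog pre-decoding has
# stripped the "Nov 14 12:19:53 10.170.80.3 " prefix.
LOG = ("[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1 "
       "event=ruleset_drop_packet action=drop rule=d_all_any_to_external "
       "recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP "
       "ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1")

# The thread's decoders, in OSSEC's own regex dialect.
PREMATCH = r"^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: "
REGEX = (r"\.+ action=(\w+) rule=\w+ recvif=\w+ srcip=(\d+.\d+.\d+.\d+) "
         r"destip=(\d+.\d+.\d+.\d+) ipproto=\w+ ipdatalen=\d+ "
         r"srcport=(\d+) destport=(\d+) (\.*)")
ORDER = ["action", "srcip", "dstip", "srcport", "dstport", "extra_data"]

# Assumed OSSEC-to-Python token map: \. is any char, bare . a literal dot, [ ] literal.
_MAP = {r"\d": "[0-9]", r"\w": "[A-Za-z0-9_@-]", r"\.": ".",
        ".": r"\.", "[": r"\[", "]": r"\]"}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2] if pattern[i] == "\\" else pattern[i]
        out.append(_MAP.get(tok, tok))
        i += len(tok)
    return "".join(out)

def decode(log):
    """Return (decoder name, fields) as ossec-logtest reports them, else None."""
    pre = re.match(ossec_to_python(PREMATCH), log)
    if not pre:
        return None
    # offset="after_parent": the child regex is applied after the prematch text.
    m = re.match(ossec_to_python(REGEX), log[pre.end():])
    fields = dict(zip(ORDER, m.groups())) if m else {}
    # logtest names the parent decoder even when the child regex matched.
    return "clavister", fields

def evaluate(decoder_name, decoded_as):
    """Apply the thread's rules: 700005 <decoded_as>, 700006 <if_sid>700005."""
    ruleset = [{"id": "700005", "level": 0, "decoded_as": decoded_as},
               {"id": "700006", "level": 12, "if_sid": "700005"}]
    fired = []
    for r in ruleset:
        if "decoded_as" in r and r["decoded_as"] != decoder_name:
            continue
        if "if_sid" in r and r["if_sid"] not in [f["id"] for f in fired]:
            continue
        fired.append(r)
    return fired[-1] if fired else None
```

Running `evaluate(decode(LOG)[0], "clavister-alert")` returns nothing, while `evaluate(decode(LOG)[0], "clavister")` returns rule 700006 at level 12, matching the two logtest runs in the reply.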