Hi, I would add a *prematch* tag:
<decoder name="Checkpoint-alert">
  <parent>Checkpoint</parent>
  <prematch>XXXXXXXX</prematch>
  <regex offset="after_parent">(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)</regex>
  <order>action,srcip,dstip</order>
</decoder>

<decoder name="Checkpoint-alert">
  <parent>Checkpoint</parent>
  <regex offset="after_regex">\.*resource: (\.*);\.*product: (\.*);</regex>
  <order>url,extra_data</order>
</decoder>

Each decoder must have a *prematch* tag. Try this example without *prematch* and see what happens.

<!--
Mar 3 12:15:24 LinMV TestDecoder[1963]: TypeA value1: hi; value2: bye; value3: seeyou
Mar 3 12:15:24 LinMV TestDecoder[1963]: TypeB field1: hi; value2: bye; value3: seeyou
-->

<decoder name="TestDecoder">
  <program_name>TestDecoder</program_name>
</decoder>

<decoder name="TestDecoder-1">
  <parent>TestDecoder</parent>
  <prematch>TypeA</prematch>
  <regex offset="after_parent">value1: hi; value2: (\S+)</regex>
  <order>id</order>
</decoder>

<decoder name="TestDecoder-1">
  <parent>TestDecoder</parent>
  <regex offset="after_regex">value3: (\S+)</regex>
  <order>extra_data</order>
</decoder>

<decoder name="TestDecoder-2">
  <parent>TestDecoder</parent>
  <prematch>TypeB</prematch>
  <regex offset="after_parent">field1: hi; value2: (\S+)</regex>
  <order>id</order>
</decoder>

Also, when it is possible, try not to use the character "\.". Maybe you can do it with \S+.

Regards,
Jesus Linares.

On Thursday, March 3, 2016 at 10:05:16 AM UTC+1, Pedro S wrote:
>
> Hi Fredrik,
>
> I don't think OSSEC allows regex to work backwards, from end to beginning.
> I know that can be specified in other languages with some flags, but I am not
> sure if we can do that here.
>
> Regarding your decoder, we have two options. Include the extraction of
> the "resource" and "product" fields in the same decoder:
>
> FULL DECODER
>
> <decoder name="Checkpoint-alert">
>   <parent>Checkpoint</parent>
>   <regex offset="after_parent">(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)\.*resource: (\.*);\.*product: (\.*);</regex>
>   <order>action,srcip,dstip,url,extra_data</order>
> </decoder>
>
> Or, in a better way, separate the extraction into two different decoders, so
> we can be sure that in case the "resource" and "product" fields do not
> exist, our decoder will still parse and work.
>
> SPLIT DECODERS:
>
> <decoder name="Checkpoint-alert">
>   <parent>Checkpoint</parent>
>   <regex offset="after_parent">(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)</regex>
>   <order>action,srcip,dstip</order>
> </decoder>
>
> <decoder name="Checkpoint-alert">
>   <parent>Checkpoint</parent>
>   <regex offset="after_regex">\.*resource: (\.*);\.*product: (\.*);</regex>
>   <order>url,extra_data</order>
> </decoder>
>
> LOGTEST OUTPUT
>
> **Phase 1: Completed pre-decoding.
> full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
> hostname: '127.0.0.1'
> program_name: '(null)'
> log: 'Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
>
> **Phase 2: Completed decoding.
> decoder: 'Checkpoint'
> action: 'allow'
> srcip: '192.168.1.15'
> dstip: '89.208.212.2'
> url: 'http://www.aliveproxy.com/'
> extra_data: 'Application Control'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '4100'
> Level: '0'
> Description: 'Firewall rules grouped.'
>
> In both decoders, I am using wildcards (\.*) and always expecting
> "resource" before "product"; either way, it won't work.
>
> You asked about using another "regex" line in the same decoder; it will
> work too, like this:
>
> <decoder name="Checkpoint-alert">
>   <parent>Checkpoint</parent>
>   <regex offset="after_parent">(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)</regex>
>   <regex>\.*resource: (\.*);\.*product: (\.*);</regex>
>   <order>action,srcip,dstip, url, extra_data</order>
> </decoder>
>
> Best regards,
>
> Pedro S.
>
> On Wednesday, March 2, 2016 at 11:03:08 AM UTC+1, Fredrik wrote:
>>
>> Hi All,
>>
>> Came across this where I think I would be helped by extracting fields
>> both in forward (from beginning) and in reverse (from end) order of
>> messages!? Is this possible? If so, is it stupid given that there are other
>> (better) ways to accomplish the same thing :/ ?
>>
>> In addition to the fields my current decoder extracts, I was hoping to
>> extract the resource (http://www.aliveproxy.com/) and also the product
>> (Application Control;). My idea was to add a secondary statement, before the <order>
>> statement, something along the lines of:
>> <regex>$/p\w+\s [...] and work my way backward so that I can extract
>> Application Control and resource. How would you suggest I do this?!
>>
>> Thanks again for all the great help - hope my threads (and questions) can
>> be useful for other newstarters out there trying to get their feet off the
>> ground ;)
>>
>> Best regards,
>> Fredrik
>>
>> LOG-MESSAGE
>>
>> Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;
>>
>> MY CURRENT DECODER
>>
>> <decoder name="Checkpoint">
>>   <prematch>^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d</prematch>
>>   <type>firewall</type>
>> </decoder>
>>
>> <decoder name="Checkpoint-alert">
>>   <parent>Checkpoint</parent>
>>   <regex offset="after_parent">(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)</regex>
>>   <order>action,srcip,dstip</order>
>> </decoder>
>>
>> LOGTEST OUTPUT
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15 dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15; product: Application Control; service: http; s_port: 58579; product_family: Network;'
>> hostname: '127.0.0.1'
>> program_name: '(null)'
>> log: 'Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15; product: Application Control; service: http; s_port: 58579; product_family: Network;'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'Checkpoint'
>> action: 'allow'
>> srcip: '192.168.1.15'
>> dstip: '89.208.212.2'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '4100'
>> Level: '0'
>> Description: 'Firewall rules grouped.'

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
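As an added example (not from this thread and not OSSEC's own code), the Python script below emulates the staged decoding the replies above rely on: a parent prematch, a child regex with offset="after_parent", and a sibling with offset="after_regex", run over the Check Point event and the two TestDecoder lines quoted in the thread. The OSSEC-to-Python escape table, the `TestDecoder\p\d+\p: ` stand-in for `<program_name>`, and the choice to treat `\.*` as a non-greedy match are assumptions of this emulation rather than OSSEC's engine; the non-greedy choice reproduces the url and extra_data captures in Pedro's logtest output. The constructed `SIBLING_NONSPACE` and `SIBLING_TOO_STRICT` variants show where `\S+` can replace `\.*` (the URL has no spaces) and where it cannot ("Application Control" contains one), and the TestDecoder run shows that `\S+` keeps the trailing `;` of `bye;`.

```python
import re

# Assumed OSSEC escape -> Python `re` fragment (OSSEC's documented classes).
OSSEC_ESCAPES = {
    r"\w": r"[A-Za-z0-9@_\-]",   # letters, digits, '@', '_', '-'
    r"\d": r"[0-9]",
    r"\s": r" ",
    r"\S": r"[^ ]",
    r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",   # punctuation
    r"\.": r".",                 # any character
}


def ossec_to_python(pattern):
    r"""Translate an OSSEC regex (the escapes above plus ( ) * + ^ $) to Python.

    A bare '.' stays a literal dot, as in OSSEC. A '*' or '+' after '\.' is
    made non-greedy, so the match stops at the first point where the rest of
    the pattern fits (an emulation choice that matches the thread's output).
    """
    out, i = [], 0
    while i < len(pattern):
        esc = pattern[i:i + 2]
        if esc in OSSEC_ESCAPES:
            frag, i = OSSEC_ESCAPES[esc], i + 2
            if i < len(pattern) and pattern[i] in "*+":
                frag += pattern[i] + ("?" if esc == r"\." else "")
                i += 1
        elif pattern[i] in "()*+^$":
            frag, i = pattern[i], i + 1
        else:
            frag, i = re.escape(pattern[i]), i + 1   # everything else is literal
        out.append(frag)
    return "".join(out)


def decode(log, parent_prematch, branches):
    """Parent prematch, then the first branch whose child prematch matches.

    A branch is a list of (prematch, regex, order): the first entry is the child
    with offset="after_parent", later ones are siblings with offset="after_regex",
    so each regex is searched only in the text after the previous match. If a
    sibling fails, the chain stops but the fields decoded so far are kept.
    """
    m = re.search(ossec_to_python(parent_prematch), log)
    if not m:
        return {}
    start = m.end()
    for branch in branches:
        prematch = branch[0][0]
        if prematch is not None and not re.search(ossec_to_python(prematch), log[start:]):
            continue
        fields, pos = {}, start
        for _, regex, order in branch:
            m = re.search(ossec_to_python(regex), log[pos:])
            if not m:
                break
            fields.update(zip(order, m.groups()))
            pos += m.end()
        return fields
    return {}


# The Check Point event from the thread, as logtest shows it after the syslog header.
CHECKPOINT_LOG = (
    "Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; "
    "proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; "
    "matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; "
    "app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; "
    "app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 "
    "product: Application Control; service: http; s_port: 58579; product_family: Network;"
)
CHECKPOINT_PREMATCH = r"^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d"   # Fredrik's parent decoder
CHECKPOINT_FIELDS = (None, r"(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)",
                     ["action", "srcip", "dstip"])
# Pedro's sibling with \.* wildcards, a constructed variant using \S+ for the URL as
# Jesus suggests, and a too-strict variant: \S+ stops at the space in "Application Control".
SIBLING_WILDCARD = (None, r"\.*resource: (\.*);\.*product: (\.*);", ["url", "extra_data"])
SIBLING_NONSPACE = (None, r"resource: (\S+); \.*product: (\.*);", ["url", "extra_data"])
SIBLING_TOO_STRICT = (None, r"resource: (\S+); \.*product: (\S+);", ["url", "extra_data"])


def decode_checkpoint(sibling):
    return decode(CHECKPOINT_LOG, CHECKPOINT_PREMATCH, [[CHECKPOINT_FIELDS, sibling]])


# Jesus's TestDecoder lines: the child prematch selects the TypeA or the TypeB branch.
TEST_LOG_A = "Mar 3 12:15:24 LinMV TestDecoder[1963]: TypeA value1: hi; value2: bye; value3: seeyou"
TEST_LOG_B = "Mar 3 12:15:24 LinMV TestDecoder[1963]: TypeB field1: hi; value2: bye; value3: seeyou"
TEST_PREMATCH = r"TestDecoder\p\d+\p: "   # assumed stand-in for <program_name>TestDecoder</program_name>
TEST_BRANCHES = [
    [("TypeA", r"value1: hi; value2: (\S+)", ["id"]), (None, r"value3: (\S+)", ["extra_data"])],
    [("TypeB", r"field1: hi; value2: (\S+)", ["id"])],
]


def decode_test(log):
    return decode(log, TEST_PREMATCH, TEST_BRANCHES)


if __name__ == "__main__":
    for name, sib in (("wildcard", SIBLING_WILDCARD), ("nonspace", SIBLING_NONSPACE),
                      ("too strict", SIBLING_TOO_STRICT)):
        print(name, decode_checkpoint(sib))
    print("TypeA", decode_test(TEST_LOG_A))   # \S+ keeps the trailing ';' of 'bye;'
    print("TypeB", decode_test(TEST_LOG_B))
```

Running it prints the three Check Point results and the two TestDecoder results; the "too strict" run keeps action, srcip and dstip and drops url and extra_data, which is the behaviour Pedro's split layout is designed to preserve when the trailing fields are absent or malformed.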