On Monday, May 23, 2016 at 2:22:33 AM UTC-6, Jesus Linares wrote:
>
> Hi Dave,
>
> I found the problem. The last decoder 
> in kernel-iptables_apparmor_decoders.xml doesn't have a prematch tag. I 
> fixed it here
> <https://github.com/wazuh/ossec-rules/commit/48db55be1917596f9de69a0d7e5efabe8d1dadd0>,
> just add that line. Usually, every decoder should have a prematch because 
> when OSSEC matches a decoder just with regex it doesn't continue looking 
> for the next decoder.
>
> Now, you can place your decoder in local_decoders and it will work. I 
> recommend you use prematch in your decoder too.
>
> <decoder name="local_iptables">
>     <parent>iptables</parent>
>     <prematch>^[\s*\d+.\d+] ipt:</prematch>
>     <regex offset="after_prematch">(\S+): in=\.+ src=(\S+) dst=(\S+) </regex>
>     <order>action,srcip,srcdst</order>
> </decoder>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'May 21 07:06:25 agora kernel: [  303.966106] IPT: 
> GEOIP VIETNAM DROP: IN=eth0 OUT= 
> MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 
> DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP 
> SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'
>        hostname: 'agora'
>        program_name: 'kernel'
>        log: '[  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= 
> MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 
> DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP 
> SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'
>
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>        action: 'DROP'
>        srcip: '116.110.88.148'
>        srcdst: '192.168.0.3'
>
>
>
Thank you but it still doesn't work.  First there is the issue that 
'srcdst' produces an error, but even if I fix that to read 'dstip', it stops 
at the same point that it did without the prematch. 

Unfortunately I thought it might be an issue that was fixed in an update so 
I updated my git copy and installed it.  Now I get a whole different set of 
errors.

Starting with decoder.xml not being copied into the installation directory 
and followed by ossec-logtest resulting in reports like:
2016/05/24 17:47:42 ossec-analysisd(2102): ERROR: Duplicated decoder with 
prematch: 'pam-ruser'.

And if I fix that one (because one of the duplicates should really be named 
pam-rhost rather than pam-ruser) it goes on to complain about other 
duplicates.

So something changed in the update and it didn't update all the files.  

I'm looking into it and hopefully will soon get to a point I can test your 
idea.

Thanks again,

Dave
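The prematch / after_prematch flow Jesus describes above, modelled as added example code written for this thread (it is not OSSEC's own os_regex engine). It translates only the subset of OSSEC regex syntax that the decoder above uses (\S, \s, \d, \. for "any character", with a bare '.' and the square brackets as literals, matched case-insensitively) into a Python pattern, requires the prematch to hit, runs the regex on the text after it, and maps the groups onto the <order> names. The sample event is the 'log' line from the logtest output above, and the third field is named 'dstip' as in Dave's reply.

```python
import re
from typing import Optional

# Constructed sample: the 'log' field from the ossec-logtest output above,
# i.e. the event after pre-decoding has removed the syslog header.
SAMPLE_LOG = ("[  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= "
              "MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 "
              "DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF "
              "PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0")

# Subset of OSSEC regex escapes used by the decoder in this thread:
# \S non-space, \s space, \d digit, \. any character.  A bare '.' and the
# square brackets are literals in OSSEC syntax, unlike in Python.
_OSSEC_ESCAPES = {"S": r"\S", "s": r"\s", "d": r"\d", ".": "."}


def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC regex subset above into a Python regex string."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif ch in "()+*^$|":          # grouping and repetition keep their meaning
            out.append(ch)
            i += 1
        else:                          # anything else, including '.', '[' and ']', is literal
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def decode(log: str, prematch: str, regex: str, order: list) -> Optional[dict]:
    """Model of one decoder: the prematch must hit first; the regex is then run
    only on the text after the prematch (offset="after_prematch") and its groups
    are assigned to the <order> field names in sequence."""
    pm = re.search(ossec_to_python(prematch), log, re.IGNORECASE)
    if pm is None:
        return None                    # decoder does not apply to this event
    m = re.search(ossec_to_python(regex), log[pm.end():], re.IGNORECASE)
    if m is None:
        return {}                      # prematch hit, but no fields extracted
    return dict(zip(order, m.groups()))


# The decoder from the thread, with the third field renamed to 'dstip'
# as in Dave's reply ('srcdst' is reported to produce an error).
FIELDS = decode(SAMPLE_LOG,
                prematch=r"^[\s*\d+.\d+] ipt:",
                regex=r"(\S+): in=\.+ src=(\S+) dst=(\S+) ",
                order=["action", "srcip", "dstip"])
```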