Hello, I still have some problems with my custom rules. How do I generate 3 different alerts depending on the messages?

Here are my steps:

1) Add log file to monitor

   * Edit the file etc/ossec.conf and add the following lines:

       <localfile>
         <log_format>syslog</log_format>
         <location>/var/log/firewall.log</location>
       </localfile>

2) Create a decoder

   * Add in file etc/local_decoder.xml the following lines:

       <decoder name="netasq">
         <prematch>^id=</prematch>
       </decoder>

       <decoder name="netasq-auth">
         <parent>netasq</parent>
         <prematch>logtype="auth"</prematch>
         <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"</regex>
         <order>id, extra_data, user, srcip</order>
       </decoder>

       <decoder name="netasq-filter">
         <parent>netasq</parent>
         <prematch>logtype="filter"</prematch>
         <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ logtype="(\S+)"</regex>
         <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport</order>
       </decoder>

       <decoder name="netasq-alarm">
         <parent>netasq</parent>
         <prematch>logtype="alarm"</prematch>
         <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ msg="(\.+)" \.+ logtype="alarm"</regex>
         <order>id, extra_data, extra_data, action</order>
       </decoder>

3) Write custom rules

   * Edit the file etc/ossec.conf and add in <ossec_config/rules> the line:

       <include>netasq.xml</include>

   * Create file rules/netasq.xml:

       <group name="local,syslog,">
         <rule id="3000001" level="0">
           <decoded_as>netasq-auth</decoded_as>
           <description>Authentication failure on firewall</description>
         </rule>
         <rule id="3000002" level="0">
           <decoded_as>netasq-filter</decoded_as>
           <description>Firewall has filtered some data</description>
         </rule>
         <rule id="3000003" level="0">
           <decoded_as>netasq-alarm</decoded_as>
           <description>Firewall has generated an alarm</description>
         </rule>
       </group>

For each sample I'd like to receive one of the 3 alerts:

   Dec 2 15:42:29 192.168.200.1 id=firewall time="2016-12-02 15:42:28" fw="test-fw" tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=10.0.0.1 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015

   Dec 2 14:37:42 192.168.200.1 id=firewall time="2016-12-02 14:37:41" fw="test-fw" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="eth2" ipproto=tcp proto=ssh src=10.0.0.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=admin dst=192.168.1.1 dstport=22 dstportname=ssh dstname=fw action=pass logtype="filter"#015

   Jan 9 14:54:32 192.168.200.1 id=firewall time="2017-01-09 14:53:49" fw="test-fw" tz=+0000 startime="2017-01-09 14:53:48" pri=4 confid=01 slotlevel=2 ruleid=13 srcif="Ethernet2" srcifname="eth2" ipproto=icmp icmptype=8 icmpcode=0 proto=icmp src=10.0.0.2 dst=192.168.1.1 dstname=fw action=block msg="Filter alarm" class=filter classification=0 logtype="alarm"#015

Thanks in advance for your help.
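To see what the posted decoders and rules actually do with the three sample lines, here is an added Python model of OSSEC's decoder and rule phases. It is example code written for this page, not OSSEC's own code, and it makes a few stated assumptions: the OSSEC regex dialect is translated to Python `re` with only the escapes the posted decoders use, OSSEC's `+`/`*` are modelled as lazy (they stop as soon as the rest of the pattern can match), the syslog timestamp and host are stripped the way the syslog pre-decoder does before the decoders run, names in `<order>` bind to capture groups positionally with a later name overwriting an earlier one and surplus groups or names dropped, and an alert is written only when the rule level reaches `<log_alert_level>` (OSSEC's default is 1, so level 0 rules are ignored). The real authority is `/var/ossec/bin/ossec-logtest`; use this model to reason about why it prints what it prints.

```python
"""Added example: model OSSEC's decoder and rule phases on the posted NETASQ samples.
Not OSSEC code; assumptions are marked in the comments.  Verify with ossec-logtest."""
import re

# OSSEC regex dialect -> Python `re`.  Assumption: only the escapes used by the
# posted decoders are mapped; OSSEC's '+' and '*' are treated as lazy, so '\.+'
# becomes '.+?'.  OSSEC's \w also covers '-', '@' and '_'.
_OSSEC_ESCAPES = {
    r"\.": ".",                    # any character
    r"\w": r"[A-Za-z0-9_@\-]",
    r"\S": r"\S",
    r"\s": r"\s",
    r"\d": r"\d",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> string into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in _OSSEC_ESCAPES:
            out.append(_OSSEC_ESCAPES[two])
            i += 2
        elif pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))   # any other escape is a literal
            i += 2
        elif pattern[i] in "+*":
            out.append(pattern[i] + "?")            # lazy quantifier (assumption)
            i += 1
        elif pattern[i] in "()^$|":
            out.append(pattern[i])
            i += 1
        else:
            # '.' is a literal in the OSSEC dialect; escape Python metacharacters.
            out.append(re.escape(pattern[i]) if pattern[i] in ".[]{}?" else pattern[i])
            i += 1
    return "".join(out)


# The decoders exactly as posted.
DECODERS = [
    {"name": "netasq", "parent": None, "prematch": r"^id=", "regex": None, "order": []},
    {"name": "netasq-auth", "parent": "netasq", "prematch": r'logtype="auth"',
     "regex": r'^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"',
     "order": ["id", "extra_data", "user", "srcip"]},
    {"name": "netasq-filter", "parent": "netasq", "prematch": r'logtype="filter"',
     "regex": r'^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) '
              r'src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ logtype="(\S+)"',
     "order": ["id", "extra_data", "extra_data", "protocol", "protocol",
               "srcip", "srcport", "dstip", "dstport"]},
    {"name": "netasq-alarm", "parent": "netasq", "prematch": r'logtype="alarm"',
     "regex": r'^id=(\S+) time=\.+ fw="(\w+)" \.+ msg="(\.+)" \.+ logtype="alarm"',
     "order": ["id", "extra_data", "extra_data", "action"]},
]

# The rules exactly as posted (all level 0).
RULES = [
    {"id": 3000001, "level": 0, "decoded_as": "netasq-auth"},
    {"id": 3000002, "level": 0, "decoded_as": "netasq-filter"},
    {"id": 3000003, "level": 0, "decoded_as": "netasq-alarm"},
]
LOG_ALERT_LEVEL = 1   # OSSEC default <alerts><log_alert_level>; level-0 rules never alert


def strip_syslog_header(line):
    """Simplified stand-in for the syslog pre-decoder: drop timestamp and host,
    plus the '#015' carriage-return escape rsyslog appended to the samples."""
    line = re.sub(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ", "", line)
    return re.sub(r"#015$", "", line)


def decode(log):
    """Return (decoder name, fields): parent prematch, then the first child whose
    prematch and regex both match.  zip() models positional <order> binding with
    surplus groups or names dropped; dict assignment models 'last name wins'."""
    for parent in (d for d in DECODERS if d["parent"] is None):
        if not re.search(ossec_to_python(parent["prematch"]), log):
            continue
        for child in (d for d in DECODERS if d["parent"] == parent["name"]):
            if not re.search(ossec_to_python(child["prematch"]), log):
                continue
            m = re.search(ossec_to_python(child["regex"]), log)
            if m is None:
                continue
            fields = {}
            for name, value in zip(child["order"], m.groups()):
                fields[name] = value
            return child["name"], fields
        return parent["name"], {}
    return None, {}


def evaluate(line, rules=RULES):
    """Decode one raw syslog line, pick the first rule whose <decoded_as> matches,
    and report whether OSSEC would write it to alerts.log."""
    decoder, fields = decode(strip_syslog_header(line))
    for rule in rules:
        if rule["decoded_as"] == decoder:
            return {"decoder": decoder, "fields": fields, "rule": rule["id"],
                    "level": rule["level"], "alert": rule["level"] >= LOG_ALERT_LEVEL}
    return {"decoder": decoder, "fields": fields, "rule": None, "level": None, "alert": False}


def with_level(level, rules=RULES):
    """The same rules with every level replaced (e.g. 3, an assumed value)."""
    return [dict(r, level=level) for r in rules]


# Constructed from the three sample lines in the post.
SAMPLES = [
    'Dec 2 15:42:29 192.168.200.1 id=firewall time="2016-12-02 15:42:28" fw="test-fw" tz=+0000 '
    'startime="2016-12-02 15:42:28" user="admin" src=10.0.0.1 ruleid=0 method="PLAIN" error=4 '
    'msg="Authentication request invalid" logtype="auth"#015',
    'Dec 2 14:37:42 192.168.200.1 id=firewall time="2016-12-02 14:37:41" fw="test-fw" tz=+0000 '
    'startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" '
    'srcifname="eth2" ipproto=tcp proto=ssh src=10.0.0.2 srcport=33659 srcportname=ephemeral_fw_tcp '
    'srcname=admin dst=192.168.1.1 dstport=22 dstportname=ssh dstname=fw action=pass logtype="filter"#015',
    'Jan 9 14:54:32 192.168.200.1 id=firewall time="2017-01-09 14:53:49" fw="test-fw" tz=+0000 '
    'startime="2017-01-09 14:53:48" pri=4 confid=01 slotlevel=2 ruleid=13 srcif="Ethernet2" '
    'srcifname="eth2" ipproto=icmp icmptype=8 icmpcode=0 proto=icmp src=10.0.0.2 dst=192.168.1.1 '
    'dstname=fw action=block msg="Filter alarm" class=filter classification=0 logtype="alarm"#015',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(evaluate(line))                        # as posted: matched, but alert=False
        print(evaluate(line, rules=with_level(3)))   # with level raised: alert=True
```

Running it shows three things worth checking against `ossec-logtest` output. All three samples reach the intended child decoder and rule, but none alerts, because a level 0 rule is "ignored" and never reaches `alerts.log`; raising the levels to 1 or more is what turns the matched decoders into three different alerts. The alarm decoder's `<order>` lists four names for three capture groups, so `msg` lands in `extra_data` and `action` is never filled. The filter decoder captures ten groups for nine names, so the trailing `logtype` group is dropped, and the repeated `extra_data` and `protocol` names keep only their second value (`eth2` and `ssh`).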