Hello,

I still have some problems with my custom rules.
How do I generate 3 different alerts depending on the message?


Here are my steps :

1) Add log file to monitor
* Edit the file etc/ossec.conf and add the following lines:
  <localfile>
    <!-- syslog format: the file is read line by line, one event per line;
         the "Dec  2 15:42:29 192.168.200.1" header is presumably stripped
         before the netasq decoders see the "id=..." part — confirm -->
    <log_format>syslog</log_format>
    <location>/var/log/firewall.log</location>
  </localfile>


2) Create a decoder
* Add in file etc/local_decoder.xml the following lines :

<decoder name="netasq">
  <!-- Parent decoder: selects every line beginning with "id=" and nothing
       more; the three child decoders below (auth, filter, alarm) refine it
       on the logtype="..." field. -->
  <prematch>^id=</prematch>
</decoder>

<decoder name="netasq-auth">
  <parent>netasq</parent>
  <!-- child of "netasq": only tried once the parent's ^id= prematch hit -->
  <prematch>logtype="auth"</prematch>
  <!-- Four capture groups: id, fw, user, src. In OSSEC regex syntax \. is
       "any character", so \.+ skips the fields in between. The regex must
       be a single line in local_decoder.xml; the break below looks like
       mail wrapping. -->
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+
logtype="auth"</regex>
  <!-- one field per capture group, in order:
       id -> id, fw -> extra_data, user -> user, src -> srcip -->
  <order>id, extra_data, user, srcip</order>
</decoder>

<decoder name="netasq-filter">
  <parent>netasq</parent>
  <!-- child of "netasq": only tried once the parent's ^id= prematch hit -->
  <prematch>logtype="filter"</prematch>
  <!-- Ten capture groups: id, fw, srcifname, ipproto, proto, src, srcport,
       dst, dstport, logtype. The regex must be a single line in
       local_decoder.xml; the breaks below look like mail wrapping. -->
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+)
proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+
logtype="(\S+)"</regex>
  <!-- NOTE(review): nine fields are listed for ten capture groups, so the
       final logtype group gets no field; extra_data and protocol each
       appear twice, and a field named twice presumably keeps only the later
       value (fw and ipproto would be lost) — confirm, then give each group
       a distinct field or drop the groups that are not needed. -->
  <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport,
dstip, dstport</order>
</decoder>

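<decoder name="netasq-alarm">
  <parent>netasq</parent>
  <!-- child of "netasq": only tried once the parent's ^id= prematch hit -->
  <prematch>logtype="alarm"</prematch>
  <!-- Three capture groups: id, fw, msg. Kept on one line, as it has to be
       in local_decoder.xml (the mail showed it wrapped). -->
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ msg="(\.+)" \.+ logtype="alarm"</regex>
  <!-- One field per capture group. The original listed four fields for
       three groups, so the trailing "action" entry presumably never
       received a value and msg overwrote fw in extra_data:
       id -> id, fw -> extra_data, msg -> data -->
  <order>id, extra_data, data</order>
</decoder>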


3) Write custom rules :
* Edit the file etc/ossec.conf and add, inside <ossec_config><rules>, the line:
<include>netasq.xml</include>

* Create file rules/netasq.xml

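<group name="local,syslog,">

  <!-- NETASQ firewall rules, one per child decoder. Level 0 means
       "ignored": a level-0 rule never produces an alert, which is why none
       of the three sample lines alerted. A rule is written to alerts.log
       once its level reaches log_alert_level (default 1) and is mailed at
       email_alert_level (default 7); the levels below are a starting
       point, tune them to the site.
       NOTE(review): OSSEC documents 100000-119999 as the range for
       user-defined rules; ids around 3000000 work today but could collide
       with a later shipped ruleset — consider moving them. -->

  <rule id="3000001" level="5">
    <decoded_as>netasq-auth</decoded_as>
    <!-- fires on every logtype="auth" message, successful logins included;
         add a <match> on the error= field if only failures should alert -->
    <description>Authentication failure on firewall</description>
  </rule>

  <rule id="3000002" level="3">
    <decoded_as>netasq-filter</decoded_as>
    <!-- one alert per filtered packet can be noisy; raise the level or use
         frequency/timeframe once the real volume is known -->
    <description>Firewall has filtered some data</description>
  </rule>

  <rule id="3000003" level="8">
    <decoded_as>netasq-alarm</decoded_as>
    <!-- firewall-generated alarms are the most actionable of the three -->
    <description>Firewall has gnerated an alarm</description>
  </rule>

</group>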


For each sample I'd like to receive one of the 3 alerts :

Dec  2 15:42:29 192.168.200.1 id=firewall time="2016-12-02 15:42:28"
fw="test-fw" tz=+0000 startime="2016-12-02 15:42:28" user="admin"
src=10.0.0.1 ruleid=0 method="PLAIN" error=4 msg="Authentication request
invalid" logtype="auth"#015

Dec  2 14:37:42 192.168.200.1 id=firewall time="2016-12-02 14:37:41"
fw="test-fw" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="eth2" ipproto=tcp
proto=ssh src=10.0.0.2 srcport=33659 srcportname=ephemeral_fw_tcp
srcname=admin dst=192.168.1.1 dstport=22 dstportname=ssh dstname=fw
action=pass logtype="filter"#015

Jan  9 14:54:32 192.168.200.1 id=firewall time="2017-01-09 14:53:49"
fw="test-fw" tz=+0000 startime="2017-01-09 14:53:48" pri=4 confid=01
slotlevel=2 ruleid=13 srcif="Ethernet2" srcifname="eth2" ipproto=icmp
icmptype=8 icmpcode=0 proto=icmp src=10.0.0.2 dst=192.168.1.1 dstname=fw
action=block msg="Filter alarm" class=filter classification=0
logtype="alarm"#015




Thanks in advance for your help.
