Nice catch! You know, it also happened to me when testing your decoders? Same thing! That is why I always recommend using ossec-logtest, it's a wonderful tool :D

I don't think you have a way to not modify decoders.xml: there is already a child decoder matching your event, using "prematch", which will prevent OSSEC from continuing to decode (it matches, it is a child, stop and exit). We have something called "twin decoders"... you can give it a try, I don't have enough time today to test it for you. You could "expand" a current decoder by using the same decoder name, but it's tricky.

So.. is everything working as expected? AR up and running?

Regards,
Pedro Sanchez.

On Tue, Mar 14, 2017 at 9:43 PM, Ralph Durkee <ralph.dur...@gmail.com> wrote:
> Pedro, thanks again for your help.
>
> I think I found the problem, but the workaround requires modification of
> the decoder.xml
>
> I moved the decoder into the decoder.xml file (I know that's not
> recommended), before the named group decoder, and made the decoder not a
> child of the named group decoder. From etc/decoder.xml
>
> . . .
>
> <decoder name="named-query-denied">
>   <program_name>^named</program_name>
>   <prematch>denied$</prematch>
>   <regex>client (\S+)#\d+\s+\((\S+)\): query </regex>
>   <order>srcip,user</order>
> </decoder>
>
> <!-- Named decoder.
>   - Will extract the srcip
>   - Examples:
>   - valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
>   - named[12637]: client 1.2.3.4#32769: query (cache) 'somedomain.com/MX/IN' denied
>   - Oct 22 10:12:33 junction named[31687]: /etc/blocked.slave:9892: syntax error near ';'
>   - Oct 22 10:12:33 junction named[31687]: reloading configuration failed: unexpected token
> -->
> <decoder name="named">
>   <program_name>^named</program_name>
> </decoder>
>
> . . .
>
> The decoding works properly as per logtest
>
> # head -1 log-sample1 | bin/ossec-logtest
> 2017/03/14 16:30:27 ossec-testrule: INFO: Reading local decoder file.
> 2017/03/14 16:30:27 ossec-testrule: INFO: Started (pid: 4093).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 14 12:58:58 net19 named[6147]: client 108.239.52.141#3181 (kzcvyjchmduzkj.tengyin66.com): query (cache) 'kzcvyjchmduzkj.tengyin66.com/A/IN' denied'
>        hostname: 'net19'
>        program_name: 'named'
>        log: 'client 108.239.52.141#3181 (kzcvyjchmduzkj.tengyin66.com): query (cache) 'kzcvyjchmduzkj.tengyin66.com/A/IN' denied'
>
> **Phase 2: Completed decoding.
>        decoder: 'named-query-denied'
>        srcip: '108.239.52.141'
>        dstuser: 'kzcvyjchmduzkj.tengyin66.com'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '12108'
>        Level: '4'
>        Description: 'Invalid Query cache denied.'
>        Info - Link: 'http://www.reedmedia.net/misc/dns/errors.html'
> **Alert to be generated.
>
> I originally had the decoder as a parent top-level decoder, otherwise the
> logtest output seemed to only mention the named decoder, rather than the
> child. I thought it was just limited output at the time. So once I was
> convinced it worked, I moved it to be a child decoder, and moved it to the
> local_named.xml file, and made its parent be the named decoder. However, I
> believe the 'named-query-denied' decoding is not working as a child of the
> named decoder. Any ideas why???
>
> The rest of the rules and alerts etc. are working fine, but I believe if
> the decoder fails to extract the dstuser from the log, then OSSEC would
> silently refuse to call the active response script, because it didn't have
> the expected user value from the log. (Might be nice to have a log on such
> a failure)
>
> Is there a way to make this work without modifying the decoder.xml file?
>
> Thanks!
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
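Added example (not part of the thread, and not OSSEC's own code): a small Python model of the first-match rule Pedro describes, run over the log line from Ralph's logtest output. It contrasts the two layouts from the thread: named-query-denied as its own top-level decoder placed before the stock "named" parent (Ralph's workaround), versus the same decoder as a child of "named" loaded after an existing sibling child whose prematch already matches the event. The existing sibling ("named-client-hypothetical") is a constructed stand-in, since the thread does not quote the stock child decoder; the assumed load order (the local decoder file after decoder.xml) is also an assumption. Patterns are Python re, but the thread's patterns only use \S, \d, \s, ^ and $, which mean the same in OSSEC's dialect.

```python
import re

# Constructed input: the pre-decoded "log" part of the line from Ralph's
# ossec-logtest run, with program_name 'named'.
PROGRAM_NAME = "named"
SAMPLE_LOG = ("client 108.239.52.141#3181 (kzcvyjchmduzkj.tengyin66.com): "
              "query (cache) 'kzcvyjchmduzkj.tengyin66.com/A/IN' denied")


class Decoder:
    """Stripped-down stand-in for one <decoder> element (program_name,
    prematch, regex and order only)."""

    def __init__(self, name, program_name=None, prematch=None,
                 regex=None, order=()):
        self.name = name
        self.program_name = program_name
        self.prematch = prematch
        self.regex = regex
        self.order = tuple(order)
        self.children = []

    def add_child(self, child):
        self.children.append(child)
        return self


def decode(top_level, program_name, log):
    """Model of the rule in Pedro's reply: the first matching top-level
    decoder wins, and inside it the first child whose <prematch> matches is
    selected ("it matches, it is a child, stop and exit"); later siblings are
    never tried, even if the chosen child's <regex> extracts nothing.
    Returns (decoder name, extracted fields)."""
    for parent in top_level:
        if parent.program_name and not re.search(parent.program_name, program_name):
            continue
        if parent.prematch and not re.search(parent.prematch, log):
            continue
        chosen = parent
        for child in parent.children:
            if child.prematch is None or re.search(child.prematch, log):
                chosen = child
                break
        fields = {}
        if chosen.regex:
            m = re.search(chosen.regex, log)
            if m:
                # <order> names the capture groups; logtest shows 'user'
                # as 'dstuser'.
                fields = dict(zip(chosen.order, m.groups()))
        return chosen.name, fields
    return None, {}


def named_query_denied(program_name=None):
    # The decoder Ralph posted; program_name is only set in the top-level layout.
    return Decoder("named-query-denied", program_name=program_name,
                   prematch=r"denied$",
                   regex=r"client (\S+)#\d+\s+\((\S+)\): query ",
                   order=("srcip", "user"))


def existing_child():
    # HYPOTHETICAL stand-in for the stock child that Pedro says already
    # matches the event; the real one is not quoted in the thread.
    return Decoder("named-client-hypothetical",
                   prematch=r"^client ",
                   regex=r"^client (\S+)#\d+",
                   order=("srcip",))


def layout_top_level():
    """Ralph's workaround: named-query-denied as its own top-level decoder,
    listed before the stock 'named' parent in decoder.xml."""
    named = Decoder("named", program_name=r"^named").add_child(existing_child())
    return [named_query_denied(program_name=r"^named"), named]


def layout_as_child():
    """What Ralph tried first: the same decoder as a child of 'named', loaded
    (assumed) after the existing sibling because the local file loads last."""
    named = Decoder("named", program_name=r"^named")
    named.add_child(existing_child()).add_child(named_query_denied())
    return [named]


if __name__ == "__main__":
    for label, layout in (("top-level", layout_top_level()),
                          ("as child", layout_as_child())):
        name, fields = decode(layout, PROGRAM_NAME, SAMPLE_LOG)
        print(f"{label:9s} -> decoder={name} fields={fields}")
```

In the child layout the event never reaches named-query-denied, so no user field is extracted; that is the condition Ralph suspects makes the active response not fire. Placing the decoder at top level, ahead of "named", is the only ordering in this model where both srcip and user come out.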