On Fri, Aug 4, 2017 at 2:57 AM, Fredrik Hilmersson <fredrik.hilmers...@gmail.com> wrote:
> Hello,
>
> I would like some help and pointers to create a decoder. So I ran the line
> from the access log (see below). What I would like to accomplish is to
> match: <match>python-requests/2.2.1</match> However, as you can see, at the
> moment the default decoder for rule 31101 only stores the srcip, url
> and id fields. Some help to get me started would be much appreciated.
>
> log-test: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic"'
>
> **Phase 2: Completed decoding.
>        decoder: 'web-accesslog'
>        srcip: ''
>        url: '/'
>        id: '404'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '31101'
>        Level: '5'
>        Description: 'Web server 400 error code.'
> **Alert to be generated.
There's probably a cleaner way to do this, but I'm short on time. The original logtest gives me:

**Phase 1: Completed pre-decoding.
       full event: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic'
       hostname: 'ossec-syscheckdb'
       program_name: '(null)'
       log: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: 'srcpip'
       url: '/'
       id: '404'

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.

Adding the following decoder to local_decoder.xml:

<decoder name="web-accesslog">
  <type>web-log</type>
  <parent>web-accesslog</parent>
  <!-- Six capture groups, mapped in order below. OS_Regex has no character
       classes, so [ and ] are literal and match the timestamp brackets.
       The last group captures the first token of the User-Agent string. -->
  <regex>^(\S+) \S+ (\S+) [\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) \d+ \S+ "(\S+) </regex>
  <order>srcip, srcuser, action, url, id, extra_data</order>
</decoder>

Gives me:

**Phase 1: Completed pre-decoding.
       full event: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic'
       hostname: 'ossec-syscheckdb'
       program_name: '(null)'
       log: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: 'srcpip'
       srcuser: 'admin'
       action: 'GET'
       url: '/'
       id: '404'
       extra_data: 'python-requests/2.2.1'

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.

Now I can probably add that to the original web-accesslog decoder, or write a decoder with the same name that builds on it. For the first, I'd hesitate to do so because the changes would get overwritten whenever I upgraded. For the second, I'd have to look it up to remember exactly how to do it.
> Kind regards,
> Fredrik
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
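The reply stops at the decoder; the other half of what Fredrik asked for is a rule that fires on the decoded User-Agent. The fragment below is an added example for local_rules.xml, not code from the thread or from the OSSEC project. It assumes the child decoder from the reply is installed so that extra_data holds the first User-Agent token, and it uses rule id 100100 and level 7 as arbitrary local choices. Matching on the decoded field rather than with <match> is deliberate: <match> tests the whole raw log line, so it would also fire on a request whose URL or referrer merely contains the string, whereas <extra_data> is anchored to the client token alone. The pattern is also generalised from the 2.2.1 in the question to any python-requests version.

```xml
<!-- local_rules.xml (added example, not part of the original thread).
     Depends on the local web-accesslog child decoder from the reply,
     which places the first User-Agent token in extra_data.
     Rule id 100100 and level 7 are arbitrary choices for this example. -->
<group name="local,web,accesslog,">
  <rule id="100100" level="7">
    <!-- only evaluated once the stock 4xx rule (31101) has matched -->
    <if_sid>31101</if_sid>
    <!-- OS_Regex on the decoded field; ^ anchors to the start of the token,
         so "python-requests/2.2.1", "python-requests/2.18.4", ... all match -->
    <extra_data>^python-requests/</extra_data>
    <description>Web server 400 error code from a python-requests client.</description>
  </rule>
</group>
```

To check it, feed the original access-log line to /var/ossec/bin/ossec-logtest again; Phase 3 should now report Rule id '100100' instead of '31101', and a line with a browser User-Agent should still stop at 31101.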