Re: [ossec-list] Default checkpoint decoder provided by ossec doesn't work

2012-04-30 Thread dan (ddp)
To start, your log message is missing the syslog header (timestamp and
hostname).
Then taking out the first \s+ in the prematch of the checkpoint
decoder makes this work.

In fact, changing the decoder to this made it work with one of your
examples and one of the examples in the decoder.conf:

<decoder name="checkpoint-syslog">
  <program_name>^Checkpoint</program_name>
  <prematch>^\s*\S+ \d\d:\d\d:\d\d </prematch>
</decoder>


On Mon, Apr 30, 2012 at 4:31 AM, carlopmart carlopm...@gmail.com wrote:
 Hi all,

  I am doing some tests sending checkpoint fw logs to ossec via syslog and the
 default checkpoint decoder provided by ossec 2.6 doesn't work. For example,
 using the log explained in decoder.xml:

 2012/04/30 10:26:13 ossec-testrule: INFO: Reading local decoder file.
 2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file:
 'lists/dshield_list'
 2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file:
 'lists/rbn_host_list'
 2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file:
 'lists/rbn_subnet_list'
 2012/04/30 10:26:13 ossec-testrule: INFO: Started (pid: 7884).
 ossec-testrule: Type one log per line.

 Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1 eth4 rule: 102; rule_uid:
 {----}; ICMP: Echo Request; src: 10.10.10.2;
 dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 
 FireWall-1;


 **Phase 1: Completed pre-decoding.
       full event: 'Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1 eth4
 rule: 102; rule_uid: {----}; ICMP: Echo
 Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP
 Code: 0; product: VPN-1  FireWall-1;'
       hostname: 'plzfsgsip02'
       program_name: '(null)'
       log: 'Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1 eth4 rule:
 102; rule_uid: {----}; ICMP: Echo Request;
 src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0;
 product: VPN-1  FireWall-1;'

 **Phase 2: Completed decoding.
       No decoder matched.


 Using a real sample:

 Checkpoint:  30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid:
 {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src:
 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1  FireWall-1;
 service: 443; s_port: ;


 **Phase 1: Completed pre-decoding.
       full event: 'Checkpoint:  30Apr2012 9:52:24 accept 172.23.4.3 Lan2
 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id:
 https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 
 FireWall-1; service: 443; s_port: ;'
       hostname: 'ossecsrv02'
       program_name: '(null)'
       log: 'Checkpoint:  30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54;
 rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src:
 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1  FireWall-1;
 service: 443; s_port: ;'

 **Phase 2: Completed decoding.
       No decoder matched.

 Where is the problem??

 --
 CL Martinez
 carlopmart {at} gmail {d0t} com

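A toy model of the two ossec-logtest phases discussed above, added here as an illustration (it is not OSSEC code; the RFC 3164 syslog header layout and the sample events are assumed). It shows that an event with no syslog header gets program_name '(null)', so the checkpoint decoder is never tried; that dan's \s* prematch accepts the first sample once a header is present while the shipped \s+ does not; and that the second, real sample still fails because its hour has one digit and the prematch requires \d\d.

```python
import re

# Constructed samples (not from the thread): the two Checkpoint events from
# the post, once with an RFC 3164 syslog header prepended and once without.
NO_HEADER = ("Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1 eth4 rule: 102; "
             "ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp;")
WITH_HEADER = "Apr 30 10:26:13 plzfsgsip02 " + NO_HEADER
REAL_SAMPLE = ("Apr 30 09:52:24 ossecsrv02 Checkpoint:  30Apr2012 9:52:24 accept "
               "172.23.4.3 Lan2 rule: 54; service_id: https; proto: tcp;")

# Simplified model of OSSEC phase 1 (pre-decoding): split off the syslog
# header and expose program_name. The header layout is assumed here;
# OSSEC's own parser in analysisd is not reproduced.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<log>.*)$")

def predecode(event):
    """Return (program_name, log). With no syslog header OSSEC leaves
    program_name unset, shown as '(null)' in the ossec-logtest output."""
    m = SYSLOG_HEADER.match(event)
    return (m.group("prog"), m.group("log")) if m else (None, event)

# Phase 2: the checkpoint-syslog decoder's two conditions. OSSEC's \s and \S
# are single-space / non-space classes; Python's are close enough here.
PROGRAM_NAME = re.compile(r"^Checkpoint")
PREMATCH_ORIGINAL = re.compile(r"^\s+\S+ \d\d:\d\d:\d\d ")  # as shipped, per dan
PREMATCH_FIXED = re.compile(r"^\s*\S+ \d\d:\d\d:\d\d ")     # dan's change

def decoder_matches(event, prematch=PREMATCH_FIXED):
    """True when both the program_name and prematch conditions hold."""
    prog, log = predecode(event)
    if prog is None or not PROGRAM_NAME.match(prog):
        return False  # program_name '(null)': the decoder is never tried
    return prematch.match(log) is not None

if __name__ == "__main__":
    for name, ev in (("no header", NO_HEADER), ("with header", WITH_HEADER),
                     ("real sample", REAL_SAMPLE)):
        print(f"{name:12} original={decoder_matches(ev, PREMATCH_ORIGINAL)} "
              f"fixed={decoder_matches(ev)}")
```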

Re: [ossec-list] Default checkpoint decoder provided by ossec doesn't work

2012-04-30 Thread carlopmart
Oops ... You are right, dan ... I have missed the timestamp and hostname ...
Doing some adjustments, the decoder works now ...

--
CL Martinez
carlopmart {at} gmail {d0t} com