-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G E Scott Knauss wrote:
> Is anyone else seeing this problem? I've played with the decoder
> rules a bit, I'm fairly certain I understand them, but no matter
> what I do, I always get UNKNOWN for the srcip and (null) for the
> action. Although admittedly, I don't see where the decoder gets the
> action ... Here's how I *_think_* it works ?????
>
>   <decoder name="iptables">
>       ### defines the decoder rule name
>     <type>firewall</type>
>       ### type of rule.
>     <prematch>^kernel: [\d+.\d+] \S+ IN=|^kernel: \S+ IN=eth0 OUT=</prematch>
>       ### how to determine if log line fits for this rule
>     <regex offset="after_prematch"> MAC=\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
>       ### begins marking variables. each portion in () is a variable
>     <regex>PROTO=(\w+) SPT=(\d+) DPT=(\d+) </regex>
>       ### More variables
>     <order>action,srcip,dstip,protocol,srcport,dstport</order>
>       ### the variable names in the order they show as defined by the ()
>   </decoder>
>
> (this is not the default iptables decoder entry,) However it works
> the same way. It would seem to me that the regex defines the entire
> line from the log ???? Is that correct? isolating portions with ().
> These portions are then exported in the order specified in the last
> line. Also, I'm guessing at what all of the escape sequences are
> based on the sample logs in the decoder XML. Is there a list of them
> somewhere? I couldn't find any of the ones in the decoder.xml in
> any of the normal places I look for regex help ... (man regex, man
> grep)
>
> Thanks,
>

Unfortunately, I haven't had the chance to wrap my brain around how the
decoder works, but looking at the rules and the decoders, I'm guessing
that they use Perl, or extended POSIX, style regexes. So for the
metacharacters you have above, the following would be true (this is an
assumption, Daniel, et al., please feel free to correct me if I'm wrong):

  \.+   = one or more literal dots (.)
  (\S+) = one or more non-space character (grouped/captured)
  \w+   = one or more "word" character (letters or numbers - equivalent
          to shell character class [a-zA-Z0-9])
  \d+   = one or more digit character (equivalent to shell character
          class [0-9])

Looking at the default rulesets and the default decoder.xml in my own
installation, it looks like the ossec binaries may do some extra
interpolation for certain characters, so it's possible that '\.+' may
match one or more of any type character (except newline).

This is probably perfect for a wiki entry.

>
> On Thu, 2006-08-17 at 11:18 +0200, G E Scott Knauss wrote:
>> I've read the posts on the decoder.xml, but I still can't
>> quite figure out what is going on here... As I understand it, the
>> second rule in the default firewall rules should fire if there are
>> more than 16 hits in from the same IP in 45 seconds. So if I insane
>> nmap from a machine, it should get blocked right?
>>
>> It's not ...
>>
>> I think the decoder is missing the srcip from my firewall
>> log. I'm running SuSE10.1 and the default SuSEfirewall2. Nothing
>> fancy on this box for the firewall rules. Here's a sample from the
>> syslog firewall.log:
>>
>> Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21229
>> Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=46512 PROTO=TCP SPT=56113 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0
>> Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=51 ID=11781 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21485
>> Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=55879 PROTO=TCP SPT=56109 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0
>> Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=18094 PROTO=ICMP TYPE=8 CODE=0 ID=33513 SEQ=11805
>> Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=48370 PROTO=TCP SPT=54589 DPT=80 WINDOW=2048 RES=0x00 ACK URGP=0
>> Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=39406 PROTO=ICMP TYPE=8 CODE=0 ID=33513 SEQ=12061
>> Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=15291 PROTO=TCP SPT=54590 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0
>> Aug 17 10:05:01 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=200.255.5.8 DST=1.2.3.194 LEN=446 TOS=0x00 PREC=0x00 TTL=45 ID=23451 DF PROTO=TCP SPT=80 DPT=10634 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A6B711D860028094B)
>> Aug 17 10:05:09 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=200.255.5.8 DST=1.2.3.194 LEN=446 TOS=0x00 PREC=0x00 TTL=45 ID=38538 DF PROTO=TCP SPT=80 DPT=1595 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A6B713B4F002813F7)
>>
>> However, if I look at the ossec firewall log in
>> /opt/ossec/logs/firewall/firewall.log, all of the entries look like
>> this .....
>>
>> 2006 Aug 17 10:02:19 UNKNOWN 80 1.2.3.194:10634->TCP:(null)
>> 2006 Aug 17 10:02:29 UNKNOWN 80 1.2.3.194:1595->TCP:(null)
>> 2006 Aug 17 10:03:13 UNKNOWN 80 1.2.3.194:10634->TCP:(null)
>> 2006 Aug 17 10:03:23 UNKNOWN 80 1.2.3.194:1595->TCP:(null)
>> 2006 Aug 17 10:03:39 UNKNOWN 56113 1.2.3.194:80->TCP:(null)
>> 2006 Aug 17 10:03:39 UNKNOWN 56109 1.2.3.194:80->TCP:(null)
>> 2006 Aug 17 10:03:59 UNKNOWN 54589 1.2.3.194:80->TCP:(null)
>> 2006 Aug 17 10:03:59 UNKNOWN 54590 1.2.3.194:80->TCP:(null)
>> 2006 Aug 17 10:05:03 UNKNOWN 80 1.2.3.194:10634->TCP:(null)
>> 2006 Aug 17 10:05:11 UNKNOWN 80 1.2.3.194:1595->TCP:(null)
>>
>> I'm guessing this may have something to do with the options
>> SuSE gives to all of the log statements? (LOG flags 6 level 4
>> prefix someprefix)
>>
>> Thanks,
>>
>> G E Scott Knauss [EMAIL PROTECTED]
>> or [EMAIL PROTECTED]
>> ECRNOC Naples, IT [EMAIL PROTECTED]
>> Lead Network Engineer
>> DSN: 314-626-4854
>> Comm: 39-333-224-9323
>> Cell: 39-333-224-9323
>>
> G E Scott Knauss [EMAIL PROTECTED]
> or [EMAIL PROTECTED]
> ECRNOC Naples, IT [EMAIL PROTECTED]
> Lead Network Engineer
> DSN: 314-626-4854
> Comm: 39-333-224-9323
> Cell: 39-333-224-9323
>

- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE6KZyTPA54hjTSp4RAlWPAJ4uRxlc/K7Udu7xEpPo/KNGnVMyMQCeKNtW
SC6kNb6oIzNpVUxMLSb4h4Y=
=VYPA
-----END PGP SIGNATURE-----
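The decoder model the thread is reasoning about (a prematch selects the line, the regex capture groups are then filled into the `<order>` names by position) as an added Python example; this is not OSSEC's own code and not something either poster wrote. It assumes the metacharacter meanings gentux lists above plus the reading that `\.` matches any character, and treats a bare `.` and the `[` `]` brackets as literals. `ossec_to_python`, `SYSLOG_HEADER`, the `Decoder` class and the `FIVE_FIELDS` / `BRACKET_ONLY` variants are this example's own constructs; the two log lines are taken from Scott's firewall.log excerpt above.

```python
"""Toy model of an OSSEC-style decoder: prematch -> regex groups -> <order>.

Added example, not OSSEC's own code.  Assumed pattern semantics (following
the reply in the thread): \\S non-space, \\w word character, \\d digit, and
'\\.' any character; a bare '.' and the '[' ']' brackets are literals.
The syslog header ("Aug 17 10:03:37 myhostname ") is stripped first so the
patterns can anchor on "^kernel:" exactly as the posted decoder does.
"""
import re

# Constructed: "Mon DD HH:MM:SS host " as it appears on the syslog lines above.
SYSLOG_HEADER = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ')


def ossec_to_python(pattern):
    """Translate an OSSEC-style pattern to a Python regex (assumed semantics)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == '.':
                out.append('.')              # '\.'  -> any character
            elif nxt in 'SsWwDd':
                out.append('\\' + nxt)       # \S \w \d (and negations) as in Perl
            else:
                out.append(re.escape(nxt))   # any other escape -> that literal
            i += 2
        else:
            # Keep grouping, alternation, anchors and repetition operators;
            # everything else (including '.', '[' and ']') is a literal.
            out.append(c if c in '()|^$+*' else re.escape(c))
            i += 1
    return ''.join(out)


class Decoder:
    """prematch selects the line; regex groups fill <order> names by position."""

    def __init__(self, prematch, regexes, order):
        self.prematch = re.compile(ossec_to_python(prematch))
        self.regexes = [re.compile(ossec_to_python(r)) for r in regexes]
        self.order = list(order)

    def decode(self, line):
        """Return {field: value-or-None}, or None if the prematch never fires."""
        msg = SYSLOG_HEADER.sub('', line, count=1)
        pm = self.prematch.search(msg)
        if pm is None:
            return None
        rest = msg[pm.end():]                # offset="after_prematch"
        captured = []
        for rx in self.regexes:
            m = rx.search(rest)
            if m is None:
                break                        # remaining names stay empty
            captured.extend(m.groups())
        # Positional mapping: N-th capture group -> N-th name in <order>.
        captured += [None] * (len(self.order) - len(captured))
        return dict(zip(self.order, captured))


PREMATCH = r'^kernel: [\d+.\d+] \S+ IN=|^kernel: \S+ IN=eth0 OUT='
REGEXES = [r'MAC=\.+ SRC=(\S+) DST=(\S+) \.+',
           r'PROTO=(\w+) SPT=(\d+) DPT=(\d+)']

# <order> exactly as posted: six names for five capture groups.
AS_POSTED = Decoder(PREMATCH, REGEXES,
                    ['action', 'srcip', 'dstip', 'protocol', 'srcport', 'dstport'])
# Same patterns; <order> lists only the five fields the groups actually capture.
FIVE_FIELDS = Decoder(PREMATCH, REGEXES,
                      ['srcip', 'dstip', 'protocol', 'srcport', 'dstport'])
# Constructed variant keeping only the "[\d+.\d+]" alternative: SuSE's
# "SFW2-INext-DROP-DEFLT" prefix never satisfies it, so nothing is decoded.
BRACKET_ONLY = Decoder(r'^kernel: [\d+.\d+] \S+ IN=', REGEXES,
                       ['srcip', 'dstip', 'protocol', 'srcport', 'dstport'])

# Two lines from the firewall.log excerpt in the thread (TCP and ICMP).
TCP_LINE = ('Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= '
            'MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 '
            'LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=46512 PROTO=TCP SPT=56113 DPT=80 '
            'WINDOW=3072 RES=0x00 ACK URGP=0')
ICMP_LINE = ('Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= '
             'MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 '
             'LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 '
             'ID=10466 SEQ=21229')

if __name__ == '__main__':
    for name, dec in [('as posted', AS_POSTED), ('five fields', FIVE_FIELDS),
                      ('bracket only', BRACKET_ONLY)]:
        print(name, 'TCP :', dec.decode(TCP_LINE))
        print(name, 'ICMP:', dec.decode(ICMP_LINE))
```

Under this positional model the posted six-name `<order>` receives only five groups, so the simulator files the SRC address under `action` and the DST address under `srcip`, and on the ICMP lines (no SPT/DPT) the second regex never fires, leaving the port fields empty; with a five-name `<order>` the same patterns yield srcip, dstip, protocol and both ports. Whether the real OSSEC engine maps this decoder the same way is something to confirm on the running install, which the thread itself leaves open.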
