-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G E Scott Knauss wrote:
> Thanks,
> First off, that is a way COOL perl command in your signature. Still trying to wrap my head around that. (and I thought I knew perl).

LOL Thanks. Supposed to help keep the spammers away, but not sure if it really works. ;-) Think ROT13 "encryption", it's basically the same.

> Actually found this today while I was poking around in the code to try and understand it better....
> And yes, this should definitely be in the wiki, because it applies to all rules not just the decoder. Suppose I could figure out how to add it... Maybe tomorrow when I can view the wiki on a connection other than my cell phone ..... (no home phone yet.... )

It now is in the Wiki:
http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme#Regular_Expression_Syntax_for_Rules_and_Decoders
(watch out for wrapping)

> from 'src/os_regex/README

Imagine that....READMEs. ;-) Should have thought to look there.

> The following expressions are supported:
> \w -> A-Z, a-z, 0-9 characters
> \d -> 0-9 characters
> \s -> For spaces " "
> \p -> ()*+,-.:;<=>?[] (punctuation characters)
> \W -> For anything not \w
> \D -> For anything not \d
> \S -> For anything not \s
> \. -> For anything
>
> Each regular expression can be followed by:
>
> + -> To match one or more times (eg \w+ or \d+)
> * -> To match zero or more times (eg \w* or \p*)
>
> We also support the "^" to match at the beginning of the text, "$" to match at the end of the text and "|" to have multiple expressions.
>
> On Sun, 2006-08-20 at 11:14 -0700, gentuxx wrote:
> G E Scott Knauss wrote:
> > Is anyone else seeing this problem ? I've played with the decoder rules a bit, I'm fairly certain I understand them, but no matter what I do, I always get UNKNOWN for the srcip and (null) for the action. Although admittedly, I don't see where the decoder gets the action ... Here's how I *_think_* it works ?????
> >
> > <decoder name="iptables">
> > ### defines the decoder rule name
> > <type>firewall</type>
> > ### type of rule.
> > <prematch>^kernel: [\d+.\d+] \S+ IN=|^kernel: \S+ IN=eth0 OUT=</prematch>
> > ### how to determine if log line fits for this rule
> > <regex offset="after_prematch"> MAC=\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
> > ### begins marking variables. each portion in () is a variable
> > <regex>PROTO=(\w+) SPT=(\d+) DPT=(\d+) </regex>
> > ### More variables
> > <order>action,srcip,dstip,protocol,srcport,dstport</order>
> > ### the variable names in the order they show as defined by the ()
> > </decoder>
> >
> > (this is not the default iptables decoder entry,) However it works the same way. It would seem to me that the regex defines the entire line from the log ???? Is that correct ? isolating portions with (). These portions are then exported in the order specified in the last line. Also, I'm guessing at what all of the escape sequences are based on the sample logs in the decoder XML. Is there a list of them somewhere ? I couldn't find any of the ones in the decoder.xml in any of the normal places I look for regex help ... (man regex, man grep)
> >
> > Thanks,
>
> Unfortunately, I haven't had the chance to wrap my brain around how the decoder works, but looking at the rules and the decoders, I'm guessing that they use Perl, or extended POSIX, style regexes. So for the metacharacters you have above, the following would be true (this is an assumption, Daniel, et al., please feel free to correct me if I'm wrong):
>
> \.+ = one or more literal dots (.)
> (\S+) = one or more non-space character (grouped/captured)
> \w+ = one or more "word" character (letters or numbers - equivalent to shell character class [a-zA-Z0-9])
> \d+ = one or more digit character (equivalent to shell character class [0-9])
>
> Looking at the default rulesets and the default decoder.xml in my own installation, it looks like the ossec binaries may do some extra interpolation for certain characters, so it's possible that '\.+' may match one or more of any type character (except newline).
>
> This is probably perfect for a wiki entry.
>
> > On Thu, 2006-08-17 at 11:18 +0200, G E Scott Knauss wrote:
> >> I've read the posts on the decoder.xml, but I still can't quite figure out what is going on here... As I understand it, the second rule in the default firewall rules should fire if there are more than 16 hits in from the same IP in 45 seconds. So if I insane nmap from a machine, it should get blocked right ?
> >>
> >> It's not ...
> >>
> >> I think the decoder is missing the srcip from my firewall log. I'm running SuSE10.1 and the default SuSEfirewall2. Nothing fancy on this box for the firewall rules.
> >> Here's a sample from the syslog firewall.log:
> >>
> >> Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21229
> >> Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=46512 PROTO=TCP SPT=56113 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0
> >> Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=51 ID=11781 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21485
> >> Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=55879 PROTO=TCP SPT=56109 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0
> >> Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=18094 PROTO=ICMP TYPE=8 CODE=0 ID=33513 SEQ=11805
> >> Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=48370 PROTO=TCP SPT=54589 DPT=80 WINDOW=2048 RES=0x00 ACK URGP=0
> >> Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=39406 PROTO=ICMP TYPE=8 CODE=0 ID=33513 SEQ=12061
> >> Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=15291 PROTO=TCP SPT=54590 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0
> >> Aug 17 10:05:01 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=200.255.5.8 DST=1.2.3.194 LEN=446 TOS=0x00 PREC=0x00 TTL=45 ID=23451 DF PROTO=TCP SPT=80 DPT=10634 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A6B711D860028094B)
> >> Aug 17 10:05:09 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=200.255.5.8 DST=1.2.3.194 LEN=446 TOS=0x00 PREC=0x00 TTL=45 ID=38538 DF PROTO=TCP SPT=80 DPT=1595 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A6B713B4F002813F7)
> >>
> >> However, if I look at the ossec firewall log in /opt/ossec/logs/firewall/firewall.log, all of the entries look like this .....
> >>
> >> 2006 Aug 17 10:02:19 UNKNOWN 80 1.2.3.194:10634->TCP:(null)
> >> 2006 Aug 17 10:02:29 UNKNOWN 80 1.2.3.194:1595->TCP:(null)
> >> 2006 Aug 17 10:03:13 UNKNOWN 80 1.2.3.194:10634->TCP:(null)
> >> 2006 Aug 17 10:03:23 UNKNOWN 80 1.2.3.194:1595->TCP:(null)
> >> 2006 Aug 17 10:03:39 UNKNOWN 56113 1.2.3.194:80->TCP:(null)
> >> 2006 Aug 17 10:03:39 UNKNOWN 56109 1.2.3.194:80->TCP:(null)
> >> 2006 Aug 17 10:03:59 UNKNOWN 54589 1.2.3.194:80->TCP:(null)
> >> 2006 Aug 17 10:03:59 UNKNOWN 54590 1.2.3.194:80->TCP:(null)
> >> 2006 Aug 17 10:05:03 UNKNOWN 80 1.2.3.194:10634->TCP:(null)
> >> 2006 Aug 17 10:05:11 UNKNOWN 80 1.2.3.194:1595->TCP:(null)
> >>
> >> I'm guessing this may have something to do with the options SuSE gives to all of the log statements ? (LOG flags 6 level 4 prefix someprefix)
> >>
> >> Thanks,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE6LVQTPA54hjTSp4RArvLAKDhIXOjjQMySH0yjXxb0pDGGfZOUACgsTeC
aeF2vlJUHjYCJWSKhDgfqco=
=JrGb
-----END PGP SIGNATURE-----
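An added worked example, not code from the thread or from OSSEC: a small Python model of the decoder posted above. It translates the os_regex dialect from the quoted README into Python `re` (so `\.` is "anything", `\s` is a single space, `\w` has no underscore, and an unescaped `.`, `[` or `]` is a literal), then runs the posted prematch, regexes and `<order>` over two of the SuSEfirewall2 lines quoted in the thread. The header stripping before `kernel:`, the way captures from two `<regex>` elements are combined, the handling of escapes the README does not list, and the `ALIGNED` decoder are assumptions of this model, not documented OSSEC behaviour.

```python
import re
from dataclasses import dataclass

# The os_regex dialect from the README quoted in the thread: \s is a single
# space (not any whitespace), \w has no underscore, \. means "any character",
# and an unescaped '.', '[' or ']' is a literal.
OSSEC_CLASSES = {
    "w": "[A-Za-z0-9]",
    "d": "[0-9]",
    "s": " ",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": "[^A-Za-z0-9]",
    "D": "[^0-9]",
    "S": "[^ ]",
    ".": ".",
}
META = set("+*^$|()")  # the only unescaped metacharacters the README lists


def ossec_to_python(pattern: str) -> str:
    """Rewrite an OSSEC regex into an equivalent Python `re` pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Assumption: a backslash before anything not in the README table
            # escapes that character literally.
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(ch if ch in META else re.escape(ch))
            i += 1
    return "".join(out)


@dataclass
class Decoder:
    name: str
    prematch: str
    regexes: list   # (pattern, offset) pairs; offset is None or "after_prematch"
    order: list     # field names from <order>


# Assumption: matching starts after the syslog header, at "kernel: ", which is
# where the posted prematch begins.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")


def decode(dec: Decoder, line: str):
    """Decode one syslog line; None when the prematch does not fire."""
    log = SYSLOG_HEADER.sub("", line, count=1)
    pm = re.search(ossec_to_python(dec.prematch), log)
    if pm is None:
        return None
    captures = []
    for pattern, offset in dec.regexes:
        haystack = log[pm.end():] if offset == "after_prematch" else log
        m = re.search(ossec_to_python(pattern), haystack)
        if m:
            # Model assumption: captures of each <regex> are appended in order.
            captures.extend(m.groups())
    # Names in <order> are filled left to right; names with no capture stay None.
    fields = dict.fromkeys(dec.order)
    fields.update(zip(dec.order, captures))
    return fields


PREMATCH = r"^kernel: [\d+.\d+] \S+ IN=|^kernel: \S+ IN=eth0 OUT="
REGEXES = [
    (r"MAC=\.+ SRC=(\S+) DST=(\S+) \.+", "after_prematch"),
    (r"PROTO=(\w+) SPT=(\d+) DPT=(\d+)", None),
]

# The decoder as posted: six names in <order>, five capture groups in total.
AS_POSTED = Decoder("iptables", PREMATCH, REGEXES,
                    ["action", "srcip", "dstip", "protocol", "srcport", "dstport"])
# Hypothetical fix: same regexes, <order> trimmed to the five captured values.
ALIGNED = Decoder("iptables", PREMATCH, REGEXES,
                  ["srcip", "dstip", "protocol", "srcport", "dstport"])

# Two SuSEfirewall2 lines copied from the syslog excerpt quoted in the thread.
TCP_LINE = ("Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
            "MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 "
            "LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=46512 PROTO=TCP SPT=56113 DPT=80 "
            "WINDOW=3072 RES=0x00 ACK URGP=0")
ICMP_LINE = ("Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
             "MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 "
             "LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 "
             "ID=10466 SEQ=21229")

if __name__ == "__main__":
    for dec in (AS_POSTED, ALIGNED):
        print("<order>", ",".join(dec.order))
        for line in (TCP_LINE, ICMP_LINE):
            print("  ", decode(dec, line))
```

With `<order>` naming six fields but the two regexes capturing only five values, the decoder as posted puts SRC into `action`, DST into `srcip`, PROTO into `dstip`, SPT into `protocol` and DPT into `srcport`, and leaves `dstport` empty. If the quoted firewall.log columns are read as action, protocol, srcip:srcport->dstip:dstport (my reading of those lines, not something the thread states), `UNKNOWN 56113 1.2.3.194:80->TCP:(null)` has exactly that shape. Dropping `action` from `<order>`, as the hypothetical `ALIGNED` decoder does, yields srcip=1.2.3.36 for the same line, which is the field a rule that counts hits per source address keys on. The ICMP lines never match the second regex (no SPT/DPT), so protocol and ports stay empty for them under either decoder; the prematch itself is the first thing to check when a line produces nothing at all, since a line it does not match is never decoded.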
