Hi list,
I was running OSSEC v0.92 to monitor snort logs from a remote snort sensor
with syslog output. It was working fine until I upgraded to OSSEC v1.0.
OSSEC could not decode the log into the IDS category anymore. I dug into
the code and found out that the parsing logic changed in the function
OS_CleanMSG and a new xml tag program_name was introduced. The new
decoder.xml tries to use this new tag but was not able to parse my log
format as it could before.
The sample format of my snort log:
snort[3769]: [1:1420:11] SNMP trap tcp [Classification: Attempted
Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 ->
10.4.10.231:162
Then I noticed the difference in decoder.xml between 0.92 and 1.0. I made
a slight modification to decoder.xml and it works perfectly now. The
patch is attached as a snippet with this email.
Finally I realized I should go to decoder.xml directly without digging
into code first if I just want to save some time. Hey, at least I
learned. :-)
Great stuff. Keep on.
John Li
Snippet:
--- decoder.xml 2007-02-01 16:26:11.000000000 -0500
+++ decoder-new.xml 2007-02-01 16:25:59.000000000 -0500
@@ -807,16 +807,23 @@
<decoder name="snort">
<type>ids</type>
+ <prematch>^snort[\d+]: [\d+:\d+:\d+] </prematch>
+</decoder>
+
+<decoder name="snort">
+ <type>ids</type>
<prematch>^[**] [\d+:\d+:\d+] </prematch>
</decoder>
<decoder name="snort2">
<parent>snort</parent>
<type>ids</type>
- <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
+ <prematch>^[**] |^[\d+:\d+:\d+] |^snort[\d+]: </prematch>
<regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex>
<regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex>
<regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
+ <regex>|^snort[\d+]: [(\d+:\d+:\d+)] \.+ </regex>
+ <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
<order>id,srcip,dstip</order>
<fts>name,id,srcip,dstip</fts>
</decoder>
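Review bot: The new `|^snort[\d+]: ...` branch added to the `snort2` regex repeats the capture tail `(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)` that the two existing branches already carry, and `<order>id,srcip,dstip</order>` binds fields purely by capture position, so all three alternatives must stay capture-for-capture identical or the id/srcip/dstip mapping shifts silently; a one-line comment above the `<regex>` elements stating that constraint would save the next editor from breaking it. The hunk also leaves two `<decoder name="snort">` blocks (the one given the new `^snort[\d+]: [\d+:\d+:\d+] ` prematch and the re-added `^[**] [\d+:\d+:\d+] ` one); nothing visible in the hunk shows how `<parent>snort</parent>` in `snort2` resolves when the name is repeated, so it is worth confirming that the original `[**]`-prefixed alerts still decode after the change, not only the syslog-prefixed ones.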
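To make the patch's effect concrete, here is an added example (not part of the mail or of OSSEC itself) that runs the new `snort` prematch and the new syslog branch of the `snort2` regex over the sample alert quoted above. It translates only the handful of OSSEC regex escapes those two patterns use (`\d`, `\p`, `\.`) into Python `re` syntax; that translation is an assumption of this example, OSSEC's own engine is not involved, and the `sshd` line used as a negative case is constructed.

```python
import re

# Constructed sample input: the syslog-forwarded Snort alert quoted in the mail,
# joined back onto one line.
SAMPLE_LOG = (
    "snort[3769]: [1:1420:11] SNMP trap tcp [Classification: Attempted "
    "Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:162"
)

# Patterns copied from the patch: the new <prematch> of the "snort" decoder and
# the new "|^snort[...]" <regex> branch of "snort2" (its two fragments joined,
# since OSSEC concatenates consecutive <regex> elements), plus the <order> list.
SNORT_PREMATCH = r"^snort[\d+]: [\d+:\d+:\d+] "
SNORT2_SYSLOG_BRANCH = (
    r"^snort[\d+]: [(\d+:\d+:\d+)] \.+ "
    r"(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)"
)
SNORT2_ORDER = ["id", "srcip", "dstip"]

# Assumed mapping of the OSSEC escapes these patterns need to Python re:
# \d = digit, \p = punctuation, \. = any character.  Everything else is
# literal in OSSEC ('[' and ']' included), so it is escaped for Python.
_OSSEC_ESCAPES = {
    "d": "[0-9]",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    ".": ".",
}


def ossec_to_python(pattern: str) -> str:
    """Translate the subset of the OSSEC regex dialect used above into Python re syntax."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _OSSEC_ESCAPES:
            out.append(_OSSEC_ESCAPES[pattern[i + 1]])
            i += 2
            continue
        if c in "^$|()+*":
            out.append(c)             # same meaning in both dialects
        else:
            out.append(re.escape(c))  # '[', ']', '.', ':', '-', ' ' are literals
        i += 1
    return "".join(out)


def prematch(pattern: str, log: str) -> bool:
    """True if the decoder's <prematch> selects this log line."""
    return re.match(ossec_to_python(pattern), log) is not None


def decode(regex: str, order: list, log: str) -> dict:
    """Apply a <regex> and bind its capture groups, in order, to the <order> names."""
    m = re.match(ossec_to_python(regex), log)
    if m is None:
        return {}
    groups = [g for g in m.groups() if g is not None]
    return dict(zip(order, groups))


def decode_snort_syslog(log: str) -> dict:
    """Parent prematch first, then the child regex; {} when the line is not a Snort alert."""
    if not prematch(SNORT_PREMATCH, log):
        return {}
    return decode(SNORT2_SYSLOG_BRANCH, SNORT2_ORDER, log)


if __name__ == "__main__":
    print(decode_snort_syslog(SAMPLE_LOG))
    # Constructed non-Snort syslog line: must not be decoded as an IDS event.
    print(decode_snort_syslog(
        "sshd[1234]: Accepted publickey for root from 10.4.12.26 port 5022"))
```

The `decode` helper mirrors the positional binding OSSEC performs with `<order>`: whichever regex alternative matches, its captures are taken left to right and named id, srcip, dstip, which is why every branch of the `snort2` regex has to expose exactly those three groups in that sequence.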