Hi John,
Thanks for the patch. My question is, why are your snort logs coming without
a proper syslog header?
Instead of being:
snort[3769]: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:162
They were supposed to be:
Feb 10 16:58:32 hostname snort[3769]: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:162
Just curious if other people might be affected by this issue.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 2/2/07, John Li <[EMAIL PROTECTED]> wrote:
Hi list,
I was running OSSEC v0.92 to monitor snort logs via a remote snort sensor with
syslog output. It was working fine until I upgraded to OSSEC v1.0. OSSEC
could not decode the log into the IDS category anymore. I dug into the code
and found out the parsing logic changed in the function OS_CleanMSG and a
new xml tag program_name was introduced. The new decoder.xml tries to use this
new tag but was not able to parse my log format as it could before.
The sample format of my snort log:
snort[3769]: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:162
Then I noticed the difference in decoder.xml between 0.92 and 1.0. I made a
slight modification to decoder.xml and it works perfectly now. The patch is
attached as a snippet with this email.
Finally I realized I should have gone to decoder.xml directly without digging into
the code first if I just wanted to save some time. Hey, at least I learned. :-)
Great stuff. Keep on.
John Li
Snippet:
--- decoder.xml 2007-02-01 16:26:11.000000000 -0500
+++ decoder-new.xml 2007-02-01 16:25:59.000000000 -0500
@@ -807,16 +807,23 @@
<decoder name="snort">
<type>ids</type>
+ <prematch>^snort[\d+]: [\d+:\d+:\d+] </prematch>
+</decoder>
+
+<decoder name="snort">
+ <type>ids</type>
<prematch>^[**] [\d+:\d+:\d+] </prematch>
</decoder>
<decoder name="snort2">
<parent>snort</parent>
<type>ids</type>
- <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
+ <prematch>^[**] |^[\d+:\d+:\d+] |^snort[\d+]: </prematch>
<regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex>
<regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex>
<regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
+ <regex>|^snort[\d+]: [(\d+:\d+:\d+)] \.+ </regex>
+ <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
<order>id,srcip,dstip</order>
<fts>name,id,srcip,dstip</fts>
</decoder>
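Review bot: the added `<prematch>^snort[\d+]: [\d+:\d+:\d+] </prematch>` and the `|^snort[\d+]: ` alternatives in `snort2` match a line that begins directly with `snort[pid]:`, i.e. a line that arrived without the syslog timestamp and hostname that the 1.0 `program_name` extraction relies on. That is a workaround for the sensor's syslog output rather than a fix of the decoder, so before merging please confirm how the remote sensor emits its syslog lines (the reply at the top of this thread asks the same question); if the header is restored on the sensor side, the existing decoder should match without this change. Two smaller points: the hunk leaves two `<decoder name="snort">` blocks with the same name, so a one-line XML comment on the new one saying it exists for header-less lines would help the next reader, and the new `<regex>` alternative on the `snort2` decoder repeats the `(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)` tail of the line above it; a note that it is intentional (the alternatives must each capture id, srcip and dstip in `<order>`) would avoid it being "deduplicated" later.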
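To make the root cause discussed in this thread concrete, here is an added Python model (not OSSEC code and not part of either mail) of the two steps involved: splitting the syslog header off the line to obtain a program_name, then applying the snort decoder's field regex. It assumes, as the thread describes, that OSSEC 1.0 only hands a line to the snort decoder when program_name is "snort", and it models the patch as an extra accepted prefix. The two sample lines are the ones quoted above; the regexes are Python translations of the decoder patterns, not the OS_Regex syntax in decoder.xml.

```python
import re

# Sample lines from the thread: the same snort alert with and without the
# syslog header (timestamp, hostname, program[pid]) that a remote sensor normally adds.
WITH_HEADER = (
    "Feb 10 16:58:32 hostname snort[3769]: [1:1420:11] SNMP trap tcp "
    "[Classification: Attempted Information Leak] [Priority: 2]: "
    "{TCP} 10.4.12.26:37020 -> 10.4.10.231:162"
)
WITHOUT_HEADER = WITH_HEADER[len("Feb 10 16:58:32 hostname "):]

# Syslog header as expected from a remote sensor: "Mon DD HH:MM:SS host prog[pid]: msg".
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def clean_msg(line):
    """Model (assumption) of what OS_CleanMSG does with the header: return
    (program_name, message). A line with no header keeps the whole line as the
    message and yields no program_name at all."""
    m = SYSLOG_HEADER.match(line)
    if m:
        return m.group("prog"), m.group("msg")
    return None, line


# Python translation of the snort2 field regex: rule id, source ip, destination ip.
# The optional "snort[pid]: " prefix is the alternative the patch adds; "[**] " is
# the fast-alert prefix the original decoder already accepted.
ALERT = re.compile(
    r"^(?:\[\*\*\] |snort\[\d+\]: )?\[(\d+:\d+:\d+)\] .*? "
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)"
)


def decode(line, patched=False):
    """Return the decoded fields, or None when no decoder claims the line.

    Unpatched (1.0 behaviour as modelled here): the line reaches the snort
    decoder only when program_name is "snort". Patched: a message that itself
    starts with "snort[" is also accepted, which is what the new prematch does.
    """
    prog, msg = clean_msg(line)
    if prog != "snort" and not (patched and msg.startswith("snort[")):
        return None
    m = ALERT.match(msg)
    if not m:
        return None
    return {"id": m.group(1), "srcip": m.group(2), "dstip": m.group(3)}


if __name__ == "__main__":
    for label, line in (("with header", WITH_HEADER), ("without header", WITHOUT_HEADER)):
        print(f"{label:15s} unpatched: {decode(line)}")
        print(f"{label:15s} patched:   {decode(line, patched=True)}")
```

Running it shows the header-ful line decoding either way, the header-less line decoding only with the patch, and clean_msg returning no program_name for the header-less line, which is why the 1.0 program_name-based decoder never sees it.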