Hi, I'm working with subdecoders and I have some doubts and questions. I do not understand very well how OSSEC works when using the "parent" option. This is the "su" decoder in the decoder.xml that OSSEC provides. Is this configuration right? I think that there is a problem here....

**************************************************************************
<decoder name="su">
  <program_name>^su$</program_name>
</decoder>

<decoder name="su-detail">
  <parent>su</parent>
  <regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
  <order>dstuser, srcuser</order>
  <fts>name, srcuser, location</fts>
</decoder>

<decoder name="su-detail2">
  <parent>su</parent>
  <regex>^BAD SU (\S+) to (\S+) on|</regex>
  <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
  <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
  <order>srcuser, dstuser</order>
  <fts>name, srcuser, location</fts>
</decoder>

<decoder name="su">
  <prematch>^SU \S+ \S+ </prematch>
  <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
  <order>srcuser, dstuser</order>
  <fts>name, srcuser, location</fts>
</decoder>
**************************************************************************

Apparently, decoder "su-detail2" never works... This seems to work fine with the prematch option, for example:

<decoder name="su-detail">
  <parent>su</parent>
  <prematch>^'su</prematch>
  <regex> (\S+)' \S+ for (\S+) on \S+$</regex>
  <order>dstuser, srcuser</order>
  <fts>name, srcuser, location</fts>
</decoder>

Is this right? How does this really work? Where can I find more information about decoders? I hope you understand me; I do not speak English very well... Thanks!

Ricardo
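To make the parent/child lookup concrete, here is an added Python sketch (my own illustration, not OSSEC's code) of how I assume the matching proceeds: the root decoder is chosen by program_name, its children are tried in file order, a prematch gates each child, several <regex> lines are concatenated, and <order> names the captured groups. The translation of OSSEC's \p into a Python punctuation class and the sample messages are constructed assumptions.

```python
import re

# Assumed stand-in for OSSEC's \p (punctuation); \S and \s mean the same in Python.
PUNCT = r"[()*+,\-./:;<=>?\[\]!\"'{}]"

def to_python_re(ossec_regex):
    """Translate the small OSSEC regex subset used in these decoders into a Python pattern."""
    return ossec_regex.replace(r"\p", PUNCT)

def match_child(child, message):
    """Return the fields a child decoder extracts from message, or None if it does not apply."""
    text = message
    if child.get("prematch"):
        m = re.search(to_python_re(child["prematch"]), message)
        if not m:
            return None                        # the prematch gates the child
        if child.get("offset") == "after_prematch":
            text = message[m.end():]           # regex starts where the prematch ended
    pattern = "".join(child["regex"])          # several <regex> lines are concatenated
    m = re.search(to_python_re(pattern), text)
    if not m:
        return None
    values = [g for g in m.groups() if g is not None]   # keep only the alternative that hit
    return dict(zip(child["order"], values))

def decode(decoders, program_name, message):
    """Pick the root decoder by program_name, then the first child whose regex matches."""
    roots = [d for d in decoders if "program_name" in d and re.search(d["program_name"], program_name)]
    if not roots:
        return None
    for child in decoders:
        if child.get("parent") == roots[0]["name"]:
            fields = match_child(child, message)
            if fields is not None:
                return {"decoder": child["name"], **fields}
    return {"decoder": roots[0]["name"]}       # root matched, no child extracted fields

# The decoders from the question (prematch variant of su-detail), transcribed into Python data.
DECODERS = [
    {"name": "su", "program_name": r"^su$"},
    {"name": "su-detail", "parent": "su", "prematch": r"^'su",
     "regex": [r" (\S+)' \S+ for (\S+) on \S+$"], "order": ["dstuser", "srcuser"]},
    {"name": "su-detail2", "parent": "su",
     "regex": [r"^BAD SU (\S+) to (\S+) on|", r"^failed: \S+ changing from (\S+) to (\S+)|",
               r"^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on "], "order": ["srcuser", "dstuser"]},
]

if __name__ == "__main__":   # constructed sample messages (the part after "su:"), not real logs
    print(decode(DECODERS, "su", "'su root' failed for ricardo on /dev/pts/1"))
    print(decode(DECODERS, "su", "BAD SU ricardo to root on /dev/pts/1"))
```

Note that Python's regex engine is not OSSEC's, so a pattern that matches here may still behave differently in OSSEC itself.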
