Hi Ricardo,

This is indeed a bug and I just fixed it on the following snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-081103.tar.gz

The first decoder (su-detail) requires a prematch. Basically, the way it works is that all the sub-decoders with a prematch are evaluated and if none succeeds, if there is one without any, it is going to be checked anyway. Since the first one (su-detail) didn't have a prematch it was being treated as the last resort and su-detail2 was never checked...

Hope it makes sense.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Oct 31, 2008 at 3:35 PM, Ricardo Stocco <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm working with subdecoders and I have some doubts and questions.
> I do not understand very well how ossec works when using the option "parent".
> This is the "su decoder" in decoder.xml that ossec provides. Is this
> configuration right? I think that there is a problem here....
>
> **************************************************************************
> <decoder name="su">
>   <program_name>^su$</program_name>
> </decoder>
>
> <decoder name="su-detail">
>   <parent>su</parent>
>   <regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
>   <order>dstuser, srcuser</order>
>   <fts>name, srcuser, location</fts>
> </decoder>
>
> <decoder name="su-detail2">
>   <parent>su</parent>
>   <regex>^BAD SU (\S+) to (\S+) on|</regex>
>   <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
>   <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
>   <order>srcuser, dstuser</order>
>   <fts>name, srcuser, location</fts>
> </decoder>
>
> <decoder name="su">
>   <prematch>^SU \S+ \S+ </prematch>
>   <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
>   <order>srcuser, dstuser</order>
>   <fts>name, srcuser, location</fts>
> </decoder>
> **************************************************************************
>
> Apparently, decoder "su-detail2" never works...
>
> This seems to work fine with the prematch option.... for example:
>
> <decoder name="su-detail">
>   <parent>su</parent>
>   <prematch>^'su</prematch>
>   <regex> (\S+)' \S+ for (\S+) on \S+$</regex>
>   <order>dstuser, srcuser</order>
>   <fts>name, srcuser, location</fts>
> </decoder>
>
> Is it right? How does this really work? Where can I find more information about
> decoders?
>
> I hope you will understand me. I do not speak English very well...
>
> thanks!
>
> Ricardo
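As an added illustration of the selection rule Daniel describes (constructed here, not OSSEC's own matching code), the following Python model tries the child decoders that have a prematch first and keeps only one prematch-less child as the last resort. Run against Ricardo's two configurations it reproduces what he observed: in the original layout a "BAD SU" line is never handed to su-detail2, while with his prematch workaround it is. The OSSEC regex syntax has been translated to Python's re, the third su-detail2 pattern (which uses OSSEC's \p) is omitted, and the sample log lines are constructed.

```python
import re

# Child decoders of "su" as posted in the thread (first two of su-detail2's
# patterns only; OSSEC's trailing "|" continuation is joined into one regex).
SUBDECODERS_ORIGINAL = [
    {"name": "su-detail", "regex": r"^'su (\S+)' \S+ for (\S+) on \S+$",
     "order": ("dstuser", "srcuser")},
    {"name": "su-detail2",
     "regex": r"^BAD SU (\S+) to (\S+) on|^failed: \S+ changing from (\S+) to (\S+)",
     "order": ("srcuser", "dstuser")},
]

# Ricardo's workaround: su-detail gets a prematch, so su-detail2 becomes the
# only prematch-less child and therefore the sole last resort.
SUBDECODERS_WORKAROUND = [
    {"name": "su-detail", "prematch": r"^'su",
     "regex": r" (\S+)' \S+ for (\S+) on \S+$", "order": ("dstuser", "srcuser")},
    SUBDECODERS_ORIGINAL[1],
]


def apply_regex(decoder, log):
    """Return (decoder name, extracted fields) if the decoder's regex matches."""
    m = re.search(decoder["regex"], log)
    if not m:
        return None
    values = [g for g in m.groups() if g is not None]  # skip unused alternation groups
    return decoder["name"], dict(zip(decoder["order"], values))


def decode(log, children):
    """Model of the rule in the reply: prematch children first, then at most
    one prematch-less child as last resort (the pre-fix behaviour)."""
    last_resort = None
    for d in children:
        if "prematch" in d:
            if re.search(d["prematch"], log):
                result = apply_regex(d, log)
                if result:
                    return result
        elif last_resort is None:
            last_resort = d  # a second prematch-less child is never consulted
    return apply_regex(last_resort, log) if last_resort else None


# Constructed sample messages (the part after the "su" program name).
SU_OK = "'su root' succeeded for alice on /dev/pts/0"
SU_BAD = "BAD SU alice to root on /dev/pts/1"
```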
