1. a request for a new decoder;
2. ossec-logtest inconsistent with running ossec
Using the current stable, or the 090417 snapshot on Debian lenny, ...
iptables LOG target writes to /var/log/kern.log as:
May 2 15:09:36 HOSTNAME kernel: IN=venet0 OUT= MAC= SRC=222.112.114.164 DST=1.2.3.4 LEN=102 TOS=0x00 PREC=0x00 TTL=47 ID=4841 PROTO=UDP SPT=62753 DPT=47680 LEN=82
The distributed decoders didn't read this, so I created in decoders.xml:
<decoder name="iptables-log">
  <parent>iptables</parent>
  <type>firewall</type>
  <program_name>^kernel</program_name>
  <prematch>^\.+ SRC=</prematch>
  <regex>^\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
  <regex>DPT=(\w+) </regex>
  <order>srcip,dstip,dstport</order>
</decoder>
and in local_rules:
<rule id="100100" level="1">
  <if_sid>4100</if_sid>
  <description>all entries</description>
</rule>
<rule id="100110" level="10" frequency="6" timeframe="30">
  <if_matched_sid>100100</if_matched_sid>
  <same_source_ip />
  <description>Multiple iptable DROPs 6:30</description>
  <group>attack,firewall_drop,</group>
</rule>
Pasting real log data into ossec-logtest shows the anticipated and intended
decoding and rule matching:
**Phase 2: Completed decoding.
decoder: 'iptables'
srcip: '61.139.105.163'
dstip: '66.71.253.22'
dstport: '3124'
**Phase 3: Completed filtering (rules).
Rule id: '100110'
Level: '10'
Description: 'Multiple iptable DROPs 6:30'
**Alert to be generated.
Yet the running ossec doesn't even log the 100100 matches.
This stumps me :)
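As an added example (not part of the post and not OSSEC code), the script below reproduces what the decoder and rule 100110 are meant to do in plain Python: extract srcip/dstip/dstport from kern.log lines in the quoted format, then raise one alert when six decoded events from the same source IP fall within 30 seconds. The regexes are Python approximations of the OSSEC syntax, and the log lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Python equivalents of the post's decoder. OSSEC's own regex dialect differs
# ("\." is any character there), so these are approximations for this example.
HEADER_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")
PREMATCH_RE = re.compile(r"^.+ SRC=")
DECODER_RE = re.compile(r"^.+ SRC=(\S+) DST=(\S+) .+ DPT=(\w+) ")

# Constructed kern.log lines in the format quoted in the post (RFC 5737 test
# addresses, invented times): six DROPs from one source within 30 s, one from
# another host, a non-firewall kernel line, and a later isolated DROP.
TEMPLATE = ("May 2 {ts} HOSTNAME kernel: IN=venet0 OUT= MAC= SRC={src} "
            "DST=192.0.2.4 LEN=102 TOS=0x00 PREC=0x00 TTL=47 ID=4841 "
            "PROTO=UDP SPT=62753 DPT={dpt} LEN=82")
EVENTS = [("15:09:36", "203.0.113.7", 47680), ("15:09:37", "203.0.113.7", 47681),
          ("15:09:40", "198.51.100.9", 22), ("15:09:45", "203.0.113.7", 47682),
          ("15:09:50", "203.0.113.7", 47683), ("15:09:55", "203.0.113.7", 47684),
          ("15:10:04", "203.0.113.7", 47685), ("15:12:00", "203.0.113.7", 47686)]
SAMPLE_LOG = [TEMPLATE.format(ts=t, src=s, dpt=d) for t, s, d in EVENTS]
SAMPLE_LOG.insert(3, "May 2 15:09:41 HOSTNAME kernel: venet0: link is up")

def decode(line):
    """Return (timestamp, fields) like ossec-logtest's Phase 2, or None."""
    m = HEADER_RE.match(line)
    if not m or not PREMATCH_RE.match(m.group(2)):
        return None
    d = DECODER_RE.match(m.group(2))
    if not d:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, dict(zip(("srcip", "dstip", "dstport"), d.groups()))

def correlate(lines, frequency=6, timeframe=30):
    """Approximate rule 100110: alert when `frequency` decoded events share a
    source IP within `timeframe` seconds. Returns a list of (srcip, time)."""
    window = defaultdict(deque)
    alerts = []
    for line in lines:
        decoded = decode(line)
        if decoded is None:
            continue
        ts, fields = decoded
        q = window[fields["srcip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()  # drop events older than the timeframe
        if len(q) >= frequency:
            alerts.append((fields["srcip"], ts.strftime("%H:%M:%S")))
            q.clear()  # start counting again after an alert
    return alerts
```

Running `correlate(SAMPLE_LOG)` yields a single alert for 203.0.113.7 at 15:10:04; the later 15:12:00 event falls outside any window and stays at the level-1 stage.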