Daniel,

Thanks for integrating them into the project. I've downloaded and installed the latest snapshot. I've also renamed my local_decoder.xml file so it wouldn't be included. I verified that the new decoder.xml file did have your decoders.

Ossec is not able to decode the logs with the decoders you created. I tested this via the ossec-logtest utility. When I enable my decoders, it works fine with the new rules file you created.

I'm short on time this AM and can't troubleshoot much more at the moment. I'll see what I can do with it this afternoon or over the weekend.

Thanks again,

phishphreek

On Thu, May 28, 2009 at 1:29 PM, Daniel Cid <[email protected]> wrote:
> Hey,
>
> I included those on the latest snapshot. I did a few changes so I
> would like you to take a look:
>
> -Modified the use of <match> to <id>
> -Simplified the decoder to only extract the id, since we were not
> using the other information
> -Changed the ids to be in the 6300-6399 range (assigned now for MS DHCP)
> -Changed the levels from some informative rules to 0 (like ip assigned,
> etc).
>
> Can you test? Anyone here using ms dhcp to try it out?
>
> Link: http://ossec.net/files/snapshots/ossec-hids-090528.tar.gz
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, May 13, 2009 at 1:01 AM, phish phreek <[email protected]> wrote:
> > Here is the latest and *hopefully* final version. I've created three
> > separate decoders for Windows DHCP server. One for Windows 2003 IPv4, one
> > for Windows 2008 IPv4 and the last one for Windows 2008 IPv6. I'm not using
> > IPv6, so I could only test a few log entries against the decoder. If someone
> > is using 2K8 IPv6 and you can send me more logs, I'd be happy to test. Also,
> > I'm pretty new to writing rules in regular expression. If you look at my
> > decoders and think "WTF!", please let me know what I could do to make it
> > better. ;)
> >
> > I've moved my decoders from decoder.xml to local_decoder.xml as was
> > recommended on the mailing list.
> >
> > I've updated the ms_dhcp_rules.xml file to include 2 new rules from 2008
> > IPv4 as well as a separate section for 2008 IPv6 rules. I've changed them
> > from the 12200/12300 range to 120200 for 2k3/2k8 IPv4 and 120300 for 2k8
> > IPv6. I also updated the alert levels to a little more reasonable level and
> > I've changed the groups to match predefined groups when applicable.
> >
> > The decoders also fixed a "bug" when trying to filter out the MAC address or
> > "extra data". In the last decoder I posted, it didn't always get it right.
> >
> > If you've followed my previous instructions, please remove the decoder from
> > your OSSEC server's decoder.xml file and use the attached local_decoder.xml.
> > If you're already using a local_decoder.xml file, then don't overwrite your
> > copy with mine! Copy and paste the contents of mine into yours... Otherwise,
> > the rest of the previous instructions still apply.
> >
> > I'm still working out some possible bugs with the OSSEC agent monitoring the
> > Windows logs. When I told the agent to monitor
> > c:\windows\system32\dhcp\*.log it stopped monitoring on Sunday at Midnight.
> > I'm not sure if that was due to timestamps not being updated or not. I've
> > since added an entry in the OSSEC agent's ossec.conf file for each day's log
> > and we'll see if that works better.
> >
> > Will the dev team take notice of this on the list and decide if they want to
> > include it in their project or do I need to send it elsewhere?
> >
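The thread describes a decoder that only pulls the event id out of each Windows DHCP server audit-log line, with rules in the 6300-6399 block keyed on that id and the purely informative events (address assigned, lease renewed) set to level 0. The following Python script is an added illustration of that decode-then-match flow, not OSSEC code and not the decoders or rules attached to the thread. It assumes the comma-separated audit-log layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address, with later Windows versions appending extra columns that the parser simply ignores); the sample log lines are constructed, and the rule numbers and alert levels in `RULES` are hypothetical placeholders inside the 6300 block rather than the real ossec rule ids.

```python
"""Decoder plus rule matcher for Windows DHCP server audit-log lines.

Added example, not OSSEC code.  It mirrors the approach in the thread:
the decoder extracts only the two-digit event id, and rules key on it.
Run stand-alone to see an ossec-logtest style summary.
"""
import csv
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the DHCP audit-log CSV layout.  The header
# row and the final line are deliberately undecodable input.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/28/09,00:00:10,Started,,,,
10,05/28/09,08:15:02,Assign,192.0.2.25,ws01.example.test,001122334455,
11,05/28/09,08:20:44,Renew,192.0.2.25,ws01.example.test,001122334455,
13,05/28/09,09:01:07,Conflict,192.0.2.30,,,
14,05/28/09,09:05:19,Scope Full,,,,
15,05/28/09,09:06:00,Denied,192.0.2.40,rogue.example.test,00aabbccddee,
garbage line that is not dhcp
"""

# Hypothetical rule table (rule id, level, description).  The numbering
# is an assumption inside the 6300-6399 block the thread mentions; the
# real ossec ids and levels are not reproduced here.  Informative events
# get level 0 so they decode but never alert.
RULES: Dict[str, Tuple[int, int, str]] = {
    "00": (6300, 0, "DHCP server: log started"),
    "10": (6301, 0, "DHCP server: address assigned"),
    "11": (6302, 0, "DHCP server: lease renewed"),
    "13": (6303, 5, "DHCP server: address conflict detected"),
    "14": (6304, 8, "DHCP server: scope exhausted"),
    "15": (6305, 8, "DHCP server: lease denied"),
}


@dataclass
class Decoded:
    event_id: str
    description: str
    raw: str


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    line: str


def decode_line(line: str) -> Optional[Decoded]:
    """Return the event id (plus description) if the line is a DHCP audit record.

    Uses the csv module rather than a naive split so quoted fields and the
    extra trailing columns of newer Windows versions do not break parsing.
    """
    fields = next(csv.reader([line]))
    if len(fields) < 4:
        return None
    event_id = fields[0].strip()
    if len(event_id) != 2 or not event_id.isdigit():
        return None  # header row, blank line, or unrelated text
    return Decoded(event_id=event_id, description=fields[3], raw=line)


def evaluate(line: str) -> Optional[Alert]:
    """Decode a line and match it against RULES; None if undecoded or unmatched."""
    decoded = decode_line(line)
    if decoded is None or decoded.event_id not in RULES:
        return None
    rule_id, level, desc = RULES[decoded.event_id]
    return Alert(rule_id=rule_id, level=level, description=desc, line=line)


def run(text: str) -> List[Alert]:
    """Return only the alerts with level > 0, like ossec-logtest would report."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = evaluate(line)
        if alert is not None and alert.level > 0:
            alerts.append(alert)
    return alerts


def summary(text: str) -> Dict[str, int]:
    """Count decoded lines, undecoded lines, and firing alerts for a log chunk."""
    counts = {"decoded": 0, "undecoded": 0, "alerts": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = evaluate(line)
        if alert is None:
            counts["undecoded"] += 1
            continue
        counts["decoded"] += 1
        if alert.level > 0:
            counts["alerts"] += 1
    return counts


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"rule {a.rule_id} level {a.level}: {a.description} <- {a.line}")
    print(summary(SAMPLE_LOG))
```

The `summary` function is the quick check to run when a new decoder is dropped in: a non-zero `undecoded` count on lines you expect to match points at the decoder, while decoded lines that never alert point at rule levels, which is the distinction the thread is working through with ossec-logtest.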
