What's the regex look like to also parse IPv6 addresses?
Jeremy Rossi wrote:
> You do not need to use perl or python for this. You will need to use
> decoder.xml to pull the info you want out. Here is a completely untested, just
> typed in email, snippet for decoder.xml.
>
> decoder.xml:
>
> <decoder name="openvpn">
>   <program_name>^openvpnserver</program_name>
> </decoder>
>
> <decoder name="openvpn-invalid-cert">
>   <parent>openvpn</parent>
>   <regex offset="after_parent">(\d+.\d+.\d+.\d+):\d+ TLS Error</regex>
>   <order>srcip</order>
> </decoder>
>
> Please see http://www.ossec.net/wiki/Decoder_rules_relation for full details.
>
> On Dec 4, 2009, at 11:24 AM, Jeremy Lee wrote:
>
>> I'm thinking a perl/python script to do the job, otherwise a combination of
>> awk, sed, and cut?
>>
>> 2009/12/3 Lfi <[email protected]>
>> Hi, I created a rule for OpenVPN log with a "bad word" "TLS Error: TLS
>> handshake failed". I'm getting a mail alert like this:
>>
>> OSSEC HIDS Notification.
>> 2009 Dec 01 13:25:12
>>
>> Received From: (OPENVPN) 192.168.30.200->/var/log/messages
>> Rule: 1009 fired (level 10) -> "Certificate not valid/expired or connection error"
>> Portion of the log(s):
>>
>> Dec 1 13:23:15 thunderstruck openvpnserver[813]: 82.42.227.22:1194 TLS Error: TLS handshake failed
>>
>> --END OF NOTIFICATION
>>
>> I want to extract IP from this portion of log (in this case 82.42.227.22)
>> and block it by Active Response :)
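As an added illustration of what the decoder in the thread does, and of the IPv6 case the question asks about, here is a small Python parser that is not part of the thread or of OSSEC (OSSEC decoders use their own regex dialect, not Python's). It keys on the same two things as Jeremy's decoder, the `openvpnserver` program name and the `TLS Error` marker, pulls out the peer address as `srcip`, and accepts either a dotted quad or a bracketed IPv6 literal. The log lines are constructed; the `[addr]:port` layout for IPv6 peers is an assumption about how OpenVPN prints them and should be checked against real logs before relying on it. The address is validated with the `ipaddress` module because a regex alone will happily accept nonsense like `999.1.1.1`, and a per-address counter stands in for the frequency threshold a rule would use before handing an address to active response.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of the OpenVPN message quoted in the
# thread. The bracketed IPv6 peer format ([addr]:port) is an assumption about
# how OpenVPN prints IPv6 remotes, not something shown on the page.
SAMPLE_LOG = """\
Dec 1 13:23:15 thunderstruck openvpnserver[813]: 82.42.227.22:1194 TLS Error: TLS handshake failed
Dec 1 13:23:20 thunderstruck openvpnserver[813]: [2001:db8::10]:1194 TLS Error: TLS handshake failed
Dec 1 13:23:25 thunderstruck openvpnserver[813]: 82.42.227.22:1194 TLS Error: TLS handshake failed
Dec 1 13:23:30 thunderstruck openvpnserver[813]: 82.42.227.22:1194 TLS Error: TLS handshake failed
Dec 1 13:23:31 thunderstruck openvpnserver[813]: 10.8.0.1:1194 [client1] Peer Connection Initiated
Dec 1 13:23:40 thunderstruck sshd[900]: Failed password for root from 82.42.227.22 port 2222 ssh2
Dec 1 13:23:45 thunderstruck openvpnserver[813]: 999.1.1.1:1194 TLS Error: TLS handshake failed
"""

# Program-name check, like the parent decoder in the thread (^openvpnserver),
# then the peer: either a dotted quad or a bracketed IPv6 literal, followed by
# a port and the "TLS Error" marker the child decoder keys on.
TLS_ERROR_RE = re.compile(
    r"openvpnserver\[\d+\]: "
    r"(?:(?P<v4>\d{1,3}(?:\.\d{1,3}){3})|\[(?P<v6>[0-9A-Fa-f:.]+)\]):\d+ TLS Error"
)


def extract_srcip(line):
    """Return the peer address (as a string) from an OpenVPN TLS-error line,
    or None if the line is not one or the address does not parse."""
    m = TLS_ERROR_RE.search(line)
    if not m:
        return None
    candidate = m.group("v4") or m.group("v6")
    try:
        # Validate: the regex alone accepts junk such as 999.1.1.1.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def failed_handshakes(log_text):
    """Count TLS handshake failures per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        ip = extract_srcip(line)
        if ip is not None:
            counts[ip] += 1
    return counts


def offenders(log_text, threshold=3):
    """Addresses at or above the threshold, i.e. what a frequency-based rule
    would hand to active response instead of reacting to a single failure."""
    return sorted(ip for ip, n in failed_handshakes(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failed_handshakes(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed handshake(s)")
    print("block candidates:", offenders(SAMPLE_LOG))
```

The threshold matters in practice: a single failed handshake is often a client with an expired certificate or a clock problem, so blocking on the first hit (as the level-10 rule in the thread would) cuts off legitimate users as readily as scanners.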
