Hi all, I'm trying to write a [what should be] simple decoder rule but am struggling. I'm just stuck at writing decoder rules in general and am failing to understand all the parameters. The log is very simple and looks like this:
35 192.168.1.21 server25 55 192.168.1.21 server26 14 192.168.1.21 server27 60 192.168.1.35 server25 The first column is a count. The second is the source IP address. And the third is the destination hostname. I want to make sure OSSEC gets the src IPs and dest hostnames because I will eventually want to trigger an active response to block the source IP on the relevant destination host. So what would the decoder look like? So far I have this: <decoder name="attack-data"> <prematch>^\d\d</prematch> </decoder> <decoder name="attack-data-alert"> <parent>attack-data</parent> <regex offset="after_parent>^ (\d+.\d+.\d+.\d+) \w+\d+</regex> <order>srcip,hostname</order> </decoder> However, something must be off because I keep getting config errors/ errors from OSSEC trying to read the decoder.xml - as soon as I remove the snippet the error goes away. What am I doing wrong? And how can I get the decoder to do what I want? TIA!
