Keep it simple, there's no need for a parent and child decoder. Also, it's basic regex: you need parentheses around the items you want to pull out:

  <decoder name="attack data">
    <prematch>^\d+ </prematch>
    <regex>^\d+ (\S+) (\S+)</regex>
    <order>srcip,extra_data</order>
  </decoder>

Or something like that. Without something to differentiate it from other decoders (program_name, or something) there's a possibility that this may screw up other decoders.

On Mon, Sep 13, 2010 at 7:36 PM, jplee3 <[email protected]> wrote:
> Hi all,
>
> I'm trying to write a [what should be] simple decoder rule but am
> struggling. I'm just stuck at writing decoder rules in general and am
> failing to understand all the parameters. The log is very simple and
> looks like this:
>
> 35 192.168.1.21 server25
> 55 192.168.1.21 server26
> 14 192.168.1.21 server27
> 60 192.168.1.35 server25
>
> The first column is a count. The second is the source IP address. And
> the third is the destination hostname.
> I want to make sure OSSEC gets the src IPs and dest hostnames because
> I will eventually want to trigger an active response to block the
> source IP on the relevant destination host.
>
> So what would the decoder look like? So far I have this:
>
> <decoder name="attack-data">
>   <prematch>^\d\d</prematch>
> </decoder>
>
> <decoder name="attack-data-alert">
>   <parent>attack-data</parent>
>   <regex offset="after_parent>^ (\d+.\d+.\d+.\d+) \w+\d+</regex>
>   <order>srcip,hostname</order>
> </decoder>
>
> However, something must be off because I keep getting config errors/
> errors from OSSEC trying to read the decoder.xml - as soon as I remove
> the snippet the error goes away.
>
> What am I doing wrong? And how can I get the decoder to do what I
> want?
>
> TIA!
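Added example (not from the thread): a small Python model of the decoder suggested above, applying prematch, regex and order to the sample lines from the question; OSSEC's own regex engine is approximated with Python's re, which is an assumption but holds for the `\d+` and `\S+` used here. It also includes a well-formedness check, since an unterminated attribute like the `offset="after_parent` in the quoted snippet makes decoder.xml fail to parse before any matching happens, and one constructed unrelated line to show how loosely the `^\d+ ` prematch selects.

```python
import re
import xml.etree.ElementTree as ET

# The decoder from the reply above. OSSEC's regex dialect is approximated with
# Python's re here (assumption); \d+ and \S+ behave the same in both.
DECODER_XML = r"""<decoder name="attack data">
  <prematch>^\d+ </prematch>
  <regex>^\d+ (\S+) (\S+)</regex>
  <order>srcip,extra_data</order>
</decoder>"""

# Constructed sample input: the four lines from the question plus one unrelated
# line that also begins with digits, to show how loose the prematch is.
SAMPLE_LOGS = [
    "35 192.168.1.21 server25",
    "55 192.168.1.21 server26",
    "14 192.168.1.21 server27",
    "60 192.168.1.35 server25",
    "1234 someotherdaemon started",  # constructed, not attack data
]

def is_well_formed(xml_text):
    """Does the snippet even parse? A missing quote fails here, not in matching."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def load_decoder(xml_text):
    """Read name, prematch, regex and the comma-separated field order."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.get("name"),
        "prematch": re.compile(root.findtext("prematch")),
        "regex": re.compile(root.findtext("regex")),
        "order": [f.strip() for f in root.findtext("order").split(",")],
    }

def decode(decoder, line):
    """Return {field: value} when prematch and regex both hit, else None."""
    if not decoder["prematch"].search(line):
        return None
    m = decoder["regex"].search(line)
    if not m:
        return None
    # Each capture group feeds the next name in <order>; with no parentheses
    # in the regex nothing is captured, so no fields are set.
    return dict(zip(decoder["order"], m.groups()))
```

Running `decode` over the fifth, constructed line shows the cost of the loose prematch: it is claimed by this decoder too, with "someotherdaemon" landing in srcip.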
