Thanks Dan! That helped a bunch... btw: I'm trying to get the
'destination hostname' (server25, server26, etc) passed as an Active
response parameter but am having some issues. I tried passing this as
"extra_data" (specified in the Active Response setup in ossec.conf as
well as in the decoder.xml). Do I need to specify anything in the
active response script? I can get the hostname of the server where the
alert was generated, but I need to grab that actual destination
hostname field.

What I want to do is for Active Response to block the relevant IPs
locally on each destination hostname with which they are associated.

Any ideas on how to extract that to pass as a parameter?

On Sep 13, 4:52 pm, "dan (ddp)" <[email protected]> wrote:
> Keep it simple, there's no need for a parent and child decoder. Also,
> it's basic regex, you need parentheses for the items you want to pull
> out:
>
> <decoder name="attack data">
>   <prematch>^\d+ </prematch>
>   <regex>^\d+ (\S+) (\S+)</regex>
>   <order>srcip,extra_data</order>
> </decoder>
>
> Or something like that. Without something to differentiate it from
> other decoders (program_name, or something) there's possibility that
> this may screw up other decoders.
>
> On Mon, Sep 13, 2010 at 7:36 PM, jplee3 <[email protected]> wrote:
> > Hi all,
>
> > I'm trying to write a [what should be] simple decoder rule but am
> > struggling. I'm just stuck at writing decoder rules in general and am
> > failing to understand all the parameters. The log is very simple and
> > looks like this:
>
> > 35 192.168.1.21 server25
> > 55 192.168.1.21 server26
> > 14 192.168.1.21 server27
> > 60 192.168.1.35 server25
>
> > The first column is a count. The second is the source IP address. And
> > the third is the destination hostname.
> > I want to make sure OSSEC gets the src IPs and dest hostnames because
> > I will eventually want to trigger an active response to block the
> > source IP on the relevant destination host.
>
> > So what would the decoder look like? So far I have this:
>
> > <decoder name="attack-data">
> >  <prematch>^\d\d</prematch>
> > </decoder>
>
> > <decoder name="attack-data-alert">
> >  <parent>attack-data</parent>
> >  <regex offset="after_parent>^ (\d+.\d+.\d+.\d+) \w+\d+</regex>
> >  <order>srcip,hostname</order>
> > </decoder>
>
> > However, something must be off because I keep getting config errors/
> > errors from OSSEC trying to read the decoder.xml - as soon as I remove
> > the snippet the error goes away.
>
> > What am I doing wrong? And how can I get the decoder to do what I
> > want?
>
> > TIA!
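
A way to see what these decoders actually produce before touching ossec.conf, as an added example rather than anything from the thread: the Python below mimics the two-stage match ossec-analysisd does (prematch first, then regex, with capture groups assigned to the names in <order>) for the two decoders posted above, run over lines constructed from the log format in the first post. The OSSEC-to-Python regex translation, the list of names I assume <order> accepts in OSSEC 2.x, and the sample lines are my assumptions; the authoritative check is /var/ossec/bin/ossec-logtest on the server, which prints the decoded srcip and extra_data for a pasted line.

```python
"""Offline simulation of OSSEC decoder matching (added example, not code
from the thread). Assumptions: the regex translation covers only the
escapes used in the posted decoders, and VALID_ORDER_FIELDS is the set
I know from OSSEC 2.x. Verify with ossec-logtest on a real install."""
import re
import xml.etree.ElementTree as ET

# OSSEC os_regex escapes -> Python re (subset; assumption).
_OSSEC_ESCAPES = {
    "\\d": "[0-9]",
    "\\s": "[ \\t]",
    "\\S": "[^ \\t]",
    "\\w": "[A-Za-z0-9_@-]",
}
_PASSTHROUGH = set("^$+*|(). ")  # same meaning in OSSEC regex and Python re

# Names accepted in <order> (OSSEC 2.x, assumption; "hostname" is not one).
VALID_ORDER_FIELDS = {
    "location", "srcip", "srcport", "dstip", "dstport", "protocol", "action",
    "id", "url", "data", "extra_data", "status", "user", "srcuser", "dstuser",
}

# Dan's decoder, copied from the reply above.
WORKING_DECODER_XML = r"""
<decoder name="attack data">
  <prematch>^\d+ </prematch>
  <regex>^\d+ (\S+) (\S+)</regex>
  <order>srcip,extra_data</order>
</decoder>
"""

# The first post's decoder, copied verbatim (note the unclosed quote).
POSTED_DECODER_XML = r"""
<decoder name="attack-data">
 <prematch>^\d\d</prematch>
</decoder>
<decoder name="attack-data-alert">
 <parent>attack-data</parent>
 <regex offset="after_parent>^ (\d+.\d+.\d+.\d+) \w+\d+</regex>
 <order>srcip,hostname</order>
</decoder>
"""

# Constructed sample input in the format from the post, plus one
# unrelated line that must not decode.
SAMPLE_LOG = [
    "35 192.168.1.21 server25",
    "55 192.168.1.21 server26",
    "14 192.168.1.21 server27",
    "60 192.168.1.35 server25",
    "Sep 13 16:52:00 host sshd[1]: unrelated line",
]


def ossec_to_python_regex(pattern):
    """Translate the OSSEC regex subset above into a Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            out.append(_OSSEC_ESCAPES.get(tok, re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(ch if ch in _PASSTHROUGH else re.escape(ch))
            i += 1
    return "".join(out)


def config_error(xml_text):
    """Return the XML parse error, or None. decoder.xml has no single
    root element, so the fragment is wrapped before parsing."""
    try:
        ET.fromstring("<root>" + xml_text + "</root>")
    except ET.ParseError as exc:
        return str(exc)
    return None


def load_decoders(xml_text):
    root = ET.fromstring("<root>" + xml_text + "</root>")
    decoders = []
    for d in root.findall("decoder"):
        order = d.findtext("order") or ""
        decoders.append({
            "name": d.get("name"),
            "prematch": d.findtext("prematch"),
            "regex": d.findtext("regex"),
            "order": [f.strip() for f in order.split(",") if f.strip()],
        })
    return decoders


def invalid_order_fields(decoder):
    return [f for f in decoder["order"] if f not in VALID_ORDER_FIELDS]


def decode_line(decoder, line):
    """Apply prematch, then regex; map capture groups to <order> names."""
    pre = decoder["prematch"]
    if pre and not re.search(ossec_to_python_regex(pre), line):
        return None
    if not decoder["regex"]:
        return {}
    m = re.search(ossec_to_python_regex(decoder["regex"]), line)
    return dict(zip(decoder["order"], m.groups())) if m else None


def decode_sample():
    """Run Dan's decoder over every sample line."""
    dec = load_decoders(WORKING_DECODER_XML)[0]
    return [decode_line(dec, line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    print("posted decoder.xml parse error:", config_error(POSTED_DECODER_XML))
    fixed = POSTED_DECODER_XML.replace('after_parent>', 'after_parent">')
    print("after closing the quote, unknown <order> fields:",
          invalid_order_fields(load_decoders(fixed)[1]))
    for line, fields in zip(SAMPLE_LOG, decode_sample()):
        print(repr(line), "->", fields)
```

Run as a script it shows three things: the posted decoder.xml does not parse at all, because the offset attribute's quote is never closed, which matches the config error reported in the first message; with the quote closed, hostname is still not an <order> name under the list assumed here, which is why extra_data is the field to carry the destination host; and Dan's decoder yields srcip and extra_data for each sample line and nothing for the unrelated one. What ossec-execd then hands to the active-response script is a separate question this example does not cover: the stock scripts read positional arguments, so check the execd documentation for your version before relying on extra_data reaching the script.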
