I'm not sure. You may need to include it in the <expect> line. You can dump the values being sent to an AR script (on Linux anyway) with the following script:

#!/bin/sh
echo $@ >> /tmp/some/log/file

On Tue, Sep 14, 2010 at 11:40 AM, jplee3 <[email protected]> wrote:
> Thanks Dan! That helped a bunch... btw: I'm trying to get the
> 'destination hostname' (server25, server26, etc.) passed as an Active
> Response parameter but am having some issues. I tried passing this as
> "extra_data" (specified in the Active Response setup in ossec.conf as
> well as in the decoder.xml). Do I need to specify anything in the
> active response script? I can get the hostname of the server where the
> alert was generated, but I need to grab that actual destination
> hostname field.
>
> What I want to do is for Active Response to block the relevant IPs
> locally on each destination hostname with which they are associated.
>
> Any ideas on how to extract that to pass as a parameter?
>
> On Sep 13, 4:52 pm, "dan (ddp)" <[email protected]> wrote:
>> Keep it simple, there's no need for a parent and child decoder. Also,
>> it's basic regex, you need parentheses for the items you want to pull
>> out:
>>
>> <decoder name="attack data">
>>   <prematch>^\d+ </prematch>
>>   <regex>^\d+ (\S+) (\S+)</regex>
>>   <order>srcip,extra_data</order>
>> </decoder>
>>
>> Or something like that. Without something to differentiate it from
>> other decoders (program_name, or something) there's a possibility that
>> this may screw up other decoders.
>>
>> On Mon, Sep 13, 2010 at 7:36 PM, jplee3 <[email protected]> wrote:
>> > Hi all,
>> >
>> > I'm trying to write a [what should be] simple decoder rule but am
>> > struggling. I'm just stuck at writing decoder rules in general and am
>> > failing to understand all the parameters. The log is very simple and
>> > looks like this:
>> >
>> > 35 192.168.1.21 server25
>> > 55 192.168.1.21 server26
>> > 14 192.168.1.21 server27
>> > 60 192.168.1.35 server25
>> >
>> > The first column is a count. The second is the source IP address. And
>> > the third is the destination hostname.
>> > I want to make sure OSSEC gets the src IPs and dest hostnames because
>> > I will eventually want to trigger an active response to block the
>> > source IP on the relevant destination host.
>> >
>> > So what would the decoder look like? So far I have this:
>> >
>> > <decoder name="attack-data">
>> >   <prematch>^\d\d</prematch>
>> > </decoder>
>> >
>> > <decoder name="attack-data-alert">
>> >   <parent>attack-data</parent>
>> >   <regex offset="after_parent>^ (\d+.\d+.\d+.\d+) \w+\d+</regex>
>> >   <order>srcip,hostname</order>
>> > </decoder>
>> >
>> > However, something must be off because I keep getting config errors/
>> > errors from OSSEC trying to read the decoder.xml - as soon as I remove
>> > the snippet the error goes away.
>> >
>> > What am I doing wrong? And how can I get the decoder to do what I
>> > want?
>> >
>> > TIA!
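The following is an added example, not code from the thread or from OSSEC itself. It emulates the single decoder Dan suggested (a `prematch` gate, a `regex` with capture groups, and an `order` list naming the fields) against a constructed copy of the log lines from the original question, then groups the extracted `srcip` values by the `extra_data` hostname the way a per-host block list would need them. The mapping of OSSEC's regex dialect (`\d`, `\S`) onto Python's `re` module is an assumption that holds for these simple patterns; the sample lines and the `decode_line`, `decode_all`, `is_valid_srcip` and `hosts_to_block` names are the example's own.

```python
import ipaddress
import re

# Emulation of the decoder from Dan's reply. OSSEC itself parses decoder.xml;
# this dict only mirrors its three relevant elements for local testing.
# Assumption: OSSEC's \d and \S behave like Python's for these patterns.
DECODER = {
    "name": "attack data",
    "prematch": r"^\d+ ",             # cheap gate: line must start with a count
    "regex": r"^\d+ (\S+) (\S+)",     # capture groups become the ordered fields
    "order": ["srcip", "extra_data"],
}

# Constructed sample input: the four lines from the original question plus two
# lines that must NOT decode (a line from another program, and a bad IP).
SAMPLE_LOG = [
    "35 192.168.1.21 server25",
    "55 192.168.1.21 server26",
    "14 192.168.1.21 server27",
    "60 192.168.1.35 server25",
    "sshd[1234]: Failed password for root from 10.0.0.5",
    "12 not-an-ip server25",
]


def is_valid_srcip(value):
    """The original regex (\\d+.\\d+.\\d+.\\d+) would also match garbage like
    '1a2b3c4'; validating the captured field properly is safer than a looser regex."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def decode_line(line, decoder=DECODER):
    """Return the decoded fields for one log line, or None if the decoder
    does not apply (prematch fails, regex fails, or the srcip is not an IP)."""
    if not re.search(decoder["prematch"], line):
        return None
    match = re.search(decoder["regex"], line)
    if not match:
        return None
    fields = dict(zip(decoder["order"], match.groups()))
    if "srcip" in fields and not is_valid_srcip(fields["srcip"]):
        return None
    return fields


def decode_all(lines, decoder=DECODER):
    """Decode every line, keeping only the ones the decoder accepted."""
    return [fields for fields in (decode_line(l, decoder) for l in lines) if fields]


def hosts_to_block(lines, decoder=DECODER):
    """Group source IPs by destination hostname (the extra_data field), which is
    the shape an active response that blocks per destination host would consume."""
    grouped = {}
    for fields in decode_all(lines, decoder):
        grouped.setdefault(fields["extra_data"], set()).add(fields["srcip"])
    return grouped


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{line!r} -> {decode_line(line)}")
    for host, ips in sorted(hosts_to_block(SAMPLE_LOG).items()):
        print(f"{host}: block {sorted(ips)}")
```

Running the block shows the two rejected lines decoding to `None`, which is the behaviour Dan's "something to differentiate it from other decoders" warning is about: without a distinguishing `prematch` (or `program_name`), any line that happens to start with digits will be handed to this decoder, so a validation step on the captured `srcip` is a cheap second line of defence before an active response acts on it.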
