Hey guys,

I have another one I can't figure out.

A couple sample logs:

Sep 18 08:01:03 linksux ser2sock[2515]: [000003011000--------],004,[f70000071004030028020000000000],"FAULT 04                        "#012

Sep 19 11:37:11 linksux ser2sock[2515]: [100000011000--------],008,[f70000071008001c28020000000000]," DISARMED CHIME   Ready to Arm  "#012


My decoder rule - I checked this on a regex builder site, but it may have
been different than what OSSEC uses:

<decoder name="ad2usb">
  <!-- <prematch>\S\d+\S+</prematch> -->
  <prematch>^\w+\s\d*\d*\s\d+\S\d+\S\d+\s\w+\s\w+\d\w+\S\d+\S+\s</prematch>
  <regex offset="after_prematch">\S\d+\S+\d+\S+\w\d+\w\d+\S+\s*\w+\s*\S*\S*\S*\w+\S*\S*\S*\s*\w+\s*\w+\s*\w+\s*\S+</regex>
  <order>id</order>
</decoder>


And lastly, the rules I set up:

<group name="local,syslog,errors,openvpnals,windows,ad2usb">

 <rule id="100040" level="0"> <!-- I also tried setting the level to 5 -->
    <decoded_as>ad2usb</decoded_as>
    <description>AD2USB Alarm Status.</description>
  </rule>

  <rule id="100041" level="12">
    <if_sid>100040</if_sid>
    <match>100000011000</match>
    <description>Alarm armed</description>
  </rule>

</group>


I have debug turned on for analyzer, logcollector, and agent (on the server
and agent) and I see the logcollector reading the file on the agent but the
server doesn't display any log messages (I'm guessing it would?).
Interestingly, I echoed the same log message into /var/log/syslog and
/var/log/messages on the server, which are supposed to be monitored by OSSEC
as well, but I didn't see anything show up from the debug output like it
was on the OSSEC agent.





On Tue, Sep 14, 2010 at 8:58 AM, dan (ddp) <[email protected]> wrote:

> I'm not sure. You may need to include it in the <expect> line. You can
> dump the values being sent to an AR script (on Linux anyway) with the
> following script:
>
> #!/bin/sh
> echo $@  >> /tmp/some/log/file
>
> On Tue, Sep 14, 2010 at 11:40 AM, jplee3 <[email protected]> wrote:
> > Thanks Dan! That helped a bunch... btw: I'm trying to get the
> > 'destination hostname' (server25, server26, etc) passed as an Active
> > response parameter but am having some issues. I tried passing this as
> > "extra_data" (specified in the Active Response setup in ossec.conf as
> > well as in the decoder.xml). Do I need to specify anything in the
> > active response script? I can get the hostname of the server where the
> > alert was generated, but I need to grab that actual destination
> > hostname field.
> >
> > What I want to do is for Active Response to block the relevant IPs
> > local on each destination hostname with whom they are associated.
> >
> > Any ideas on how to extract that to pass as a parameter?
> >
> > On Sep 13, 4:52 pm, "dan (ddp)" <[email protected]> wrote:
> >> Keep it simple, there's no need for a parent and child decoder. Also,
> >> it's basic regex, you need parentheses for the items you want to pull
> >> out:
> >>
> >> <decoder name="attack data">
> >>   <prematch>^\d+ </prematch>
> >>   <regex>^\d+ (\S+) (\S+)</regex>
> >>   <order>srcip,extra_data</order>
> >> </decoder>
> >>
> >> Or something like that. Without something to differentiate it from
> >> other decoders (program_name, or something) there's a possibility that
> >> this may screw up other decoders.
> >>
> >> On Mon, Sep 13, 2010 at 7:36 PM, jplee3 <[email protected]> wrote:
> >> > Hi all,
> >>
> >> > I'm trying to write a [what should be] simple decoder rule but am
> >> > struggling. I'm just stuck at writing decoder rules in general and am
> >> > failing to understand all the parameters. The log is very simple and
> >> > looks like this:
> >>
> >> > 35 192.168.1.21 server25
> >> > 55 192.168.1.21 server26
> >> > 14 192.168.1.21 server27
> >> > 60 192.168.1.35 server25
> >>
> >> > The first column is a count. The second is the source IP address. And
> >> > the third is the destination hostname.
> >> > I want to make sure OSSEC gets the src IPs and dest hostnames because
> >> > I will eventually want to trigger an active response to block the
> >> > source IP on the relevant destination host.
> >>
> >> > So what would the decoder look like? So far I have this:
> >>
> >> > <decoder name="attack-data">
> >> >  <prematch>^\d\d</prematch>
> >> > </decoder>
> >>
> >> > <decoder name="attack-data-alert">
> >> >  <parent>attack-data</parent>
> >> >  <regex offset="after_parent>^ (\d+.\d+.\d+.\d+) \w+\d+</regex>
> >> >  <order>srcip,hostname</order>
> >> > </decoder>
> >>
> >> > However, something must be off because I keep getting config errors/
> >> > errors from OSSEC trying to read the decoder.xml - as soon as I remove
> >> > the snippet the error goes away.
> >>
> >> > What am I doing wrong? And how can I get the decoder to do what I
> >> > want?
> >>
> >> > TIA!
>
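Both halves of this thread come down to the same question: what does an OSSEC decoder actually see, and what do its prematch, regex and order pull out of it? The following is an added example, not code from this thread and not OSSEC's own code, that emulates those steps in Python over the ser2sock lines and the attack-data lines posted above so the field extraction can be checked before anything goes into decoder.xml. It relies on one piece of OSSEC behaviour: the syslog header (timestamp, hostname, program_name[pid]) is pre-decoded and stripped before any decoder's prematch runs, which is why a prematch that starts by matching the timestamp has nothing to match, and why `<program_name>ser2sock</program_name>` is the usual way to pin a decoder to that source. Assumptions: Python's `re` dialect stands in for OSSEC's reduced os_regex syntax, so the patterns need translating before use in OSSEC; the field names chosen in the order lists (id, extra_data, data, status, srcip) are my choice; `<match>` is modelled as a plain substring test against the whole log line, which is what OSSEC's non-regex match does; and the trailing `#012` is treated as an escaped newline added by syslog and left in the line.

```python
import re

# Log lines taken from the thread: two ser2sock/AD2USB syslog lines (the
# "#012" suffix is assumed to be syslog's escaped newline and is kept as-is)
# and the four space-separated "count srcip hostname" lines.
AD2USB_LOGS = [
    'Sep 18 08:01:03 linksux ser2sock[2515]: [000003011000--------],004,'
    '[f70000071004030028020000000000],"FAULT 04                        "#012',
    'Sep 19 11:37:11 linksux ser2sock[2515]: [100000011000--------],008,'
    '[f70000071008001c28020000000000]," DISARMED CHIME   Ready to Arm  "#012',
]
ATTACK_LOGS = [
    "35 192.168.1.21 server25",
    "55 192.168.1.21 server26",
    "14 192.168.1.21 server27",
    "60 192.168.1.35 server25",
]

# OSSEC pre-decodes "Mon DD HH:MM:SS host prog[pid]: msg" before any decoder
# runs; the decoder's <prematch>/<regex> then only see "msg".
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def predecode(line):
    """Split off the syslog header the way OSSEC's pre-decoding does.
    Lines without a header (the attack-data file) get program_name=None."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"program_name": None, "hostname": None, "message": line}
    return {"program_name": m.group("prog"), "hostname": m.group("host"),
            "message": m.group("msg")}


# Decoder table mirroring <program_name>/<prematch>/<regex>/<order>.
# Python re syntax is used here (assumption); OSSEC's os_regex is a reduced
# dialect, so translate before pasting into decoder.xml.
DECODERS = [
    {
        "name": "ad2usb",
        "program_name": "ser2sock",
        # The 20-character keypad bit field in brackets is a cheap, distinctive
        # prematch; the first sample contains a '3', so digits, not just 0/1.
        "prematch": re.compile(r"^\[[0-9-]{20}\],"),
        "regex": re.compile(
            r'^\[([0-9-]{20})\],(\d+),\[([0-9a-fA-F]+)\],"(.*?)"'),
        "order": ["id", "extra_data", "data", "status"],  # field names: my choice
    },
    {
        "name": "attack-data",
        "program_name": None,  # these lines carry no syslog header
        "prematch": re.compile(r"^\d+ "),
        "regex": re.compile(r"^\d+ (\d+\.\d+\.\d+\.\d+) (\S+)$"),
        "order": ["srcip", "extra_data"],  # extra_data = destination hostname
    },
]


def decode(line):
    """Return (decoder_name, fields) for the first decoder whose program_name,
    prematch and regex all match, or (None, {}) when nothing decodes the line.
    Captured values are stripped because the AD2USB status text is padded."""
    pre = predecode(line)
    for d in DECODERS:
        if d["program_name"] is not None and pre["program_name"] != d["program_name"]:
            continue
        if not d["prematch"].search(pre["message"]):
            continue
        m = d["regex"].search(pre["message"])
        if not m:
            continue
        fields = dict(zip(d["order"], (g.strip() for g in m.groups())))
        fields["program_name"] = pre["program_name"]
        return d["name"], fields
    return None, {}


def rule_match(line, needle):
    """Model of a rule's <match>: a substring test against the whole log line,
    not an anchored regex (assumption about OSSEC's non-regex match)."""
    return needle in line


def decode_all(lines):
    """Decode a batch of lines; handy for eyeballing a whole sample file."""
    return [decode(l) for l in lines]


if __name__ == "__main__":
    for line in AD2USB_LOGS + ATTACK_LOGS:
        name, fields = decode(line)
        print(name, fields)
        if name == "ad2usb":
            print("  <match>100000011000</match> fires:", rule_match(line, "100000011000"))
```

Run it as a script to see each line's decoder name and extracted fields; a line that prints `None {}` is one that no decoder claims, which is the first thing to rule out when the server shows nothing. Once the Python patterns do what you want, rewrite them in OSSEC syntax with parentheses only around the fields listed in `<order>`, and check the result with ossec-logtest rather than a generic regex site, since the dialects differ.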
