-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm in the middle of writing up a Week of OSSEC entry on decoding and rules and 
came across what I *think* is a bug in ossec-logtest.

I'm using the standard decoders and rulesets and passing the following into the 
log tester:

Oct 21 00:01:00 dev sshd[31409]: Failed password for invalid user postfix from 
189.126.97.181 port 57608 ssh2


The results are as follows:

**Phase 1: Completed pre-decoding.
       full event: 'Oct 21 00:01:00 dev sshd[31409]: Failed password for 
invalid user postfix from 189.126.97.181 port 57608 ssh2'
       hostname: 'dev'
       program_name: 'sshd'
       log: 'Failed password for invalid user postfix from 189.126.97.181 port 
57608 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '189.126.97.181'

**Phase 3: Completed filtering (rules).
       Rule id: '5710'
       Level: '5'
       Description: 'Attempt to login using a non-existent user'
**Alert to be generated.


Ok, all well and good.  However, what caught my eye is the name of the decoder. 
The sshd decoder is defined as follows:

<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

While this does match, it doesn't have a srcip variable, so that's definitely 
not the real decoder being used.  Sure, it's the parent, but this is still 
misleading.  I believe the actual decoder being used is this one, ssh-invfailed:

<decoder name="ssh-invfailed">
  <parent>sshd</parent>
  <prematch>^Failed \S+ for invalid user|^Failed \S+ for illegal user</prematch>
  <regex offset="after_prematch">from (\S+) port \d+ \w+$</regex>
  <order>srcip</order>
</decoder>

So shouldn't the decoder line identify this as such?

- ---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

iEYEARECAAYFAky3yK4ACgkQ8CjzPZyTUTSYuwCfaKxA65bxd7+2+GWt6sr0x2wj
h8cAoIv53VXeev9IdgK/MAPWRJJNvxCX
=2Hyw
-----END PGP SIGNATURE-----
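The parent/child decoder walk the post is describing, as an added Python example that is not part of the post and not OSSEC's own code: the two decoders quoted above are transcribed into dicts, the syslog header is pre-decoded the way logtest's Phase 1 shows, the parent is chosen by `program_name`, and then each child whose `prematch` hits has its `regex` applied after the prematch and its `order` fields filled. The sample event is the one from the post; the header regex and the use of Python's `re` in place of OSSEC's own regex engine are assumptions made for the illustration, and the function reports both the parent and the child so the two are not confused.

```python
import re

# Sample event, copied from the post above (constructed input for this example).
SAMPLE_EVENT = ("Oct 21 00:01:00 dev sshd[31409]: Failed password for invalid user "
                "postfix from 189.126.97.181 port 57608 ssh2")

# The two decoders quoted in the post, transcribed into dicts. A real loader would
# read decoder.xml; this hand-built list is an assumption for the example.
DECODERS = [
    {"name": "sshd", "program_name": r"^sshd"},
    {"name": "ssh-invfailed", "parent": "sshd",
     "prematch": r"^Failed \S+ for invalid user|^Failed \S+ for illegal user",
     "regex": r"from (\S+) port \d+ \w+$", "offset": "after_prematch",
     "order": ["srcip"]},
]

# Minimal syslog header parser standing in for logtest's Phase 1 (assumed format:
# "<Mon> <day> <hh:mm:ss> <host> <prog>[pid]: <log>").
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<log>.*)$")


def predecode(event):
    """Phase 1: split the syslog header off and return hostname/program_name/log."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return None
    return {"hostname": m.group("host"),
            "program_name": m.group("prog"),
            "log": m.group("log")}


def decode(event, decoders=DECODERS):
    """Phase 2: pick the parent by program_name, then the first child whose
    prematch and regex both hit. Returns the winning decoder name, the parent,
    and any extracted fields (e.g. srcip)."""
    pre = predecode(event)
    if pre is None:
        return None

    # Parent selection: only top-level decoders (no <parent>) are tested here,
    # and only against the program_name pulled out in Phase 1.
    parent = next((d for d in decoders
                   if "parent" not in d
                   and re.search(d["program_name"], pre["program_name"])), None)
    if parent is None:
        return None

    result = {"decoder": parent["name"], "parent": parent["name"], **pre}

    # Child selection: children of the matched parent, in file order.
    for child in decoders:
        if child.get("parent") != parent["name"]:
            continue
        pm = re.search(child["prematch"], pre["log"])
        if not pm:
            continue
        # offset="after_prematch": the regex is applied to the remainder only.
        rest = pre["log"][pm.end():] if child.get("offset") == "after_prematch" \
            else pre["log"]
        rm = re.search(child["regex"], rest)
        if not rm:
            continue
        # <order> names the capture groups left to right.
        result.update(zip(child["order"], rm.groups()))
        result["decoder"] = child["name"]
        break
    return result


if __name__ == "__main__":
    for k, v in decode(SAMPLE_EVENT).items():
        print(f"{k}: {v!r}")
```

Running it on the sample event reports `decoder: 'ssh-invfailed'` alongside `parent: 'sshd'` and `srcip: '189.126.97.181'`; an sshd line that no child claims (for instance an `Accepted password` line) falls back to the bare parent with no srcip, which is the distinction the post is asking logtest to show.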
