-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm in the middle of writing up a Week of OSSEC entry on decoding and rules and
came across what I *think* is a bug in ossec-logtest.
I'm using the standard decoders and rulesets and passing the following into the
log tester:
Oct 21 00:01:00 dev sshd[31409]: Failed password for invalid user postfix from 189.126.97.181 port 57608 ssh2
The results are as follows:
**Phase 1: Completed pre-decoding.
full event: 'Oct 21 00:01:00 dev sshd[31409]: Failed password for
invalid user postfix from 189.126.97.181 port 57608 ssh2'
hostname: 'dev'
program_name: 'sshd'
log: 'Failed password for invalid user postfix from 189.126.97.181 port
57608 ssh2'
**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '189.126.97.181'
**Phase 3: Completed filtering (rules).
Rule id: '5710'
Level: '5'
Description: 'Attempt to login using a non-existent user'
**Alert to be generated.
Ok, all well and good. However, what caught my eye is the name of the decoder.
The sshd decoder is defined as follows:
<decoder name="sshd">
<program_name>^sshd</program_name>
</decoder>
While this does match, it doesn't have a srcip variable, so that's definitely
not the real decoder being used. Sure, it's the parent, but this is still
misleading. I believe the actual decoder being used is this one, ssh-invfailed:
<decoder name="ssh-invfailed">
<parent>sshd</parent>
<prematch>^Failed \S+ for invalid user|^Failed \S+ for illegal user</prematch>
<regex offset="after_prematch">from (\S+) port \d+ \w+$</regex>
<order>srcip</order>
</decoder>
So shouldn't the decoder line identify this as such?
- ---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
iEYEARECAAYFAky3yK4ACgkQ8CjzPZyTUTSYuwCfaKxA65bxd7+2+GWt6sr0x2wj
h8cAoIv53VXeev9IdgK/MAPWRJJNvxCX
=2Hyw
-----END PGP SIGNATURE-----
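The parent/child decoder behaviour the post describes, as an added example that is not part of the original mail and not OSSEC's own code. It is a deliberately small model of how ossec-logtest's three phases work: pre-decoding splits the syslog header from the message, a root decoder is chosen by program_name, and then the root's children are tried with their prematch and an after_prematch regex whose capture groups are assigned according to order. The decoder definitions are copied verbatim from the post; the sample event is the one quoted in the mail. OSSEC's real regex dialect and decoder selection rules are more involved than the plain Python re translation used here, so treat the matching semantics as an assumption. The point of the model is that the reported decoder name should be the child that actually extracted srcip (ssh-invfailed), with the parent name (sshd) only when no child matched.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample event copied from the mailing-list post (constructed test input, not live data).
SAMPLE = ("Oct 21 00:01:00 dev sshd[31409]: Failed password for invalid user "
          "postfix from 189.126.97.181 port 57608 ssh2")

# Phase 1: a minimal BSD-syslog header parser (assumption: OSSEC's pre-decoder
# handles more header formats than this).
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)


@dataclass
class Decoder:
    """One <decoder> element, reduced to the attributes used in the post."""
    name: str
    program_name: Optional[str] = None   # <program_name> regex, root decoders only
    parent: Optional[str] = None         # <parent> name, child decoders only
    prematch: Optional[str] = None       # <prematch> regex
    regex: Optional[str] = None          # <regex> that captures fields
    regex_offset: Optional[str] = None   # "after_prematch" or None
    order: List[str] = field(default_factory=list)  # <order> field names


# The two decoders quoted in the post, in file order.
DECODERS = [
    Decoder(name="sshd", program_name=r"^sshd"),
    Decoder(name="ssh-invfailed", parent="sshd",
            prematch=r"^Failed \S+ for invalid user|^Failed \S+ for illegal user",
            regex=r"from (\S+) port \d+ \w+$", regex_offset="after_prematch",
            order=["srcip"]),
]


def predecode(event: str) -> Dict[str, str]:
    """Phase 1: split header fields off the raw event."""
    fields = {"full event": event}
    m = SYSLOG_RE.match(event)
    if m is None:
        fields["log"] = event
        return fields
    for key in ("hostname", "program_name", "log"):
        fields[key] = m.group(key)
    return fields


def decode(event: str, decoders: List[Decoder] = DECODERS) -> Tuple[Dict[str, str], Optional[str]]:
    """Phase 2: pick the root decoder by program_name, then the first child whose
    prematch and regex both match.  Returns (fields, name of the decoder that
    actually matched) - the child's name when a child matched, else the root's."""
    fields = predecode(event)
    program = fields.get("program_name", "")
    root = next((d for d in decoders if d.parent is None and d.program_name
                 and re.search(d.program_name, program)), None)
    if root is None:
        return fields, None

    log = fields["log"]
    for child in (d for d in decoders if d.parent == root.name):
        pre = re.search(child.prematch, log) if child.prematch else None
        if child.prematch and pre is None:
            continue
        # offset="after_prematch": apply the regex only to the text after the prematch
        target = log[pre.end():] if (pre and child.regex_offset == "after_prematch") else log
        if child.regex:
            m = re.search(child.regex, target)
            if m is None:
                continue
            fields.update(zip(child.order, m.groups()))
        return fields, child.name       # report the child, not the parent
    return fields, root.name


def report(event: str) -> str:
    """Render the result in the style of ossec-logtest's phase output."""
    fields, name = decode(event)
    lines = ["**Phase 1: Completed pre-decoding."]
    lines += [f"       {k}: '{v}'" for k, v in fields.items() if k != "srcip"]
    lines.append("**Phase 2: Completed decoding.")
    lines.append(f"       decoder: '{name}'")
    if "srcip" in fields:
        lines.append(f"       srcip: '{fields['srcip']}'")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Running the block prints the same phase layout as the post but with `decoder: 'ssh-invfailed'`, which is what the author expected to see. A second event from sshd that matches no child (for example an `Accepted password` line) falls through to the root and is reported as `sshd` with no `srcip`, which is the only case in which naming the parent is accurate.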