On Thu, Oct 14, 2010 at 11:21 PM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
> I'm in the middle of writing up a Week of OSSEC entry on decoding and rules
> and came across what I *think* is a bug in ossec-logtest.
>
> I'm using the standard decoders and rulesets and passing the following into
> the log tester:
>
> Oct 21 00:01:00 dev sshd[31409]: Failed password for invalid user postfix from 189.126.97.181 port 57608 ssh2
>
> The results are as follows:
>
> **Phase 1: Completed pre-decoding.
> full event: 'Oct 21 00:01:00 dev sshd[31409]: Failed password for invalid user postfix from 189.126.97.181 port 57608 ssh2'
> hostname: 'dev'
> program_name: 'sshd'
> log: 'Failed password for invalid user postfix from 189.126.97.181 port 57608 ssh2'
>
> **Phase 2: Completed decoding.
> decoder: 'sshd'
> srcip: '189.126.97.181'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '5710'
> Level: '5'
> Description: 'Attempt to login using a non-existent user'
> **Alert to be generated.
>
> Ok, all well and good. However, what caught my eye is the name of the
> decoder. The sshd decoder is defined as follows:
>
> <decoder name="sshd">
> <program_name>^sshd</program_name>
> </decoder>
>
> While this does match, it doesn't have a srcip variable, so that's definitely
> not the real decoder being used. Sure, it's the parent, but this is still
> misleading. I believe the actual decoder being used is this one,
> ssh-invfailed:
>
> <decoder name="ssh-invfailed">
> <parent>sshd</parent>
> <prematch>^Failed \S+ for invalid user|^Failed \S+ for illegal user</prematch>
> <regex offset="after_prematch">from (\S+) port \d+ \w+$</regex>
> <order>srcip</order>
> </decoder>
>
> So shouldn't the decoder line identify this as such?
No, the parent's name is used (root of the tree, top of the chain). This makes referencing decoders easier. A rule that could match a couple of different decoders (depending on what mangling the OS/distro has done to the log message) can use just the sshd decoder and get by.

There is a <use_own_name> variable that can be set, but I think there is a bug in ossec-logtest where this doesn't work there for some reason.
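To make the naming rule concrete, here is a small Python simulation of the decoder walk discussed in this thread (the two decoders and the sample event quoted above). It is an added example, not OSSEC's own code; its syslog header split and its use of Python's re for OSSEC's regex syntax are simplifying assumptions, as is the hypothetical <use_own_name>yes</use_own_name> form used to flip the reported name.

```python
import re
import xml.etree.ElementTree as ET

# The two decoders quoted in the thread, wrapped in a synthetic <root> so
# ElementTree can parse them (a real decoder file has no single root element).
DECODERS_XML = r"""<root>
<decoder name="sshd"><program_name>^sshd</program_name></decoder>
<decoder name="ssh-invfailed"><parent>sshd</parent>
  <prematch>^Failed \S+ for invalid user|^Failed \S+ for illegal user</prematch>
  <regex offset="after_prematch">from (\S+) port \d+ \w+$</regex>
  <order>srcip</order></decoder>
</root>"""

# The sample event from the thread.
EVENT = ("Oct 21 00:01:00 dev sshd[31409]: Failed password for invalid user "
         "postfix from 189.126.97.181 port 57608 ssh2")

# Phase 1 syslog header split (assumed BSD-style "Mon DD HH:MM:SS host prog[pid]: msg").
HEADER = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")

def load_decoders(xml_text):
    return list(ET.fromstring(xml_text).iter("decoder"))

def text(dec, tag):
    node = dec.find(tag)
    return node.text if node is not None else None

def decode(event, decoders):
    """Mimic ossec-logtest phases 1-2: return the pre-decoded fields, the
    decoder name that would be reported, and fields extracted via <order>."""
    hostname, program, log = HEADER.match(event).groups()
    out = {"hostname": hostname, "program_name": program, "log": log}
    # A root decoder (one with no <parent>) is selected by program_name.
    roots = [d for d in decoders if d.find("parent") is None]
    root = next((d for d in roots if re.search(text(d, "program_name") or "", program)), None)
    if root is None:
        return out
    out["decoder"] = root.get("name")  # reported name, even when a child does the work
    for child in (d for d in decoders if text(d, "parent") == root.get("name")):
        pm = re.search(text(child, "prematch"), log)
        if not pm:
            continue
        rx = child.find("regex")
        start = pm.end() if rx.get("offset") == "after_prematch" else 0
        rm = re.search(rx.text, log[start:])
        if rm:
            out.update(zip(text(child, "order").split(","), rm.groups()))
        if text(child, "use_own_name") == "yes":  # only then is the child's name shown
            out["decoder"] = child.get("name")
        break
    return out
```

Running decode(EVENT, load_decoders(DECODERS_XML)) reproduces the thread's output: decoder 'sshd' with srcip '189.126.97.181', because the child ssh-invfailed extracted the field but the root's name is what gets reported.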
