Hi,
OK! Getting closer to figuring this out. The full_command data is getting
from the client to the server (and is being logged in the archives.log file after
using the global.logall option). It looks like the message is NOT being
decoded as Rule 530, though.
This is from my archives.log:
2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1164 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
Pasting the first line into the logtest application gives me this output:
2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':
**Phase 1: Completed pre-decoding.
full event: '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':'
hostname: 'ossecsvr'
program_name: '(null)'
log: '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':'
**Phase 2: Completed decoding.
No decoder matched.
And the rule 530 that is in the ossec_rules.xml file:
<!-- Process monitoring rules -->
<rule id="530" level="0">
<if_sid>500</if_sid>
<match>^ossec: output: </match>
<description>OSSEC process monitoring rules.</description>
<group>process_monitor,</group>
</rule>
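The logtest output above shows the entire pasted line, including the archives.log header ("date (agent) ip->location "), landing in the log field, so rule 530's anchored match "^ossec: output: " never sees "ossec: output:" at the start of the log. The script below is an added example (it is not part of the original post and not OSSEC's own code): it splits the archived entry into its header fields and the raw log the agent sent, emulates the rule's <match> test in a simplified way (literal substring, with a leading '^' anchoring to the start of the log; '$' and '|' are not implemented), and runs that test on both the line as pasted and the raw log. The sample entry is constructed from the archives.log excerpt in the post; the header regex is an assumption about the archive layout and relies on a full_command payload starting with "ossec: output: ", because the location (the command itself) can contain spaces.

```python
import re

# Constructed sample, copied from the archives.log excerpt in the post: the
# archive header ("date (agent) ip->location ") followed by the raw log that the
# agent sent, which for a full_command entry begins with "ossec: output: ".
ARCHIVE_ENTRY = (
    '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" '
    'ossec: output: \'netstat -an | find "LISTEN"\':\n'
    'TCP 0.0.0.0:135 0.0.0.0:0 LISTENING\n'
    'TCP 0.0.0.0:443 0.0.0.0:0 LISTENING\n'
    'TCP 0.0.0.0:445 0.0.0.0:0 LISTENING\n'
    'TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING\n'
    'TCP 0.0.0.0:1164 0.0.0.0:0 LISTENING\n'
    'TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING'
)

# Assumed archive header layout: "YYYY Mon DD HH:MM:SS (agent) ip->location log".
# The location of a full_command entry is the command itself and may contain
# spaces, so the split relies on the raw log starting with "ossec: output: ".
ARCHIVE_RE = re.compile(
    r'^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) '
    r'\((?P<agent>[^)]+)\) (?P<ip>[\d.]+)->'
    r'(?P<location>.*?) (?P<log>ossec: output: .*)$',
    re.DOTALL,
)

# The <match> pattern of rule 530, as quoted from ossec_rules.xml in the post.
RULE_530_MATCH = '^ossec: output: '


def split_archive_entry(entry):
    """Split an archives.log entry into header fields and the raw log.

    Returns a dict with ts, agent, ip, location and log, or None when the
    entry does not carry a full_command payload.
    """
    m = ARCHIVE_RE.match(entry)
    return m.groupdict() if m else None


def ossec_match(pattern, log):
    """Simplified emulation of the OSSEC <match> element: a literal substring
    test where a leading '^' anchors the pattern to the start of the log.
    The real matcher also understands '$' and '|'; they are not needed here.
    """
    if pattern.startswith('^'):
        return log.startswith(pattern[1:])
    return pattern in log


def rule_530_hits(log):
    """True when the <match> of rule 530 would succeed on this log text."""
    return ossec_match(RULE_530_MATCH, log)


def listening_ports(log):
    """Pull the local ports out of the netstat output carried by the payload."""
    return [int(p) for p in re.findall(r'^TCP \S+:(\d+) \S+ LISTENING$', log, re.M)]


def diagnose(entry):
    """Compare the match result on the line as pasted with the raw log inside it."""
    fields = split_archive_entry(entry)
    raw_log = fields['log'] if fields else entry
    return {
        'pasted_line_matches': rule_530_hits(entry),
        'raw_log_matches': rule_530_hits(raw_log),
        'ports': listening_ports(raw_log),
    }


if __name__ == '__main__':
    result = diagnose(ARCHIVE_ENTRY)
    print('rule 530 on the pasted archive line:', result['pasted_line_matches'])  # False
    print('rule 530 on the raw log only:', result['raw_log_matches'])             # True
    print('listening ports in the payload:', result['ports'])
```

Run as-is, the script reports that the match fails on the pasted archive line and succeeds on the raw log that follows the "ip->location " header, which is consistent with the "No decoder matched" result shown in the logtest output above. When checking a rule with logtest, feed it the raw log text the agent sent rather than the archives.log line with its header.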