On Mon, Oct 18, 2010 at 2:11 PM, Jefferson, Shawn <[email protected]> wrote:
> Hi,
>
> Ok! Getting closer to figuring this out. The full_command data is getting
> from the client to the server (and being logged in the archives.log file
> after using the global.logall option). It looks like the message is NOT
> being decoded as Rule 530 though.
>
> This is from my archives.log:
> 2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':
> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1164 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
>
> Pasting the first line into the logtest application gives me this output:
>
> 2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':
>
> **Phase 1: Completed pre-decoding.
> full event: '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':'
> hostname: 'ossecsvr'
> program_name: '(null)'
> log: '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> And the rule 530 that is in the ossec_rules.xml file:
>
> <!-- Process monitoring rules -->
> <rule id="530" level="0">
>   <if_sid>500</if_sid>
>   <match>^ossec: output: </match>
>   <description>OSSEC process monitoring rules.</description>
>   <group>process_monitor,</group>
> </rule>
>
I can't do it myself right now, but try pasting everything after the '->' into ossec-logtest:

netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':
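The reason the reply suggests stripping the prefix: an archives.log entry is "<timestamp> (<agent>) <ip>-><location> <original log>", and only the original log text is what the decoders and rule 530's anchored `<match>^ossec: output: </match>` ever see. For a command-monitoring event the location is the command line itself (spaces and all), which is why the split is not obvious by eye. The script below is an added example, not code from the thread or from OSSEC: it parses constructed archives.log entries into their fields, then applies rule 530's prefix match to both the full archives.log line and the extracted log text. The sample lines, the field names, and the assumption that a location never itself contains " ossec: output: " are mine.

```python
import re

# Constructed sample entries in OSSEC archives.log format (not captured from a
# real system). The first mirrors the shape of the line discussed in the thread;
# the second is a file-based location for contrast.
ARCHIVE_LINES = [
    '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN" '
    'ossec: output: \'netstat -an | find "LISTEN"\':',
    "2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->/var/log/messages "
    "Oct 18 09:14:29 server01 sshd[4242]: Accepted publickey for admin "
    "from 10.0.0.5 port 51000 ssh2",
]

# archives.log prefix: "<timestamp> (<agent>) <ip>-><location> <original log>".
# DOTALL keeps multi-line command output (the netstat rows) inside "rest".
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+?)->(?P<rest>.*)$",
    re.DOTALL,
)

# Marker that begins the log text of a command-monitoring (<command>) event.
COMMAND_OUTPUT_MARKER = "ossec: output: "


def split_archive_line(line):
    """Split one archives.log entry into timestamp, agent, ip, location and log.

    A command-monitoring location is the command line and may contain spaces,
    so for those entries the log text is located via the "ossec: output: "
    marker. A file-based location is a path without spaces, so the first space
    ends it. Assumption (mine, not OSSEC's): a location never itself contains
    " ossec: output: ".
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an archives.log entry: %r" % line)
    rest = m.group("rest")
    idx = rest.find(" " + COMMAND_OUTPUT_MARKER)
    if idx != -1:
        location, log = rest[:idx], rest[idx + 1:]
    else:
        location, _, log = rest.partition(" ")
    return {
        "timestamp": m.group("ts"),
        "agent": m.group("agent"),
        "ip": m.group("ip"),
        "location": location,
        "log": log,
    }


def rule_530_matches(log):
    """Rule 530's <match>^ossec: output: </match>: '^' anchors at the start of
    the log text and the rest is a literal prefix."""
    return log.startswith(COMMAND_OUTPUT_MARKER)


def compare(line):
    """Return (match on the full archives.log line, match on the extracted log)."""
    return rule_530_matches(line), rule_530_matches(split_archive_line(line)["log"])


if __name__ == "__main__":
    for line in ARCHIVE_LINES:
        rec = split_archive_line(line)
        print("location: %s" % rec["location"])
        print("log:      %s" % rec["log"])
        print("rule 530 on full line: %s, on extracted log: %s" % compare(line))
```

Running it shows the thread's symptom directly: the full archives.log line never starts with "ossec: output: ", so nothing decodes, while the extracted log text does. The same extracted text is what to paste into ossec-logtest, and it is what the decoder sees when the agent sends the event over the wire.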
