Hello,

It looks excellent :)

I only posted one line of log because all the other lines are the
same, only changing the time, ip and the first field which is the
common name of the certificate. The second field 'PT' is always the
same, I set it up that way in order to have a way for ossec to catch
the log entry.


Where should I put your decoder? How can I go about making it send me
email every time a log entry like that one appears?


Thanks for your help.


Vitor Correia


On Oct 21, 3:09 pm, "dan (ddp)" <[email protected]> wrote:
> This is a bit rough. I've tested it to make sure it doesn't hurt
> anything else, but my tests aren't exhaustive. Also, it's tough with
> only 1 log sample to make sure I've got everything. And last but not
> least, I didn't look at the other web decoders to make sure the items
> I placed in <order> match up to what they use. But here's a decoder:
>
> <decoder name="ssl-cert">
>   <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]
> </prematch>
>   <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d
> \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
>   <order>srcuser,id,srcip,action,url,status,extra_data</order>
> </decoder>
>
> Here's what it looks like going through logtest:
> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
> 2010/10/21 10:01:02 ossec-testrule: INFO: Reading local decoder file.
> 2010/10/21 10:01:02 ossec-testrule: INFO: Started (pid: 23246).
> ossec-testrule: Type one log per line.
>
> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
> Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>
> **Phase 1: Completed pre-decoding.
>        full event: '"Vitor Correia" "PT" 89.155.91.201 - -
> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
> Gecko/20101012 Firefox/3.6.11"'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: '"Vitor Correia" "PT" 89.155.91.201 - -
> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
> Gecko/20101012 Firefox/3.6.11"'
>
> **Phase 2: Completed decoding.
>        decoder: 'ssl-cert'
>        srcuser: 'Vitor Correia'
>        id: 'PT'
>        srcip: '89.155.91.201'
>        action: 'GET'
>        url: '/collect/main/'
>        status: '200'
>        extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
> rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
>
> To write a rule you'd use something like:
> <rule id="NUMBER" level="NUMBER">
>   <id>PT</id>
>   <description>something</description>
> </rule>
>
> I'd run a bunch of logs through ossec-logtest to make sure it works on
> all of them and not just the one you posted. But this should be enough
> to get you started. If it doesn't work for another log, feel free to
> post back with that log. I can help tune it if you need it.
>
> Also, a little self promotion:
> http://ddpbsd.blogspot.com/2010/10/ossec-decoders-101.html
> That blog post describes writing decoders bit by bit using ossec-logtest
> to test it out.
> HTH!
> dan
>
> On Wed, Oct 20, 2010 at 8:56 PM, vcorreia <[email protected]> wrote:
> > Hello everyone,
>
> > How can I go about writing a decoder/rule to send me an email every
> > time a log entry like this is registered?
>
> > "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
> > "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
> > Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>
> > I'm interested in catching the bit which says "PT", that will be the
> > bit that will always appear.
>
> > Thanks in advance.
>
> > Vitor Correia

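The setup Vitor asks about, as an added example that is not part of this thread or of the OSSEC project: dan's decoder in a local decoder file, a local rule keyed on the decoded 'PT' id field that forces an e-mail alert, and the global mail settings in ossec.conf. The file paths, rule id 100100, level 7 and the mail addresses are assumptions and placeholders; older 2.x releases without local_decoder.xml take the decoder in decoder.xml instead.

```xml
<!-- /var/ossec/etc/local_decoder.xml (assumed path): dan's decoder, unchanged -->
<decoder name="ssl-cert">
  <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]</prematch>
  <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
  <order>srcuser,id,srcip,action,url,status,extra_data</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml: ids 100000-109999 are reserved for local rules -->
<group name="local,ssl-cert,">
  <!-- Fires only on events decoded by "ssl-cert" whose id field (second quoted field) is PT.
       alert_by_email sends mail for this rule even if its level is below email_alert_level. -->
  <rule id="100100" level="7">
    <decoded_as>ssl-cert</decoded_as>
    <id>PT</id>
    <options>alert_by_email</options>
    <description>Client-certificate access (id PT) to the SSL site.</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf, inside <ossec_config>: mail delivery must be enabled globally -->
<global>
  <email_notification>yes</email_notification>
  <email_to>alerts@example.invalid</email_to>        <!-- placeholder recipient -->
  <smtp_server>smtp.example.invalid</smtp_server>    <!-- placeholder relay -->
  <email_from>ossec@example.invalid</email_from>     <!-- placeholder sender -->
  <email_alert_level>7</email_alert_level>
</global>
```

After editing, feed the sample line to ossec-logtest again; Phase 3 should now report rule 100100, and a restart of OSSEC picks up the files.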