On Fri, Oct 22, 2010 at 11:35 AM, vcorreia <[email protected]> wrote:
> Hello,
>
> It looks excellent :)
>
> I only posted one line of log because all the other lines are the
> same, only changing the time, ip and the first field which is the
> common name of the certificate. The second field 'PT' is always the
> same, I set it up that way in order to have a way for ossec to catch
> the log entry.
>

That's fine. I just wanted to make it clear that other log entries could be
different (as far as I knew), and that they should be tested too. :)

> Where should I put your decoder? How can I go about making it send me
> email every time a log entry like the one appears?
>

Put the decoder in /var/ossec/etc/local_decoder.xml (change /var/ossec to
wherever you installed ossec). Adding <options>alert_by_email</options> will
make the rule always get emailed. Also setting the level high enough to be
emailed (I think it's 7 and up by default) could do it.

> Thanks for your help.
>
>
> Vitor Correia
>
>
> On Oct 21, 3:09 pm, "dan (ddp)" <[email protected]> wrote:
>> This is a bit rough. I've tested it to make sure it doesn't hurt
>> anything else, but my tests aren't exhaustive. Also, it's tough with
>> only 1 log sample to make sure I've got everything. And last but not
>> least, I didn't look at the other web decoders to make sure the items
>> I placed in <order> match up to what they use. But here's a decoder:
>>
>> <decoder name="ssl-cert">
>> <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
>> <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
>> <order>srcuser,id,srcip,action,url,status,extra_data</order>
>> </decoder>
>>
>> Here's what it looks like going through logtest:
>> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
>> 2010/10/21 10:01:02 ossec-testrule: INFO: Reading local decoder file.
>> 2010/10/21 10:01:02 ossec-testrule: INFO: Started (pid: 23246).
>> ossec-testrule: Type one log per line.
>>
>> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
>> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
>> Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '"Vitor Correia" "PT" 89.155.91.201 - -
>> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
>> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
>> Gecko/20101012 Firefox/3.6.11"'
>> hostname: 'ix'
>> program_name: '(null)'
>> log: '"Vitor Correia" "PT" 89.155.91.201 - -
>> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
>> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
>> Gecko/20101012 Firefox/3.6.11"'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'ssl-cert'
>> srcuser: 'Vitor Correia'
>> id: 'PT'
>> srcip: '89.155.91.201'
>> action: 'GET'
>> url: '/collect/main/'
>> status: '200'
>> extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
>> rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
>>
>> To write a rule you'd use something like:
>> <rule id="NUMBER" level="NUMBER">
>> <id>PT</id>
>> <description>something</description>
>> </rule>
>>
>> I'd run a bunch of logs through ossec-logtest to make sure it works on
>> all of them and not just the one you posted. But this should be enough
>> to get you started. If it doesn't work for another log, feel free to
>> post back with that log. I can help tune it if you need it.
>>
>> Also, a little self promotion:
>> http://ddpbsd.blogspot.com/2010/10/ossec-decoders-101.html
>> That blog post describes writing decoders bit by bit using
>> ossec-logtest to test it out.
>> HTH!
>> dan
>>
>> On Wed, Oct 20, 2010 at 8:56 PM, vcorreia <[email protected]> wrote:
>> > Hello everyone,
>>
>> > How can I go about writing a decoder/rule to send me an email every
>> > time a log entry like this is registered?
>>
>> > "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
>> > "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
>> > Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>>
>> > I'm interested in catching the bit which says "PT", that will be the
>> > bit that will always appear.
>>
>> > Thanks in advance.
>>
>> > Vitor Correia
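Putting the two halves of the thread together (dan's ssl-cert decoder plus the rule with alert_by_email), here is a complete rule as an added example that is not from the thread; the rule id 100100, the group name and the description text are assumptions you should adjust to your own local_rules.xml.

```xml
<!-- Added example, not from the thread. Save in /var/ossec/rules/local_rules.xml
     (already included from ossec.conf on a default install). Rule id 100100,
     the group name and the description are assumptions; user-defined rule
     ids belong in the 100000-119999 range. -->
<group name="local,ssl-cert,">
  <!-- Only events the ssl-cert decoder parsed, and only where the decoded
       'id' field (the second quoted column of the log line) is exactly PT,
       so a value such as "PTX" would not match. -->
  <rule id="100100" level="7">
    <decoded_as>ssl-cert</decoded_as>
    <id>^PT$</id>
    <!-- alert_by_email forces a mail regardless of the email_alert_level
         in ossec.conf; level 7 would usually be mailed anyway. -->
    <options>alert_by_email</options>
    <description>Certificate-authenticated web access logged (id PT)</description>
  </rule>
</group>
```

Feed the same sample line to ossec-logtest again and the rule should now show up in the Phase 3 (rules) output before you rely on it for email.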
