Hello,
I'm trying to write a custom decoder for an appliance. I'm running on an older
OSSEC 2.1.x server. When using the ossec-logtest tool, the test never
completes phase1 or phase2 properly. Please advise if this is something I'm
doing incorrectly when the pre-decoder is processing the log. The only time
when I can get "test" to even match is utilizing only the beginning IP address,
192.168.1.2... but then a regex extraction later just calls it an IP address.
Goal: Decode by prematching on MM DD HH:MM:SS 192.168.1.2, parse rest of data
by protocol, source ip, source port, dest ip, dest port.
<decoder name="test">
  <prematch>^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s192.168.1.2</prematch>
</decoder>
Sample log:
Oct 22 08:19:15 192.168.1.2 8 2 00000002-0002-0002-0002-000000000290
00000001-0001-0001-0001-000000000290 0290: Invalid TCP Traffic: Possible
Recon Scan (SYN FIN) 290 tcp 100.100.100.100 52007 100.100.100.101
443 1 3 3 SOMEHOSTNAME 100741885 1287753542044
Results:
ossec-testrule: Type one log per line.
Oct 22 08:19:15 192.168.1.2 8 2 00000002-0002-0002-0002-000000000290
00000001-0001-0001-0001-000000000290 0290: Invalid TCP Traffic: Possible
Recon Scan (SYN FIN) 290 tcp 100.100.100.100 52007 100.100.100.101
443 1 3
**Phase 1: Completed pre-decoding.
full event: 'Oct 22 08:19:15 192.168.1.2 8 2
00000002-0002-0002-0002-000000000290 00000001-0001-0001-0001-000000000290
0290: Invalid TCP Traffic: Possible Recon Scan (SYN FIN) 290 tcp
100.100.100.100 52007 100.100.100.101 443 1 3 '
hostname: '192.168.1.2'
program_name: '(null)'
log: '8 2 00000002-0002-0002-0002-000000000290
00000001-0001-0001-0001-000000000290 0290: Invalid TCP Traffic: Possible
Recon Scan (SYN FIN) 290 tcp 100.100.100.100 52007 100.100.100.101
443 1 3 '
**Phase 2: Completed decoding.
No decoder matched.
^C
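For comparison, here is a decoder pair that reaches the goal stated in the post (protocol, source ip, source port, dest ip, dest port) for the sample line. This is an added example, not the poster's decoder or one shipped with OSSEC. It is written against the phase-1 output above: the pre-decoder has already consumed the timestamp and put 192.168.1.2 into the hostname field, so the decoder's prematch is applied to the remaining log field, which begins with "8 2 00000002-...". The decoder names and the field layout after "0290:" are assumed from the single sample line; adjust them for other message types the appliance emits.

```xml
<!-- Added example decoder for the appliance log format shown in the post (not from OSSEC). -->

<!-- Parent: match the fixed header of the log field after pre-decoding:
     "<n> <n> <uuid> <uuid> <id>: ..." (e.g. "8 2 00000002-... 00000001-... 0290: ...") -->
<decoder name="appliance-ids">
  <prematch>^\d+ \d+ \S+ \S+ \d+: </prematch>
</decoder>

<!-- Child: pull the 5-tuple out of the tail
     "... 290 tcp 100.100.100.100 52007 100.100.100.101 443 ..." -->
<decoder name="appliance-ids-fields">
  <parent>appliance-ids</parent>
  <regex offset="after_parent">(\w+) (\d+\.\d+\.\d+\.\d+) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+) </regex>
  <order>protocol, srcip, srcport, dstip, dstport</order>
</decoder>
```

Paste the two decoders into etc/local_decoder.xml (or the decoder file your 2.1.x install reads), restart, and re-run ossec-logtest with the same sample line; phase 2 should then report the decoder name and the five extracted fields instead of "No decoder matched". Rules can then reference srcip, dstport and protocol as usual.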