On Fri, Oct 22, 2010 at 12:49 PM, Chow, Dennis <[email protected]> wrote:
> Hello,
>
> I'm trying to write a custom decoder for an appliance. I'm running on an
> older OSSEC 2.1.x server. When using the ossec-logtest tool, the test never
> completes phase1 or phase2 properly. Please advise if this is something I'm
> doing incorrectly when the pre-decoder is processing the log. The only time
> when I can get "test" to even match is utilizing only the beginning IP
> address, 192.168.1.2... but then a regex extraction later just calls it an
> IP address.
>

Phase 1 and 2 are completed successfully.

> Goal: Decode by prematching on MM DD HH:MM:SS 192.168.1.2, parse rest of
> data by protocol, source ip, source port, dest ip, dest port.
>

The message looks like a syslog message, so the timestamp and source
host are removed during pre-decoding. Notice the 'log:' entry in your
ossec-logtest:
log: '8  2       00000002-0002-0002-0002-000000000290
00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic:
Possible Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
 100.100.100.101    443     1       3     '

This is the bit you'll have to work with during Phase 2 (decoding).
Everything before that is part of Phase 1 (pre-decoding).

> <!-- <decoder name="test">
> <prematch>^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s129.168.1.2</prematch>
> </decoder>

This decoder would essentially match EVERY syslog message from host 129.168.1.2.

> Sample log:
>
> Oct 22 08:19:15 192.168.1.2 8  2
> 00000002-0002-0002-0002-000000000290
> 00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic: Possible
> Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
> 100.100.100.101    443     1       3       3       SOMEHOSTNAME
> 100741885       1287753542044
>
> Results:
> ossec-testrule: Type one log per line.
> Oct 22 08:19:15 192.168.1.2 8  2
> 00000002-0002-0002-0002-000000000290
> 00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic: Possible
> Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
> 100.100.100.101    443     1       3
> **Phase 1: Completed pre-decoding.
>        full event: 'Oct 22 08:19:15 192.168.1.2 8  2
> 00000002-0002-0002-0002-000000000290
> 00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic: Possible
> Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
> 100.100.100.101    443     1       3     '
>        hostname: '192.168.1.2'
>        program_name: '(null)'
>        log: '8  2       00000002-0002-0002-0002-000000000290
> 00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic: Possible
> Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
> 100.100.100.101    443     1       3     '
> **Phase 2: Completed decoding.
>        No decoder matched.
> ^C
>

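As an added illustration (not part of the original thread), here is a decoder pair and a rule built from the sample log above that work only on the 'log:' portion left after pre-decoding, i.e. without the timestamp and hostname. The decoder names, the rule id 100100 and the description text are placeholders chosen for this example; the field layout follows the sample line exactly.

```xml
<!-- Parent decoder: matches the fixed start of the appliance line,
     "8  2       00000002-0002-0002-0002-000000000290 ...", so it fires
     for every event from this appliance regardless of message text.
     The syslog timestamp and "192.168.1.2" are already gone at this
     point, so anchoring on them (as in the original prematch) never matches. -->
<decoder name="appliance">
  <prematch>^\d+\s+\d+\s+\d+-\d+-\d+-\d+-\d+\s+</prematch>
</decoder>

<!-- Child decoder: pulls the five network fields out of the tail
     "... 290      tcp     100.100.100.100  52007 100.100.100.101    443 ...".
     The leading \s keeps the engine from matching the protocol group
     against the numeric event id ("290") that precedes "tcp". -->
<decoder name="appliance-connection">
  <parent>appliance</parent>
  <regex>\s(\w+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s</regex>
  <order>protocol, srcip, srcport, dstip, dstport</order>
</decoder>

<!-- Example rule (placeholder id in the custom 100000-119999 range) that
     alerts on the recon-scan message once the decoder above has matched. -->
<group name="appliance,">
  <rule id="100100" level="6">
    <decoded_as>appliance</decoded_as>
    <match>Invalid TCP Traffic</match>
    <description>Appliance: invalid TCP traffic, possible recon scan.</description>
    <group>recon,</group>
  </rule>
</group>
```

Feed the full original line (with "Oct 22 08:19:15 192.168.1.2" still in front) to ossec-logtest; Phase 2 should now report decoder 'appliance' with srcip, srcport, dstip, dstport and protocol populated, and Phase 3 should show rule 100100.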