Same problem, and I have no clue why. Phase 1 keeps trying to decode the first
IP address into the actual 'hostname' before I can even attempt to decode.
<decoder name="test">
<prematch>^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s192.168.1.2</prematch>
</decoder>
2010/10/22 13:33:21 ossec-testrule: INFO: Started (pid: 1069).
ossec-testrule: Type one log per line.
Oct 22 00:00:21 192.168.1.2 8 1 67edc812-ad7c-11de-16da-e5103aff9121
00000001-0001-0001-0001-000000005780 5780: Tunneling: Teamviewer Remote
Access 5780 tcp 100.100.100.1 5938 100.100.100.2 4068
1 3 3 SOMEHOSTNAME 67447548 1287723528058
**Phase 1: Completed pre-decoding.
full event: 'Oct 22 00:00:21 129.106.48.5 8 1
67edc812-ad7c-11de-16da-e5103aff9121 00000001-0001-0001-0001-000000005780
5780: Tunneling: Teamviewer Remote Access 5780 tcp 100.100.100.1
5938 100.100.100.2 4068 1 3 3 SOMEHOSTNAME
67447548 1287723528058'
hostname: '129.106.48.5'
program_name: '(null)'
log: '8 1 67edc812-ad7c-11de-16da-e5103aff9121
00000001-0001-0001-0001-000000005780 5780: Tunneling: Teamviewer Remote
Access 5780 tcp 100.100.100.1 5938 100.100.100.2 4068
1 3 3 SOMEHOSTNAME 67447548 1287723528058'
**Phase 2: Completed decoding.
No decoder matched.
^C
________________________________________
From: [email protected] [[email protected]] On Behalf Of
dan (ddp) [[email protected]]
Sent: Friday, October 22, 2010 1:15 PM
To: [email protected]
Subject: Re: [ossec-list] Problem with custom decoder
On Fri, Oct 22, 2010 at 12:49 PM, Chow, Dennis <[email protected]> wrote:
> Hello,
>
> I'm trying to write a custom decoder for an appliance. I'm running on an
> older OSSEC 2.1.x server. When using the ossec-logtest tool, the test never
> completes phase1 or phase2 properly. Please advise if this is something I'm
> doing incorrectly when the pre-decoder is processing the log. The only time
> when I can get "test" to even match is utilizing only the beginning IP
> address, 192.168.1.2... but then a regex extraction later just calls it an
> IP address.
>
Phase 1 and 2 are completed successfully.
> Goal: Decode by prematching on MM DD HH:MM:SS 192.168.1.2, parse rest of
> data by protocol, source ip, source port, dest ip, dest port.
>
The message looks like a syslog message, so the timestamp and source
host are removed during pre-decoding. Notice the 'log:' entry in your
ossec-logtest:
log: '8 2 00000002-0002-0002-0002-000000000290
00000001-0001-0001-0001-000000000290 0290: Invalid TCP Traffic:
Possible Recon Scan (SYN FIN) 290 tcp 100.100.100.100 52007
100.100.100.101 443 1 3 '
This is the bit you'll have to work with during Phase 2 (decoding).
Everything before that is part of Phase 1 (pre-decoding).
> <!-- <decoder name="test">
> <prematch>^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s129.168.1.2</prematch>
> </decoder>
This decoder would essentially match EVERY syslog message from host 129.168.1.2.
> Sample log:
>
> Oct 22 08:19:15 192.168.1.2 8 2
> 00000002-0002-0002-0002-000000000290
> 00000001-0001-0001-0001-000000000290 0290: Invalid TCP Traffic: Possible
> Recon Scan (SYN FIN) 290 tcp 100.100.100.100 52007
> 100.100.100.101 443 1 3 3 SOMEHOSTNAME
> 100741885 1287753542044
>
> Results:
> ossec-testrule: Type one log per line.
> Oct 22 08:19:15 192.168.1.2 8 2
> 00000002-0002-0002-0002-000000000290
> 00000001-0001-0001-0001-000000000290 0290: Invalid TCP Traffic: Possible
> Recon Scan (SYN FIN) 290 tcp 100.100.100.100 52007
> 100.100.100.101 443 1 3
> **Phase 1: Completed pre-decoding.
> full event: 'Oct 22 08:19:15 192.168.1.2 8 2
> 00000002-0002-0002-0002-000000000290
> 00000001-0001-0001-0001-000000000290 0290: Invalid TCP Traffic: Possible
> Recon Scan (SYN FIN) 290 tcp 100.100.100.100 52007
> 100.100.100.101 443 1 3 '
> hostname: '192.168.1.2'
> program_name: '(null)'
> log: '8 2 00000002-0002-0002-0002-000000000290
> 00000001-0001-0001-0001-000000000290 0290: Invalid TCP Traffic: Possible
> Recon Scan (SYN FIN) 290 tcp 100.100.100.100 52007
> 100.100.100.101 443 1 3 '
> **Phase 2: Completed decoding.
> No decoder matched.
> ^C
>
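To make the pre-decoding point concrete, here is an added example that is not part of the thread and not OSSEC's own code: a small Python model of the two ossec-logtest phases. Phase 1 strips the syslog timestamp and host (the `hostname:` / `log:` split shown above), and Phase 2 runs decoders only against the remaining `log` text. The first decoder reproduces the idea of the thread's `test` prematch (timestamp plus 192.168.1.2) and is shown to hit the raw line but never the `log` field; the second, hypothetical `appliance` decoder anchors its prematch on what survives pre-decoding and extracts id, protocol, source ip/port and destination ip/port, which is the goal stated in the original question. Python regexes stand in for OSSEC's `<prematch>`, `<regex offset="after_prematch">` and `<order>` elements; the function names, the decoder definitions and the simplified program-name handling are assumptions of this example, and the sample lines are constructed from the logs posted in the thread.

```python
import re

# Constructed samples, shaped like the appliance logs posted in the thread.
SAMPLES = [
    "Oct 22 08:19:15 192.168.1.2 8 2 00000002-0002-0002-0002-000000000290 "
    "00000001-0001-0001-0001-000000000290 0290: Invalid TCP Traffic: Possible "
    "Recon Scan (SYN FIN) 290 tcp 100.100.100.100 52007 100.100.100.101 443 "
    "1 3 3 SOMEHOSTNAME 100741885 1287753542044",
    "Oct 22 00:00:21 192.168.1.2 8 1 67edc812-ad7c-11de-16da-e5103aff9121 "
    "00000001-0001-0001-0001-000000005780 5780: Tunneling: Teamviewer Remote "
    "Access 5780 tcp 100.100.100.1 5938 100.100.100.2 4068 1 3 3 SOMEHOSTNAME "
    "67447548 1287723528058",
]

# Phase 1 (pre-decoding), simplified model (assumption, not OSSEC's code) of
# what ossec-logtest reports for "Mon DD HH:MM:SS host [prog[pid]:] log":
# timestamp and host are consumed, an optional program name is captured,
# and the remainder becomes 'log'.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?:(?P<prog>[^\s:\[]+)(?:\[\d+\])?: )?(?P<log>.*)$"
)


def predecode(event):
    m = SYSLOG_HEADER.match(event)
    if not m:
        # Not syslog-shaped: nothing is stripped, the whole event is the log.
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m.group("host"),
            "program_name": m.group("prog"),
            "log": m.group("log")}


# Phase 2 (decoding). Python regexes stand in for OSSEC's <prematch>,
# <regex offset="after_prematch"> and <order> elements.
DECODERS = [
    {
        # Same idea as the thread's 'test' decoder: prematch on the syslog
        # header. It can only ever hit the raw line, never the 'log' field.
        "name": "test",
        "prematch": re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} 192\.168\.1\.2"),
        "regex": None,
        "order": [],
    },
    {
        # Hypothetical corrected decoder: prematch on what is left after
        # pre-decoding (two counters, two UUIDs, signature id), then extract
        # "<id> <proto> <srcip> <srcport> <dstip> <dstport>" after it.
        "name": "appliance",
        "prematch": re.compile(r"^\d+ \d+ [0-9a-f-]{36} [0-9a-f-]{36} \d+: "),
        "regex": re.compile(
            r"^.+? (\d+) (\w+) (\d{1,3}(?:\.\d{1,3}){3}) (\d+) "
            r"(\d{1,3}(?:\.\d{1,3}){3}) (\d+)\b"
        ),
        "order": ["id", "protocol", "srcip", "srcport", "dstip", "dstport"],
    },
]


def decode(log):
    """Return (decoder name, fields) for the first decoder whose prematch and
    regex both hit 'log'; (None, {}) corresponds to 'No decoder matched'."""
    for d in DECODERS:
        pm = d["prematch"].match(log)
        if not pm:
            continue
        if d["regex"] is None:
            return d["name"], {}
        m = d["regex"].match(log[pm.end():])  # offset="after_prematch"
        if not m:
            continue
        return d["name"], dict(zip(d["order"], m.groups()))
    return None, {}


def logtest(event):
    """Both phases for one event, in the order ossec-logtest walks them."""
    phase1 = predecode(event)
    name, fields = decode(phase1["log"])
    return {"phase1": phase1, "decoder": name, "fields": fields}


if __name__ == "__main__":
    for ev in SAMPLES:
        r = logtest(ev)
        print("hostname:", r["phase1"]["hostname"])
        print("log:     ", r["phase1"]["log"][:60], "...")
        print("decoder: ", r["decoder"], r["fields"], "\n")
```

Running it shows the `test` decoder skipped for both samples, because by the time Phase 2 runs the text it was written against is gone, while the `appliance` decoder yields the protocol, addresses and ports. The same shape carries over to a real OSSEC decoder: write the prematch against the `log:` value ossec-logtest prints, not against the full event, and put the field-extracting regex after it.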