On Fri, Oct 22, 2010 at 2:34 PM, Chow, Dennis <[email protected]> wrote:
> Same problem, and I have no clue why. Phase 1 keeps trying to decode the 
> first IP address into the actual 'hostname' before I can even attempt to 
> decode.
>

Quoting myself:
> The message looks like a syslog message, so the timestamp and source
> host are removed during pre-decoding.

You will not get access to the timestamp and the first IP in Phase 2
(decoding). These are handled in Phase 1. What you get access to in
your decoder is the log field. Nothing more.
Your decoder must deal with everything after 'Oct 22 00:00:21 192.168.1.2'.
The decoder will not have access to the information 'Oct 22 00:00:21
192.168.1.2'.

> <decoder name="test">
> <prematch>^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s192.168.1.2</prematch>
> </decoder>
>
> 2010/10/22 13:33:21 ossec-testrule: INFO: Started (pid: 1069).
> ossec-testrule: Type one log per line.
> Oct 22 00:00:21 192.168.1.2 8  1       67edc812-ad7c-11de-16da-e5103aff9121   
>  00000001-0001-0001-0001-000000005780    5780: Tunneling: Teamviewer Remote 
> Access       5780    tcp     100.100.100.1    5938    100.100.100.2    4068   
>  1       3       3       SOMEHOSTNAME   67447548        1287723528058
>
> **Phase 1: Completed pre-decoding.
>       full event: 'Oct 22 00:00:21 129.106.48.5 8  1       
> 67edc812-ad7c-11de-16da-e5103aff9121    00000001-0001-0001-0001-000000005780  
>   5780: Tunneling: Teamviewer Remote Access       5780    tcp     
> 100.100.100.1    5938    100.100.100.2    4068    1       3       3       
> SOMEHOSTNAME   67447548        1287723528058'
>       hostname: '129.106.48.5'
>       program_name: '(null)'
>       log: '8  1       67edc812-ad7c-11de-16da-e5103aff9121    
> 00000001-0001-0001-0001-000000005780    5780: Tunneling: Teamviewer Remote 
> Access       5780    tcp     100.100.100.1    5938    100.100.100.2    4068   
>  1       3       3       SOMEHOSTNAME   67447548        1287723528058'
> **Phase 2: Completed decoding.
>       No decoder matched.
> ^C
>
>
>
> ________________________________________
> From: [email protected] [[email protected]] On Behalf Of 
> dan (ddp) [[email protected]]
> Sent: Friday, October 22, 2010 1:15 PM
> To: [email protected]
> Subject: Re: [ossec-list] Problem with custom decoder
>
> On Fri, Oct 22, 2010 at 12:49 PM, Chow, Dennis <[email protected]> wrote:
>> Hello,
>>
>> I'm trying to write a custom decoder for an appliance. I'm running on an
>> older OSSEC 2.1.x  server. When using the ossec-logtest tool, the test never
>> completes phase1 or phase2 properly. Please advise if this is something I'm
>> doing incorrectly when the pre-decoder is processing the log. The only time
>> when I can get "test" to even match is utilizing only the beginning IP
>> address, 192.168.1.2... but then a regex extraction later just calls it an
>> IP address.
>>
>
> Phase 1 and 2 are completed successfully.
>
>> Goal: Decode by prematching on MM DD HH:MM:SS 192.168.1.2, parse rest of
>> data by protocol, source ip, source port, dest ip, dest port.
>>
>
> The message looks like a syslog message, so the timestamp and source
> host are removed during pre-decoding. Notice the 'log:' entry in your
> ossec-logtest:
> log: '8  2       00000002-0002-0002-0002-000000000290
> 00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic:
> Possible Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
>  100.100.100.101    443     1       3     '
>
> This is the bit you'll have to work with during Phase 2 (decoding).
> Everything before that is part of Phase 1 (pre-decoding).
>
>> <!-- <decoder name="test">
>> <prematch>^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s129.168.1.2</prematch>
>> </decoder>
>
> This decoder would essentially match EVERY syslog message from host 
> 129.168.1.2.
>
>> Sample log:
>>
>> Oct 22 08:19:15 192.168.1.2 8  2
>> 00000002-0002-0002-0002-000000000290
>> 00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic: Possible
>> Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
>> 100.100.100.101    443     1       3       3       SOMEHOSTNAME
>> 100741885       1287753542044
>>
>> Results:
>> ossec-testrule: Type one log per line.
>> Oct 22 08:19:15 192.168.1.2 8  2
>> 00000002-0002-0002-0002-000000000290
>> 00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic: Possible
>> Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
>> 100.100.100.101    443     1       3
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Oct 22 08:19:15 192.168.1.2 8  2
>> 00000002-0002-0002-0002-000000000290
>> 00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic: Possible
>> Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
>> 100.100.100.101    443     1       3     '
>>        hostname: '192.168.1.2'
>>        program_name: '(null)'
>>        log: '8  2       00000002-0002-0002-0002-000000000290
>> 00000001-0001-0001-0001-000000000290    0290: Invalid TCP Traffic: Possible
>> Recon Scan (SYN FIN) 290      tcp     100.100.100.100  52007
>> 100.100.100.101    443     1       3     '
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>> ^C
>>

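The two-phase split dan describes (timestamp and host stripped in pre-decoding, the decoder seeing only the `log` field) is easy to get wrong without seeing it run. The script below is an added illustration written for this page, not code from the thread or from OSSEC. It approximates the syslog pre-decoder with a Python regex, then runs two candidate decoders over the `log` field: the thread's original prematch (which can never match there) and a hypothetical prematch/regex pair that anchors on what actually remains and pulls out protocol, srcip, srcport, dstip and dstport. The sample lines are constructed from the values pasted in the thread, with the columns assumed to be tab-separated; Python's `re` is used here, so the patterns must be translated into OSSEC's own regex dialect (`\d+`, `\S+`, `\.`, capture groups with `<order>`) before they go into a decoder file.

```python
import re

# Constructed sample lines, modelled on the two events pasted in the thread.
# Assumption: the appliance separates columns with tabs; the values are the
# thread's own placeholders, not real traffic.
SAMPLE_LOGS = [
    "Oct 22 00:00:21 192.168.1.2 8  1\t67edc812-ad7c-11de-16da-e5103aff9121\t"
    "00000001-0001-0001-0001-000000005780\t5780: Tunneling: Teamviewer Remote Access\t"
    "5780\ttcp\t100.100.100.1\t5938\t100.100.100.2\t4068\t1\t3\t3\tSOMEHOSTNAME\t"
    "67447548\t1287723528058",
    "Oct 22 08:19:15 192.168.1.2 8  2\t00000002-0002-0002-0002-000000000290\t"
    "00000001-0001-0001-0001-000000000290\t0290: Invalid TCP Traffic: Possible "
    "Recon Scan (SYN FIN)\t290\ttcp\t100.100.100.100\t52007\t100.100.100.101\t443\t"
    "1\t3\t3\tSOMEHOSTNAME\t100741885\t1287753542044",
]

# Phase 1 (pre-decoding), approximated: peel off the syslog timestamp and the
# source host. Assumption: this mirrors the 'hostname' and 'log' values that
# ossec-logtest printed; program_name is omitted because these events have none.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) (?P<log>.*)$"
)

def predecode(line):
    """Return timestamp/hostname/log the way the syslog pre-decoder splits them."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"timestamp": None, "hostname": None, "log": line}
    return m.groupdict()

# The prematch from the thread, as a Python regex. It expects the timestamp and
# host, which Phase 1 has already removed, so it never matches the log field.
BROKEN_PREMATCH = re.compile(r"^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s192\.168\.1\.2")

# Hypothetical decoder written against the 'log' field instead: the event starts
# with two small integers and two UUIDs, then 'NNNN: <signature name>', and the
# 5-tuple we want follows the numeric signature id.
LOG_PREMATCH = re.compile(r"^\d+\s+\d+\s+[0-9a-f-]{36}\s+[0-9a-f-]{36}\s+\d+: ")
FIELDS = re.compile(
    r"\t(?P<protocol>[A-Za-z]+)\t(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\t(?P<srcport>\d+)"
    r"\t(?P<dstip>\d{1,3}(?:\.\d{1,3}){3})\t(?P<dstport>\d+)\t"
)

def decode(line):
    """Run both phases; return the decoded fields, or None if no decoder matched."""
    pre = predecode(line)
    log = pre["log"]
    if not LOG_PREMATCH.match(log):
        return None
    m = FIELDS.search(log)
    if not m:
        return None
    out = m.groupdict()
    out["srcport"] = int(out["srcport"])
    out["dstport"] = int(out["dstport"])
    out["hostname"] = pre["hostname"]   # comes from Phase 1, not from the decoder
    return out

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        pre = predecode(line)
        print("hostname from Phase 1:", pre["hostname"])
        print("thread's prematch against the log field:",
              bool(BROKEN_PREMATCH.match(pre["log"])))
        print("decoded:", decode(line))
```

Running it shows the thread's prematch matching the full line but not the `log` field, while the log-anchored decoder yields `tcp 100.100.100.1:5938 -> 100.100.100.2:4068` for the first event and `tcp 100.100.100.100:52007 -> 100.100.100.101:443` for the second. The prematch is deliberately specific to this appliance's layout; a prematch that only checks the source host would, as dan notes, swallow every syslog message from that host.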