I've been browsing your blog all afternoon, trying to come up with something. The httpd program line idea came from your blog, but yields no result.
On Oct 22, 9:09 pm, vcorreia <[email protected]> wrote:
> It comes up with the same result with or without that line.
>
> On Oct 22, 8:39 pm, "dan (ddp)" <[email protected]> wrote:
> > Your decoder includes "<program_name>^httpd</program_name>", but the
> > output from logtest has a null program_name:
> >
> > program_name: '(null)'
> >
> > Remove that line and it may work (I can't test at the moment).
> >
> > On Fri, Oct 22, 2010 at 3:29 PM, vcorreia <[email protected]> wrote:
> > > No luck.
> > >
> > > I've created the following local_decoder.xml file in /var/ossec/etc:
> > >
> > > <decoder name="ssl-cert">
> > > <program_name>^httpd</program_name>
> > > <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]
> > > </prematch>
> > > <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d
> > > \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
> > > <order>srcuser,id,srcip,action,url,status,extra_data</order>
> > > </decoder>
> > >
> > > Then I've appended the following to apache_rules in /var/ossec/rules:
> > >
> > > <rule id="30203" level="7">
> > > <id>PT</id>
> > > <description>Apache SSL Certificate access</description>
> > > </rule>
> > >
> > > I run logtest and this is what I get:
> > >
> > > "Vitor Correia" "PT" 89.155.91.201 - - [22/Oct/2010:19:32:15 +0100] "GET /collect/imagens/iconconnect.ico HTTP/1.1" 404 1419 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
> > >
> > > **Phase 1: Completed pre-decoding.
> > > full event: '"Vitor Correia" "PT" 89.155.91.201 - - [22/Oct/2010:19:32:15 +0100] "GET /collect/imagens/iconconnect.ico HTTP/1.1" 404 1419 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
> > > hostname: 'www'
> > > program_name: '(null)'
> > > log: '"Vitor Correia" "PT" 89.155.91.201 - - [22/Oct/2010:19:32:15 +0100] "GET /collect/imagens/iconconnect.ico HTTP/1.1" 404 1419 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
> > >
> > > **Phase 2: Completed decoding.
> > > No decoder matched.
> > >
> > > :(
> > >
> > > Vitor Correia
> > >
> > > On Oct 22, 7:49 pm, "dan (ddp)" <[email protected]> wrote:
> > > > It worked fine for me. Make sure the decoder pasted nicely. It doesn't
> > > > look very nice in gmail to me, and weird newlines might mess with
> > > > things.
> > > >
> > > > On Fri, Oct 22, 2010 at 2:44 PM, vcorreia <[email protected]> wrote:
> > > > > I did what you said, but on logtest I keep getting this error:
> > > > >
> > > > > **Phase 2: Completed decoding.
> > > > > No decoder matched.
> > > > >
> > > > > Vitor Correia
> > > > >
> > > > > On Oct 22, 5:02 pm, "dan (ddp)" <[email protected]> wrote:
> > > > > > On Fri, Oct 22, 2010 at 11:35 AM, vcorreia <[email protected]> wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > It looks excellent :)
> > > > > > >
> > > > > > > I only posted one line of log because all the other lines are the
> > > > > > > same, only changing the time, ip and the first field which is the
> > > > > > > common name of the certificate. The second field 'PT' is always the
> > > > > > > same, I set it up that way in order to have a way for ossec to catch
> > > > > > > the log entry.
> > > > > >
> > > > > > That's fine. I just wanted to make it clear that other log entries
> > > > > > could be different (as far as I knew), and that they should be tested
> > > > > > too. :)
> > > > > >
> > > > > > > Where should I put your decoder? How can I go about making it send me
> > > > > > > email every time a log entry like the one appears?
> > > > > >
> > > > > > Put the decoder in /var/ossec/etc/local_decoder.xml (change /var/ossec
> > > > > > to wherever you installed ossec).
> > > > > >
> > > > > > Adding <options>alert_by_email</options> will make the rule always get
> > > > > > emailed. Also setting the level high enough to be emailed (I think
> > > > > > it's 7 and up by default) could do it.
> > > > > >
> > > > > > > Thanks for your help.
> > > > > > >
> > > > > > > Vitor Correia
> > > > > > >
> > > > > > > On Oct 21, 3:09 pm, "dan (ddp)" <[email protected]> wrote:
> > > > > > > > This is a bit rough. I've tested it to make sure it doesn't hurt
> > > > > > > > anything else, but my tests aren't exhaustive. Also, it's tough with
> > > > > > > > only 1 log sample to make sure I've got everything. And last but not
> > > > > > > > least, I didn't look at the other web decoders to make sure the items
> > > > > > > > I placed in <order> match up to what they use. But here's a decoder:
> > > > > > > >
> > > > > > > > <decoder name="ssl-cert">
> > > > > > > > <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d
> > > > > > > > \S+]
> > > > > > > > </prematch>
> > > > > > > > <regex>^"(\.+)" "(\S+)" (\S+) - -
> > > > > > > > [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d
> > > > > > > > \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
> > > > > > > > <order>srcuser,id,srcip,action,url,status,extra_data</order>
> > > > > > > > </decoder>
> > > > > > > >
> > > > > > > > Here's what it looks like going through logtest:
> > > > > > > > # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
> > > > > > > > 2010/10/21 10:01:02 ossec-testrule: INFO: Reading local decoder file.
> > > > > > > > 2010/10/21 10:01:02 ossec-testrule: INFO: Started (pid: 23246).
> > > > > > > > ossec-testrule: Type one log per line.
> > > > > > > >
> > > > > > > > "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
> > > > > > > >
> > > > > > > > **Phase 1: Completed pre-decoding.
> > > > > > > > full event: '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
> > > > > > > > hostname: 'ix'
> > > > > > > > program_name: '(null)'
> > > > > > > > log: '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
> > > > > > > >
> > > > > > > > **Phase 2: Completed decoding.
> > > > > > > > decoder: 'ssl-cert'
> > > > > > > > srcuser: 'Vitor Correia'
> > > > > > > > id: 'PT'
> > > > > > > > srcip: '89.155.91.201'
> > > > > > > > action: 'GET'
> > > > > > > > url: '/collect/main/'
> > > > > > > > status: '200'
> > > > > > > > extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
> > > > > > > >
> > > > > > > > To write a rule you'd use something like:
> > > > > > > > <rule id="NUMBER" level="NUMBER">
> > > > > > > > <id>PT</id>
> > > > > > > > <description>something</description>
> > > > > > > > </rule>
> > > > > > > >
> > > > > > > > I'd run a bunch of logs through ossec-logtest to make sure it works on
> > > > > > > > all of them and not just the one you posted. But this should be enough
> > > > > > > > to get you started. If it doesn't work for another log, feel free to
> > > > > > > > post back with that log. I can help tune it if you need it.
> > > > > > > >
> > > > > > > > Also, a little self promotion: http://ddpbsd.blogspot.com/2010/10/ossec-decoders-101.html
> > > > > > > > That blog post describes writing decoders bit by bit using ossec-logtest
> > > > > > > > to test it out.
> > > > > > > > HTH!
> > > > > > > > dan
> > > > > > > >
> > > > > > > > On Wed, Oct 20, 2010 at 8:56 PM, vcorreia <[email protected]> wrote:
> > > > > > > > > Hello everyone,
> > > > > > > > >
> > > > > > > > > How can I go about writing a decoder/rule to send me an email every
> > > > > > > > > time a log entry like this is registered?
> > > > > > > > >
> > > > > > > > > "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
> > > > > > > > >
> > > > > > > > > I'm interested in catching the bit which says "PT", that will be the
> > > > > > > > > bit that will always appear.
> > > > > > > > >
> > > > > > > > > Thanks in advance.
> > > > > > > > >
> > > > > > > > > Vitor Correia
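The ossec-logtest flow the thread walks through (Phase 1 pre-decoding, the program_name restriction, prematch, then regex with order), as an added example that is not code from the thread and not OSSEC's own code. It re-implements a toy logtest in Python so the ssl-cert decoder above can be checked offline against the two access-log lines posted in the thread; the mapping from OSSEC regex escapes to Python regexes, the punctuation set for \p and the small syslog-header parser are my own approximations (assumptions), and the syslog-wrapped sample line is constructed.

```python
"""Added example, not from the thread and not OSSEC's own code: a small
re-implementation of the ossec-logtest flow (pre-decode, program_name
restriction, prematch, regex + order) so the ssl-cert decoder can be
checked offline.  The OSSEC-to-Python regex mapping, the punctuation set
for \\p and the syslog parser are assumptions that approximate OSSEC."""
import re

# Assumed punctuation set for OSSEC's \p (approximation, not OSSEC's table).
_PUNCT = "()*+,-.:;<=>?[]!\"'#$%&|{}"

# Assumed mapping of OSSEC regex escapes to Python regex fragments.
_CLASSES = {
    "d": "[0-9]",
    "w": "[A-Za-z0-9@_-]",
    "W": "[^A-Za-z0-9@_-]",
    "s": " ",
    "S": "[^ ]",
    "p": "[" + re.escape(_PUNCT) + "]",
    ".": ".",            # OSSEC '\.' means "any character"
    "t": "\t",
    "n": "\n",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex.
    In OSSEC an unescaped '.', '[' or '/' is a literal character, so every
    character that is not an OSSEC escape or operator is re.escape()d."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(ch if ch in "^$+*()|" else re.escape(ch))
        i += 1
    return "".join(out)


# Minimal syslog header recogniser standing in for OSSEC's Phase 1 (assumption).
_SYSLOG = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$"
)


def predecode(line):
    """Phase 1: a syslog-style line yields hostname/program_name/log; a raw
    Apache access-log line has no syslog header, so program_name stays None,
    which is what ossec-logtest prints as program_name: '(null)'."""
    m = _SYSLOG.match(line)
    if m:
        return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}
    return {"hostname": None, "program_name": None, "log": line}


# The ssl-cert decoder from the thread as a dict.  program_name=None is dan's
# version; "^httpd" is the restriction that made vcorreia's copy stop matching.
SSL_CERT_DECODER = {
    "name": "ssl-cert",
    "program_name": None,
    "prematch": r'^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]',
    "regex": r'^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+]'
             r' "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)',
    "order": ["srcuser", "id", "srcip", "action", "url", "status", "extra_data"],
}


def decode(decoder, event):
    """Phase 2: program_name restriction, then prematch, then regex/order."""
    want_prog = decoder.get("program_name")
    if want_prog:
        prog = event["program_name"]
        if prog is None or not re.search(ossec_to_python(want_prog), prog):
            return None      # no program_name on the event, so '^httpd' can never match
    log = event["log"]
    if not re.search(ossec_to_python(decoder["prematch"]), log):
        return None
    m = re.search(ossec_to_python(decoder["regex"]), log)
    if not m:
        return None
    fields = {"decoder": decoder["name"]}
    fields.update(zip(decoder["order"], m.groups()))
    return fields


def logtest(decoder, line):
    """Both phases, like feeding one line to ossec-logtest."""
    return decode(decoder, predecode(line))


# Sample input: the two access-log lines posted in the thread, plus a
# constructed syslog-wrapped copy to show when program_name does get filled.
SAMPLE_LOGS = [
    '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] '
    '"GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; '
    'Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"',
    '"Vitor Correia" "PT" 89.155.91.201 - - [22/Oct/2010:19:32:15 +0100] '
    '"GET /collect/imagens/iconconnect.ico HTTP/1.1" 404 1419 "-" "Mozilla/5.0 '
    '(Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"',
]
SYSLOG_WRAPPED = "Oct 22 19:32:15 www httpd: " + SAMPLE_LOGS[1]   # constructed

if __name__ == "__main__":
    restricted = dict(SSL_CERT_DECODER, program_name="^httpd")
    for line in SAMPLE_LOGS:
        print("open decoder   :", logtest(SSL_CERT_DECODER, line))
        print("with ^httpd    :", logtest(restricted, line))
    print("syslog + ^httpd:", logtest(restricted, SYSLOG_WRAPPED))
```

Running it reproduces the seven fields dan's logtest output shows, including the trailing quote that the unanchored `"(\.+)` leaves in extra_data, and shows that adding `<program_name>^httpd</program_name>` returns no match for a raw access-log line because Phase 1 never populates program_name; only the constructed syslog-wrapped copy, where the header names httpd, gets past that restriction.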
