Here's the output for ossec-logtest for me:
# /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
2010/10/22 23:04:34 ossec-testrule: INFO: Reading local decoder file.
2010/10/22 23:04:34 ossec-testrule: INFO: Started (pid: 10010).
ossec-testrule: Type one log per line.

"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"


**Phase 1: Completed pre-decoding.
       full event: '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
       hostname: 'ix'
       program_name: '(null)'
       log: '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'

**Phase 2: Completed decoding.
       decoder: 'ssl-cert'
       srcuser: 'Vitor Correia'
       id: 'PT'
       srcip: '89.155.91.201'
       action: 'GET'
       url: '/collect/main/'
       status: '200'
       extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'


Here's exactly what I have in local_decoder.xml:
<!--
"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
-->

<decoder name="ssl-cert">
  <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]</prematch>
  <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
  <order>srcuser,id,srcip,action,url,status,extra_data</order>
</decoder>


I've copied the decoder to pastebin to make sure it isn't getting
messed up in the email: http://pastebin.com/HD5rhx2F
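To make the posted decoder easier to reason about offline, here is an added example (not OSSEC code and not the poster's) that translates the subset of OSSEC's regex dialect used above (\. \d \s \S \w \p, anchors, + * | and groups) into Python `re` syntax and runs the `ssl-cert` decoder's prematch, regex and order against the sample log line. It reproduces the Phase 2 fields, including the trailing `"` that lands in `extra_data` because the posted regex ends in an unterminated `"(\.+)`, and shows the result when a closing quote is appended. The translation is an approximation: OSSEC's own engine (os_regex) has matching semantics of its own, so treat ossec-logtest as the authority.

```python
import re

# OSSEC's \p class, per the OSSEC regex syntax documentation.
OSSEC_PUNCT = '()*+,-.:;<=>?[]!"\'#$%&|{}'

# OSSEC backslash escape -> Python regex fragment.
# Note that in OSSEC only "\." is a wildcard; a bare "." is literal.
OSSEC_ESCAPES = {
    ".": ".",                      # any character
    "d": "[0-9]",
    "D": "[^0-9]",
    "w": "[A-Za-z0-9@_-]",         # OSSEC \w also includes - @ _
    "W": "[^A-Za-z0-9@_-]",
    "s": " ",
    "S": "[^ ]",
    "t": "\t",
    "p": "[" + re.escape(OSSEC_PUNCT) + "]",
    "\\": r"\\",
    "(": r"\(",
    ")": r"\)",
    "$": r"\$",
    "|": r"\|",
}

# Characters that are operators in OSSEC without a backslash.
OSSEC_META = set("()^$+*|")


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-dialect regex into a Python regex string."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash in OSSEC regex")
            nxt = pattern[i + 1]
            if nxt not in OSSEC_ESCAPES:
                raise ValueError(f"unsupported OSSEC escape \\{nxt}")
            out.append(OSSEC_ESCAPES[nxt])
            i += 2
        elif ch in OSSEC_META:
            out.append(ch)             # same meaning in Python
            i += 1
        else:
            out.append(re.escape(ch))  # [ ] . / " etc. are literal in OSSEC
            i += 1
    return "".join(out)


def decode(decoder: dict, line: str):
    """Apply <prematch>, then <regex>, mapping capture groups to <order> names.

    Returns None when the prematch does not hit (decoder not applicable) or
    when the regex does not match (nothing extracted).
    """
    if not re.search(ossec_to_python(decoder["prematch"]), line):
        return None
    m = re.search(ossec_to_python(decoder["regex"]), line)
    if not m:
        return None
    return dict(zip(decoder["order"], m.groups()))


# The ssl-cert decoder as posted, with prematch/regex each on one line.
SSL_CERT_DECODER = {
    "prematch": r'^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]',
    "regex": (r'^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+]'
              r' "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)'),
    "order": ["srcuser", "id", "srcip", "action", "url", "status", "extra_data"],
}

# The log line from the post, joined onto one line.
SAMPLE_LOG = (
    '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] '
    '"GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U; '
    'Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
)


def decode_posted_line():
    """Fields as the posted decoder extracts them (extra_data keeps the trailing quote)."""
    return decode(SSL_CERT_DECODER, SAMPLE_LOG)


def decode_with_closing_quote():
    """Same decoder with the final capture terminated by a closing quote."""
    fixed = dict(SSL_CERT_DECODER, regex=SSL_CERT_DECODER["regex"] + '"')
    return decode(fixed, SAMPLE_LOG)


if __name__ == "__main__":
    for name, value in decode_posted_line().items():
        print(f"{name}: {value!r}")
    print("extra_data with closing quote:", repr(decode_with_closing_quote()["extra_data"]))
```

Running it prints the same seven fields that ossec-logtest reported in Phase 2; the only difference between the two variants is whether `extra_data` ends in the stray `"`.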
