Wow!!

Thank you so much, it worked like a charm :)

Pastebin really did the trick :D

Thanks for your time, I'll be around your blog trying to learn how to
write these decoders for myself :)

Vitor

On Oct 23, 4:08 am, "dan (ddp)" <[email protected]> wrote:
> Here's the output for ossec-logtest for me:
> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
> 2010/10/22 23:04:34 ossec-testrule: INFO: Reading local decoder file.
> 2010/10/22 23:04:34 ossec-testrule: INFO: Started (pid: 10010).
> ossec-testrule: Type one log per line.
>
> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
> Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
>
> **Phase 1: Completed pre-decoding.
>        full event: '"Vitor Correia" "PT" 89.155.91.201 - -
> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
> Gecko/20101012 Firefox/3.6.11"'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: '"Vitor Correia" "PT" 89.155.91.201 - -
> [21/Oct/2010:01:48:13 +0100] "GET /collect/main/ HTTP/1.1" 200 2970
> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11)
> Gecko/20101012 Firefox/3.6.11"'
>
> **Phase 2: Completed decoding.
>        decoder: 'ssl-cert'
>        srcuser: 'Vitor Correia'
>        id: 'PT'
>        srcip: '89.155.91.201'
>        action: 'GET'
>        url: '/collect/main/'
>        status: '200'
>        extra_data: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
> rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"'
>
> Here's exactly what I have in local_decoder.xml:
> <!--
> "Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100]
> "GET /collect/main/ HTTP/1.1" 200 2970 "-" "Mozilla/5.0 (Windows; U;
> Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
> -->
>
> <decoder name="ssl-cert">
>   <prematch>^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]</prematch>
>   <regex>^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)</regex>
>   <order>srcuser,id,srcip,action,url,status,extra_data</order>
> </decoder>
>
> I've copied the decoder to pastebin to make sure it isn't getting
> messed up in the email: http://pastebin.com/HD5rhx2F
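For anyone wanting to check a decoder's field extraction without a running OSSEC install, here is an added Python emulator. It is not OSSEC's code and not part of this thread: it translates the OSSEC regex dialect (`\.`, `\S`, `\d`, `\p`, `+`, `*`, with `[` `]` `/` `.` as literals) into Python's `re`, runs the decoder posted above over the log line from the thread, and compares it with a variant that closes the final quoted field so `extra_data` no longer carries the trailing `"`. The names `ossec_to_python`, `Decoder`, `POSTED`, `CLOSED` and `PLAIN_COMBINED_LOG` are mine; the plain combined-format line is constructed. The matching is an approximation (assumption: a repeat is shortest-match unless it ends the pattern, in which case it runs to end of line); `ossec-logtest` remains the authority for what the real engine does.

```python
import re
from typing import Dict, List, Optional

# OSSEC's regex dialect: only these backslash classes exist, there are no
# [...] character classes, and '[' ']' '.' '/' are plain literals.
# This is an added helper for offline testing; it approximates, and does not
# reimplement, OSSEC's own matching engine (assumption, see lead-in).
_CLASSES = {
    "w": "[A-Za-z0-9]", "W": "[^A-Za-z0-9]",
    "d": "[0-9]",       "D": "[^0-9]",
    "s": " ",           "S": "[^ ]",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",   # OSSEC's punctuation set
    "t": "\t",
    ".": ".",                                  # OSSEC '\.' = any character
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <prematch>/<regex> pattern into Python re syntax."""
    tokens: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            tokens.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif c in "^$()+*":
            tokens.append(c)
            i += 1
        else:
            tokens.append(re.escape(c))        # literal, incl. '[' ']' '.' '/'
            i += 1
    out: List[str] = []
    for idx, tok in enumerate(tokens):
        if tok in ("+", "*"):
            # Assumption: a repeat stops as soon as the next element matches
            # (lazy); with nothing left to match it runs to the end of the line.
            followed = any(t not in (")", "$") for t in tokens[idx + 1:])
            out.append(tok + "?" if followed else tok)
        else:
            out.append(tok)
    return "".join(out)


class Decoder:
    """One <decoder> entry: prematch selects it, regex + order extract fields."""

    def __init__(self, name: str, prematch: str, regex: str, order: str) -> None:
        self.name = name
        self.prematch = re.compile(ossec_to_python(prematch))
        self.regex = re.compile(ossec_to_python(regex))
        self.order = [f.strip() for f in order.split(",")]

    def decode(self, log: str) -> Optional[Dict[str, str]]:
        """Return the decoded fields, or None when the prematch does not hit."""
        if not self.prematch.search(log):
            return None
        fields = {"decoder": self.name}
        m = self.regex.search(log)
        if m:   # prematch hit but regex missed: decoder name only, no fields
            for key, value in zip(self.order, m.groups()):
                if value is not None:
                    fields[key] = value
        return fields


# The log line from the thread: an Apache access line with two custom
# quoted fields in front of it (a name containing a space, and a country).
SAMPLE_LOG = (
    '"Vitor Correia" "PT" 89.155.91.201 - - [21/Oct/2010:01:48:13 +0100] '
    '"GET /collect/main/ HTTP/1.1" 200 2970 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) '
    'Gecko/20101012 Firefox/3.6.11"'
)
# Constructed: the same request in plain combined format (no custom prefix),
# which the prematch must reject.
PLAIN_COMBINED_LOG = SAMPLE_LOG[len('"Vitor Correia" "PT" '):]

PREMATCH = r'^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+]'
# '\.+' (not '\S+') for the name because it contains a space.
POSTED_REGEX = (r'^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] '
                r'"(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+)')
ORDER = "srcuser,id,srcip,action,url,status,extra_data"

POSTED = Decoder("ssl-cert", PREMATCH, POSTED_REGEX, ORDER)
# Variant closing the last quoted field, so extra_data stops before the '"'.
CLOSED = Decoder("ssl-cert", PREMATCH, POSTED_REGEX + '"', ORDER)


def format_phase2(fields: Optional[Dict[str, str]]) -> str:
    """Render fields the way ossec-logtest prints its Phase 2 block."""
    if fields is None:
        return "**Phase 2: no decoder matched."
    lines = ["**Phase 2: Completed decoding."]
    lines += [f"       {key}: '{value}'" for key, value in fields.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, dec, line in (("posted", POSTED, SAMPLE_LOG),
                             ("closed", CLOSED, SAMPLE_LOG),
                             ("posted, plain combined line", POSTED, PLAIN_COMBINED_LOG)):
        print(f"--- {label}")
        print(format_phase2(dec.decode(line)))
```

Run it and the first block reproduces the Phase 2 output quoted above, trailing `"` in `extra_data` included; the second shows the closed variant dropping it; the third shows the prematch rejecting a line without the custom prefix, which is the point of a tight prematch: it keeps the decoder from being tried on ordinary access-log lines.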
