Hi Dan,

Thanks for your patient help with this.
I tried to paste the decoder you provided in decoder.xml.
As in the previous post, I also have the following rule specified in
web_rules.xml:
  <rule id="31164" level="5">
    <if_sid>31100</if_sid>
    <id>^404</id>
    <description>Web server 404 error code.</description>
  </rule>

When I paste this line into ossec-logtest, it only seems to "hit" one
rule, which is the 31100 rule and never the 31164 rule. Question: does
it read sequentially and use the first rule it matches, or can it look
at multiple rules simultaneously?

2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 -
xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:
1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2


**Phase 1: Completed pre-decoding.
       full event: '2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx
GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT
+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0
2'
       hostname: 'stimgmtsvr1'
       program_name: '(null)'
       log: '2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /
abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-
US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
       Rule id: '31100'
       Level: '0'
       Description: 'Access log messages grouped.'


On Jul 13, 1:15 am, "dan (ddp)" <[email protected]> wrote:
> I wouldn't consider this to be a good decoder, but it kind of works:
>
> <decoder name="iis-stuff">
>   <parent>windows-date-format</parent>
>   <use_own_name>true</use_own_name>
>   <prematch offset="after_parent">^\S+ \S+ \S+ \S+ /\S* </prematch>
>   <regex offset="after_parent">^\S+ \S+ (\S+) (\S+) (\S*) - (\d+) -
> \S+ \S+\p\.\p\.+ \S+ \S+ (\d+)</regex>
>   <order>srcip,action,url,dstport,id</order>
> </decoder>
>
> On Tue, Jul 12, 2011 at 12:59 PM, dan (ddp) <[email protected]> wrote:
> > Hi George,
>
> > On Tue, Jul 12, 2011 at 3:23 AM, GeorgeY <[email protected]> wrote:
> >> Hi Dan,
>
> >> Here is what I did.
>
> >> On OSSEC server web_rules.xml, I added the following and restarted
> >> OSSEC:
>
> >>  <rule id="31164" level="5">
> >>    <if_sid>31100</if_sid>
> >>    <id>^404</id>
> >>    <description>Web server 404 error code.</description>
> >>  </rule>
>
> >> On the OSSEC client, I restarted OSSEC and confirmed that the logs are
> >> being monitored:
>
> >> 2011/07/12 00:02:18 ossec-agent(1952): INFO: Monitoring variable log
> >> file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110712.log'.
>
> >> I opened the ex110712.log and noticed this entry:
>
> >> 2011-07-12 07:09:07 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 -
> >> xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:
> >> 1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2
>
> >> However, nothing logged in alerts.log on the server. Is there
> >> something I'm missing?
>
> > I passed the log message through ossec-logtest for you, and apparently
> > it's in the wrong format.
> > It doesn't seem to get recognized as an IIS formatted log message, or
> > IIS messages aren't decoded very well.
> > You'll need a decoder for this.
>
> >> On Jul 12, 5:37 am, "dan (ddp)" <[email protected]> wrote:
> >>> On Mon, Jul 11, 2011 at 6:20 AM, GeorgeY <[email protected]> wrote:
> >>> > Hi Dan,
>
> >>> > thanks for the reply.
> >>> > Is it possible for me to alert on all requests which lead to a 404
> >>> > page error?
> >>> > How can I achieve this?
>
> >>> > Thanks,
> >>> > George
>
> >>> Base your rule off of:
> >>>   <rule id="31101" level="5">
> >>>     <if_sid>31100</if_sid>
> >>>     <id>^4</id>
> >>>     <description>Web server 400 error code.</description>
> >>>   </rule>
