On Wed, Jul 13, 2011 at 1:50 AM, GeorgeY <[email protected]> wrote:
> Hi Dan,
>
> Thanks for your patient help with this.
> I tried to paste the decoder you provided in decoder.xml.
> As the previous post, I also have the following rule specified in
> web_rules.xml:
> <rule id="31164" level="5">
> <if_sid>31100</if_sid>
> <id>^404</id>
> <description>Web server 404 error code.</description>
> </rule>
>
> When I paste this line into ossec-logtest, it only seems to "hit" one
> rule, which is the 31100 rule and never the 31164 rule. Question: does
> it read sequentially and use the first rule it matches, or
> can it look at multiple rules simultaneously?
>
> 2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2'
> hostname: 'stimgmtsvr1'
> program_name: '(null)'
> log: '2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2'
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
>

The decoder I gave you isn't working. There should be more goodies
decoded in Phase 2. Paste it immediately after the windows-date-format
decoder. Make sure you test this thoroughly! I don't know what else
this will screw up. Seriously. This could break all other
windows-date-format based decoders.

> **Phase 3: Completed filtering (rules).
> Rule id: '31100'
> Level: '0'
> Description: 'Access log messages grouped.'
>
>
> On Jul 13, 1:15 am, "dan (ddp)" <[email protected]> wrote:
>> I wouldn't consider this to be a good decoder, but it kind of works:
>>
>> <decoder name="iis-stuff">
>> <parent>windows-date-format</parent>
>> <use_own_name>true</use_own_name>
>> <prematch offset="after_parent">^\S+ \S+ \S+ \S+ /\S* </prematch>
>> <regex offset="after_parent">^\S+ \S+ (\S+) (\S+) (\S*) - (\d+) - \S+ \S+\p\.\p\.+ \S+ \S+ (\d+)</regex>
>> <order>srcip,action,url,dstport,id</order>
>> </decoder>
>>
>> On Tue, Jul 12, 2011 at 12:59 PM, dan (ddp) <[email protected]> wrote:
>> > Hi George,
>>
>> > On Tue, Jul 12, 2011 at 3:23 AM, GeorgeY <[email protected]> wrote:
>> >> Hi Dan,
>>
>> >> Here is what I did.
>>
>> >> On the OSSEC server web_rules.xml, I added the following and restarted
>> >> OSSEC:
>>
>> >> <rule id="31164" level="5">
>> >> <if_sid>31100</if_sid>
>> >> <id>^404</id>
>> >> <description>Web server 404 error code.</description>
>> >> </rule>
>>
>> >> On the OSSEC client, I restarted OSSEC and confirmed that the logs are
>> >> being monitored:
>>
>> >> 2011/07/12 00:02:18 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110712.log'.
>>
>> >> I opened the ex110712.log and noticed this entry:
>>
>> >> 2011-07-12 07:09:07 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2
>>
>> >> However, nothing was logged in alerts.log on the server. Is there
>> >> something I'm missing?
>>
>> > I passed the log message through ossec-logtest for you, and apparently
>> > it's in the wrong format.
>> > It doesn't seem to get recognized as an IIS formatted log message, or
>> > IIS messages aren't decoded very well.
>> > You'll need a decoder for this.
>>
>> >> On Jul 12, 5:37 am, "dan (ddp)" <[email protected]> wrote:
>> >>> On Mon, Jul 11, 2011 at 6:20 AM, GeorgeY <[email protected]> wrote:
>> >>> > Hi Dan,
>>
>> >>> > Thanks for the reply.
>> >>> > Is it possible for me to alert on all requests which lead to a 404
>> >>> > page error?
>> >>> > How can I achieve this?
>>
>> >>> > Thanks,
>> >>> > George
>>
>> >>> Base your rule off of:
>> >>> <rule id="31101" level="5">
>> >>> <if_sid>31100</if_sid>
>> >>> <id>^4</id>
>> >>> <description>Web server 400 error code.</description>
>> >>> </rule>
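The following Python script is an added illustration of the two things discussed in this thread, not code from the list, from OSSEC, or from either poster: what a child decoder with offset="after_parent" has to extract before a rule's <id> condition can see anything, and how analysisd walks the rule tree so that exactly one rule is reported per event. Assumptions: the sample lines are constructed in the same W3C extended layout as the log line in the thread (date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status); the IIS pattern is a Python-regex translation of that layout rather than OSSEC's own regex dialect; rule 31100 is simplified to match anything the parent decoder accepted (the real rule is category-based); and the tree walk models first-match-among-siblings with the deepest match reported, which is how analysisd resolves <if_sid> chains.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (assumption: IIS W3C extended layout as in the thread).
SAMPLE_LINES = [
    "2011-07-13 03:07:05 W3SVC1 hostname 10.0.0.5 GET /abcdef - 80 - 192.0.2.10 "
    "Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 "
    "hostname 404 0 2",
    "2011-07-13 03:07:06 W3SVC1 hostname 10.0.0.5 GET /index.html - 80 - 192.0.2.11 "
    "Mozilla/5.0 hostname 200 0 0",
    "2011-07-13 03:07:07 W3SVC1 hostname 10.0.0.5 POST /login.asp - 80 - 192.0.2.12 "
    "curl/7.21 hostname 403 0 0",
    "Jul 13 03:07:08 hostname sshd[123]: not an IIS line",        # parent prematch fails
    "2011-07-13 03:07:09 W3SVC1 hostname 10.0.0.5 GET /x - 80 - 192.0.2.13 "
    "Mozilla/5.0 404 0 2",                                          # cs-host missing: child fails
]

# Parent decoder (windows-date-format): consumes the leading "YYYY-MM-DD HH:MM:SS ".
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Child decoder applied with offset="after_parent". Python-regex translation of the
# field layout above (assumption), not OSSEC's own regex syntax. The client IP
# (c-ip, after the cs-username field) is what this example maps to srcip.
IIS_RE = re.compile(
    r"^\S+ \S+ \S+ (?P<action>\S+) (?P<url>\S*) \S+ (?P<dstport>\d+) \S+ "
    r"(?P<srcip>\S+) \S+ \S+ (?P<id>\d+) \d+ \d+$"
)

def decode(line: str) -> dict:
    """Mimic Phase 2 of ossec-logtest: return the decoder name plus the fields in
    the child's <order> (srcip,action,url,dstport,id). If the parent prematch
    fails nothing is decoded; if only the parent matches, no fields are set."""
    m = DATE_RE.match(line)
    if not m:
        return {}
    m2 = IIS_RE.match(line[m.end():])
    if not m2:
        return {"decoder": "windows-date-format"}   # what the thread's logtest showed
    fields = {"decoder": "iis-stuff"}
    fields.update(m2.groupdict())
    return fields

@dataclass
class Rule:
    sid: int
    level: int
    description: str
    if_sid: Optional[int] = None    # parent rule, as in <if_sid>
    id_regex: Optional[str] = None  # pattern for the decoded "id" field, as in <id>

def rule_matches(rule: Rule, fields: dict) -> bool:
    if rule.id_regex is None:
        return True   # grouping rule: no field condition of its own (simplification)
    return "id" in fields and re.match(rule.id_regex, fields["id"]) is not None

def evaluate(fields: dict, rules: list, parent_sid: Optional[int] = None) -> Optional[Rule]:
    """Walk the rule tree the way analysisd does: among the rules whose <if_sid>
    is parent_sid, the FIRST one that matches is taken and its children are tried
    next; the deepest match is the single rule reported for the event. Once a
    sibling matches, no later sibling is consulted, so load order matters."""
    if not fields:
        return None   # nothing decoded, nothing to match
    for rule in rules:
        if rule.if_sid == parent_sid and rule_matches(rule, fields):
            deeper = evaluate(fields, rules, rule.sid)
            return deeper if deeper is not None else rule
    return None

# File order as in web_rules.xml: stock 31101 (^4) precedes the custom 31164 (^404).
RULES_AS_SIBLINGS = [
    Rule(31100, 0, "Access log messages grouped."),
    Rule(31101, 5, "Web server 400 error code.", if_sid=31100, id_regex=r"^4"),
    Rule(31164, 5, "Web server 404 error code.", if_sid=31100, id_regex=r"^404"),
]

# Same rules, but 31164 hangs below 31101, so the walk reaches it for a 404.
RULES_AS_CHILD = [
    Rule(31100, 0, "Access log messages grouped."),
    Rule(31101, 5, "Web server 400 error code.", if_sid=31100, id_regex=r"^4"),
    Rule(31164, 5, "Web server 404 error code.", if_sid=31101, id_regex=r"^404"),
]

def classify(line: str, rules: list) -> Optional[int]:
    """Decode a line and return the sid of the one rule that would fire."""
    rule = evaluate(decode(line), rules)
    return rule.sid if rule else None

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line).get("id"),
              classify(line, RULES_AS_SIBLINGS),
              classify(line, RULES_AS_CHILD))
```

Two points come out of running it. First, a line the child decoder rejects (the last sample, which lacks the cs-host field) is decoded only as windows-date-format and lands on 31100 at level 0, which is exactly the symptom in the thread: the <id>^404</id> condition never sees a value, so the fix has to happen in the decoder before any rule can help. Second, a 404 line that decodes correctly still resolves to 31101 when the custom rule is a sibling listed after it, because only one rule fires per event and the first matching sibling wins; making 31164 a child of 31101 puts it on the path the walk already takes, so it becomes the deeper and therefore reported match.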
