Am testing OSSEC 2.6 and created the following local rule:

  <rule id="111000" level="7">
    <decoded_as>iptables</decoded_as>
    <match>OSSEC DROP</match>
    <regex>SRC=\S+</regex>
    <description>Access attempt blocked by OSSEC chain</description>
  </rule>

The problem I am seeing is that the srcip is never populated in the MySQL database; it is always 0.0.0.0. Looking at the decoder for iptables one sees:

  <decoder name="iptables">
    <program_name>^kernel</program_name>
  </decoder>

  <decoder name="iptables-1">
    <parent>iptables</parent>
    <type>firewall</type>
    <prematch>^[\d+.\d+] \S+ IN=</prematch>
    <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
    <regex> \.+ PROTO=(\w+) </regex>
    <order>action,srcip,dstip,protocol</order>
  </decoder>

  <decoder name="iptables-1">
    <parent>iptables</parent>
    <type>firewall</type>
    <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
    <order>srcport,dstport</order>
  </decoder>

  <decoder name="iptables-2">
    <parent>iptables</parent>
    <type>firewall</type>
    <prematch>^\S+ IN=</prematch>
    <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
    <regex>PROTO=(\w+) </regex>
    <order>action,srcip,dstip,protocol</order>
  </decoder>

  <decoder name="iptables-2">
    <parent>iptables</parent>
    <type>firewall</type>
    <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
    <order>srcport,dstport</order>
  </decoder>

From this my understanding was that the fields action,srcip,dstip,protocol,srcport,dstport would be populated dependent on what is matched? Here is an excerpt from my logfile:

  OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Should this not have been matched by iptables-2?

-- 
Thanks,
Phil
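As an added illustration (not part of Phil's message and not OSSEC's own code), the Python below approximates how the quoted iptables-2 decoder's prematch and regex are applied to the quoted log line, so one can see which step stops srcip from being set. The translation of OSSEC's regex syntax to Python and the concatenation of the `<regex>` fragments into one pattern are assumptions made for the illustration, and `SINGLE_TOKEN_LINE` is a constructed variant for comparison.

```python
import re

# Constructed from the message: the iptables-2 decoder's prematch, regex
# fragments and <order>, and the log excerpt as the decoder sees it.
IPTABLES_2 = {
    "prematch": r"^\S+ IN=",
    "regex": [r"^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ ", r"PROTO=(\w+) "],
    "order": ["action", "srcip", "dstip", "protocol"],
}
LOG_LINE = (
    "OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 "
    "SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 "
    "ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
)
# Constructed variant whose log prefix is a single token, for comparison.
SINGLE_TOKEN_LINE = LOG_LINE.replace("OSSEC DROP:", "OSSEC_DROP:", 1)


def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC regex subset used by these decoders to Python.

    OSSEC spells 'any character' as \\. while \\S, \\d and \\w keep their
    usual meaning. Approximation for illustration, not OSSEC's own engine.
    """
    return pattern.replace(r"\.", ".")


def decode(decoder: dict, log: str):
    """Return the fields the decoder would populate for `log`, or None.

    The prematch gates the decoder; the <regex> fragments are assumed to be
    concatenated into one pattern and each capture is assigned to the field
    at the same position in <order>.
    """
    if re.search(ossec_to_python(decoder["prematch"]), log) is None:
        return None  # prematch fails: nothing is captured, srcip stays unset
    pattern = "".join(ossec_to_python(rx) for rx in decoder["regex"])
    match = re.search(pattern, log)
    if match is None:
        return None
    return dict(zip(decoder["order"], match.groups()))


if __name__ == "__main__":
    # "OSSEC DROP:" is two tokens, so ^\S+ IN= cannot match the quoted line...
    print(decode(IPTABLES_2, LOG_LINE))  # None
    # ...while a single-token prefix passes the prematch and yields srcip.
    print(decode(IPTABLES_2, SINGLE_TOKEN_LINE))
```

The practical check is therefore whether the text between the `kernel:` tag and `IN=` is a single whitespace-free token; the rule-level `<match>` on "OSSEC DROP" does not influence which decoder fields get filled.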
