On Thu, Aug 4, 2011 at 5:27 AM, --[ UxBoD ]-- <[email protected]> wrote:
> Am testing OSSEC 2.6 and created the following local rule:
>
>  <rule id="111000" level="7">
>     <decoded_as>iptables</decoded_as>
>     <match>OSSEC DROP</match>
>     <regex>SRC=\S+</regex>
>     <description>Access attempt blocked by OSSEC chain</description>
>   </rule>
>
> The problem I am seeing is that the srcip is never populated in the MySQL
> database; it is always 0.0.0.0. Looking at the decoder for iptables one
> sees:
>
> <decoder name="iptables">
>    <program_name>^kernel</program_name>
> </decoder>
>
> <decoder name="iptables-1">
>    <parent>iptables</parent>
>    <type>firewall</type>
>    <prematch>^[\d+.\d+] \S+ IN=</prematch>
>
>    <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
>    <regex> \.+ PROTO=(\w+) </regex>
>    <order>action,srcip,dstip,protocol</order>
> </decoder>
>
> <decoder name="iptables-1">
>    <parent>iptables</parent>
>    <type>firewall</type>
>    <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
>    <order>srcport,dstport</order>
> </decoder>
>
> <decoder name="iptables-2">
>    <parent>iptables</parent>
>    <type>firewall</type>
>    <prematch>^\S+ IN=</prematch>
>
>    <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
>    <regex>PROTO=(\w+) </regex>
>    <order>action,srcip,dstip,protocol</order>
> </decoder>
>
> <decoder name="iptables-2">
>    <parent>iptables</parent>
>    <type>firewall</type>
>    <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
>    <order>srcport,dstport</order>
> </decoder>
>
> From this my understanding was that the fields
> action,srcip,dstip,protocol,srcport,dstport would be populated dependent on
> what is matched? Here is an excerpt from my logfile:
>
> OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
> SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303
> DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Should this not have been matched by iptables-2?
> --
> Thanks, Phil

# /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
2011/08/04 10:01:55 ossec-testrule: INFO: Reading local decoder file.
2011/08/04 10:01:55 ossec-testrule: INFO: Started (pid: 30351).
ossec-testrule: Type one log per line.

OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44
ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0


**Phase 1: Completed pre-decoding.
       full event: 'OSSEC DROP: IN=eth0 OUT=
MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF
PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
       hostname: 'ix'
       program_name: '(null)'
       log: 'OSSEC DROP: IN=eth0 OUT=
MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF
PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

**Phase 2: Completed decoding.
       No decoder matched.

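To see why logtest reports "No decoder matched", here is a simplified emulation of the decoding path, added as an example and not OSSEC's own code: the parent `iptables` decoder only applies when the pre-decoder has set `program_name` to something matching `^kernel`, and the `iptables-2` prematch `^\S+ IN=` only allows a single token before `IN=`. The syslog header values, the one-word `OSSEC_DROP` prefix and the translation of OSSEC regex syntax into Python `re` are assumptions for the demonstration.

```python
import re

# Constructed sample lines. RAW_LINE is the event from the thread with no syslog
# header; SYSLOG_LINE wraps it in an assumed syslog header with a kernel tag;
# ONEWORD_LINE additionally assumes a one-token --log-prefix ("OSSEC_DROP").
RAW_LINE = ("OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 "
            "SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 "
            "ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")
SYSLOG_LINE = "Aug  4 10:01:55 ix kernel: " + RAW_LINE
ONEWORD_LINE = SYSLOG_LINE.replace("OSSEC DROP: IN=", "OSSEC_DROP IN=")

# Simplified stand-in for OSSEC's pre-decoder: strip a BSD syslog header.
# Without one, program_name stays None (logtest prints it as '(null)').
SYSLOG_HDR = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ([^:\[\s]+)(?:\[\d+\])?: (.*)$")

def predecode(line):
    m = SYSLOG_HDR.match(line)
    return (m.group(1), m.group(2)) if m else (None, line)

# The decoders from the thread, translated to Python re syntax: OSSEC's '\.+'
# is 'any character, one or more'; the two <regex> lines of iptables-2 form one
# pattern; offset="after_regex" means the port regex starts where it ended.
PARENT_PROGRAM = re.compile(r"^kernel")
PREMATCH_2 = re.compile(r"^\S+ IN=")
REGEX_2 = re.compile(r"^(\S+) .+ SRC=(\S+) DST=(\S+) .+ PROTO=(\w+) ")
PORTS_2 = re.compile(r"^SPT=(\d+) DPT=(\d+) ")

def decode(line):
    """Return (status, fields); fields is empty unless status == 'decoded'."""
    program_name, log = predecode(line)
    if program_name is None or not PARENT_PROGRAM.match(program_name):
        return "no decoder matched (parent requires program_name ^kernel)", {}
    if not PREMATCH_2.match(log):
        return "prematch ^\\S+ IN= failed (more than one token before IN=)", {}
    m = REGEX_2.match(log)
    if not m:
        return "regex failed", {}
    fields = dict(zip(("action", "srcip", "dstip", "protocol"), m.groups()))
    m2 = PORTS_2.match(log[m.end():])      # offset="after_regex"
    if m2:
        fields.update(zip(("srcport", "dstport"), m2.groups()))
    return "decoded", fields

if __name__ == "__main__":
    for line in (RAW_LINE, SYSLOG_LINE, ONEWORD_LINE):
        print(decode(line))
```

Only the third line, with a kernel program_name and a single-token prefix, yields a populated srcip; the raw line fails at the parent decoder exactly as logtest shows above.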