Dan,
here is my output:
2011/08/04 20:00:24 ossec-analysisd: DEBUG: FTSInit completed.
ossec-testrule: Type one log per line.
Aug 4 17:41:11 server01 kernel: OSSEC DROP: IN=eth0 OUT=
MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50
DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP
SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
**Phase 1: Completed pre-decoding.
full event: 'Aug 4 17:41:11 server01 kernel: OSSEC DROP: IN=eth0 OUT=
MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50
DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP
SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 '
hostname: 'server01'
program_name: 'kernel'
log: 'OSSEC DROP: IN=eth0 OUT=
MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50
DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP
SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 '
**Phase 2: Completed decoding.
decoder: 'iptables'
**Phase 3: Completed filtering (rules).
Rule id: '111000'
Level: '7'
Description: 'Access attempt blocked by OSSEC chain'
**Alert to be generated.
So you can see that srcip and dstip are not being extracted :(
--
Thanks, Phil
----- Original Message -----
> On Thu, Aug 4, 2011 at 5:27 AM, --[ UxBoD ]-- <[email protected]>
> wrote:
> > Am testing OSSEC 2.6 and created the following local rule:
> >
> > <rule id="111000" level="7">
> > <decoded_as>iptables</decoded_as>
> > <match>OSSEC DROP</match>
> > <regex>SRC=\S+</regex>
> > <description>Access attempt blocked by OSSEC chain</description>
> > </rule>
> >
> > The problem I am seeing is that the srcip is never populated in the
> > MySQL database; it is always 0.0.0.0. Looking at the decoder for
> > iptables one sees:
> >
> > <decoder name="iptables">
> > <program_name>^kernel</program_name>
> > </decoder>
> >
> > <decoder name="iptables-1">
> > <parent>iptables</parent>
> > <type>firewall</type>
> > <prematch>^[\d+.\d+] \S+ IN=</prematch>
> >
> > <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
> > <regex> \.+ PROTO=(\w+) </regex>
> > <order>action,srcip,dstip,protocol</order>
> > </decoder>
> >
> > <decoder name="iptables-1">
> > <parent>iptables</parent>
> > <type>firewall</type>
> > <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
> > <order>srcport,dstport</order>
> > </decoder>
> >
> > <decoder name="iptables-2">
> > <parent>iptables</parent>
> > <type>firewall</type>
> > <prematch>^\S+ IN=</prematch>
> >
> > <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
> > <regex>PROTO=(\w+) </regex>
> > <order>action,srcip,dstip,protocol</order>
> > </decoder>
> >
> > <decoder name="iptables-2">
> > <parent>iptables</parent>
> > <type>firewall</type>
> > <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
> > <order>srcport,dstport</order>
> > </decoder>
> >
> > From this my understanding was that the fields
> > action,srcip,dstip,protocol,srcport,dstport would be populated
> > dependent on what is matched? Here is an excerpt from my logfile:
> >
> > OSSEC DROP: IN=eth0 OUT=
> > MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
> > SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44
> > ID=38303
> > DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > Should this not have been matched by iptables-2?
> > --
> > Thanks, Phil
> >
> >
>
> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
> 2011/08/04 10:01:55 ossec-testrule: INFO: Reading local decoder file.
> 2011/08/04 10:01:55 ossec-testrule: INFO: Started (pid: 30351).
> ossec-testrule: Type one log per line.
>
> OSSEC DROP: IN=eth0 OUT=
> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
> SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44
> ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN
> URGP=0
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'OSSEC DROP: IN=eth0 OUT=
> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50
> DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF
> PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
> hostname: 'ix'
> program_name: '(null)'
> log: 'OSSEC DROP: IN=eth0 OUT=
> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50
> DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF
> PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
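A small Python model of the decoder pass, added here as an illustration (it is not OSSEC code), to show why the two logtest runs in this thread differ: with no syslog header program_name is null and the parent 'iptables' decoder never matches, while with the header present the parent matches but the iptables-2 prematch `^\S+ IN=` rejects a log prefix that contains a space, so srcip/dstip are never filled in. The mapping of OSSEC's regex dialect to Python `re`, the syslog header pattern and the sample events are all assumptions constructed for the example.

```python
import re

# Constructed sample events (same shape as the lines in the thread, not the
# author's real log file).
SYSLOG_HEADER = "Aug  4 17:41:11 server01 kernel: "
KERNEL_LOG = ("DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 "
              "SRC=192.168.0.50 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 "
              "TTL=44 ID=9545 DF PROTO=TCP SPT=46180 DPT=80 WINDOW=5840 "
              "RES=0x00 SYN URGP=0")
PHIL_EVENT = SYSLOG_HEADER + "OSSEC " + KERNEL_LOG    # prefix "OSSEC DROP:" has a space
FIXED_EVENT = SYSLOG_HEADER + "OSSEC_" + KERNEL_LOG   # hypothetical one-token prefix
NO_HEADER_EVENT = "OSSEC " + KERNEL_LOG               # pasted without a syslog header

# Pre-decoding: a simplified syslog header pattern (assumption), giving the
# hostname, program_name and log fields that logtest prints in Phase 1.
HEADER_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$")

# Child decoder "iptables-2" as quoted above, with OSSEC's dialect mapped to
# Python re (assumption: OSSEC's \.+ is "one or more of any character", and the
# two <regex> elements of one decoder are concatenated).
PREMATCH = re.compile(r"^\S+ IN=")
FIELDS = re.compile(r"^(\S+) .+ SRC=(\S+) DST=(\S+) .+ PROTO=(\w+) ")
FIELD_ORDER = ("action", "srcip", "dstip", "protocol")
PORTS = re.compile(r"^SPT=(\d+) DPT=(\d+) ")          # offset="after_regex"
PORT_ORDER = ("srcport", "dstport")

def decode_iptables(log):
    """Return the fields iptables-2 would extract, or {} if its prematch fails."""
    if not PREMATCH.match(log):
        return {}
    m = FIELDS.match(log)
    if not m:
        return {}
    fields = dict(zip(FIELD_ORDER, m.groups()))
    p = PORTS.match(log[m.end():])                   # continue where the first regex stopped
    if p:
        fields.update(zip(PORT_ORDER, p.groups()))
    return fields

def decode(event):
    """Pre-decode the header, apply the parent (^kernel) check, then the child decoder."""
    h = HEADER_RE.match(event)
    program_name, log = (h.group(2), h.group(3)) if h else (None, event)
    if program_name is None or not re.match(r"^kernel", program_name):
        return {"decoder": None, "fields": {}}        # "No decoder matched."
    return {"decoder": "iptables", "fields": decode_iptables(log)}
```

Run `decode()` on the three events to see the parent-only match, the no-match, and the full extraction when the log prefix is a single token.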