<decoder name="iptables-drop">
  <parent>iptables</parent>
  <prematch offset="after_parent">^OSSEC DROP: </prematch>
  <regex> SRC=(\S+) DST=(\S+) LEN</regex>
  <order>srcip, dstip</order>
</decoder>


On Thu, Aug 4, 2011 at 3:03 PM, --[ UxBoD ]-- <[email protected]> wrote:
> Dan,
>
> here is my output:
>
> 2011/08/04 20:00:24 ossec-analysisd: DEBUG: FTSInit completed.
> ossec-testrule: Type one log per line.
>
> Aug  4 17:41:11 server01 kernel: OSSEC DROP: IN=eth0 OUT= 
> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50 
> DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP 
> SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
>
> **Phase 1: Completed pre-decoding.
>       full event: 'Aug  4 17:41:11 server01 kernel: OSSEC DROP: IN=eth0 OUT= 
> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50 
> DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP 
> SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 '
>       hostname: 'server01'
>       program_name: 'kernel'
>       log: 'OSSEC DROP: IN=eth0 OUT= 
> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50 
> DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP 
> SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 '
>
> **Phase 2: Completed decoding.
>       decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
>       Rule id: '111000'
>       Level: '7'
>       Description: 'Access attempt blocked by OSSEC chain'
> **Alert to be generated.
>
> So you can see that srcip and dstip are not being extracted :(
> --
> Thanks, Phil
>
> ----- Original Message -----
>> On Thu, Aug 4, 2011 at 5:27 AM, --[ UxBoD ]-- <[email protected]>
>> wrote:
>> > Am testing OSSEC 2.6 and created the following local rule:
>> >
>> >  <rule id="111000" level="7">
>> >     <decoded_as>iptables</decoded_as>
>> >     <match>OSSEC DROP</match>
>> >     <regex>SRC=\S+</regex>
>> >     <description>Access attempt blocked by OSSEC
>> >     chain</description>
>> >   </rule>
>> >
>> > The problem I am seeing is that the srcip is never populated in the
>> > MySQL
>> > database; it is always 0.0.0.0. Looking at the decoder for iptables
>> > one
>> > sees:
>> >
>> > <decoder name="iptables">
>> >    <program_name>^kernel</program_name>
>> > </decoder>
>> >
>> > <decoder name="iptables-1">
>> >    <parent>iptables</parent>
>> >    <type>firewall</type>
>> >    <prematch>^[\d+.\d+] \S+ IN=</prematch>
>> >
>> >    <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
>> >    <regex> \.+ PROTO=(\w+) </regex>
>> >    <order>action,srcip,dstip,protocol</order>
>> > </decoder>
>> >
>> > <decoder name="iptables-1">
>> >    <parent>iptables</parent>
>> >    <type>firewall</type>
>> >    <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
>> >    <order>srcport,dstport</order>
>> > </decoder>
>> >
>> > <decoder name="iptables-2">
>> >    <parent>iptables</parent>
>> >    <type>firewall</type>
>> >    <prematch>^\S+ IN=</prematch>
>> >
>> >    <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
>> >    <regex>PROTO=(\w+) </regex>
>> >    <order>action,srcip,dstip,protocol</order>
>> > </decoder>
>> >
>> > <decoder name="iptables-2">
>> >    <parent>iptables</parent>
>> >    <type>firewall</type>
>> >    <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
>> >    <order>srcport,dstport</order>
>> > </decoder>
>> >
>> > From this my understanding was that the fields
>> > action,srcip,dstip,protocol,srcport,dstport would be populated
>> > dependent on
>> > what is matched ? Here is an excerpt from my logfile:
>> >
>> > OSSEC DROP: IN=eth0 OUT=
>> > MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
>> > SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44
>> > ID=38303
>> > DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>> >
>> > Should this not have been matched by iptables-2 ?
>> > --
>> > Thanks, Phil
>> >
>> >
>>
>> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
>> 2011/08/04 10:01:55 ossec-testrule: INFO: Reading local decoder file.
>> 2011/08/04 10:01:55 ossec-testrule: INFO: Started (pid: 30351).
>> ossec-testrule: Type one log per line.
>>
>> OSSEC DROP: IN=eth0 OUT=
>> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
>> SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44
>> ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN
>> URGP=0
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'OSSEC DROP: IN=eth0 OUT=
>> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50
>> DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF
>> PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
>>        hostname: 'ix'
>>        program_name: '(null)'
>>        log: 'OSSEC DROP: IN=eth0 OUT=
>> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50
>> DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF
>> PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>
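The decoding flow discussed in this thread, as an added example that is neither part of the original messages nor OSSEC's own code: a small Python emulation of ossec-logtest's Phase 1 (pre-decoding the syslog header) and Phase 2 (parent decoder on program_name, then child decoders with prematch, regex and order). Run against the event Phil posted, it shows why the stock iptables-2 child never matches an "OSSEC DROP: " prefix (its prematch `^\S+ IN=` expects a single token before " IN="), why the headerless paste gives "No decoder matched", and how the iptables-drop child with `offset="after_parent"` extracts srcip and dstip. The OSSEC regex dialect is modelled as an assumed subset (\S, \d, \w classes, `\.` as any character, bare `.`/`[`/`]` literal); multiple `<regex>` elements are assumed to concatenate; same-name sibling chaining and after_regex offsets are not modelled; the one-token event is constructed for contrast.

```python
import re

# Constructed from the event Phil posted in this thread (syslog header + iptables log).
SAMPLE_EVENT = (
    "Aug  4 17:41:11 server01 kernel: OSSEC DROP: IN=eth0 OUT= "
    "MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50 "
    "DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP "
    "SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
)
# The same log pasted into ossec-logtest without its syslog header (Phil's first test).
HEADERLESS_EVENT = SAMPLE_EVENT[SAMPLE_EVENT.index("OSSEC DROP"):]
# Constructed event with a one-word log prefix, the shape the stock iptables-2 decoder expects.
ONE_TOKEN_EVENT = (
    "Aug  4 17:41:11 server01 kernel: DROP IN=eth0 OUT= "
    "MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=10.0.0.5 DST=10.0.0.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=1234 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0"
)

SYSLOG_HEADER = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ([^:\[ ]+)(?:\[\d+\])?: ")

# Decoders as they appear in the thread, reduced to the fields this emulation uses.
PARENT = {"name": "iptables", "program_name": "^kernel"}
IPTABLES_2 = {"name": "iptables-2", "parent": "iptables",
              "prematch": r"^\S+ IN=",
              # the two <regex> elements of the stock decoder, concatenated (assumption)
              "regex": r"^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ PROTO=(\w+) ",
              "order": ["action", "srcip", "dstip", "protocol"]}
IPTABLES_DROP = {"name": "iptables-drop", "parent": "iptables",
                 "prematch": "^OSSEC DROP: ", "prematch_offset": "after_parent",
                 "regex": r" SRC=(\S+) DST=(\S+) LEN",
                 "order": ["srcip", "dstip"]}


def ossec_regex(pattern):
    """Translate OSSEC's regex dialect (assumed subset) into a compiled Python pattern.

    \\S \\s \\d \\D \\w \\W are character classes, '\\.' means any character, a bare
    '.', '[' and ']' are literal, and ^ $ ( ) + * | keep their usual meaning.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")
            elif nxt in "sSdDwW":
                out.append("\\" + nxt)
            else:
                out.append(re.escape(nxt))
            i += 2
        else:
            out.append(c if c in "^$()+*|" else re.escape(c))
            i += 1
    return re.compile("".join(out))


def predecode(event):
    """Phase 1: split a syslog line into hostname, program_name and log.
    Without a header there is no program_name, so a program_name parent cannot match."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m.group(1), "program_name": m.group(2), "log": event[m.end():]}


def run_decoder(decoder, pre, parent_end=0):
    """Apply one child decoder: prematch (optionally offset after the parent's match),
    then regex, with captures mapped onto the <order> names. None if it does not match."""
    log = pre["log"]
    start = parent_end if decoder.get("prematch_offset") == "after_parent" else 0
    regex_start = 0
    if decoder.get("prematch"):
        m = ossec_regex(decoder["prematch"]).search(log[start:])
        if not m:
            return None
        if decoder.get("regex_offset") == "after_prematch":
            regex_start = start + m.end()
    r = ossec_regex(decoder["regex"]).search(log[regex_start:])
    if not r:
        return None
    return dict(zip(decoder["order"], r.groups()))


def decode(event, children):
    """Phase 2: parent matches on program_name, children are tried in order and the first
    one whose prematch and regex both match supplies the fields. Returns (decoder, fields)."""
    pre = predecode(event)
    if pre["program_name"] is None or not ossec_regex(PARENT["program_name"]).search(pre["program_name"]):
        return None, {}          # ossec-logtest: "No decoder matched."
    for child in children:
        fields = run_decoder(child, pre)
        if fields is not None:
            return child["name"], fields
    return PARENT["name"], {}    # parent matched, but no child extracted anything


if __name__ == "__main__":
    print(decode(HEADERLESS_EVENT, [IPTABLES_2]))                 # (None, {})
    print(decode(SAMPLE_EVENT, [IPTABLES_2]))                     # ('iptables', {})
    print(decode(SAMPLE_EVENT, [IPTABLES_2, IPTABLES_DROP]))      # srcip/dstip extracted
    print(decode(ONE_TOKEN_EVENT, [IPTABLES_2]))                  # stock decoder fits this shape
```

The three calls on the thread's event reproduce, in order, the "No decoder matched", the bare `decoder: 'iptables'` result with no srcip, and the working extraction once the iptables-drop child is in place; the constructed one-token event shows the log shape the stock iptables-2 prematch was written for, which is what a custom LOG prefix in the iptables rule breaks.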
