Ah, thanks Dan, that makes sense. Not used parent rules before but understand now.
--
Thanks, Phil

----- Original Message -----
> <decoder name="iptables-drop">
>   <parent>iptables</parent>
>   <prematch offset="after_parent">^OSSEC DROP: </prematch>
>   <regex> SRC=(\S+) DST=(\S+) LEN</regex>
>   <order>srcip, dstip</order>
> </decoder>
>
>
> On Thu, Aug 4, 2011 at 3:03 PM, --[ UxBoD ]-- <[email protected]>
> wrote:
> > Dan,
> >
> > here is my output:
> >
> > 2011/08/04 20:00:24 ossec-analysisd: DEBUG: FTSInit completed.
> > ossec-testrule: Type one log per line.
> >
> > Aug  4 17:41:11 server01 kernel: OSSEC DROP: IN=eth0 OUT=
> > MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50
> > DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF
> > PROTO=TCP SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> >
> > **Phase 1: Completed pre-decoding.
> >       full event: 'Aug  4 17:41:11 server01 kernel: OSSEC DROP:
> >       IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
> >       SRC=192.168.0.50 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00
> >       TTL=44 ID=9545 DF PROTO=TCP SPT=46180 DPT=80 WINDOW=5840
> >       RES=0x00 SYN URGP=0 '
> >       hostname: 'server01'
> >       program_name: 'kernel'
> >       log: 'OSSEC DROP: IN=eth0 OUT=
> >       MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
> >       SRC=192.168.0.50 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00
> >       TTL=44 ID=9545 DF PROTO=TCP SPT=46180 DPT=80 WINDOW=5840
> >       RES=0x00 SYN URGP=0 '
> >
> > **Phase 2: Completed decoding.
> >       decoder: 'iptables'
> >
> > **Phase 3: Completed filtering (rules).
> >       Rule id: '111000'
> >       Level: '7'
> >       Description: 'Access attempt blocked by OSSEC chain'
> > **Alert to be generated.
> >
> > So you can see that srcip and dstip are not being extracted :(
> > --
> > Thanks, Phil
> >
> > ----- Original Message -----
> >> On Thu, Aug 4, 2011 at 5:27 AM, --[ UxBoD ]-- <[email protected]>
> >> wrote:
> >> > Am testing OSSEC 2.6 and created the following local rule:
> >> >
> >> >  <rule id="111000" level="7">
> >> >     <decoded_as>iptables</decoded_as>
> >> >     <match>OSSEC DROP</match>
> >> >     <regex>SRC=\S+</regex>
> >> >     <description>Access attempt blocked by OSSEC
> >> >     chain</description>
> >> >   </rule>
> >> >
> >> > The problem I am seeing is that the srcip is never populated in
> >> > the
> >> > MySQL
> >> > database; it is always 0.0.0.0. Looking at the decoder for
> >> > iptables
> >> > one
> >> > sees:
> >> >
> >> > <decoder name="iptables">
> >> >    <program_name>^kernel</program_name>
> >> > </decoder>
> >> >
> >> > <decoder name="iptables-1">
> >> >    <parent>iptables</parent>
> >> >    <type>firewall</type>
> >> >    <prematch>^[\d+.\d+] \S+ IN=</prematch>
> >> >
> >> >    <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
> >> >    <regex> \.+ PROTO=(\w+) </regex>
> >> >    <order>action,srcip,dstip,protocol</order>
> >> > </decoder>
> >> >
> >> > <decoder name="iptables-1">
> >> >    <parent>iptables</parent>
> >> >    <type>firewall</type>
> >> >    <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
> >> >    <order>srcport,dstport</order>
> >> > </decoder>
> >> >
> >> > <decoder name="iptables-2">
> >> >    <parent>iptables</parent>
> >> >    <type>firewall</type>
> >> >    <prematch>^\S+ IN=</prematch>
> >> >
> >> >    <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
> >> >    <regex>PROTO=(\w+) </regex>
> >> >    <order>action,srcip,dstip,protocol</order>
> >> > </decoder>
> >> >
> >> > <decoder name="iptables-2">
> >> >    <parent>iptables</parent>
> >> >    <type>firewall</type>
> >> >    <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
> >> >    <order>srcport,dstport</order>
> >> > </decoder>
> >> >
> >> > From this my understanding was that the fields
> >> > action,srcip,dstip,protocol,srcport,dstport would be populated
> >> > dependent on
> >> > what is matched ? Here is an excerpt from my logfile:
> >> >
> >> > OSSEC DROP: IN=eth0 OUT=
> >> > MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
> >> > SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00
> >> > TTL=44
> >> > ID=38303
> >> > DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >> >
> >> > Should this not have been been matched by iptables-2 ?
> >> > --
> >> > Thanks, Phil
> >> >
> >> >
> >>
> >> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
> >> 2011/08/04 10:01:55 ossec-testrule: INFO: Reading local decoder
> >> file.
> >> 2011/08/04 10:01:55 ossec-testrule: INFO: Started (pid: 30351).
> >> ossec-testrule: Type one log per line.
> >>
> >> OSSEC DROP: IN=eth0 OUT=
> >> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00
> >> SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00
> >> TTL=44
> >> ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN
> >> URGP=0
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'OSSEC DROP: IN=eth0 OUT=
> >> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50
> >> DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF
> >> PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
> >>        hostname: 'ix'
> >>        program_name: '(null)'
> >>        log: 'OSSEC DROP: IN=eth0 OUT=
> >> MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50
> >> DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF
> >> PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
> >>
> >> **Phase 2: Completed decoding.
> >>        No decoder matched.
> >>
> >
>
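A small simulation of the decoder matching discussed in this thread (an added example, not OSSEC's own code): it pre-decodes the syslog line, translates OSSEC's regex dialect to Python's, and shows why the iptables-2 prematch "^\S+ IN=" never hits the "OSSEC DROP:" line, why a line without a syslog header gives "No decoder matched", and how Dan's iptables-drop child extracts srcip and dstip. Assumed: multiple <regex> elements are concatenated, and offset="after_parent" under a parent that has no regex of its own starts at the beginning of the log body.

```python
import re
# Constructed sample line in the format the thread shows (same RFC1918 example addresses).
LOG = ("Aug  4 17:41:11 server01 kernel: OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 "
       "SRC=192.168.0.50 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")
SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$")
# The decoders from the thread (iptables-2's two <regex> lines concatenated, as OSSEC does).
DECODERS = [
    {"name": "iptables", "program_name": r"^kernel"},
    {"name": "iptables-2", "parent": "iptables", "prematch": r"^\S+ IN=",
     "regex": r"^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ PROTO=(\w+) ",
     "order": ["action", "srcip", "dstip", "protocol"]},
    {"name": "iptables-drop", "parent": "iptables", "prematch": r"^OSSEC DROP: ",
     "regex": r" SRC=(\S+) DST=(\S+) LEN", "order": ["srcip", "dstip"]},
]

def ossec_to_py(pat):
    """Translate the OSSEC regex subset used above to Python re syntax:
    OSSEC '\\.' is any character, while '.', '[' and ']' are literals."""
    out, i = [], 0
    while i < len(pat):
        if pat[i] == "\\" and i + 1 < len(pat):
            out.append("." if pat[i + 1] == "." else pat[i:i + 2])
            i += 2
        else:
            out.append("\\" + pat[i] if pat[i] in ".[]" else pat[i])
            i += 1
    return "".join(out)

def predecode(line):
    """Phase 1: syslog header -> hostname, program_name, log body (program_name None if no header)."""
    m = SYSLOG.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

def decode(line, decoders):
    """Phase 2: parent chosen by program_name, then the first child whose prematch hits fills
    the <order> fields. Assumed: after_parent under a regex-less parent starts at the log body."""
    pre = predecode(line)
    for parent in (d for d in decoders if "parent" not in d):
        if pre["program_name"] is None or not re.search(ossec_to_py(parent["program_name"]), pre["program_name"]):
            continue
        for child in (d for d in decoders if d.get("parent") == parent["name"]):
            if "prematch" in child and not re.search(ossec_to_py(child["prematch"]), pre["log"]):
                continue                     # prematch failed: try the next sibling
            m = re.search(ossec_to_py(child["regex"]), pre["log"])
            if m:
                return child["name"], dict(zip(child["order"], m.groups()))
        return parent["name"], {}            # parent hit but no child extracted fields
    return None, {}                          # "No decoder matched"
```

Running decode(LOG, DECODERS) reproduces Dan's fix, while decode(LOG, DECODERS[:2]) reproduces Phil's original result (decoder 'iptables', no srcip/dstip).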
