Ah, thanks Dan, that makes sense. Not used parent rules before but understand now.
--
Thanks, Phil
----- Original Message -----
> <decoder name="iptables-drop">
>   <parent>iptables</parent>
>   <prematch offset="after_parent">^OSSEC DROP: </prematch>
>   <regex> SRC=(\S+) DST=(\S+) LEN</regex>
>   <order>srcip, dstip</order>
> </decoder>
>
>
> On Thu, Aug 4, 2011 at 3:03 PM, --[ UxBoD ]-- <[email protected]> wrote:
> > Dan,
> >
> > here is my output:
> >
> > 2011/08/04 20:00:24 ossec-analysisd: DEBUG: FTSInit completed.
> > ossec-testrule: Type one log per line.
> >
> > Aug 4 17:41:11 server01 kernel: OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Aug 4 17:41:11 server01 kernel: OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 '
> >        hostname: 'server01'
> >        program_name: 'kernel'
> >        log: 'OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.0.50 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP SPT=46180 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 '
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'iptables'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '111000'
> >        Level: '7'
> >        Description: 'Access attempt blocked by OSSEC chain'
> > **Alert to be generated.
> >
> > So you can see that srcip and dstip are not being extracted :(
> > --
> > Thanks, Phil
> >
> > ----- Original Message -----
> >> On Thu, Aug 4, 2011 at 5:27 AM, --[ UxBoD ]-- <[email protected]> wrote:
> >> > Am testing OSSEC 2.6 and created the following local rule:
> >> >
> >> > <rule id="111000" level="7">
> >> >   <decoded_as>iptables</decoded_as>
> >> >   <match>OSSEC DROP</match>
> >> >   <regex>SRC=\S+</regex>
> >> >   <description>Access attempt blocked by OSSEC chain</description>
> >> > </rule>
> >> >
> >> > The problem I am seeing is that the srcip is never populated in the MySQL database; it is always 0.0.0.0. Looking at the decoder for iptables one sees:
> >> >
> >> > <decoder name="iptables">
> >> >   <program_name>^kernel</program_name>
> >> > </decoder>
> >> >
> >> > <decoder name="iptables-1">
> >> >   <parent>iptables</parent>
> >> >   <type>firewall</type>
> >> >   <prematch>^[\d+.\d+] \S+ IN=</prematch>
> >> >
> >> >   <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
> >> >   <regex> \.+ PROTO=(\w+) </regex>
> >> >   <order>action,srcip,dstip,protocol</order>
> >> > </decoder>
> >> >
> >> > <decoder name="iptables-1">
> >> >   <parent>iptables</parent>
> >> >   <type>firewall</type>
> >> >   <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
> >> >   <order>srcport,dstport</order>
> >> > </decoder>
> >> >
> >> > <decoder name="iptables-2">
> >> >   <parent>iptables</parent>
> >> >   <type>firewall</type>
> >> >   <prematch>^\S+ IN=</prematch>
> >> >
> >> >   <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
> >> >   <regex>PROTO=(\w+) </regex>
> >> >   <order>action,srcip,dstip,protocol</order>
> >> > </decoder>
> >> >
> >> > <decoder name="iptables-2">
> >> >   <parent>iptables</parent>
> >> >   <type>firewall</type>
> >> >   <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
> >> >   <order>srcport,dstport</order>
> >> > </decoder>
> >> >
> >> > From this my understanding was that the fields action,srcip,dstip,protocol,srcport,dstport would be populated dependent on what is matched? Here is an excerpt from my logfile:
> >> >
> >> > OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >> >
> >> > Should this not have been matched by iptables-2?
> >> > --
> >> > Thanks, Phil
> >> >
> >> >
> >>
> >> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
> >> 2011/08/04 10:01:55 ossec-testrule: INFO: Reading local decoder file.
> >> 2011/08/04 10:01:55 ossec-testrule: INFO: Started (pid: 30351).
> >> ossec-testrule: Type one log per line.
> >>
> >> OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
> >>        hostname: 'ix'
> >>        program_name: '(null)'
> >>        log: 'OSSEC DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00 SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38303 DF PROTO=TCP SPT=41299 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
> >>
> >> **Phase 2: Completed decoding.
> >>        No decoder matched.
> >>
> >
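As an added illustration of why the stock iptables-2 child never fires on the "OSSEC DROP: " lines while Dan's iptables-drop child does, here is a small Python model of the prematch-then-regex flow (my own code, not from Dan, Phil or the OSSEC source). Python's re stands in for OSSEC's own regex dialect, the two <regex> elements of iptables-2 are joined into one pattern, and both log lines are constructed to mirror the shapes seen in the thread.

```python
import re

# Constructed samples shaped like the thread's lines. OSSEC's pre-decoder has already split
# off the syslog header, so a child decoder sees only the part after "kernel: ".
MAC = "MAC=00:16:3e:00:00:01:fe:ff:ff:ff:ff:ff:08:00"
LOG_OSSEC_DROP = ("OSSEC DROP: IN=eth0 OUT= " + MAC + " SRC=192.168.0.50 DST=192.168.0.100 "
                  "LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9545 DF PROTO=TCP SPT=46180 DPT=80 "
                  "WINDOW=5840 RES=0x00 SYN URGP=0 ")
# A line with a single-word prefix before IN=, the shape the stock iptables-2 prematch expects.
LOG_ONE_WORD = ("DROP IN=eth0 OUT= " + MAC + " SRC=10.0.0.5 DST=10.0.0.6 LEN=60 TOS=0x00 "
                "PREC=0x00 TTL=44 ID=1 DF PROTO=TCP SPT=1234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0")

# Children of the "iptables" parent as (name, prematch, regex, order). OSSEC's regex dialect is
# approximated with Python re: OSSEC "\.+" (any run of characters) becomes ".+".
CHILD_DECODERS = [
    ("iptables-2", r"^\S+ IN=",
     r"^(\S+) .+ SRC=(\S+) DST=(\S+) .+ PROTO=(\w+) ",
     ["action", "srcip", "dstip", "protocol"]),
    # Dan's local decoder. offset="after_parent" means "start after what the parent consumed";
    # the parent only matched program_name, so the child sees the whole log body.
    ("iptables-drop", r"^OSSEC DROP: ",
     r" SRC=(\S+) DST=(\S+) LEN",
     ["srcip", "dstip"]),
]

def prematch_hits(log):
    """Names of the child decoders whose prematch alone accepts the line."""
    return [name for name, prematch, _, _ in CHILD_DECODERS if re.search(prematch, log)]

def decode(log):
    """Return (decoder name, extracted fields), the information ossec-logtest prints in Phase 2.

    The prematch is a gate: a child whose prematch misses never has its regex tried. When no
    child matches, only the parent 'iptables' applies and no fields are set, consistent with
    the 0.0.0.0 srcip Phil saw in the database."""
    for name, prematch, regex, order in CHILD_DECODERS:
        if re.search(prematch, log) is None:
            continue
        m = re.search(regex, log)
        fields = dict(zip(order, m.groups())) if m else {}
        return name, fields
    return "iptables", {}

if __name__ == "__main__":
    for line in (LOG_OSSEC_DROP, LOG_ONE_WORD):
        print(prematch_hits(line), decode(line))
```

The "OSSEC DROP: " prefix is two tokens, so `^\S+ IN=` cannot match it and the line falls through to the parent alone until a child with a matching prematch is added.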
