I altered this decoder to make it more detailed:

<decoder name="web-accesslog-iis7">
  <parent>windows-date-format</parent>
  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ </prematch>
  <type>web-log</type>
  <regex offset="after_prematch">^(/\S* \S+) (\d+) \S+ (\d+.\d+.\d+.\d+) (\.*) (\d+)</regex>
  <order>url, dstport, srcip, extra_data, id</order>
</decoder>

The output from your sample above, using my decoder, is:

**Phase 1: Completed pre-decoding.
       full event: '2011-08-08 11:49:54 172.16.1.69 GET /+union+select+'+where - 80 - 172.16.1.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 187'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: '2011-08-08 11:49:54 172.16.1.69 GET /+union+select+'+where - 80 - 172.16.1.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 187'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       url: '/+union+select+'+where -'
       dstport: '80'
       srcip: '172.16.1.21'
       extra_data: 'Mozilla/5.0+(Windows+NT+6.1;+WOW64;rv:5.0)+Gecko/20100101+Firefox/5.0'
       id: '404'

On Aug 8, 7:50 am, Hermes <[email protected]> wrote:
> wtf...
> works like a charme!!
>
> Thank you very, very much :)
>
> On 8 Aug., 16:43, "dan (ddp)" <[email protected]> wrote:
>
> > I'm not an expert, but try this:
>
> > <decoder name="web-accesslog-iis7">
> >   <parent>windows-date-format</parent>
> >   <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ </prematch>
> >   <type>web-log</type>
> >   <regex offset="after_parent">^\d+.\d+.\d+.\d+ (\S+) (/\S+) \S+ (\d+) \S+ (\d+.\d+.\d+.\d+) \S+ (\d+)</regex>
> >   <order>action,url, dstport, srcip, id</order>
> > </decoder>
>
> > On Mon, Aug 8, 2011 at 10:15 AM, Hermes <[email protected]> wrote:
> > > Hmm...
> > > Here are my first results:
>
> > > <!-- IIS7 WWW W3C log format.
> > >  - Examples:
> > >  - 2011-08-08 11:49:54 172.16.1.69 GET /+union+select+'+where - 80 - 172.16.1.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 187
> > >  -->
>
> > > <decoder name="web-accesslog-iis7">
> > >  <parent>windows-date-format</parent>
> > >  <type>web-log</type>
> > >  <use_own_name>true</use_own_name>
> > >  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ </prematch>
> > >  <regex offset="after_prematch">^(\S+ \S+) \S+ \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
> > >  <regex>\S+ \S+ \S+ \S+ (\d+) </regex>
> > >  <order>url, srcip, id</order>
> > > </decoder>
>
> > > When I start the logtest, I get:
>
> > > **Phase 1: Completed pre-decoding.
> > >       full event: '2011-08-08 11:49:54 172.16.1.69 GET /+union+select+'+where - 80 - 172.16.1.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 187'
> > >       hostname: 'ubuntu'
> > >       program_name: '(null)'
> > >       log: '2011-08-08 11:49:54 172.16.1.69 GET /+union+select+'+where - 80 - 172.16.1.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 187'
>
> > > **Phase 2: Completed decoding.
> > >       decoder: 'windows-date-format'
>
> > > **Phase 3: Completed filtering (rules).
> > >       Rule id: '31100'
> > >       Level: '0'
> > >       Description: 'Access log messages grouped.'
>
> > > What I get, when logtest without my new decoder:
> > > **Phase 1: Completed pre-decoding.
> > >       full event: '2011-08-08 11:49:54 172.16.1.69 GET /+union+select+'+where - 80 - 172.16.1.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 187'
> > >       hostname: 'ubuntu'
> > >       program_name: '(null)'
> > >       log: '2011-08-08 11:49:54 172.16.1.69 GET /+union+select+'+where - 80 - 172.16.1.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 187'
>
> > > **Phase 2: Completed decoding.
> > >       decoder: 'windows-date-format'
>
> > > **Phase 3: Completed filtering (rules).
> > >       Rule id: '1012'
> > >       Level: '11'
> > >       Description: 'SQL Injection attempt'
> > > **Alert to be generated.
>
> > > *sigh*
>
> > > At least the malicious URL was detected with the old decoder. Some kind of regex expert out there?^^
>
> > > On 8 Aug., 14:59, Hermes <[email protected]> wrote:
> > >> Thanks :)
>
> > >> On 8 Aug., 14:48, "dan (ddp)" <[email protected]> wrote:
>
> > >> > Remember to add your decoder to local_decoder.xml so it won't be overwritten on upgrade.
>
> > >> > On Monday, August 8, 2011, Hermes <[email protected]> wrote:
> > >> > > Yes. I am already writing the new decoder^^
> > >> > > But something that really helped (and THANKS for that):
> > >> > > For every log decoder, there is an example directly above, so I can
> > >> > > instantly compare differences, without installing IIS5 and IIS6.
>
> > >> > > On 8 Aug., 14:39, "dan (ddp)" <[email protected]> wrote:
> > >> > >> Run the log message through ossec-logtest. Decoders.xml has examples, and they don't appear to be in the same format as the log you posted.
>
> > >> > >> On Monday, August 8, 2011, Hermes <[email protected]> wrote:
> > >> > >> > _Sorry_ for the double post!!
>
> > >> > >> > The more I appreciate the answers!
> > >> > >> > Is there something weird with the log file? Because, shouldn't it
> > >> > >> > already be in IIS style, ready for decode?
>
> > >> > >> > On 8 Aug., 14:28, "dan (ddp)" <[email protected]> wrote:
> > >> > >> >> On Mon, Aug 8, 2011 at 8:08 AM, Hermes <[email protected]> wrote:
> > >> > >> >> > Hello again!
>
> > >> > >> >> > After successfully troubleshooting another problem, here is a new one.
>
> > >> > >> >> > First I will provide all necessary logs (etc), then I will post my problem:
>
> > >> > >> >> > Ossec WUI output on the manager (ubuntu):
> > >> > >> >> > 2011 Aug 08 04:49:52 Rule Id: 1012 level: 11
> > >> > >> >> > Location: (agent1) 192.168.0.69->\inetpub\logs\LogFiles\W3SVC1\ex110808.log
> > >> > >> >> > Src IP: 08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 - 192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 187
> > >> > >> >> > hacking attempt
> > >> > >> >> > ** Alert 1312804227.157360: - apache,
> > >> > >> >> > 2011 Aug 08 04:50:27 ubuntu->/var/log/apache2/error.log
> > >> > >> >> > Rule: 31410 (level 3) -> 'PHP Warning message.'
> > >> > >> >> > Src IP: 172.16.1.21
> > >> > >> >> > [Mon Aug 08 04:50:27 2011] [error] [client 192.168.0.21] PHP Warning: fseek() expects parameter 3 to be long, string given in /var/www/ossec-wui-0.3/lib/os_lib_alerts.php on line 842, referer: http://192.168.0.124/ossec-wui-0.3/index.php?f=s
>
> > >> > >> >> Yes, the WUI code is broken. One day the people that want to use it will get together and share the fixes they've had to put in place so we don't have to keep seeing the same posts about it. The above seems unrelated to anything else in this message though...
>
> > >> > >> >> > The referring "rule 1012":
> > >> > >> >> > <rule id="1012" level="11">
> > >> > >> >> >    <match>$sqli_xss</match>
> > >> > >> >> >    <options>alert_by_email</options>
> > >> > >> >> >    <description>hacking attempt</description>
> > >> > >> >> >    <group>attack,sql_injection,</group>
> > >> > >> >> > </rule>
>
> > >> > >> >> > To the agent conf:
> > >> > >> >> > <localfile>
> > >> > >> >> >  <location>%WinDir%\\inetpub\\logs\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
> > >> > >> >> >  <log_format>iis</log_format>
> > >> > >> >> > </localfile>
>
> > >> > >> >> > Last but not least, the output of the ex110808.log at the windows server:
> > >> > >> >> > 2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 - 192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 218
> > >> > >> >> > 2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 - 192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 203
>
> > >> > >> >> This doesn't appear to be any IIS log format we have support for at the moment.
>
> > >> > >> >> > Maybe you already know the problem...somehow the IP is not properly extracted. So, the attack is logged, but the host isn't denied.
> > >> > >> >> > When I directly attack the manager (ubuntu), everything is logged too (of course with another rule) and the attacker is "denied":
> > >> > >> >> > 2011 Aug 08 00:49:13 Rule Id: 31103 level: 6
> > >> > >> >> > Location: ubuntu->/var/log/apache2/access.log
> > >> > >> >> > Src IP: 192.168.0.21
>
> > >> > >> >> > Thanks for any help!
> > >> > >> >> > SQL injection attempt.
>
> > >> > >> >> Write a decoder to grab the IP. I don't think it should be too difficul
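As an added example (not code from this thread and not OSSEC's own code), the following Python script models how the "more detailed" web-accesslog-iis7 decoder at the top of the thread walks the sample line: the windows-date-format parent strips the timestamp, the prematch with offset="after_parent" consumes the server IP and method, and the field regex with offset="after_prematch" fills url, dstport, srcip, extra_data and id in <order> sequence. The translation of OSSEC regex syntax to Python, the parent decoder's prematch pattern, and the second, benign log line are my assumptions; the attack line is the one Hermes posted. Running it offline shows that srcip is the client address (c-ip, 172.16.1.21) and not the server's own address (s-ip, 172.16.1.69), which is the check that matters before an active response is allowed to act on the decoded field.

```python
import re

# Decoder from the thread, kept in OSSEC regex syntax so the translation
# below can be compared against the original <prematch>/<regex> text.
OSSEC_PREMATCH = r"^\d+.\d+.\d+.\d+ \S+ "
OSSEC_REGEX = r"^(/\S* \S+) (\d+) \S+ (\d+.\d+.\d+.\d+) (\.*) (\d+)"
ORDER = ["url", "dstport", "srcip", "extra_data", "id"]

# Assumption: the parent decoder "windows-date-format" matches a leading
# "YYYY-MM-DD HH:MM:SS " timestamp; modelled here as a plain Python regex.
PARENT_PREMATCH = re.compile(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d ")

# Attack line as posted in the thread (logtest input, 172.16.x.x variant).
ATTACK_LINE = ("2011-08-08 11:49:54 172.16.1.69 GET /+union+select+'+where - 80 - "
               "172.16.1.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/"
               "20100101+Firefox/5.0 404 0 2 187")
# Constructed benign line in the same W3C layout (not from the thread).
BENIGN_LINE = "2011-08-08 11:50:01 172.16.1.69 GET /index.html - 80 - 10.0.0.5 Mozilla/5.0 200 0 0 15"


def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax this decoder uses.

    Two things differ from Python: in OSSEC '\\.' means "any character" and an
    unescaped '.' is a literal dot. A quantified '\\.' stops at the first point
    where the rest of the pattern matches (the thread's logtest output shows
    extra_data ending before ' 404'), which is Python's non-greedy quantifier.
    \\d and \\S behave the same; other OSSEC tokens are passed through unchanged
    (assumption: the decoder does not rely on them).
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            i += 2
            if nxt == ".":
                if i < len(pattern) and pattern[i] in "*+":
                    out.append("." + pattern[i] + "?")   # lazy wildcard
                    i += 1
                else:
                    out.append(".")
            else:
                out.append(ch + nxt)                     # \d, \S, ... unchanged
        elif ch == ".":
            out.append(r"\.")                            # literal dot
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


PREMATCH = re.compile(ossec_to_python(OSSEC_PREMATCH))
REGEX = re.compile(ossec_to_python(OSSEC_REGEX))


def decode_iis7(line):
    """Return the fields the decoder would extract, or None if it does not apply."""
    m = PARENT_PREMATCH.match(line)
    if not m:
        return None                       # parent decoder did not match
    rest = line[m.end():]                 # offset="after_parent"
    m = PREMATCH.match(rest)
    if not m:
        return None                       # prematch failed: not this log layout
    rest = rest[m.end():]                 # offset="after_prematch"
    m = REGEX.match(rest)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))   # <order> names the capture groups


if __name__ == "__main__":
    for sample in (ATTACK_LINE, BENIGN_LINE):
        print(decode_iis7(sample))
```

The decisive assertion for the original problem is that `srcip` equals the client address from the c-ip column and never the server's own s-ip; if a decoder change ever shifts the capture groups so that the server address lands in `srcip`, an active response would firewall the IIS host itself, so this is worth re-running whenever the W3C field selection on the server changes.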
