Hi all and Merry Christmas/Happy Holidays, I have a general question based on the below thread.

In the element <prematch>, it's a mix of regexp and strings. I don't claim to be a regexp expert by any means, but I thought that the brackets, [ and ], had to be escaped when used as values in an XML file. Does it not matter for this xml file for OSSEC? Or is this actually handled through an XSL or some other language? If there is a reference for OSSEC that someone can point me to about this, I am happy to dig it out myself.

Thanks,
DW

From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Sunday, December 25, 2011 3:10 PM
To: [email protected]
Subject: Re: [ossec-list] Need help writing new child decoder similar to an included decoder.

I don't think you'll have any luck without modifying the decoder.xml directly. If this is a normal log we can probably include a decoder in the default decoder.xml.

On Thu, Dec 22, 2011 at 11:49 PM, Alan Frisch <[email protected]> wrote:

I am trying to design an additional child decoder in local_decoder.xml for an Asterisk log entry not covered by the built-in Asterisk decoder. This is the log line I am trying to parse:

Dec 22 00:07:55 local1 asterisk[21792]: NOTICE[30573]: chan_iax2.c:7711 in register_verify: Host 11.22.33.44 denied access to register peer 'testaccount'

I added the following to my existing local_decoders.xml:

<decoder name="asterisk-iax-peer-fail">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) denied access to register peer (\S+)</regex>
  <order>srcip, user</order>
</decoder>

Now the problem is that in ossec-logtest it never gets caught due to a similar Asterisk child decoder that comes with the default decoder.xml. This is the existing one that catches it:

<decoder name="asterisk-iax-authentication-denied">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
  <order>srcip, user</order>
</decoder>

....which works on log entries similar to this one:

Dec 22 04:19:30 local1 asterisk[21792]: NOTICE[30576]: chan_iax2.c:7764 in register_verify: Host 99.228.252.229 failed MD5 authentication for 'testaccount' (e434414ccd1b7e40b04454e4baf338b6 != e9e03ea09899fbbe4c6b871424c1a176)

I am quite new to writing decoders/rules, so I am not quite sure how to get OSSEC to differentiate between the two. Any help is greatly appreciated!

AF.
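An added example, not OSSEC's code and not posted by anyone in this thread, that exercises both questions: it runs the two child decoders above through a standard XML parser, which shows that [ and ] need no escaping in element text, and then applies each decoder's prematch and regex to the message part of both log lines, so that both prematches hit both lines and only the regex tells them apart. It assumes the message part of the line is what a child of the asterisk decoder sees, and translates OSSEC's regex dialect into Python with a simplified mapping of my own, not OSSEC's matcher.

```python
import re
import xml.etree.ElementTree as ET
# Constructed copy of the two child decoders from the thread. To the XML parser
# the [ and ] in <prematch> are plain text; only < and & (and > in ]]>) need escaping.
DECODERS_XML = r"""<decoders>
<decoder name="asterisk-iax-authentication-denied">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
  <order>srcip, user</order>
</decoder>
<decoder name="asterisk-iax-peer-fail">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) denied access to register peer (\S+)</regex>
  <order>srcip, user</order>
</decoder>
</decoders>"""

# Message part of the two log lines from the thread (assumed to be what a child decoder sees).
DENIED = "NOTICE[30573]: chan_iax2.c:7711 in register_verify: Host 11.22.33.44 denied access to register peer 'testaccount'"
FAILED = "NOTICE[30576]: chan_iax2.c:7764 in register_verify: Host 99.228.252.229 failed MD5 authentication for 'testaccount' (e434414ccd1b7e40b04454e4baf338b6 != e9e03ea09899fbbe4c6b871424c1a176)"
CLASSES = {"d": r"\d", "D": r"\D", "s": r"\s", "S": r"\S", "w": r"\w", "W": r"\W", "t": r"\t"}

def ossec_to_python(pattern):
    # Simplified mapping (assumption): backslash classes keep their meaning, ^ $ ( ) | + * .
    # stay metacharacters, and every other character, [ and ] included, is matched literally.
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in "^$()|+*." else re.escape(pattern[i]))
            i += 1
    return "".join(out)

def match_table(message, decoders_xml=DECODERS_XML):
    # For each child decoder: did <prematch> hit, and which fields did <regex> extract?
    table = {}
    for dec in ET.fromstring(decoders_xml).iter("decoder"):
        pre = re.search(ossec_to_python(dec.findtext("prematch")), message)
        fields = None
        if pre:
            rx = re.search(ossec_to_python(dec.findtext("regex")), message[pre.end():])  # offset="after_prematch"
            if rx:
                names = [n.strip() for n in dec.findtext("order").split(",")]
                fields = dict(zip(names, rx.groups()))
        table[dec.get("name")] = (pre is not None, fields)
    return table
```

Because the prematch of both decoders is identical, whichever child OSSEC consults first claims the line; the table makes that collision visible before touching decoder.xml.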
