http://www.ossec.net/doc/syntax/regex.html

We do things a little bit differently.

On Sun, Dec 25, 2011 at 4:18 PM, Dave Werden <[email protected]> wrote:
> Hi all and Merry Christmas/Happy Holidays,
>
> I have a general question based on the below thread.
>
> In the element <prematch>, it’s a mix of regexp and strings. I don’t claim
> to be a regexp expert by any means, but I thought that the brackets , [ and
> ], had to be escaped when used as values in an XML file. Does it not matter
> for this xml file for OSSEC? Or is this actually handled through an XSL or
> some other language? If there is a reference for OSSEC that someone can’t
> point me to about this, I am happy to dig it out myself.
>
> Thanks,
>
> DW
>
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Sunday, December 25, 2011 3:10 PM
> To: [email protected]
> Subject: Re: [ossec-list] Need help writing new child decoder similar to an
> included decoder.
>
> I don't think you'll have any luck without modifying the decoder.xml
> directly. If this is a normal log we can probably include a decoder in the
> default decoder.xml.
>
> On Thu, Dec 22, 2011 at 11:49 PM, Alan Frisch <[email protected]> wrote:
>
> I am trying to design an additional child decoder in local_decoder.xml for
> an Asterisk log entry not covered by the built-in Asterisk Decoder:
>
> This is the log line I am trying to parse:
>
> Dec 22 00:07:55 local1 asterisk[21792]: NOTICE[30573]: chan_iax2.c:7711 in register_verify: Host 11.22.33.44 denied access to register peer 'testaccount'
>
> I added the following to my existing local_decoders.xml:
>
> <decoder name="asterisk-iax-peer-fail">
>   <parent>asterisk</parent>
>   <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
>   <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) denied access to register peer (\S+)</regex>
>   <order>srcip, user</order>
> </decoder>
>
> Now the problem is that in ossec-logtest it never gets caught, due to a
> similar Asterisk child decoder that comes with the default decoder.xml. This
> is the existing one that catches it:
>
> <decoder name="asterisk-iax-authentication-denied">
>   <parent>asterisk</parent>
>   <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
>   <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
>   <order>srcip, user</order>
> </decoder>
>
> ....which works on log entries similar to this one:
>
> Dec 22 04:19:30 local1 asterisk[21792]: NOTICE[30576]: chan_iax2.c:7764 in register_verify: Host 99.228.252.229 failed MD5 authentication for 'testaccount' (e434414ccd1b7e40b04454e4baf338b6 != e9e03ea09899fbbe4c6b871424c1a176)
>
> I am quite new to writing decoders/rules, so I am not quite sure how to get
> OSSEC to differentiate between the two.  Any help is greatly appreciated!
>
> AF.
>

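Added example, written for this page and not taken from the thread or from OSSEC itself: a small Python dry-run harness for the two decoders above. It does two things. First, it translates the OSSEC pattern subset used here into Python `re` syntax on the assumption, taken from the regex.html page dan links, that `.`, `[` and `]` are literal in OSSEC, `\.` means "any character", and `\d`, `\s`, `\S`, `\w`, `\W`, `\D`, `\t`, `\p` are the character classes (the translation table is this example's approximation, not OSSEC's engine, and its `\s`/`\w` mappings are assumptions). Second, it models child-decoder selection as "first child whose prematch matches wins, and only that child's regex is tried", which is an assumed model that reproduces the symptom Alan reports; whether a given OSSEC version falls through to the next sibling is not something this page establishes. The parent `asterisk` decoder is assumed to match on program name, so the children see the text after `asterisk[21792]: `, and the shipped decoder.xml is assumed to load before local_decoder.xml. `NARROWED` is a hypothetical rewrite of the shipped decoder used only to show, in the model, that changing the shipped prematch is what unblocks the local child.

```python
import re

# OSSEC "regex" syntax (see the regex.html page linked above) differs from PCRE:
# '.', '[' and ']' are literal, '\.' means "any character", and the classes are
# \d \s \S \w \W \D \t \p. This table is the example's own approximation for
# dry-running decoders offline; it is not OSSEC's engine.
CLASS_MAP = {
    'd': r'\d', 'D': r'\D',
    's': r' ', 'S': r'[^ ]',                    # assumed: OSSEC \s is the space char
    'w': r'[A-Za-z0-9]', 'W': r'[^A-Za-z0-9]',  # per the doc's wording for \w
    't': r'\t',
    'p': r'[()*+,\-.:;<=>?\[\]]',               # the \p punctuation set
    '.': r'.',                                  # OSSEC \. = anything
}
PASSTHROUGH = set('^$|()+*?')                   # operators with the same meaning

def ossec_to_python(pattern):
    """Translate an OSSEC decoder pattern into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            out.append(CLASS_MAP.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in PASSTHROUGH else re.escape(c))
            i += 1
    return ''.join(out)

def run_decoder(decoder, message):
    """Apply one child decoder's prematch, then its regex (honouring
    offset="after_prematch"). Returns the <order> fields, or None."""
    pre = re.search(ossec_to_python(decoder['prematch']), message)
    if not pre:
        return None
    start = pre.end() if decoder.get('offset') == 'after_prematch' else 0
    m = re.search(ossec_to_python(decoder['regex']), message[start:])
    return dict(zip(decoder['order'], m.groups())) if m else None

def pick_child(children, message):
    """Assumed selection model: the first child whose prematch matches is
    chosen and only its regex is tried. Returns (decoder name, fields)."""
    for d in children:
        if re.search(ossec_to_python(d['prematch']), message):
            return d['name'], run_decoder(d, message)
    return None, None

# The two child decoders from the thread, shipped one first (assumed load order).
SHIPPED = {
    'name': 'asterisk-iax-authentication-denied',
    'prematch': r'^NOTICE[\d+]: \S+ in \S+: Host ',
    'regex': r'^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)',
    'offset': 'after_prematch', 'order': ['srcip', 'user'],
}
LOCAL = {
    'name': 'asterisk-iax-peer-fail',
    'prematch': r'^NOTICE[\d+]: \S+ in \S+: Host ',
    'regex': r'^(\d+.\d+.\d+.\d+) denied access to register peer (\S+)',
    'offset': 'after_prematch', 'order': ['srcip', 'user'],
}
# Hypothetical rewrite of the shipped decoder: prematch carries the distinguishing
# phrase, regex runs from the start of the message (no offset).
NARROWED = dict(
    SHIPPED, offset=None,
    prematch=r'failed MD5 authentication for ',
    regex=r'^NOTICE[\d+]: \S+ in \S+: Host (\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)',
)

# Message bodies taken from the two log lines in the thread, with the syslog
# header and program name stripped as the parent decoder is assumed to leave them.
DENIED = ("NOTICE[30573]: chan_iax2.c:7711 in register_verify: Host 11.22.33.44 "
          "denied access to register peer 'testaccount'")
MD5 = ("NOTICE[30576]: chan_iax2.c:7764 in register_verify: Host 99.228.252.229 "
       "failed MD5 authentication for 'testaccount' "
       "(e434414ccd1b7e40b04454e4baf338b6 != e9e03ea09899fbbe4c6b871424c1a176)")

def simulate():
    """Selection results as shipped, and again with the shipped prematch narrowed."""
    return {
        'shipped_first_denied': pick_child([SHIPPED, LOCAL], DENIED),
        'shipped_first_md5': pick_child([SHIPPED, LOCAL], MD5),
        'narrowed_denied': pick_child([NARROWED, LOCAL], DENIED),
        'narrowed_md5': pick_child([NARROWED, LOCAL], MD5),
    }

if __name__ == '__main__':
    for name, result in simulate().items():
        print(name, '->', result)
```

Two things worth noticing when running it. With the shipped decoder first, the "denied access" line is claimed by `asterisk-iax-authentication-denied` and its regex then fails, so the local child is never reached, which is the behaviour Alan sees in ossec-logtest and matches dan's remark that decoder.xml itself has to change. And because both decoders capture the user with `(\S+)`, the extracted `user` field is `'testaccount'` including the single quotes from the Asterisk message; anything keyed on that field (rules, active response, reporting) has to expect the quotes or the regex has to exclude them.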