Hi!

I quickly made this decoder, and after it you can see the ossec-logtest
output! The interface is not there, I know. :/
I hope it is good for you or helps with something! :) If you have any questions,
feel free to ask!

<decoder name="custom_checkpoint">
  <prematch>"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"</prematch>
  <regex offset="after_prematch">"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\w+)" "(\w+)"</regex>
  <order>action, srcport, srcip, dstip, protocol</order>
</decoder>


**Phase 2: Completed decoding.
       decoder: 'custom_checkpoint'
       action: 'Accept'
       srcport: '61347'
       srcip: 'srv01'
       dstip: 'srvdns'
       proto: 'udp'

Best regards
woodspeed


On 29 February 2012 at 15:34, C. L. Martinez <[email protected]> wrote:

> On Wed, Feb 29, 2012 at 12:40 PM, C. L. Martinez <[email protected]>
> wrote:
> >>>>  I am trying to write this decoder, without luck. My sample log:
> >>>>
> >>>> "Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service"
> >>>> "Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name"
> >>>> "Current Rule Number" "User" "Information" "Product" "Source Machine
> >>>> Name" "Source User Name"
> >>>>  "2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https"
> >>>> "1638" "192.168.55.23" "10.45.23.11" "tcp" "52" "WK01" "52-Standard"
> >>>> "" "service_id: https" "VPN-1 Power/UTM" "" ""
> >>>>
> >>>> My first try:
> >>>>
> >>>> <decoder name="custom-checkpoint">
> >>>>  <program_name>^CHCKPNT1</program_name>
> >>>
> >>> Is that what ossec-logtest says the program_name is?
> >>>
> >>
> >> Nope, another mistake of mine. ... program_name doesn't exist in my
> >> logs. I need to filter by firewall name, CHKPNT1, and after that by
> >> action, port, srcip, dstip ....
> >
> > Ok, now it seems pre-decoder works:
> >
> > <decoder name="custom-checkpoint">
> >  <prematch>^"\d" "\w+" "(\d\d:\d\d:\d\d)" "\w+" "CHCKPNT1"</prematch>
> > </decoder>
> >
> > is it correct??
> >
> > But there is one problem, with some logs like this:
> >
> > "20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept"
> > "domain-udp" "61347" "srv01" "srvdns" "udp" "82" "" "82-Standard" ""
> > "inzone: Internal; outzone: Internal; service_id: domain-udp" "VPN-1
> > Power/UTM" "" ""
> >
> >  ... doesn't work ...
>
> Any help please??
>
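Both decoders in this thread can be checked offline. The script below is an added example, not code from either poster and not OSSEC's own regex engine (assumed here to agree with Python's re for the \d, \w, \S, + and ^ constructs these patterns use); it mirrors the prematch / regex / order steps against the two sample lines quoted above. It shows the first prematch's single-digit "\d" rejecting the "20" line, and that the "(\w+)" group used for dstip does not accept a dotted IP address such as the one in the "2" line, so a "\S+" variant is included for comparison.

```python
import re

# Constructed test input, shaped like the two Check Point lines quoted in this thread.
LINE_2 = ('"2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https" '
          '"1638" "192.168.55.23" "10.45.23.11" "tcp" "52" "WK01" "52-Standard" '
          '"" "service_id: https" "VPN-1 Power/UTM" "" ""')
LINE_20 = ('"20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept" '
           '"domain-udp" "61347" "srv01" "srvdns" "udp" "82" "" "82-Standard" "" '
           '"inzone: Internal; outzone: Internal; service_id: domain-udp" '
           '"VPN-1 Power/UTM" "" ""')

# Prematch patterns from the thread: the first attempt, then woodspeed's version.
PREMATCH_FIRST = r'^"\d" "\w+" "(\d\d:\d\d:\d\d)" "\w+" "CHCKPNT1"'
PREMATCH_FINAL = r'"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"'
# Field regex from woodspeed's decoder, and a variant (my addition) whose dstip
# group also accepts dotted hostnames and IP addresses.
FIELDS_W = r'"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\w+)" "(\w+)"'
FIELDS_S = r'"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\S+)" "(\w+)"'
ORDER = ("action", "srcport", "srcip", "dstip", "protocol")


def prematch_hits(pattern, line):
    """True when the <prematch> pattern matches the line at all."""
    return re.search(pattern, line) is not None


def decode(line, prematch=PREMATCH_FINAL, fields=FIELDS_W):
    """Mimic the decoder: prematch must hit, then the field regex is applied to
    the text after the prematch (offset="after_prematch") and its groups are
    mapped onto the <order> list. Returns None when either step fails."""
    pm = re.search(prematch, line)
    if pm is None:
        return None
    m = re.search(fields, line[pm.end():])
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


if __name__ == "__main__":
    for name, line in (("line 2", LINE_2), ("line 20", LINE_20)):
        print(name, "first prematch hits:", prematch_hits(PREMATCH_FIRST, line))
        print(name, "decoded with \\w dstip:", decode(line))
        print(name, "decoded with \\S dstip:", decode(line, fields=FIELDS_S))
```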
