On Wed, Feb 29, 2012 at 4:52 PM, Viktor Gazdag <[email protected]> wrote:
> Hi!
>
> I quickly made this decoder; below it you can see the ossec-logtest
> output. The interface is not there, I know. :/
> I hope it is good for you or helps in some way! :) If you have any questions,
> feel free to ask!
>
> <decoder name="custom_checkpoint">
>  <prematch>"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"</prematch>
> <regex offset="after_prematch">"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\w+)" "(\w+)"</regex>
> <order>action, srcport, srcip, dstip, protocol</order>
> </decoder>
>
>
> **Phase 2: Completed decoding.
>        decoder: 'custom_checkpoint'
>        action: 'Accept'
>        srcport: '61347'
>        srcip: 'srv01'
>        dstip: 'srvdns'
>        proto: 'udp'
>
> Best regards
> woodspeed
>
>

Many thanks Viktor ... but it works with some logs and not with others.
For example:

a) works

**Phase 1: Completed pre-decoding.
       full event: '"14" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1"
"Log" "Accept" "domain-udp" "49505" "mysrv01" "srvdns01" "udp" "82" ""
"82-Standard" "" "inzone: Internal; outzone: Internal; service_id:
domain-udp" "VPN-1 Power/UTM" "" ""^M'
       hostname: 'cosclunode02'
       program_name: '(null)'
       log: '"14" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log"
"Accept" "domain-udp" "49505" "mysrv01" "srvdns01" "udp" "82" ""
"82-Standard" "" "inzone: Internal; outzone: Internal; service_id:
domain-udp" "VPN-1 Power/UTM" "" ""^M'

**Phase 2: Completed decoding.
       decoder: 'custom-checkpoint-fw'
       action: 'Accept'
       srcport: '49505'
       srcip: 'mysrv01'
       dstip: 'srvdns01'
       proto: 'udp'


b) here it doesn't work:

**Phase 1: Completed pre-decoding.
       full event: '"13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1"
"Log" "Accept" "http" "3336" "wrk01" "192.168.209.167" "tcp" "53" ""
"53-Standard" "" "service_id: http" "VPN-1 Power/UTM" "" ""^M'
       hostname: 'cosclunode02'
       program_name: '(null)'
       log: '"13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1" "Log"
"Accept" "http" "3336" "wrk01" "192.168.209.167" "tcp" "53" ""
"53-Standard" "" "service_id: http" "VPN-1 Power/UTM" "" ""^M'

**Phase 2: Completed decoding.
       decoder: 'custom-checkpoint-fw'

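The difference between the two cases is the fifth captured field. In the OSSEC regex syntax, \w covers A-Z, a-z, 0-9, '-', '@' and '_' and nothing else, so "(\w+)" accepts the hostname srvdns01 but not the dotted address 192.168.209.167 (the dot is not in the class), and the whole <regex> fails; ossec-logtest then prints only the decoder name, exactly the Phase 2 output in case b). Capturing dstip with "(\S+)", as srcip already is, matches both forms. The script below is an added example written for this page, not code from the thread or from OSSEC: it translates the posted decoder's patterns into Python regexes using the OSSEC class definitions above (an approximation of OSSEC's own matcher, adequate for these patterns), runs the posted decoder and the suggested fix over the two log lines quoted in the thread, and reproduces the failure and the repair. The fixed regex is this example's suggestion, not something the thread confirms.

```python
import re

# OSSEC os_regex escape classes translated to Python re syntax. The class
# contents follow the OSSEC regex syntax documentation: note that OSSEC's \w
# also includes '-' and '@', which is why "53-Standard" matches \w+ while a
# dotted IP such as 192.168.209.167 does not ('.' is not in the class).
OSSEC_CLASSES = {
    r"\w": r"[A-Za-z0-9_@-]",
    r"\W": r"[^A-Za-z0-9_@-]",
    r"\d": r"[0-9]",
    r"\D": r"[^0-9]",
    r"\s": r" ",
    r"\S": r"[^ ]",
    r"\t": r"\t",
    r"\p": r"[()*+,\-.:;<=>?\[\]]",
    r"\.": r".",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex.

    Approximation for illustration: escape classes, capture groups, the
    quantifiers + and *, alternation and anchors are carried over; every
    other character is matched literally. OSSEC's matcher is a custom
    engine, so this is close enough for these decoders, not a reimplementation.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            esc = pattern[i:i + 2]
            # Unknown escapes (e.g. \$) stand for the literal character.
            out.append(OSSEC_CLASSES.get(esc, re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(ch if ch in "()+*|^$" else re.escape(ch))
        i += 1
    return "".join(out)


def decode(decoder, log):
    """Emulate ossec-logtest Phase 2 for a one-level decoder.

    Returns (decoder_name, fields):
      (None, None)   - prematch did not hit, the decoder is not selected
      (name, None)   - prematch hit but <regex> failed: ossec-logtest then
                       prints only the decoder name, as in case b) above
      (name, {...})  - <regex> groups mapped onto the <order> field names
    """
    pre = re.search(ossec_to_python(decoder["prematch"]), log)
    if pre is None:
        return None, None
    # offset="after_prematch": the regex is applied to the remainder only.
    rest = log[pre.end():]
    m = re.search(ossec_to_python(decoder["regex"]), rest)
    if m is None:
        return decoder["name"], None
    return decoder["name"], dict(zip(decoder["order"], m.groups()))


# The decoder from the thread, as posted.
ORIGINAL_DECODER = {
    "name": "custom_checkpoint",
    "prematch": r'"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"',
    "regex": r'"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\w+)" "(\w+)"',
    "order": ["action", "srcport", "srcip", "dstip", "protocol"],
}

# Suggested fix (this example's assumption, not from the thread): capture
# dstip with \S+ as srcip already is, so hostnames and dotted IPs both match.
FIXED_DECODER = dict(
    ORIGINAL_DECODER,
    regex=r'"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\S+)" "(\w+)"',
)

# The two log lines quoted in the thread (trailing CR dropped).
LOG_A = ('"14" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept" '
         '"domain-udp" "49505" "mysrv01" "srvdns01" "udp" "82" "" "82-Standard" '
         '"" "inzone: Internal; outzone: Internal; service_id: domain-udp" '
         '"VPN-1 Power/UTM" "" ""')
LOG_B = ('"13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1" "Log" "Accept" '
         '"http" "3336" "wrk01" "192.168.209.167" "tcp" "53" "" "53-Standard" '
         '"" "service_id: http" "VPN-1 Power/UTM" "" ""')

if __name__ == "__main__":
    for label, dec in (("original", ORIGINAL_DECODER), ("fixed", FIXED_DECODER)):
        for case, log in (("a", LOG_A), ("b", LOG_B)):
            print(label, case, decode(dec, log))
```

Running it shows the original decoder returning ('custom_checkpoint', None) for log b) and the fixed one returning all five fields for both lines. The same change made in the real decoder file can be confirmed with ossec-logtest on the two lines above; ossec-logtest labels the last field 'proto' even though <order> names it 'protocol'.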