Hi!
Here is the new decoder! This log file record is a little bit different,
that's why it didn't work. But with my new decoder, it works well with both
records! ;)
I'll write you a quick & basic OSSEC decoder tutorial! If something isn't
correct, I hope ddp will correct me!
First we have to give a name to our decoder, and it has to be between the
decoder tags: <decoder name="custom_checkpoint"> </decoder>. So those are the
1st and 5th rows.
It is a good idea to use prematch and regex offset="after_prematch" (2nd and
3rd rows), which do the following: OSSEC examines the log to see if it
contains the value in the prematch tag (2nd row). If, and only if, it contains
it, then the regex (3rd row) will "run".
If we want to decode and log data like the source IP (srcip), then we have to
put it in parentheses (3rd row).
The <order></order> tags (4th row) tell OSSEC the sequence of the decoded
data: which data is the source IP, which is the protocol, etc.
OK, now some regex!
Here you can learn the syntax of regex in OSSEC:
http://www.ossec.net/wiki/Know_How:Regex_Readme
Examples: \w -> A-Z, a-z, 0-9 characters.
\s -> For spaces " "
\S -> For anything not \s
+ -> To match one or more times (eg \w+ or \d+).
And after all that writing, here is my decoder! :) The difference is that I
use \S+ instead of \w+, because the dstip contains dots.
<decoder name="custom_checkpoint">
  <prematch>"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"</prematch>
  <regex offset="after_prematch">"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\S+)" "(\w+)"</regex>
  <order>action, srcport, srcip, dstip, protocol</order>
</decoder>
"13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1" "Log" "Accept" "http" "3336" "wrk01" "192.168.209.167" "tcp" "53" "" "53-Standard" "" "service_id: http" "VPN-1 Power/UTM" "" ""
**Phase 2: Completed decoding.
decoder: 'custom_checkpoint'
action: 'Accept'
srcport: '3336'
srcip: 'wrk01'
dstip: '192.168.209.167'
proto: 'tcp'
"20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept" "domain-udp" "61347" "srv01" "srvdns" "udp" "82" "" "82-Standard" "" "inzone: Internal; outzone: Internal; service_id: domain-udp" "VPN-1 Power/UTM" "" ""
**Phase 2: Completed decoding.
decoder: 'custom_checkpoint'
action: 'Accept'
srcport: '61347'
srcip: 'srv01'
dstip: 'srvdns'
proto: 'udp'
Best regards
woodspeed
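The prematch/regex/order mechanics described in the post, as an added example that is not part of woodspeed's message and not OSSEC's own code: a small Python emulation that translates the OSSEC regex classes quoted above (\w, \d, \s, \S, +, parentheses) into Python regular expressions, applies the prematch as a gate, runs the regex only on the text after the prematch, and maps the captured groups onto the <order> fields. It is run over the two Check Point records from the post plus one constructed record from a different device to show the prematch rejecting it. Assumptions: OSSEC's real engine has no backtracking and more classes than listed here, so this is an approximation of the semantics, not a port of os_regex; the behaviour when prematch hits but the regex does not (decoder name only, no fields) is a simplification.

```python
import re

# Character classes as listed in the OSSEC regex readme excerpt quoted in the
# post. This maps them onto Python re syntax; it is an approximation of OSSEC's
# engine written for this example, not OSSEC code.
OSSEC_CLASSES = {
    "w": "[A-Za-z0-9]",    # \w -> A-Z, a-z, 0-9 characters
    "d": "[0-9]",          # \d -> digits
    "s": " ",              # \s -> a space
    "S": "[^ ]",           # \S -> anything that is not a space
    "W": "[^A-Za-z0-9]",   # \W -> anything not \w
    "D": "[^0-9]",         # \D -> anything not \d
    "t": "\t",             # \t -> a tab
    ".": ".",              # \. -> any character (a bare '.' is a literal dot)
}


def ossec_to_python(pattern):
    """Translate an OSSEC-style regex string into a Python regex string."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        # Grouping, repetition, anchors and alternation keep their meaning;
        # everything else (including '.') is a literal in OSSEC syntax.
        out.append(c if c in "()+*|^$" else re.escape(c))
        i += 1
    return "".join(out)


class Decoder:
    """One <decoder> block: prematch gate, regex, and the <order> field list."""

    def __init__(self, name, prematch, regex, order, offset="after_prematch"):
        self.name = name
        self.prematch = re.compile(ossec_to_python(prematch))
        self.regex = re.compile(ossec_to_python(regex))
        self.order = [f.strip() for f in order.split(",")]
        self.offset = offset

    def decode(self, line):
        pm = self.prematch.search(line)
        if pm is None:
            return None  # prematch failed: the regex is never run
        # offset="after_prematch": the regex only sees the text after the prematch
        rest = line[pm.end():] if self.offset == "after_prematch" else line
        m = self.regex.search(rest)
        fields = {"decoder": self.name}
        if m is not None:
            # Nth capture group -> Nth name in <order>
            fields.update(zip(self.order, m.groups()))
        return fields  # simplification: prematch hit but no regex match -> name only


# The decoder from the post, patterns copied verbatim.
CHECKPOINT = Decoder(
    name="custom_checkpoint",
    prematch=r'"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)" "CHCKPNT1"',
    regex=r'"\w+" "(\w+)" "\S+" "(\d+)" "(\S+)" "(\S+)" "(\w+)"',
    order="action, srcport, srcip, dstip, protocol",
)

# The first two records are the ones from the post; the third is constructed
# here (a record tagged with a different device name) to show the prematch gate.
SAMPLE_LINES = [
    '"13" "26Feb2012" "23:58:59" "bond0.405" "CHCKPNT1" "Log" "Accept" "http" '
    '"3336" "wrk01" "192.168.209.167" "tcp" "53" "" "53-Standard" "" '
    '"service_id: http" "VPN-1 Power/UTM" "" ""',
    '"20" "26Feb2012" "23:58:59" "bond0.30" "CHCKPNT1" "Log" "Accept" "domain-udp" '
    '"61347" "srv01" "srvdns" "udp" "82" "" "82-Standard" "" '
    '"inzone: Internal; outzone: Internal; service_id: domain-udp" '
    '"VPN-1 Power/UTM" "" ""',
    '"21" "26Feb2012" "23:59:01" "bond0.30" "OTHERFW1" "Log" "Drop" "ssh" '
    '"40022" "wrk02" "10.0.0.5" "tcp" "22" ""',
]


def decode_samples():
    """Run the decoder over the sample records; None means prematch rejected it."""
    return [CHECKPOINT.decode(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, decode_samples()):
        print(line[:48] + "...")
        print("  ->", result)
```

Because \S+ is "anything that is not a space", it happily swallows the dots in 192.168.209.167 and the hyphen in domain-udp, which is why those positions cannot use \w+; note also that neither pattern is anchored, so a record whose quoted fields shift by one position can still produce a prematch hit with the wrong values landing in srcip/dstip, which is worth checking with ossec-logtest before relying on the fields in rules.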