Hi all,
I have configured this decoder:
<decoder name="custom-decoder">
<prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
</decoder>
<decoder name="custom-decoder-action">
<parent>custom-decoder</parent>
<type>firewall</type>
<prematch offset="after_parent">^RT_FLOW_SESSION_CLOSE: </prematch>
<regex offset="after_prematch">session closed (\w+): (\d+.\d+.\d+.\d+)/\d+->(\d+.\d+.\d+.\d+)/(\d+) (\S+)</regex>
<order>action,srcip,dstip,dstport,extra_data</order>
</decoder>
.. and this rule for alerts decoded with my decoder:
<group name="custfw,">
<rule id="100200" level="0">
<decoded_as>custom-decoder</decoded_as>
</rule>
<rule id="100201" level="14">
<if_sid>100200</if_sid>
<action>unset</action>
<group>custfw_accept,</group>
</rule>
</group>
.. but when I try logtest:
[root@ossecsrv tmp]# /data/ossec/slave/bin/ossec-logtest
2012/03/15 10:50:18 ossec-testrule: INFO: Reading local decoder file.
2012/03/15 10:50:20 ossec-testrule: INFO: Started (pid: 20714).
ossec-testrule: Type one log per line.
Mar 15 10:45:45 172.31.0.2 Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp 22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82) 1(458) 60
**Phase 1: Completed pre-decoding.
full event: 'Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE:
session closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp
22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82)
1(458) 60'
hostname: '172.31.0.2'
program_name: '(null)'
log: 'Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session
closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp
22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82)
1(458) 60'
**Phase 2: Completed decoding.
decoder: 'custom-decoder'
action: 'unset'
srcip: '10.196.0.8'
dstip: '22.1.2.3'
dstport: '53'
extra_data: 'dns-udp'
.. It doesn't work. I have defined action "unset" as an alert, so
why is the alert not triggered??
Thanks.
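As an added illustration (not the poster's configuration and not OSSEC's own code), the script below emulates the decoder chain and the two rules from the post on the log line shown in the logtest output. It assumes Python's re module is a close enough stand-in for OSSEC's regex dialect for these particular patterns, and it models only the parts of the pipeline the post shows: parent prematch, child prematch with offset="after_parent", the field regex with offset="after_prematch", the order mapping, and the if_sid/action chain of rules 100200 and 100201. The sample log is the `log:` string from the Phase 1 output, i.e. after the pre-decoder has already stripped the syslog header and hostname.

```python
import re

# Constructed sample: the RT_FLOW session-close line exactly as logtest
# printed it in its "log:" field (syslog header and hostname already removed).
SAMPLE_LOG = (
    "Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: "
    "10.196.0.8/58378->22.1.2.3/53 dns-udp 22.1.3.4/34622->22.1.2.3/53 r1 "
    "None 17 DNS trust untrust 6552 1(82) 1(458) 60"
)

# Decoder definitions transcribed from the post. OSSEC's regex engine is not
# PCRE; these are the Python-re equivalents (assumption). The post's pattern
# writes the dotted-quad separators as a bare ".", which matches any character;
# here they are escaped as "\." so that only a literal dot is accepted.
PARENT_PREMATCH = re.compile(r"^\w+ \d+ \d+:\d+:\d+ RT_FLOW: ")
CHILD_PREMATCH = re.compile(r"^RT_FLOW_SESSION_CLOSE: ")
CHILD_REGEX = re.compile(
    r"session closed (\w+): "
    r"(\d+\.\d+\.\d+\.\d+)/\d+->(\d+\.\d+\.\d+\.\d+)/(\d+) (\S+)"
)
# <order> from the post: which capture group lands in which field.
ORDER = ["action", "srcip", "dstip", "dstport", "extra_data"]


def decode(log):
    """Emulate custom-decoder / custom-decoder-action.

    Returns (decoder_name, fields). decoder_name is the parent decoder's name,
    matching what logtest prints, or None when the parent prematch fails.
    """
    parent = PARENT_PREMATCH.match(log)
    if not parent:
        return None, {}
    # offset="after_parent": the child prematch starts where the parent ended.
    rest = log[parent.end():]
    child = CHILD_PREMATCH.match(rest)
    if not child:
        return "custom-decoder", {}
    # offset="after_prematch": the field regex starts after the child prematch.
    rest = rest[child.end():]
    fields = CHILD_REGEX.search(rest)
    if not fields:
        return "custom-decoder", {}
    return "custom-decoder", dict(zip(ORDER, fields.groups()))


def evaluate_rules(decoder_name, fields):
    """Emulate rules 100200 (decoded_as) and 100201 (if_sid + action).

    Returns (rule_id, level) of the most specific matching rule, or (None, 0)
    when no rule applies. Rule 100200 is level 0 and only serves as a parent.
    """
    if decoder_name != "custom-decoder":
        return None, 0
    if fields.get("action") == "unset":
        return 100201, 14
    return 100200, 0


if __name__ == "__main__":
    name, extracted = decode(SAMPLE_LOG)
    print("decoder:", name)
    for key, value in extracted.items():
        print(f"  {key}: {value!r}")
    print("rule:", evaluate_rules(name, extracted))
```

Run as-is, the script reproduces the five fields that logtest reported in Phase 2 and reports that rule 100201 would apply to them at level 14. It models only what the post shows about decoders and rules; it does not model how ossec-logtest locates or loads rule files, so it says what the configured rules would do with the decoded fields, not why a given logtest run stops after Phase 2.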