On Saturday, March 17, 2012, dan (ddp) <[email protected]> wrote:
> Your last message said everything was working as expected. Is this a
> glitch in the Matrix or is it still not working?

It is working ... Maybe my Android device is doing something wrong.

>
> On Mar 17, 2012 7:40 AM, "C. L. Martinez" <[email protected]> wrote:
>>
>> Please, any help?
>>
>> On Thursday, March 15, 2012, C. L. Martinez <[email protected]> wrote:
>> > Hi all,
>> >
>> >  I have configured this decoder:
>> >
>> > <decoder name="custom-decoder">
>> >  <prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
>> > </decoder>
>> >
>> > <decoder name="custom-decoder-action">
>> >  <parent>custom-decoder</parent>
>> >  <type>firewall</type>
>> >  <prematch offset="after_parent">^RT_FLOW_SESSION_CLOSE: </prematch>
>> >  <regex offset="after_prematch">session closed (\w+): (\d+.\d+.\d+.\d+)/\d+->(\d+.\d+.\d+.\d+)/(\d+) (\S+)</regex>
>> >  <order>action,srcip,dstip,dstport,extra_data</order>
>> > </decoder>
>> >
>> >  .. and this rule for alerts decoded with my decoder:
>> >
>> > <group name="custfw,">
>> >  <rule id="100200" level="0">
>> >    <decoded_as>custom-decoder</decoded_as>
>> >  </rule>
>> >  <rule id="100201" level="14">
>> >    <if_sid>100200</if_sid>
>> >    <action>unset</action>
>> >    <group>custfw_accept,</group>
>> >  </rule>
>> > </group>
>> >
>> >  .. but I try logtest:
>> >
>> > [root@ossecsrv tmp]# /data/ossec/slave/bin/ossec-logtest
>> > 2012/03/15 10:50:18 ossec-testrule: INFO: Reading local decoder file.
>> > 2012/03/15 10:50:20 ossec-testrule: INFO: Started (pid: 20714).
>> > ossec-testrule: Type one log per line.
>> >
>> > Mar 15 10:45:45 172.31.0.2 Mar 15 11:45:45 RT_FLOW:
>> > RT_FLOW_SESSION_CLOSE: session closed unset:
>> > 10.196.0.8/58378->22.1.2.3/53 dns-udp 22.1.3.4/34622->22.1.2.3/53 r1
>> > None 17 DNS trust untrust 6552 1(82) 1(458) 60
>> >
>> >
>> > **Phase 1: Completed pre-decoding.
>> >       full event: 'Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE:
>> > session closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp
>> > 22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82)
>> > 1(458) 60'
>> >       hostname: '172.31.0.2'
>> >       program_name: '(null)'
>> >       log: 'Mar 15 11:45:45 RT_FLOW: RT_FLOW_SESSION_CLOSE: session
>> > closed unset: 10.196.0.8/58378->22.1.2.3/53 dns-udp
>> > 22.1.3.4/34622->22.1.2.3/53 r1 None 17 DNS trust untrust 6552 1(82)
>> > 1(458) 60'
>> >
>> > **Phase 2: Completed decoding.
>> >       decoder: 'custom-decoder'
>> >       action: 'unset'
>> >       srcip: '10.196.0.8'
>> >       dstip: '22.1.2.3'
>> >       dstport: '53'
>> >       extra_data: 'dns-udp'
>> >
>> >  .. It doesn't work. I have defined action "unset" as an alert, so
>> > why is the alert not triggered??
>> >
>> > Thanks.
>> >
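To check offline which fields the posted decoder yields from the sample line, and which of the posted rules those fields satisfy, here is an added Python re-implementation of the relevant matching steps. It is example code written for this thread, not OSSEC's own code and not the poster's; it transcribes the posted decoder and rules into dicts, translates only the OSSEC regex tokens they use (assuming an unescaped `.` matches any character, as the poster's address groups rely on), does not parse program_name in the pre-decoding step, and simplifies rule evaluation to the three conditions the posted rules use (decoded_as, if_sid, action).

```python
import re

# Constructed sample input: the line the poster fed to ossec-logtest.
SAMPLE = ("Mar 15 10:45:45 172.31.0.2 Mar 15 11:45:45 RT_FLOW: "
          "RT_FLOW_SESSION_CLOSE: session closed unset: "
          "10.196.0.8/58378->22.1.2.3/53 dns-udp 22.1.3.4/34622->22.1.2.3/53 r1 "
          "None 17 DNS trust untrust 6552 1(82) 1(458) 60")

# The posted decoders and rules, transcribed from the XML into dicts.
DECODERS = [
    {"name": "custom-decoder",
     "prematch": r"^\w+ \d+ \d+:\d+:\d+ RT_FLOW: "},
    {"name": "custom-decoder-action", "parent": "custom-decoder",
     "prematch": r"^RT_FLOW_SESSION_CLOSE: ",        # offset="after_parent"
     "regex": r"session closed (\w+): (\d+.\d+.\d+.\d+)/\d+->(\d+.\d+.\d+.\d+)/(\d+) (\S+)",  # offset="after_prematch"
     "order": ["action", "srcip", "dstip", "dstport", "extra_data"]},
]
RULES = [
    {"id": 100200, "level": 0, "decoded_as": "custom-decoder"},
    {"id": 100201, "level": 14, "if_sid": 100200, "action": "unset"},
]

# OSSEC regex tokens used by the posted decoder, mapped to Python re syntax.
# Assumption: an unescaped '.' is treated as "any character", which is what
# the posted (\d+.\d+.\d+.\d+) groups rely on; on this sample it behaves the
# same as a literal dot.
OSSEC_TOKENS = {
    r"\w": r"[A-Za-z0-9_@-]",   # OSSEC \w also covers '-' and '@'
    r"\d": r"[0-9]",
    r"\s": r" ",
    r"\S": r"[^ ]",
    r"\.": r".",
}

def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used above into Python re."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in OSSEC_TOKENS:
            out.append(OSSEC_TOKENS[tok])
            i += 2
            continue
        c = pattern[i]
        if c == "\\":
            raise ValueError("unsupported OSSEC token: " + tok)
        out.append(c if c in "^$|+*()." else re.escape(c))
        i += 1
    return "".join(out)

SYSLOG_HDR = re.compile(r"^[A-Z][a-z]{2} +\d+ \d+:\d+:\d+ (\S+) (.*)$")

def predecode(raw):
    """Phase 1: strip syslog timestamp and hostname (program_name not parsed here)."""
    m = SYSLOG_HDR.match(raw)
    if not m:
        return {"hostname": None, "log": raw}
    return {"hostname": m.group(1), "log": m.group(2)}

def decode(log):
    """Phase 2: parent prematch, then the child prematch after it, then the
    child regex after that; groups are named by <order>. Reports the parent
    decoder's name, as ossec-logtest does."""
    for parent in (d for d in DECODERS if "parent" not in d):
        pm = re.search(ossec_to_python(parent["prematch"]), log)
        if not pm:
            continue
        fields = {"decoder": parent["name"]}
        rest = log[pm.end():]                                   # after_parent
        for child in (d for d in DECODERS if d.get("parent") == parent["name"]):
            cm = re.search(ossec_to_python(child["prematch"]), rest)
            if not cm:
                continue
            rm = re.search(ossec_to_python(child["regex"]), rest[cm.end():])  # after_prematch
            if rm:
                fields.update(zip(child["order"], rm.groups()))
            break
        return fields
    return None

def evaluate(fields):
    """Phase 3, simplified: a rule fires when its <decoded_as>, <if_sid> and
    <action> conditions hold; the highest-level firing rule is the alert."""
    fired = []
    for rule in RULES:
        if rule.get("decoded_as", fields["decoder"]) != fields["decoder"]:
            continue
        if "if_sid" in rule and rule["if_sid"] not in [r["id"] for r in fired]:
            continue
        if rule.get("action", fields.get("action")) != fields.get("action"):
            continue
        fired.append(rule)
    return max(fired, key=lambda r: r["level"]) if fired else None

if __name__ == "__main__":
    fields = decode(predecode(SAMPLE)["log"])
    print(fields)            # the same fields ossec-logtest printed in Phase 2
    print(evaluate(fields))  # rule 100201 (level 14) fires on those fields
```

Running it reproduces the Phase 2 field set from the thread (decoder custom-decoder, action unset, srcip 10.196.0.8, dstip 22.1.2.3, dstport 53, extra_data dns-udp) and shows that, on those fields, the posted rule chain 100200 -> 100201 is satisfied. That narrows the question: the decoded values are not the problem, so the remaining candidates lie in how the rules file is loaded by the running analysis daemon rather than in the regex itself.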
