Hi;
There's just something about these decoders that I'm just not getting.
Hopefully, something fairly simple so someone can say "Hey, dummy! It's
this!" Any rate, here are two sample log messages that I'm trying to
decode:
2012-08-30 03:24:02 pop3-login: Info: Aborted login (auth failed, 1
attempts): user=<test>, method=PLAIN, rip=173.166.38.101, lip=11.222.333.44
2012-08-30 03:25:14 pop3-login: Info: Login: user=<dkoleary>, method=PLAIN,
rip=74.82.81.231, lip=11.222.333.44, mpid=452
Without any entries in local_decoder.xml, I get the following for logtest:
==================================================
# ossec-logtest
2012/09/01 14:05:31 ossec-testrule: INFO: Reading local decoder file.
2012/09/01 14:05:31 ossec-testrule: INFO: Reading loading the lists file:
'valid_users'
2012/09/01 14:05:31 ossec-testrule: INFO: Started (pid: 28444).
ossec-testrule: Type one log per line.
2012-08-30 03:24:02 pop3-login: Info: Aborted login (auth failed, 1
attempts): user=<test>, method=PLAIN, rip=173.166.38.101, lip=11.222.333.44
**Phase 1: Completed pre-decoding.
full event: '2012-08-30 03:24:02 pop3-login: Info: Aborted login
(auth failed, 1 attempts): user=<test>, method=PLAIN, rip=173.166.38.101,
lip=11.222.333.44'
hostname: 'fw'
program_name: '(null)'
log: '2012-08-30 03:24:02 pop3-login: Info: Aborted login (auth
failed, 1 attempts): user=<test>, method=PLAIN, rip=173.166.38.101,
lip=11.222.333.44'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
2012-08-30 03:25:14 pop3-login: Info: Login: user=<dkoleary>, method=PLAIN,
rip=74.82.81.231, lip=11.222.333.44, mpid=452
**Phase 1: Completed pre-decoding.
full event: '2012-08-30 03:25:14 pop3-login: Info: Login:
user=<dkoleary>, method=PLAIN, rip=74.82.81.231, lip=11.222.333.44,
mpid=452'
hostname: 'fw'
program_name: '(null)'
log: '2012-08-30 03:25:14 pop3-login: Info: Login: user=<dkoleary>,
method=PLAIN, rip=74.82.81.231, lip=11.222.333.44, mpid=452'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
==================================================
If I have these decoders in the local_decoder.xml file, I get an error
about pop3 being an invalid parent. Same thing if I change the name to
something that can't possibly be a reserved word. I assume that means
there can be one and only one parent - the top level - and that I'm stuck
with the windows-date-format as the parent unless I do some hacking of the
decoder.xml file.
=============================================================
<decoder name="pop3">
<parent>windows-date-format</parent>
<prematch offset="after_parent">pop3-login: Info: </prematch>
</decoder>
<decoder name="pop3-bad">
<parent>pop3</parent>
<regex offset="after_parent">Aborted login \.*user=\p(\w+)\p, \.*rip=(\d+.\d+.\d+.\d+),\.*</regex>
<order>user, srcip</order>
</decoder>
<decoder name="pop3-good">
<parent>pop3</parent>
<regex offset="after_parent">Login: user=\p(\w+)\p, \.*rip=(\d+.\d+.\d+.\d+),\.*</regex>
<order>user, srcip</order>
</decoder>
# ossec-logtest
2012/09/01 14:08:58 ossec-analysisd(2101): ERROR: Parent decoder name
invalid: 'pop3'.
=============================================================
The closest I've come is with these decoders:
=============================================================
<decoder name="pop3-bad">
<parent>windows-date-format</parent>
<prematch offset="after_parent">pop3-login: Info: </prematch>
<regex offset="after_prematch">Aborted login \.*user=\p(\w+)\p, \.*rip=(\d+.\d+.\d+.\d+),\.*</regex>
<order>user, srcip</order>
</decoder>
<decoder name="pop3-good">
<parent>windows-date-format</parent>
<prematch offset="after_parent">pop3-login: Info: </prematch>
<regex offset="after_prematch">Login: user=\p(\w+)\p, \.*rip=(\d+.\d+.\d+.\d+),\.*</regex>
<order>user, srcip</order>
</decoder>
=============================================================
In that order, a bad login provides the right information; but a successful
one is seemingly ignored:
=============================================================
# ossec-logtest
2012/09/01 14:11:52 ossec-testrule: INFO: Reading local decoder file.
[[snip]]
2012-08-30 03:24:02 pop3-login: Info: Aborted login (auth failed, 1
attempts): user=<test>, method=PLAIN, rip=173.166.38.101, lip=11.222.333.44
**Phase 1: Completed pre-decoding.
[[snip]]
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
dstuser: 'test'
srcip: '173.166.38.101'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
2012-08-30 03:25:14 pop3-login: Info: Login: user=<dkoleary>, method=PLAIN,
rip=74.82.81.231, lip=11.222.333.44, mpid=452
**Phase 1: Completed pre-decoding.
[[snip]]
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
=============================================================
If I change the order of the decoders, the successful login gets
processed, but the bad one doesn't...
The goal is to be able to set rules based on both of these decoders. I
want to automatically block the IP of someone who's trying to log into my
system using an invalid ID and scream loudly if someone does successfully
log in using an invalid ID. It seems, though, that I can't even make the
first step on that journey...
Any help/hints/tips/suggestions greatly appreciated.
Doug O'Leary
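One way to get both messages decoded, added here as an example and not part of Doug's post: keep both decoders as direct children of windows-date-format (two levels only) and give each a prematch that only one of the two messages can satisfy, on the assumption (consistent with the logtest output above, where whichever decoder is listed first wins) that OSSEC settles on the first child whose prematch matches and does not fall through to the others. The decoder names, rule ids, thresholds and the lists/valid_users path are assumptions; the list is only seen loading in the logtest output, and the rules below are an assumed local_rules.xml sketch of the stated goal, not anything from the post.

```xml
<!-- local_decoder.xml (added example): one child decoder per message type,
     distinguished by the prematch rather than by a shared "pop3-login: Info: " -->
<decoder name="pop3-bad">
  <parent>windows-date-format</parent>
  <prematch offset="after_parent">pop3-login: Info: Aborted login</prematch>
  <!-- \p matches the < > around the user name; \.* skips "(auth failed, N attempts): " -->
  <regex offset="after_prematch">\.*user=\p(\w+)\p, \.*rip=(\d+.\d+.\d+.\d+),</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="pop3-good">
  <parent>windows-date-format</parent>
  <prematch offset="after_parent">pop3-login: Info: Login: </prematch>
  <regex offset="after_prematch">user=\p(\w+)\p, \.*rip=(\d+.\d+.\d+.\d+),</regex>
  <order>user, srcip</order>
</decoder>

<!-- local_rules.xml (assumed sketch): alert on each decoder, escalate repeated
     failures per source IP, and flag a successful login by an unlisted user -->
<group name="pop3,">
  <rule id="100100" level="5">
    <decoded_as>pop3-bad</decoded_as>
    <description>POP3 login failed.</description>
  </rule>

  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Repeated POP3 login failures from the same source IP.</description>
  </rule>

  <rule id="100102" level="3">
    <decoded_as>pop3-good</decoded_as>
    <description>POP3 login succeeded.</description>
  </rule>

  <rule id="100103" level="12">
    <if_sid>100102</if_sid>
    <!-- assumed: CDB list lists/valid_users (built with ossec-makelists) holding valid IDs -->
    <list field="user" lookup="not_match_key">lists/valid_users</list>
    <description>POP3 login succeeded for a user not in valid_users.</description>
  </rule>
</group>
```

Feeding both sample lines through ossec-logtest should then report decoder 'pop3-bad' with dstuser 'test' for the first and decoder 'pop3-good' with dstuser 'dkoleary' for the second; blocking on rule 100101 is a separate active-response entry in ossec.conf, not shown here.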