Hi Dan,
An example of the type of log it would be handy to be able to define a
pre-decoder for is oddly-formatted Cisco logs.
I have log entries with the following format coming from a Cisco router:
Aug 24 06:38:50 routerHostName 9564499: Aug 23 20:38:49.217: %SEC-6-IPACCESSLOGP: list 120 denied tcp 1.125.236.165(0) -> 119.225.120.9(0), 1 packet
The problem I have with defining a custom decoder for it is that the
default syslog pre-decoder seems to "take over" as soon as my regex covers
more than the first "Aug 24 06:38:50 " part of the message. Presumably
this is because it matches the pattern of a standard syslog message? What
I want to do however, is define a prematch that extends further into the
log message to enable OSSEC to be able to understand my version of the
Cisco messages. e.g.:
<decoder name="cisco-ios">
  <prematch>^\w+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+\d+: \w+\s+\d+\s+\d\d:\d\d:\d\d.\d\d\d: </prematch>
</decoder>
Is there any way to get this to work?
For now, it seems the only way to enable OSSEC to understand my Cisco logs
is by redefining every single Cisco rule, basing them on a parent rule that
matches on the second timestamp like this:
<rule id="100023" level="0">
  <if_sid>1002</if_sid>
  <regex>^\w\w\w\s+\d+\s+\d\d:\d\d:\d\d.\d\d\d: </regex>
  <description>Cisco messages (custom log style) grouped.</description>
</rule>
But this seems like more work than it should be.
Is there a better way to decode these messages than this? Please tell me
there is!
Thanks for your help,
Saul
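The pre-decoding behaviour described above, as an added Python model that is not OSSEC code and not from this thread. It assumes, as a simplification of what src/analysisd/cleanevent.c does, that the syslog pre-decoder consumes the leading timestamp, hostname and "program: " prefix and hands only the remainder to the decoders as the log field. On the sample line that means the router's sequence number 9564499 is taken as the program name, and a decoder only ever sees the text from the second Cisco timestamp onward, which is why a prematch written against the whole line never gets a chance to match. The regexes are Python ones, not OSSEC's own regex dialect, the sample line is constructed from the one in the post, and the ACL field extraction (srcip, dstip, action) goes beyond what the post asks for.

```python
import re

# Constructed sample line in the format shown in the post (not a real capture).
SAMPLE = ("Aug 24 06:38:50 routerHostName 9564499: Aug 23 20:38:49.217: "
          "%SEC-6-IPACCESSLOGP: list 120 denied tcp 1.125.236.165(0) -> "
          "119.225.120.9(0), 1 packet")

# Assumed model of the syslog pre-decoder: timestamp, hostname, an optional
# "program[pid]: " prefix, and everything after that is the "log" field that
# the decoders are matched against.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<hostname>\S+)\s+"
    r"(?:(?P<program_name>[^\s:\[]+)(?:\[\d+\])?:\s+)?"
    r"(?P<log>.*)$"
)

# Decoder for the Cisco body that remains after pre-decoding: the second
# timestamp (with milliseconds), then the %FACILITY-SEVERITY-MNEMONIC tag.
CISCO_PREMATCH = re.compile(
    r"^(?P<cisco_ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d{3}):\s+"
    r"%(?P<facility>\w+)-(?P<severity>\d)-(?P<mnemonic>\w+):\s+(?P<body>.*)$"
)

# Child pattern for the IPACCESSLOGP body; field names follow the ones OSSEC
# rules can match on (srcip, dstip, srcport, dstport, protocol, action).
ACL_BODY = re.compile(
    r"^list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+(?P<protocol>\w+)\s+"
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+)\((?P<srcport>\d+)\)\s+->\s+"
    r"(?P<dstip>\d+\.\d+\.\d+\.\d+)\((?P<dstport>\d+)\)"
)


def predecode(line):
    """Split a syslog line into header fields plus the 'log' remainder."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"log": line}
    return {k: v for k, v in m.groupdict().items() if v is not None}


def decode_cisco(event):
    """Apply the Cisco decoder to the pre-decoded 'log' field only.

    Returns the merged field dict, or None when the prematch does not fire
    (so a non-Cisco line falls through to other decoders)."""
    m = CISCO_PREMATCH.match(event["log"])
    if not m:
        return None
    fields = dict(event)
    fields.update(m.groupdict())
    fields["severity"] = int(fields["severity"])
    body = ACL_BODY.match(fields.pop("body"))
    if body:
        fields.update(body.groupdict())
        fields["decoder"] = "cisco-ios-acl"
    else:
        fields["decoder"] = "cisco-ios"
    return fields


if __name__ == "__main__":
    ev = decode_cisco(predecode(SAMPLE))
    for k in sorted(ev):
        print(f"{k:13} {ev[k]}")
```

Running it shows program_name = 9564499 and log starting at "Aug 23 20:38:49.217: %SEC-6-...", which is the text a real decoder's prematch has to be written against; the rule in the post that anchors on the second timestamp works for the same reason.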
On Saturday, January 9, 2010 6:31:17 AM UTC+11, Daniel Cid wrote:
>
> Hi Abey,
>
> The pre decoders are very simple and we only use them for very common
> log formats, like
> syslog, apache, squid, etc. Look at src/analysisd/cleanevent.c to see
> how we do them..
>
> Can you share what log you are trying to parse? Maybe a pre decoder
> isn't needed and
> you can use just the xml (way easier).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Jan 5, 2010 at 7:33 AM, Abey <[email protected]> wrote:
> > Hi ,
> >
> > I was wondering if it is possible to define custom predecoders in
> > ossec ?
> >
> > I also have decoders and rule matching working ok on syslog . but i
> > have another log file which has format different from syslog and would
> > need to do predecoding before the decoding .
> >
> >
> > Thanks
> > Abey
> >
>
>