This decoder is a bit broken :/

It is actually matching for:

^Mon OR
^Tue OR
^Wed OR .. OR ..
^Sun  \S\S\S\s+\d+..

We should probably just change it for:

<prematch>^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch>

Can you try to see if it fixes it?

thanks,

--
Daniel B. Cid
http://dcid.me

On Thu, Nov 15, 2012 at 10:17 AM, Xavier Mertens <[email protected]> wrote:
> Hello OSSEC'ers!
>
> Is there a working decoder for 'xferlog' FTP files somewhere? I'm trying to
> write my own but I'm facing a strange issue:
>
> xferlog samples are detected as active-response logs (decoder: ar_log). I
> slightly modified the original <prematch> regex but the problem remains!?
>
> Why this decoder:
>
> <decoder name="ar_log">
>         <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S\S\S\s+\d+ \d\d:\d\d:\d\d \D\D\D \d\d\d\d /\S+/active-response</prematch>
>         <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex>
>         <order>action, status, srcip, id, extra_data</order>
> </decoder>
>
> Matches this event:
>
> Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 /home/ftp/file.txt b _ o r ftpread ftp 0 * c
>
> ossec-logtest reports:
>
> # ../bin/ossec-logtest
> 2012/11/15 15:16:12 ossec-testrule: INFO: Reading local decoder file.
> 2012/11/15 15:16:12 ossec-testrule: INFO: Started (pid: 21697).
> ossec-testrule: Type one log per line.
>
> Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 /home/ftp/file.txt b _ o r ftpread ftp 0 * c
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 /home/ftp/file.txt b _ o r ftpread ftp 0 * c'
>        hostname: 'boogey'
>        program_name: '(null)'
>        log: 'Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 /home/ftp/file.txt b _ o r ftpread ftp 0 * c'
>
> **Phase 2: Completed decoding.
>        decoder: 'ar_log'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '600'
>        Level: '0'
>        Description: 'Active Response Messages Grouped'
>
> I'm lost... :-)
>
> /x
>
> --
> My server is com<script src=http://owned.cn/js.js>pletely secure.
>
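To see the alternation problem Daniel describes without a running OSSEC install, here is an added Python check (not from the thread or from the OSSEC project) that translates the two prematch patterns into Python `re` syntax and runs them against the xferlog line from the thread plus a constructed active-response line. The escape table, the helper names and the sample active-response line are assumptions; Python's `|` precedence mirrors how OSSEC splits a pattern on `|`.

```python
import re

# Subset of OSSEC (os_regex) escapes used by the ar_log decoder, mapped to
# Python re syntax. OSSEC differs from PCRE: "\." means ANY character and
# "\w" also covers "@", "-" and "_".
_OSSEC_ESCAPES = {
    r"\.": ".",
    r"\w": "[A-Za-z0-9@_-]",
    r"\d": r"\d", r"\D": r"\D",
    r"\s": r"\s", r"\S": r"\S",
}

def ossec_to_python(pattern):
    """Translate an OSSEC prematch pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            esc = pattern[i:i + 2]
            # escapes not in the table are taken as literal characters
            out.append(_OSSEC_ESCAPES.get(esc, re.escape(pattern[i + 1])))
            i += 2
        elif pattern[i] in "^$|()+*":
            out.append(pattern[i])  # same meaning in both dialects
            i += 1
        else:
            out.append(re.escape(pattern[i]))  # "." and "/" are literal in OSSEC
            i += 1
    return "".join(out)

def prematches(pattern, line):
    """True if the OSSEC <prematch> pattern would select this log line."""
    return re.search(ossec_to_python(pattern), line) is not None

# The shipped ar_log prematch quoted in the thread and the proposed replacement.
BROKEN = (r"^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S\S\S\s+\d+ \d\d:\d\d:\d\d"
          r" \D\D\D \d\d\d\d /\S+/active-response")
FIXED = r"^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response"

# Samples: the xferlog line from the thread, the same line dated Sunday, and a
# constructed active-response line in the layout the decoder's regex expects.
XFERLOG = ("Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 "
           "/home/ftp/file.txt b _ o r ftpread ftp 0 * c")
XFERLOG_SUN = "Sun" + XFERLOG[3:]
AR_LINE = ("Thu Nov 15 13:51:15 UTC 2012 /var/ossec/active-response/bin/"
           "host-deny.sh add - 192.0.2.10 1352985075.12345 5712")

if __name__ == "__main__":
    for name, line in (("xferlog", XFERLOG), ("xferlog_sun", XFERLOG_SUN), ("ar", AR_LINE)):
        print(f"{name:12} broken={prematches(BROKEN, line)} fixed={prematches(FIXED, line)}")
```

The Sunday variant shows the other half of the bug: only the `^Sun` branch carries the full date and path check, so a Sunday xferlog line is (correctly) rejected while a Thursday one slips through on `^Thu` alone.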