Hi Daniel, Thank you for the tip! It worked now!
/x

On Thu, Nov 15, 2012 at 7:45 PM, Daniel Cid <[email protected]> wrote:
> This decoder is a bit broken :/
>
> It is actually matching for:
>
> ^Mon OR
> ^Tue OR
> ^Wed OR .. OR ..
> ^Sun \S\S\S\s+\d+..
>
> We should probably just change it for:
>
> <prematch>^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch>
>
> Can you try to see if it fixes?
>
> thanks,
>
> --
> Daniel B. Cid
> http://dcid.me
>
> On Thu, Nov 15, 2012 at 10:17 AM, Xavier Mertens <[email protected]> wrote:
> > Hello OSSEC'ers!
> >
> > Is there a working decoder for 'xferlog' FTP files somewhere? I'm trying to
> > write my own but I'm facing a strange issue:
> >
> > xferlog samples are detected as active-response logs (decoder: ar_log). I
> > slightly modified the original <prematch> regex but the problem remains!?
> >
> > Why this decoder:
> >
> > <decoder name="ar_log">
> >   <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S\S\S\s+\d+ \d\d:\d\d:\d\d \D\D\D \d\d\d\d /\S+/active-response</prematch>
> >   <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex>
> >   <order>action, status, srcip, id, extra_data</order>
> > </decoder>
> >
> > Matches this event:
> >
> > Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 /home/ftp/file.txt b _ o r ftpread ftp 0 * c
> >
> > ossec-logtest reports:
> >
> > # ../bin/ossec-logtest
> > 2012/11/15 15:16:12 ossec-testrule: INFO: Reading local decoder file.
> > 2012/11/15 15:16:12 ossec-testrule: INFO: Started (pid: 21697).
> > ossec-testrule: Type one log per line.
> >
> > Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 /home/ftp/file.txt b _ o r ftpread ftp 0 * c
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 /home/ftp/file.txt b _ o r ftpread ftp 0 * c'
> >        hostname: 'boogey'
> >        program_name: '(null)'
> >        log: 'Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 /home/ftp/file.txt b _ o r ftpread ftp 0 * c'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'ar_log'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '600'
> >        Level: '0'
> >        Description: 'Active Response Messages Grouped'
> >
> > I'm lost... :-)
> >
> > /x
> >
> > --
> > My server is com<script src=http://owned.cn/js.js>pletely secure.
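
Added example, not code from the thread or from OSSEC itself: a small Python script that maps OS_Regex character classes onto Python's re module just closely enough to reproduce what Daniel describes. The class mapping is an assumption about OS_Regex (it keeps the two facts that matter here: "|" separates complete alternatives, exactly as in PCRE, and "\." means any character while a bare "." is a literal dot). The xferlog line is the one Xavier posted; the active-response line is constructed from the field layout the decoder's <regex> expects and is not a log line from the post.

```python
"""Why the ar_log <prematch> from the thread swallows xferlog lines.

Added example: maps OS_Regex onto Python's re module (assumed mapping, not
OSSEC's own code) and runs both prematch expressions from the thread.
"""
import re

# Assumed OS_Regex -> Python re mapping. In OS_Regex "\." means any character
# and a bare "." is a literal dot, the reverse of PCRE.
_OSSEC_CLASSES = {
    r"\w": r"[A-Za-z0-9_]",
    r"\d": r"[0-9]",
    r"\s": r" ",
    r"\t": r"\t",
    r"\W": r"[^A-Za-z0-9_]",
    r"\D": r"[^0-9]",
    r"\S": r"[^ ]",
    r"\.": r".",
}
_OSSEC_OPERATORS = "^$|()+*"


def ossec_to_python(pattern):
    """Translate an OS_Regex pattern into an equivalent Python regex string."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            token = pattern[i:i + 2]
            # Unknown escapes are treated as the literal escaped character.
            out.append(_OSSEC_CLASSES.get(token, re.escape(pattern[i + 1])))
            i += 2
        elif ch in _OSSEC_OPERATORS:
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))  # everything else, "." included, is literal
            i += 1
    return "".join(out)


def alternatives(pattern):
    """The complete alternatives an OS_Regex '|' pattern is really made of."""
    return pattern.split("|")


def prematch(pattern, line):
    """Return the match object for an OS_Regex prematch, or None."""
    return re.search(ossec_to_python(pattern), line)


def decode(prematch_pat, regex_pat, order, line):
    """Mimic a decoder whose <regex offset="after_prematch"> runs on the text
    after the prematch ends; map the captured groups onto <order>."""
    m = prematch(prematch_pat, line)
    if m is None:
        return None            # decoder does not fire at all
    fields = re.search(ossec_to_python(regex_pat), line[m.end():])
    if fields is None:
        return {}              # decoder fires but extracts no fields
    return dict(zip(order, fields.groups()))


# The two prematch expressions and the field regex from the thread, verbatim.
BROKEN_PREMATCH = (r"^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S\S\S\s+\d+ "
                   r"\d\d:\d\d:\d\d \D\D\D \d\d\d\d /\S+/active-response")
FIXED_PREMATCH = r"^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response"
AR_REGEX = r"/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)"
AR_ORDER = ["action", "status", "srcip", "id", "extra_data"]

# The xferlog line from the post, and a constructed active-response line.
XFERLOG_LINE = ("Thu Nov 15 13:51:15 2012 744 fakehost.be 2045663232 "
                "/home/ftp/file.txt b _ o r ftpread ftp 0 * c")
AR_LINE = ("Thu Nov 15 13:51:15 CET 2012 /var/ossec/active-response/bin/"
           "host-deny.sh add - 192.168.1.1 1353023475.12345 6")


if __name__ == "__main__":
    print("broken prematch is really:", alternatives(BROKEN_PREMATCH))
    for name, pat in (("broken", BROKEN_PREMATCH), ("fixed", FIXED_PREMATCH)):
        print(name, "matches xferlog:", prematch(pat, XFERLOG_LINE) is not None)
        print(name, "matches AR line:", prematch(pat, AR_LINE) is not None)
    print("fixed decoder on AR line:", decode(FIXED_PREMATCH, AR_REGEX, AR_ORDER, AR_LINE))
```

Run it as a script: the broken prematch matches the xferlog line on its bare "^Thu" branch and, as in the Phase 2 output above, the decoder then extracts no fields because the after_prematch regex never sees "/bin/"; the corrected prematch rejects the xferlog line and still decodes the active-response line into the five <order> fields. The functions return their results so other candidate log lines can be dropped in the same way.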
