On Mon, Nov 19, 2012 at 4:39 AM, Michiel van Es <[email protected]> wrote:
>
> Hello
>
> 2012/11/15 Jb Cheng <[email protected]>
>>
>> The OSSEC allowed fields are listed at the beginning of the file
>> etc/decoder.xml. In your case, 'dstport' is correct.
>> For the extra fields in the raw log which you want to skip (ipproto=
>> ipdatalen= ...), you need to count them out using <regex> like the
>> following:
>>
>> <decoder name="clavister">
>> <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: </prematch>
>> </decoder>
>>
>> <decoder name="clavister-alert">
>> <parent>clavister</parent>
>> <regex offset="after_parent">\.+ action=(\w+) rule=\w+ recvif=\w+
>> srcip=(\d+.\d+.\d+.\d+) destip=(\d+.\d+.\d+.\d+) ipproto=\w+ ipdatalen=\d+
>> srcport=(\d+) destport=(\d+) (\.*)</regex>
>> <order>action,srcip,dstip,srcport,dstport,extra_data</order>
>> </decoder>
>>
>
> Thanks! This works like a charm!
> I am now trying to generate alerts from every rule that is passing by with
> the following configuration:
>
> agent.conf:
>
> <agent_config name="machine">
> <localfile>
> <log_format>syslog</log_format>
> <location>/data/logs/host/fw-10.170.80.*.log</location>
> </localfile>
>
> and then in local_rules.xml:
>
> <group name="clavister">
> <rule id="700005" level="0">
> <decoded_as>clavister-alert</decoded_as>
The decoder is clavister, not clavister-alert.
Before changing the decoder name:
**Phase 1: Completed pre-decoding.
full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet
action=drop rule=d_all_any_to_external recvif=cpub1003
srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
srcport=80 destport=49511 ack=1 fin=1'
hostname: '10.170.80.3'
program_name: '(null)'
log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
event=ruleset_drop_packet action=drop rule=d_all_any_to_external
recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
**Phase 2: Completed decoding.
decoder: 'clavister'
action: 'drop'
srcip: '10.170.83.14'
dstip: '81.83.145.188'
srcport: '80'
dstport: '49511'
extra_data: 'ack=1 fin=1'
After changing the decoder name:
**Phase 1: Completed pre-decoding.
full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet
action=drop rule=d_all_any_to_external recvif=cpub1003
srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
srcport=80 destport=49511 ack=1 fin=1'
hostname: '10.170.80.3'
program_name: '(null)'
log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
event=ruleset_drop_packet action=drop rule=d_all_any_to_external
recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
**Phase 2: Completed decoding.
decoder: 'clavister'
action: 'drop'
srcip: '10.170.83.14'
dstip: '81.83.145.188'
srcport: '80'
dstport: '49511'
extra_data: 'ack=1 fin=1'
**Phase 3: Completed filtering (rules).
Rule id: '700006'
Level: '12'
Description: 'Clavister drop firewall!'
**Alert to be generated.
> <description>Custom Clavister firewall Alert</description>
> </rule>
> <rule id="700006" level="12">
> <if_sid>700005</if_sid>
> <description>Clavister drop firewall!</description>
> </rule>
> </group>
>
> Restarted ossec-hids on the ossec manager
>
> But it does not show any alert and firewall drop entries in the logfile
> are rapidly entered.
>
> For some reason the new clavister-alert entries are not showing in the
> alert.log log file.
>
> Any help is appreciated :)
>
> Regards,
>
> Michiel
>>
>>
>> On Wednesday, November 14, 2012 6:49:10 AM UTC-8, Michiel van Es wrote:
>>>
>>> Hello,
>>>
>>> I am trying to set up a local_decoder.xml entry to decode our Clavister
>>> log entries.
>>> The clavister logfiles show only outgoing dropped traffic, for example:
>>>
>>> Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6
>>> id=06000051 rev=1 event=ruleset_drop_packet action=drop
>>> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
>>> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
>>> ack=1 fin=1
>>>
>>> I could not find an existing clavister decoder so I am trying to write
>>> my own.
>>> I tried something as follows:
>>>
>>> <decoder name="clavister">
>>> <prematch>^\w+ \d+ \S+ </prematch>
>>> </decoder>
>>>
>>> If I understand it correctly, ^ is the beginning of the line, \w+ = month,
>>> \d+ = day of month, \S+ = time, but it's not working as expected; running
>>> logtest shows:
>>>
>>> **Phase 1: Completed pre-decoding.
>>> full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
>>> EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop
>>> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
>>> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
>>> ack=1 fin=1'
>>> hostname: '10.170.80.3'
>>> program_name: '(null)'
>>> log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
>>> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
>>> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
>>> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>>
>>> **Phase 2: Completed decoding.
>>> No decoder matched.
>>>
>>> It does not show the clavister field at Phase 2 which I would expect.
>>>
>>> Can anyone point out what I am doing wrong even with this simple
>>> <prematch> example?
>>>
>>> Thanks in advance.
>>>
>>> Regards,
>>>
>>> Michiel
>
>
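As an added illustration (not code from the thread or from OSSEC itself), here is a small Python emulation of the decoder chain discussed above: it shows why the first `^\w+ \d+ \S+ ` prematch never matches (prematch runs on the pre-decoded `log` field, which starts with the bracketed timestamp) and why `<decoded_as>` has to name the parent `clavister` rather than the child `clavister-alert`. It assumes a toy translation of the OSSEC tokens `\w`, `\d`, `\s`, `\S` and `\.` onto Python `re`; it is not OSSEC's own os_regex engine.

```python
import re
RAW = ("Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 "
       "rev=1 event=ruleset_drop_packet action=drop rule=d_all_any_to_external "
       "recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP "
       "ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1")  # sample line taken from the thread

# OSSEC regex subset used on the page, mapped onto Python re (assumption: toy emulation, not os_regex)
TOKENS = {r"\w": r"[A-Za-z0-9@_\-]", r"\d": r"[0-9]", r"\s": r" ", r"\S": r"[^ ]", r"\.": r"."}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in TOKENS:
            out.append(TOKENS[pattern[i:i + 2]]); i += 2
        elif pattern[i] in "^$()+*":           # OSSEC special characters
            out.append(pattern[i]); i += 1
        else:                                  # anything else ([, ], -, :) is literal
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

# The parent/child decoders from the thread (child regex uses offset="after_parent").
DECODERS = [
    {"name": "clavister",
     "prematch": r"^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: "},
    {"name": "clavister-alert", "parent": "clavister",
     "regex": r"\.+ action=(\w+) rule=\w+ recvif=\w+ srcip=(\d+.\d+.\d+.\d+) "
              r"destip=(\d+.\d+.\d+.\d+) ipproto=\w+ ipdatalen=\d+ "
              r"srcport=(\d+) destport=(\d+) (\.*)",
     "order": ["action", "srcip", "dstip", "srcport", "dstport", "extra_data"]},
]

def predecode(raw):
    """Phase 1: strip the syslog header; <prematch> only ever sees what is left."""
    m = re.match(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) (.*)$", raw)
    return {"hostname": m.group(1), "log": m.group(2)}

def decode(log, decoders=DECODERS):
    """Phase 2: (decoder name as logtest reports it, fields mapped by <order>)."""
    for parent in (d for d in decoders if "parent" not in d):
        m = re.search(ossec_to_python(parent["prematch"]), log)
        if not m:
            continue
        for child in (d for d in decoders if d.get("parent") == parent["name"]):
            cm = re.search(ossec_to_python(child["regex"]), log[m.end():])
            if cm:  # child fields are kept, but the event's decoder name stays the parent's
                return parent["name"], dict(zip(child["order"], cm.groups()))
        return parent["name"], {}  # prematch alone matched: same name, no fields
    return None, {}
```

A rule with `<decoded_as>clavister</decoded_as>` compares against the first element returned by `decode()`, which is why the child's name never fires.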