On Sun, Nov 25, 2012 at 7:29 PM, Kristy Truong <[email protected]> wrote:
> how do you use this?
>

Add the decoders to /var/ossec/etc/local_decoder.xml, rules to
/var/ossec/rules/local_rules.xml, and restart the OSSEC processes.

>
> On Wednesday, November 14, 2012 8:49:10 AM UTC-6, Michiel van Es wrote:
>>
>> Hello,
>>
>> I am trying to set up a local_decoder.xml entry to decode our Clavister
>> log entries.
>> The clavister logfiles show only outgoing dropped traffic, for example:
>>
>> Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6
>> id=06000051 rev=1 event=ruleset_drop_packet action=drop
>> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
>> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
>> ack=1 fin=1
>>
>> I could not find an existing clavister decoder so I am trying to write my
>> own.
>> I tried something as follows :
>>
>> <decoder name="clavister">
>>   <prematch>^\w+ \d+ \S+ </prematch>
>> </decoder>
>>
>> If I get it correct, the ^ is the beginning of the line, \w+ = Month, \d+ = day
>> of month, \S+ = time, but it's not working as expected; running logtest shows:
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW:
>> RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet action=drop
>> rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14
>> destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511
>> ack=1 fin=1'
>>        hostname: '10.170.80.3'
>>        program_name: '(null)'
>>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
>> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
>> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
>> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> It does not show the clavister field at Phase 2 which I would expect.
>>
>> Can anyone point out what I am doing wrong even with this simple
>> <prematch> example?
>>
>> Thanks in advance.
>>
>> Regards,
>>
>> Michiel
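
The logtest output above already contains the answer to the question in the thread: by the time a decoder runs, OSSEC has pre-decoded the syslog header, so the `hostname` and timestamp are gone and a `<prematch>` is tested against the `log:` field only, which here starts with `[2012-11-14 ...`. A prematch written for `Nov 14 12:19:53` therefore never sees that text. The script below is an added example, not code from the post or from the OSSEC project: it is my own simplified reimplementation of the syslog pre-decoder and of the OSSEC regex dialect (class definitions taken from the OSSEC regex syntax docs as I read them, with the real engine's full behaviour not reproduced), run over the exact Clavister line quoted above (embedded as constructed sample input). It shows that the posted prematch matches the full event but not the `log` field, and then runs a hypothetical `clavister` / `clavister-rule` decoder pair of my own that extracts the `key=value` pairs into standard OSSEC field names.

```python
import re

# Constructed sample input: the Clavister line quoted in the post above.
SAMPLE = (
    "Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 "
    "id=06000051 rev=1 event=ruleset_drop_packet action=drop "
    "rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 "
    "destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 "
    "ack=1 fin=1"
)

# Minimal stand-in (my assumption, not OSSEC's code) for the syslog pre-decoder:
# strip "Mon DD HH:MM:SS host " and, when present, a "prog[pid]: " program name.
# Only the remaining text (the "log:" field in ossec-logtest) reaches a decoder.
_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$",
    re.S,
)
_PROGRAM = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$", re.S)


def predecode(line):
    """Return the fields ossec-logtest prints in Phase 1 for a syslog line."""
    m = _SYSLOG.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    rest = m.group("rest")
    p = _PROGRAM.match(rest)
    if p:
        return {"hostname": m.group("host"), "program_name": p.group("prog"),
                "log": p.group("log")}
    return {"hostname": m.group("host"), "program_name": None, "log": rest}


# OSSEC regex classes (as documented in the OSSEC regex syntax page) -> Python re.
# Note: in OSSEC, "\." means "any character" and a bare "." is a literal dot.
_CLASSES = {
    "w": r"[A-Za-z0-9_@\-]", "d": r"[0-9]", "s": r" ", "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&]""",
    "W": r"[^A-Za-z0-9_@\-]", "D": r"[^0-9]", "S": r"[^ ]", ".": r".",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))  # \( \) \$ ... are literals
            i += 2
        elif c in "()+*^$|":      # the only unescaped metacharacters OSSEC has
            out.append(c)
            i += 1
        else:                     # everything else, including [ ] . ? { }, is literal
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def ossec_search(pattern, text):
    """True when an OSSEC-dialect pattern matches somewhere in text."""
    return re.search(ossec_to_python(pattern), text) is not None


def run_decoder(log, prematch, regex=None, order=()):
    """Apply a decoder the way OSSEC does: prematch first, then the regex with
    offset="after_prematch", mapping capture groups to the <order> names.
    Returns None when the prematch fails, else a dict of decoded fields."""
    pm = re.search(ossec_to_python(prematch), log)
    if pm is None:
        return None
    if regex is None:
        return {}
    m = re.search(ossec_to_python(regex), log[pm.end():])
    return dict(zip(order, m.groups())) if m else {}


# The prematch from the post: it describes the syslog header, which has already
# been stripped off by the time any decoder sees the line.
POSTED_PREMATCH = r"^\w+ \d+ \S+ "

# Hypothetical replacement decoder pair (my example, not a shipped OSSEC decoder):
# a parent anchored on the Clavister "[date time] EFW: RULE: " prefix and a child
# that pulls the key=value pairs into standard OSSEC <order> field names.
CLAVISTER_PREMATCH = r"^[\d+-\d+-\d+ \d+:\d+:\d+] EFW: RULE: "
CLAVISTER_REGEX = (r"id=(\d+) rev=\d+ event=\S+ action=(\w+) rule=(\S+) "
                   r"recvif=\S+ srcip=(\S+) destip=(\S+) ipproto=(\w+) "
                   r"ipdatalen=\d+ srcport=(\d+) destport=(\d+)")
CLAVISTER_ORDER = ("id", "action", "extra_data", "srcip", "dstip",
                   "protocol", "srcport", "dstport")


def decode_clavister(line):
    """Full pipeline: pre-decode the syslog header, then run the example decoder."""
    return run_decoder(predecode(line)["log"], CLAVISTER_PREMATCH,
                       CLAVISTER_REGEX, CLAVISTER_ORDER)


if __name__ == "__main__":
    pre = predecode(SAMPLE)
    print("log field seen by decoders:", pre["log"][:40], "...")
    print("posted prematch vs full event:", ossec_search(POSTED_PREMATCH, SAMPLE))
    print("posted prematch vs log field: ",
          run_decoder(pre["log"], POSTED_PREMATCH) is not None)
    print("example decoder fields:", decode_clavister(SAMPLE))
```

The two pattern strings map one-to-one onto local_decoder.xml entries: `CLAVISTER_PREMATCH` goes into the `<prematch>` of a `clavister` decoder, and `CLAVISTER_REGEX` into a child decoder with `<parent>clavister</parent>`, `<regex offset="after_prematch">` and `<order>id, action, extra_data, srcip, dstip, protocol, srcport, dstport</order>`. Whatever you settle on, confirm it with `/var/ossec/bin/ossec-logtest` rather than with this script: the real engine has its own backtracking limits, and a pattern that is accepted here but not there is the engine's word, not mine.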
