I stumbled across a weird phenomenon today. I noticed that some of my apache logs were being decoded as syslogs.

As far as I can tell, if the 1st, 3rd and 4th octets of the IP are three-digit and the 2nd octet is two-digit AND apache logged a username (e.g. due to .htaccess), then ossec doesn't decode it as web-accesslog.

Tests were done with a fresh install of ossec 2.7 on ubuntu 12.04, no local decoder or rules.

I can replicate the problem with the following two lines:

111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
No decoder matched

111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
decoder: 'web-accesslog'

111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
decoder: 'web-accesslog'


Does anyone have an idea where I would fix this (which part of the source tree will I have to look at for the decoder regex logic)?

logs:
rtest:~# /var/ossec/bin/ossec-logtest
2012/12/27 21:05:08 ossec-testrule: INFO: Reading local decoder file.
2012/12/27 21:05:08 ossec-testrule: INFO: Started (pid: 17574).
ossec-testrule: Type one log per line.

111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"


**Phase 1: Completed pre-decoding.
full event: '111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
       hostname: 'rtest'
       program_name: '(null)'
log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'

**Phase 2: Completed decoding.
       No decoder matched.

111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"


**Phase 1: Completed pre-decoding.
full event: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
       hostname: 'rtest'
       program_name: '(null)'
log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '111.222.111.111'
       url: '/api/'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'

111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"


**Phase 1: Completed pre-decoding.
full event: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
       hostname: 'rtest'
       program_name: '(null)'
log: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '111.22.111.111'
       url: '/api/'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'
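
A reproduction harness for the octet-width pattern described in the post (added here; not code from the post or from OSSEC): it builds one access-log line per combination of octet widths and username presence, feeds them to the ossec-logtest binary named above, and reports which shapes come back as "No decoder matched". It assumes ossec-logtest reads one log per line on stdin and prints the phase blocks to stdout, as the transcript shows; the sample output embedded for the parser is constructed from the post's transcript.

```python
import itertools
import re
import subprocess
LOGTEST = "/var/ossec/bin/ossec-logtest"  # path used in the post
# Constructed template: the request line from the post; only IP and user vary.
TEMPLATE = ('{ip} - {user} [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" '
            '200 20 "somereferrer" "somebrowser"')
FULL_EVENT_RE = re.compile(r"^full event: '(.*)'$", re.M)
DECODER_RE = re.compile(r"^\s*decoder: '([^']*)'", re.M)
# Constructed excerpt of ossec-logtest output, shaped like the post's transcript.
SAMPLE_OUTPUT = """**Phase 1: Completed pre-decoding.
full event: '%s'
**Phase 2: Completed decoding.
       No decoder matched.
**Phase 1: Completed pre-decoding.
full event: '%s'
**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
""" % (TEMPLATE.format(ip="111.22.111.111", user="test"),
       TEMPLATE.format(ip="111.222.111.111", user="test"))

def candidate_lines():
    """One access-log line per (octet widths, username present) combination."""
    lines = []
    for widths in itertools.product((1, 2, 3), repeat=4):
        ip = ".".join("1" * w for w in widths)
        lines += [TEMPLATE.format(ip=ip, user=u) for u in ("-", "test")]
    return lines

def parse_logtest_output(output):
    """Map each 'full event' back to the decoder chosen (None = no decoder matched)."""
    results = {}
    for block in output.split("**Phase 1: Completed pre-decoding.")[1:]:
        event, decoder = FULL_EVENT_RE.search(block), DECODER_RE.search(block)
        if event:
            results[event.group(1)] = decoder.group(1) if decoder else None
    return results

def shape(line):  # (octet widths, username present), e.g. ((3, 2, 3, 3), True)
    ip, _, user = line.split(" ", 3)[:3]
    return tuple(len(o) for o in ip.split(".")), user != "-"

def undecoded_shapes(results):  # shapes ossec-logtest left with 'No decoder matched'
    return sorted(shape(l) for l, d in results.items() if d is None)

def run_logtest(lines, binary=LOGTEST):
    """Feed lines to ossec-logtest on stdin; assumes it prints the phase blocks to stdout."""
    proc = subprocess.run([binary], input="\n".join(lines) + "\n", capture_output=True, text=True)
    return parse_logtest_output(proc.stdout)
```

On the OSSEC host, `undecoded_shapes(run_logtest(candidate_lines()))` lists every (widths, username) combination the decoder rejects, which either confirms the pattern stated above or narrows it further.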
