On Thu, Dec 27, 2012 at 3:10 PM, Ryan Schulze <[email protected]> wrote:
> I stumbled across a weird phenomenon today. I noticed that some of my apache
> logs were being decoded as syslogs.
>
> As far as I can tell, if the 1st, 3rd and 4th octet of the IP are
> three-digit and the 2nd octet is two-digit AND apache logged a username
> (e.g. due to .htaccess) then ossec doesn't decode it as web-accesslog.
>
> Tests were done with a fresh install of ossec 2.7 on ubuntu 12.04, no local
> decoder or rules.
>
> I can replicate the problem with the following two lines:
>
> 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
> No decoder matched
>
> 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
> decoder: 'web-accesslog'
>
> 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
> decoder: 'web-accesslog'
>
>
> Does anyone have an idea where I would fix this? (which part of the source
> tree will I have to look at for the decoder regex logic)?

src/os_regex ?

> logs:
>>
>> rtest:~# /var/ossec/bin/ossec-logtest
>> 2012/12/27 21:05:08 ossec-testrule: INFO: Reading local decoder file.
>> 2012/12/27 21:05:08 ossec-testrule: INFO: Started (pid: 17574).
>> ossec-testrule: Type one log per line.
>>
>> 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>>        hostname: 'rtest'
>>        program_name: '(null)'
>>        log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>>        hostname: 'rtest'
>>        program_name: '(null)'
>>        log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'web-accesslog'
>>        srcip: '111.222.111.111'
>>        url: '/api/'
>>        id: '200'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '31108'
>>        Level: '0'
>>        Description: 'Ignored URLs (simple queries).'
>>
>> 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>>        hostname: 'rtest'
>>        program_name: '(null)'
>>        log: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'web-accesslog'
>>        srcip: '111.22.111.111'
>>        url: '/api/'
>>        id: '200'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '31108'
>>        Level: '0'
>>        Description: 'Ignored URLs (simple queries).'
