Try the attached patch which modifies analysisd/cleanevent.c and report 
back. Thanks!

On Friday, January 11, 2013 2:04:05 PM UTC-8, Jb Cheng wrote:
>
> Found the root cause at "analysisd/cleanevent.c".
> If you have an IP address which happens to meet the conditional statement, 
> the first 14 characters of the log will be stripped (and cause "No decoder 
> matched"). 
>
> You can modify the following code so there won't be false positives:
>     /* Checking for squid date format
>      * 1140804070.368  11623
>      * seconds from 00:00:00 1970-01-01 UTC
>      */
>     else if((loglen > 32) &&
>             (pieces[0] == '1') &&
>             (pieces[10] == '.') &&
>             (pieces[14] == ' ') &&
>             (isdigit((int)pieces[13])) &&
>             (isdigit((int)pieces[1])) &&
>             ((pieces[21] == ' ')||(pieces[22] == ' ')))
>     {
>         lf->log+=14;
>
>
> On Thursday, December 27, 2012 12:10:46 PM UTC-8, Ryan Schulze wrote:
>>
>> I stumbled across a weird phenomenon today. I noticed that some of my 
>> apache logs were being decoded as syslogs. 
>>
>> As far as I can tell, if the 1st, 3rd and 4th octet of the IP are 
>> three-digit and the 2nd octet is two-digit AND apache logged a username 
>> (e.g. due to .htaccess) then ossec doesn't decode it as web-accesslog. 
>>
>> Tests were done with a fresh install of ossec 2.7 on ubuntu 12.04, no 
>> local decoder or rules. 
>>
>> I can replicate the problem with the following two lines: 
>>
>> 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
>> 200 20 "somereferrer" "somebrowser" 
>> No decoder matched 
>>
>> 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
>> HTTP/1.1" 200 20 "somereferrer" "somebrowser" 
>> decoder: 'web-accesslog' 
>>
>> 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
>> 200 20 "somereferrer" "somebrowser" 
>> decoder: 'web-accesslog' 
>>
>>
>> Does anyone have an idea where I would fix this? (which part of the 
>> source tree will I have to look at for the decoder regex logic)? 
>>
>> logs: 
>> > rtest:~# /var/ossec/bin/ossec-logtest 
>> > 2012/12/27 21:05:08 ossec-testrule: INFO: Reading local decoder file. 
>> > 2012/12/27 21:05:08 ossec-testrule: INFO: Started (pid: 17574). 
>> > ossec-testrule: Type one log per line. 
>> > 
>> > 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
>> > HTTP/1.1" 200 20 "somereferrer" "somebrowser" 
>> > 
>> > 
>> > **Phase 1: Completed pre-decoding. 
>> >        full event: '111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] 
>> > "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>> >        hostname: 'rtest' 
>> >        program_name: '(null)' 
>> >        log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
>> > 200 20 "somereferrer" "somebrowser"' 
>> > 
>> > **Phase 2: Completed decoding. 
>> >        No decoder matched. 
>> > 
>> > 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
>> > HTTP/1.1" 200 20 "somereferrer" "somebrowser" 
>> > 
>> > 
>> > **Phase 1: Completed pre-decoding. 
>> >        full event: '111.222.111.111 - test [26/Dec/2012:17:51:27 
>> > +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>> >        hostname: 'rtest' 
>> >        program_name: '(null)' 
>> >        log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST 
>> > /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>> > 
>> > **Phase 2: Completed decoding. 
>> >        decoder: 'web-accesslog' 
>> >        srcip: '111.222.111.111' 
>> >        url: '/api/' 
>> >        id: '200' 
>> > 
>> > **Phase 3: Completed filtering (rules). 
>> >        Rule id: '31108' 
>> >        Level: '0' 
>> >        Description: 'Ignored URLs (simple queries).' 
>> > 
>> > 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
>> > 200 20 "somereferrer" "somebrowser" 
>> > 
>> > 
>> > **Phase 1: Completed pre-decoding. 
>> >        full event: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] 
>> > "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>> >        hostname: 'rtest' 
>> >        program_name: '(null)' 
>> >        log: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST 
>> > /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>> > 
>> > **Phase 2: Completed decoding. 
>> >        decoder: 'web-accesslog' 
>> >        srcip: '111.22.111.111' 
>> >        url: '/api/' 
>> >        id: '200' 
>> > 
>> > **Phase 3: Completed filtering (rules). 
>> >        Rule id: '31108' 
>> >        Level: '0' 
>> >        Description: 'Ignored URLs (simple queries).' 
>>
>>
06 src/analysisd/cleanevent.c
--- a/src/analysisd/cleanevent.c        Thu Dec 27 12:15:18 2012 -0500
+++ b/src/analysisd/cleanevent.c        Fri Jan 11 14:12:27 2013 -0800
@@ -492,10 +492,12 @@
      */
     else if((loglen > 32) &&
             (pieces[0] == '1') &&
+            (isdigit((int)pieces[1])) &&
+            (isdigit((int)pieces[2])) &&
+            (isdigit((int)pieces[3])) &&
             (pieces[10] == '.') &&
+            (isdigit((int)pieces[13])) &&
             (pieces[14] == ' ') &&
-            (isdigit((int)pieces[13])) &&
-            (isdigit((int)pieces[1])) &&
             ((pieces[21] == ' ')||(pieces[22] == ' ')))
     {
         lf->log+=14;
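Review bot: the added isdigit() tests on pieces[1], pieces[2] and pieces[3] rule out every dotted-quad IPv4 address (at most three digits can precede the first '.'), which covers the reported line, but pieces[4..9], pieces[11] and pieces[12] are still never examined, so this remains a spot check of a few positions rather than a test of the full "ten digits, '.', three digits, space" shape of a squid timestamp; checking each of those positions with isdigit() in a short loop would close the remaining gap. Separately, `(isdigit((int)pieces[1]))` and the other casts are undefined behaviour when the byte is negative (any value above 0x7F on a platform with signed char), so cast through `(unsigned char)` rather than `(int)`.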

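The squid-timestamp check discussed in this thread, written out as an added example that is not OSSEC's own code: the original condition and the patched one side by side, run on the failing line from the report. The space-skipping after the 14-byte skip is an assumption made so the result matches the "log:" line in the report.

```c
/* Added example, not OSSEC's own code: the squid-timestamp heuristic from
 * analysisd/cleanevent.c before and after the patch, run on the report's line. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Original check: 1 means the heuristic fires and lf->log skips 14 bytes.
 * The (unsigned char) cast keeps isdigit() defined for every byte value. */
static int squid_check_orig(const char *pieces)
{
    return (strlen(pieces) > 32) && (pieces[0] == '1') &&
           (pieces[10] == '.') && (pieces[14] == ' ') &&
           isdigit((unsigned char)pieces[13]) &&
           isdigit((unsigned char)pieces[1]) &&
           ((pieces[21] == ' ') || (pieces[22] == ' '));
}

/* Patched check: pieces[1..3] must be digits too, which the first four
 * bytes of a dotted-quad IPv4 address can never all be. */
static int squid_check_patched(const char *pieces)
{
    return (strlen(pieces) > 32) && (pieces[0] == '1') &&
           isdigit((unsigned char)pieces[1]) &&
           isdigit((unsigned char)pieces[2]) &&
           isdigit((unsigned char)pieces[3]) &&
           (pieces[10] == '.') && isdigit((unsigned char)pieces[13]) &&
           (pieces[14] == ' ') &&
           ((pieces[21] == ' ') || (pieces[22] == ' '));
}

/* What the decoders see: 14 bytes skipped when the check fires, then any
 * spaces (assumed cleanup after lf->log += 14, matching the "log:" line). */
static const char *log_after_check(const char *log, int (*check)(const char *))
{
    if (!check(log))
        return log;
    for (log += 14; *log == ' '; log++)
        ;
    return log;
}

int main(void)
{
    /* The failing line from the report, with a username after the IP. */
    const char *apache = "111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "
                         "\"POST /api/ HTTP/1.1\" 200 20 \"somereferrer\" \"somebrowser\"";
    printf("orig=%d patched=%d log='%s'\n", squid_check_orig(apache),
           squid_check_patched(apache), log_after_check(apache, squid_check_orig));
    return 0;
}
```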