This patch has been committed and will be included in the next release.
If you cannot wait, you can get the latest
from https://bitbucket.org/jbcheng/ossec-hids/get/tip.tar.gz.

On Monday, January 14, 2013 9:07:44 AM UTC-8, Ryan Schulze wrote:
>
>  
> Awesome, thanks for the patch. 
> I tried it out on our test servers, and then bumped it to our live servers. 
> No problems, no side effects. Looks good :-)
>
>
>
> On 1/11/2013 4:18 PM, Jb Cheng wrote: 
>
> Try the attached patch which modifies analysisd/cleanevent.c and report 
> back. Thanks!
>
> On Friday, January 11, 2013 2:04:05 PM UTC-8, Jb Cheng wrote: 
>>
>> Found the root cause at "analysisd/cleanevent.c". 
>> If you have an IP address which happens to meet the conditional 
>> statement, the first 14 characters of the log will be stripped (and cause 
>> "No decoder matched"). 
>>
>>  You can modify the following code so there won't be false positives:
>>     /* Checking for squid date format
>>      * 1140804070.368  11623
>>      * seconds from 00:00:00 1970-01-01 UTC
>>      */
>>     else if((loglen > 32) &&
>>             (pieces[0] == '1') &&
>>             (pieces[10] == '.') &&
>>             (pieces[14] == ' ') &&
>>             (isdigit((int)pieces[13])) &&
>>             (isdigit((int)pieces[1])) &&
>>             ((pieces[21] == ' ')||(pieces[22] == ' ')))
>>     {
>>         lf->log+=14;
>>
>>  
>>  On Thursday, December 27, 2012 12:10:46 PM UTC-8, Ryan Schulze wrote: 
>>>
>>> I stumbled across a weird phenomenon today. I noticed that some of my 
>>> apache logs were being decoded as syslogs. 
>>>
>>> As far as I can tell, if the 1st, 3rd and 4th octet of the IP are 
>>> three-digit and the 2nd octet is two-digit AND apache logged a username 
>>> (e.g. due to .htaccess) then ossec doesn't decode it as web-accesslog. 
>>>
>>> Tests were done with a fresh install of ossec 2.7 on ubuntu 12.04, no 
>>> local decoder or rules. 
>>>
>>> I can replicate the problem with the following two lines: 
>>>
>>> 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
>>> 200 20 "somereferrer" "somebrowser" 
>>> No decoder matched 
>>>
>>> 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
>>> HTTP/1.1" 200 20 "somereferrer" "somebrowser" 
>>> decoder: 'web-accesslog' 
>>>
>>> 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
>>> 200 20 "somereferrer" "somebrowser" 
>>> decoder: 'web-accesslog' 
>>>
>>>
>>> Does anyone have an idea where I would fix this? (which part of the 
>>> source tree will I have to look at for the decoder regex logic)? 
>>>
>>> logs: 
>>> > rtest:~# /var/ossec/bin/ossec-logtest 
>>> > 2012/12/27 21:05:08 ossec-testrule: INFO: Reading local decoder file. 
>>> > 2012/12/27 21:05:08 ossec-testrule: INFO: Started (pid: 17574). 
>>> > ossec-testrule: Type one log per line. 
>>> > 
>>> > 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
>>> > HTTP/1.1" 200 20 "somereferrer" "somebrowser" 
>>> > 
>>> > 
>>> > **Phase 1: Completed pre-decoding. 
>>> >        full event: '111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] 
>>> > "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>>> >        hostname: 'rtest' 
>>> >        program_name: '(null)' 
>>> >        log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
>>> > 200 20 "somereferrer" "somebrowser"' 
>>> > 
>>> > **Phase 2: Completed decoding. 
>>> >        No decoder matched. 
>>> > 
>>> > 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
>>> > HTTP/1.1" 200 20 "somereferrer" "somebrowser" 
>>> > 
>>> > 
>>> > **Phase 1: Completed pre-decoding. 
>>> >        full event: '111.222.111.111 - test [26/Dec/2012:17:51:27 
>>> > +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>>> >        hostname: 'rtest' 
>>> >        program_name: '(null)' 
>>> >        log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST 
>>> > /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>>> > 
>>> > **Phase 2: Completed decoding. 
>>> >        decoder: 'web-accesslog' 
>>> >        srcip: '111.222.111.111' 
>>> >        url: '/api/' 
>>> >        id: '200' 
>>> > 
>>> > **Phase 3: Completed filtering (rules). 
>>> >        Rule id: '31108' 
>>> >        Level: '0' 
>>> >        Description: 'Ignored URLs (simple queries).' 
>>> > 
>>> > 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
>>> > 200 20 "somereferrer" "somebrowser" 
>>> > 
>>> > 
>>> > **Phase 1: Completed pre-decoding. 
>>> >        full event: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] 
>>> > "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>>> >        hostname: 'rtest' 
>>> >        program_name: '(null)' 
>>> >        log: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST 
>>> > /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
>>> > 
>>> > **Phase 2: Completed decoding. 
>>> >        decoder: 'web-accesslog' 
>>> >        srcip: '111.22.111.111' 
>>> >        url: '/api/' 
>>> >        id: '200' 
>>> > 
>>> > **Phase 3: Completed filtering (rules). 
>>> >        Rule id: '31108' 
>>> >        Level: '0' 
>>> >        Description: 'Ignored URLs (simple queries).' 
>>>
>>>   
>  

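An added example, not code from this thread or from OSSEC: a stand-alone C program that applies the cleanevent.c condition quoted above to the three apache lines from the report and to one constructed squid line, and beside it a stricter check (my own assumption for illustration, not the patch that was committed) that requires all ten epoch digits, which the dotted octets of an IPv4 address can never satisfy.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The condition quoted from analysisd/cleanevent.c: returns 1 when the line
 * would be taken for a squid timestamp and lose its first 14 characters. */
int squid_date_heuristic_orig(const char *pieces)
{
    size_t loglen = strlen(pieces);
    return (loglen > 32) &&
           (pieces[0] == '1') &&
           (pieces[10] == '.') &&
           (pieces[14] == ' ') &&
           isdigit((unsigned char)pieces[13]) &&
           isdigit((unsigned char)pieces[1]) &&
           ((pieces[21] == ' ') || (pieces[22] == ' '));
}

/* Stricter variant (an assumption for illustration, not the upstream patch):
 * require all ten epoch digits and all three fractional digits, so the dots
 * of an IPv4 address can never satisfy it. */
int squid_date_heuristic_strict(const char *log)
{
    size_t i;
    if (strlen(log) <= 32 || log[10] != '.' || log[14] != ' ')
        return 0;
    for (i = 0; i < 10; i++)
        if (!isdigit((unsigned char)log[i])) return 0;
    for (i = 11; i < 14; i++)
        if (!isdigit((unsigned char)log[i])) return 0;
    return (log[21] == ' ') || (log[22] == ' ');
}

/* Constructed samples: the three apache lines from the report plus one
 * squid native-format line built from the comment in cleanevent.c. */
static const char *samples[] = {
    "111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] \"POST /api/ HTTP/1.1\" 200 20 \"somereferrer\" \"somebrowser\"",
    "111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] \"POST /api/ HTTP/1.1\" 200 20 \"somereferrer\" \"somebrowser\"",
    "111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] \"POST /api/ HTTP/1.1\" 200 20 \"somereferrer\" \"somebrowser\"",
    "1140804070.368  11623 192.168.1.1 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/1.2.3.4 text/html",
};

int main(void)
{
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("orig=%d strict=%d  %.30s...\n",
               squid_date_heuristic_orig(samples[n]),
               squid_date_heuristic_strict(samples[n]), samples[n]);
    return 0;
}
```

Only the first apache line (three-digit first octet, two-digit second octet, and a username so that byte 21 is a space) trips the original check; the squid line passes both.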