I'm new to OSSEC and just got my test environment set up as documented in the v2.7.0 manual. However, I'm encountering a problem when trying to get a custom-built decoder and rules working according to the manual. It appears to me that the custom-built decoder and rules were not consulted when the tests were run. Below are the details:
[root@centos1 etc]# cat local_decoder.xml
<decoder name="forcefield">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \w+ ForceField</prematch>
</decoder>

[root@centos1 etc]# vi local_decoder.xml
[root@centos1 etc]# cat local_decoder.xml
<decoder name="forcefield">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \w+ ForceField</prematch>
</decoder>

<decoder name="forcefield-alert">
  <parent>forcefield</parent>
  <regex offset="after_parent">IP:(\d+.\d+.\d+.\d+)@(\w+): (forcefield \w+); (\.*)</regex>
  <order>srcip,url,action,extra_data</order>
</decoder>

[root@centos1 rules]# cat local_rules.xml
<!-- @(#) $Id: ./etc/rules/local_rules.xml, 2011/09/08 dcid Exp $
  -  Example of local rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->

<!-- Modify it at your will. -->

<group name="local,syslog,">

  <!-- Note that rule id 5711 is defined at the ssh_rules file
    -  as a ssh failed login. This is just an example
    -  since ip 1.1.1.1 shouldn't be used anywhere.
    -  Level 0 means ignore.
    -->
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 1.1.1.1.</description>
  </rule>

  <!-- This example will ignore ssh failed logins for the user name XYZABC. -->
  <!--
  <rule id="100020" level="0">
    <if_sid>5711</if_sid>
    <user>XYZABC</user>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins for user XYZABC.</description>
  </rule>
  -->

  <!-- Specify here a list of rules to ignore. -->
  <!--
  <rule id="100030" level="0">
    <if_sid>12345, 23456, xyz, abc</if_sid>
    <description>List of rules to be ignored.</description>
  </rule>
  -->

</group> <!-- SYSLOG,LOCAL -->

<!-- EOF -->

[root@centos1 bin]# /opt/ossec/bin/ossec-logtest
2013/10/17 10:25:30 ossec-testrule: INFO: Reading local decoder file.
2013/10/17 10:25:30 ossec-testrule: INFO: Started (pid: 32526).
ossec-testrule: Type one log per line.

2010-09-25 15:28:42 WARN ForceField IP:127.0.0.1@script_x: forcefield on; enabled forcefield

**Phase 1: Completed pre-decoding.
       full event: '2010-09-25 15:28:42 WARN ForceField IP:127.0.0.1@script_x: forcefield on; enabled forcefield'
       hostname: 'centos1'
       program_name: '(null)'
       log: '2010-09-25 15:28:42 WARN ForceField IP:127.0.0.1@script_x: forcefield on; enabled forcefield'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
       Rule id: '2900'
       Level: '0'
       Description: 'Dpkg (Debian Package) log.'

2010-09-25 15:28:42 WARN ForceField IP:127.0.0.1@script_x: forcefield on; enabled forcefield arbitrarily!

**Phase 1: Completed pre-decoding.
       full event: '2010-09-25 15:28:42 WARN ForceField IP:127.0.0.1@script_x: forcefield on; enabled forcefield arbitrarily!'
       hostname: 'centos1'
       program_name: '(null)'
       log: '2010-09-25 15:28:42 WARN ForceField IP:127.0.0.1@script_x: forcefield on; enabled forcefield arbitrarily!'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
       Rule id: '2900'
       Level: '0'
       Description: 'Dpkg (Debian Package) log.'

The running OS is CentOS 6.4 and the OSSEC version is 2.7, the latest. The path of the custom decoder is /opt/ossec/etc/local_decoder.xml and the add-on rules were added into /opt/ossec/rules/local_rules.xml. I'll highly appreciate it if someone can help by pointing me in the right direction and/or providing me with working examples. Thanks!

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
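The ossec-logtest output above shows the stock 'windows-date-format' decoder claiming the event in Phase 2 rather than the 'forcefield' decoder from local_decoder.xml. A separate question from "which decoder wins" is whether the custom prematch and child regex would match the line at all. The script below is an added example, not part of the original post or of OSSEC: it approximates OSSEC's OS_Regex syntax in Python (the character-class mapping, in particular that `\.` means "any character" and a bare `.` is a literal dot, is an assumption taken from the OSSEC regex documentation, not the OSSEC engine itself), applies the poster's two decoders with offset="after_parent" semantics, and reports the fields the <order> element would populate. The sshd line is a constructed non-matching sample.

```python
import re

# Mapping of OSSEC OS_Regex character classes to Python re equivalents.
# Assumed from the OSSEC regex syntax docs; an approximation, not OSSEC's engine.
OS_REGEX_CLASSES = {
    "w": "[A-Za-z0-9_@-]",      # \w  letters, digits, '_', '@', '-'
    "d": "[0-9]",               # \d  digits
    "s": " ",                   # \s  a single space
    "t": "\t",                  # \t  a tab
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # \p  punctuation
    "W": "[^A-Za-z0-9_@-]",     # \W  anything but \w
    "D": "[^0-9]",              # \D  anything but a digit
    "S": "[^ ]",                # \S  anything but a space
    ".": ".",                   # \.  any character (a bare '.' is a literal dot)
}


def os_regex_to_python(pattern: str) -> str:
    """Translate an OS_Regex pattern into Python re syntax (approximate)."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Known class -> mapped class; anything else is an escaped literal.
            out.append(OS_REGEX_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in "^$|()+*":
            out.append(c)          # same meaning in both syntaxes
        elif c == ".":
            out.append(r"\.")      # bare dot is a literal dot in OS_Regex
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


# The two decoders exactly as written in the post's local_decoder.xml.
PARENT_DECODER = {
    "name": "forcefield",
    "prematch": r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \w+ ForceField",
}
CHILD_DECODER = {
    "name": "forcefield-alert",
    "parent": "forcefield",
    "regex": r"IP:(\d+.\d+.\d+.\d+)@(\w+): (forcefield \w+); (\.*)",
    "order": ["srcip", "url", "action", "extra_data"],
}


def decode_event(log: str, parent=PARENT_DECODER, child=CHILD_DECODER):
    """Emulate a parent <prematch> followed by a child <regex offset="after_parent">.

    Returns None when the parent prematch does not match; otherwise a dict with
    the parent decoder name plus any fields the child regex extracted, keyed by
    the child's <order> list.
    """
    m = re.search(os_regex_to_python(parent["prematch"]), log)
    if not m:
        return None
    result = {"decoder": parent["name"]}
    # after_parent: the child regex is searched only in the text after the
    # prematch ended.
    remainder = log[m.end():]
    m2 = re.search(os_regex_to_python(child["regex"]), remainder)
    if m2:
        result.update(zip(child["order"], m2.groups()))
    return result


# Sample events: the two lines typed into ossec-logtest in the post, plus one
# constructed sshd line that the forcefield prematch must not match.
SAMPLE_LOGS = [
    "2010-09-25 15:28:42 WARN ForceField IP:127.0.0.1@script_x: forcefield on; enabled forcefield",
    "2010-09-25 15:28:42 WARN ForceField IP:127.0.0.1@script_x: forcefield on; enabled forcefield arbitrarily!",
    "Oct 17 10:25:30 centos1 sshd[2201]: Failed password for root from 10.0.0.5 port 51022 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line)
        print("  ->", decode_event(line))
```

Running it confirms that both ForceField lines satisfy the prematch and that the child regex yields srcip 127.0.0.1, url script_x, action "forcefield on" and the trailing text as extra_data, so the expressions themselves are not the reason logtest reports 'windows-date-format'. Note also that the local_rules.xml shown in the post contains no rule keyed to the forcefield decoder, so even a successful decode would fall through to the stock rules in Phase 3 until such a rule is added.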
