On Mon, Feb 3, 2014 at 10:58 AM, Sean Jackson <[email protected]> wrote:
> Hope everyone had a good weekend.
>
> I'm wondering if ossec is actually parsing the regex now. Here's what I
> have in decoder.xml:
>
> <decoder name="bash">
>   <prematch>^bash</prematch>
> </decoder>
>
> <decoder name="bash-command">
>   <parent>bash</parent>
>   <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$</regex>
>   <order>user, extra_data, action</order>
> </decoder>
>
> Here are the logs I'm running through logtest (just found out I don't need
> to restart ossec-control to do that, just save decoder.xml):
>
> Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
> Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>
> And then this is what I see in ossec-logtest:
>
> Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>        hostname: 'clu'
>        program_name: '(null)'
>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>
> **Phase 2: Completed decoding.
>        decoder: 'bash'
>
>
> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>        hostname: 'clu'
>        program_name: '(null)'
>        log: 'bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>
> **Phase 2: Completed decoding.
>        decoder: 'bash'
>
>
> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts'
>        hostname: 'clu'
>        program_name: '(null)'
>        log: 'bash update-users[12773] : cat known_hosts'
>
> **Phase 2: Completed decoding.
>        decoder: 'bash'
>
>
> Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>        hostname: 'clu'
>        program_name: '(null)'
>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>
> **Phase 2: Completed decoding.
>        decoder: 'bash'
>
>
> Am I correct that the regex isn't being parsed at all?

Probably not. It's probably being parsed, just not matching for some reason.

> --Sean
>
>
> On Tuesday, January 28, 2014 1:57:21 PM UTC-7, Sean Jackson wrote:
>>
>> Hello all,
>>
>> I'm tracking bash commands through syslogging and the logs look like this:
>>
>> Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION INFO]: [THE BASH COMMAND]
>>
>> The command to save these logs is:
>> PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'
>>
>> The logs are saved thusly (hostnames and IPs edited):
>> Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
>> Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
>> Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com
>>
>> Here's what I'm doing right now, and my mind is telling me that I'm going
>> down the wrong path.
>>
>> <decoder name="bash">
>>   <program_name>^bash</program_name>
>> </decoder>
>>
>> <decoder name="bash-activity">
>>   <parent>bash</parent>
>>   <regex>???</regex>
>> </decoder>
>>
>> Can anyone help me figure out how to get OSSEC watching these logs so I
>> can then create alerts if I see certain commands executed? I want to know
>> the time, the host, the user, the ssh connection info, and then the command.
>>
>> Thank you in advance (and likely afterwards)!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
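Added example (not code from the thread or from OSSEC): a Python stand-in for the decoder being discussed, so the field extraction can be checked outside ossec-logtest. It parses the exact format produced by the PROMPT_COMMAND/logger setup above, including the case where $SSH_CONNECTION is empty (the "update-users[12773] : cat known_hosts" line), and then runs a small command watchlist over the decoded events, which is the alerting the original post asked for. The sample lines are the ones posted in the thread; the watchlist patterns and the field names are assumptions made for the example.

```python
"""Python stand-in for the 'bash-command' decoder discussed in the thread.

Log format, as produced by:
  logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION"
    Mon DD HH:MM:SS host bash USER[PID] CLIENT_IP CLIENT_PORT SERVER_IP SERVER_PORT: COMMAND
When the shell is not an SSH session, $SSH_CONNECTION is empty and the
line degrades to:
    Mon DD HH:MM:SS host bash USER[PID] : COMMAND
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input: the four lines Sean posted, verbatim.
SAMPLE_LINES = [
    "Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config",
    "Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1",
    "Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts",
    "Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop",
]

# Python (PCRE-style) regex; note this is NOT OSSEC's os_regex dialect.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "   # syslog timestamp
    r"(?P<host>\S+) bash "                                    # hostname, then the 'bash' tag
    r"(?P<user>[^\[\s]+)\[(?P<pid>\d+)\] "                    # USER[PID]
    r"(?:(?P<src_ip>\S+) (?P<src_port>\d+) "                  # optional $SSH_CONNECTION ...
    r"(?P<dst_ip>\S+) (?P<dst_port>\d+))?"                    # ... (4 space-separated fields)
    r": (?P<cmd>.*)$"                                         # ': ' then the command
)


class BashEvent(NamedTuple):
    timestamp: str
    hostname: str
    user: str
    pid: int
    ssh_connection: Optional[str]  # "client_ip client_port server_ip server_port" or None
    command: str


def decode(line: str) -> Optional[BashEvent]:
    """Return the decoded event, or None if the line is not a bash audit line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    conn = None
    if m.group("src_ip"):
        conn = " ".join(m.group("src_ip", "src_port", "dst_ip", "dst_port"))
    return BashEvent(m["ts"], m["host"], m["user"], int(m["pid"]), conn, m["cmd"])


# Hypothetical watchlist: rule name -> pattern applied to the decoded command.
WATCHLIST = {
    "firewall stopped": re.compile(r"^(?:service\s+iptables\s+stop|iptables\s+-F)\b"),
    "firewall config edited": re.compile(r"^(?:vim?|nano)\s+/etc/sysconfig/iptables"),
}


def check(event: BashEvent) -> Optional[str]:
    """Return the name of the first watchlist rule the command matches, else None."""
    for name, pattern in WATCHLIST.items():
        if pattern.search(event.command):
            return name
    return None


def alerts(lines: List[str]) -> List[Tuple[str, str, Optional[str], str, str]]:
    """Decode every line and return (host, user, ssh_connection, command, rule) per hit."""
    out = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue  # not our format; a real decoder chain would try the next decoder
        hit = check(ev)
        if hit:
            out.append((ev.hostname, ev.user, ev.ssh_connection, ev.command, hit))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line))
    for hit in alerts(SAMPLE_LINES):
        print("ALERT:", hit)
```

Two things worth checking before carrying a pattern like this back into decoder.xml. First, the ossec-logtest output above shows program_name as '(null)' and the log string starting with "bash root[11132] ...", so the parent prematch ^bash matches at the very start of that string; with offset="after_parent" the child regex is applied to whatever follows the matched prematch, which here begins with the space before the user name, so an anchored ^(\S+) has to account for that. Second, OSSEC's regex syntax is its own dialect, not PCRE: the OSSEC documentation lists \S, \d, \w, \. (any character) and the + and * modifiers, but no [...] character classes, so [\d+] does not mean there what it means in the Python above.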
