On Mon, Feb 3, 2014 at 12:41 PM, Sean Jackson <[email protected]> wrote:
> Wonder of wonders, etc.
>
> I caught that you had a space after the ^bash in the first decoder. I added
> it. Huzzah, it works.
>
> Thank you Dan. Thank you very much.
>

Glad it works. I kind of wish whitespace wasn't as important as it is, but
I don't know if we could do that without losing something in the translation.

> --Sean
>
>
> On Monday, February 3, 2014 10:25:33 AM UTC-7, Sean Jackson wrote:
>>
>> So confusing. I'm doing exactly as you are. I dropped the logs into a
>> file. I *copied and pasted* your decoders. I ran the same command.
>>
>> I'm getting the same response I posted earlier.
>>
>> I'll continue beating my head against it, but if you have any ideas, I'd
>> enjoy some enlightenment.
>>
>>
>> On Monday, February 3, 2014 9:40:07 AM UTC-7, dan (ddpbsd) wrote:
>>>
>>> On Mon, Feb 3, 2014 at 11:25 AM, dan (ddp) <[email protected]> wrote:
>>> > On Mon, Feb 3, 2014 at 10:58 AM, Sean Jackson <[email protected]> wrote:
>>> >> Hope everyone had a good weekend.
>>> >>
>>> >> I'm wondering if ossec is actually parsing the regex now. Here's what
>>> >> I have in decoder.xml:
>>> >>
>>> >> <decoder name="bash">
>>> >>   <prematch>^bash</prematch>
>>> >> </decoder>
>>> >>
>>> >> <decoder name="bash-command">
>>> >>   <parent>bash</parent>
>>> >>   <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$</regex>
>>> >>   <order>user, extra_data, action</order>
>>> >> </decoder>
>>> >>
>>> >> Here are the logs I'm running through logtest (just found out I don't
>>> >> need to restart ossec-control to do that, just save decoder.xml):
>>> >>
>>> >> Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
>>> >> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
>>> >> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
>>> >> Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>>> >>
>>> >> And then this is what I see in ossec-logtest:
>>> >>
>>> >> Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
>>> >>
>>> >> **Phase 1: Completed pre-decoding.
>>> >>        full event: 'Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>>> >>        hostname: 'clu'
>>> >>        program_name: '(null)'
>>> >>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>>> >>
>>> >> **Phase 2: Completed decoding.
>>> >>        decoder: 'bash'
>>> >>
>>> >>
>>> >> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
>>> >>
>>> >> **Phase 1: Completed pre-decoding.
>>> >>        full event: 'Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>>> >>        hostname: 'clu'
>>> >>        program_name: '(null)'
>>> >>        log: 'bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>>> >>
>>> >> **Phase 2: Completed decoding.
>>> >>        decoder: 'bash'
>>> >>
>>> >>
>>> >> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
>>> >>
>>> >> **Phase 1: Completed pre-decoding.
>>> >>        full event: 'Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts'
>>> >>        hostname: 'clu'
>>> >>        program_name: '(null)'
>>> >>        log: 'bash update-users[12773] : cat known_hosts'
>>> >>
>>> >> **Phase 2: Completed decoding.
>>> >>        decoder: 'bash'
>>> >>
>>> >>
>>> >> Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>>> >>
>>> >> **Phase 1: Completed pre-decoding.
>>> >>        full event: 'Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>>> >>        hostname: 'clu'
>>> >>        program_name: '(null)'
>>> >>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>>> >>
>>> >> **Phase 2: Completed decoding.
>>> >>        decoder: 'bash'
>>> >>
>>> >>
>>> >> Am I correct that the regex isn't being parsed at all?
>>> >>
>>> >
>>> > Probably not. It's probably being parsed, just not matching for some
>>> > reason.
>>> >
>>>
>>> What follows will be the log samples I used, the output of
>>> ossec-logtest, and then the decoders in local_decoder.xml:
>>>
>>> # cat /tmp/logsamples
>>> Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
>>> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
>>> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
>>> Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>>>
>>> # cat /tmp/logsamples | /var/ossec/ossec-hybrid/bin/ossec-logtest 2>&1 | more
>>> 2014/02/03 11:39:32 ossec-testrule: INFO: Reading local decoder file.
>>> 2014/02/03 11:39:32 ossec-testrule: INFO: Started (pid: 14749).
>>> ossec-testrule: Type one log per line.
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>>>        hostname: 'clu'
>>>        program_name: '(null)'
>>>        log: 'bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'bash'
>>>        srcuser: 'sjackson'
>>>        extra_data: '10.207.50.143 40313 10.207.53.15'
>>>        extra_data: 'vim /etc/sysconfig/iptables-config'
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>>>        hostname: 'clu'
>>>        program_name: '(null)'
>>>        log: 'bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'bash'
>>>        srcuser: 'root'
>>>        extra_data: '64.55.86.101 15374 10.7.20.28'
>>>        extra_data: 'ssh aws-control1'
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts'
>>>        hostname: 'clu'
>>>        program_name: '(null)'
>>>        log: 'bash update-users[12773] : cat known_hosts'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'bash'
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>>>        hostname: 'clu'
>>>        program_name: '(null)'
>>>        log: 'bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'bash'
>>>        srcuser: 'jtanner'
>>>        extra_data: '10.207.50.143 40313 10.207.53.15'
>>>        extra_data: 'service iptables stop'
>>>
>>>
>>> <decoder name="bash">
>>>   <prematch>^bash </prematch>
>>> </decoder>
>>>
>>> <decoder name="bash2">
>>>   <parent>bash</parent>
>>>   <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$</regex>
>>>   <order>srcuser,extra_data, extra_data</order>
>>> </decoder>
>>>
>>>
>>> >
>>> >> --Sean
>>> >>
>>> >>
>>> >> On Tuesday, January 28, 2014 1:57:21 PM UTC-7, Sean Jackson wrote:
>>> >>>
>>> >>> Hello all,
>>> >>>
>>> >>> I'm tracking bash commands through syslogging and the logs look like this:
>>> >>>
>>> >>> Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION INFO]: [THE BASH COMMAND]
>>> >>>
>>> >>> The command to save these logs is:
>>> >>> PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'
>>> >>>
>>> >>>
>>> >>> The logs are saved thusly (hostnames and IPs edited):
>>> >>> Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
>>> >>> Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
>>> >>> Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com
>>> >>>
>>> >>> Here's what I'm doing right now, and my mind is telling me that I'm
>>> >>> going down the wrong path.
>>> >>>
>>> >>> <decoder name="bash">
>>> >>>   <program_name>^bash</program_name>
>>> >>> </decoder>
>>> >>>
>>> >>> <decoder name="bash-activity">
>>> >>>   <parent>bash</parent>
>>> >>>   <regex>???</regex>
>>> >>> </decoder>
>>> >>>
>>> >>> Can anyone help me figure out how to get OSSEC watching these logs so I
>>> >>> can then create alerts if I see certain commands executed? I want to
>>> >>> know the time, the host, the user, the ssh connection info, and then
>>> >>> the command.
>>> >>>
>>> >>>
>>> >>> Thank you in advance (and likely afterwards)!
>>> >>
>>> >> --
>>> >>
>>> >> ---
>>> >> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> >> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> >> For more options, visit https://groups.google.com/groups/opt_out.
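The trailing space in Dan's `<prematch>` is what makes the child regex line up: with `offset="after_parent"` the regex is anchored right after the prematch text, so `^bash` leaves a leading space that `^(\S+)` cannot consume. Below is an added Python emulation of those two decoder steps over the `log:` strings from the thread; it is not OSSEC's code, and `ossec_to_python` is a hypothetical helper covering only the OS_Regex escapes used in this decoder (`\S`, `\d`, `\.`, literal brackets).

```python
import re

# OS_Regex escapes used in the thread's decoder, mapped to Python regex.
# In OS_Regex only backslash sequences are special: '[' and ']' are literal
# (so "[\d+]" matches "[11132]") and a bare '.' is a literal dot.
_OSSEC_ESCAPES = {"S": r"\S", "s": r"\s", "d": r"\d", "D": r"\D",
                  "w": r"\w", "W": r"\W", ".": "."}

def ossec_to_python(pattern):
    """Hypothetical helper (not OSSEC code): translate the OS_Regex subset
    used on this page into an equivalent Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(re.escape(c) if c in "[]." else c)
            i += 1
    return "".join(out)

def decode(log, prematch, regex, order):
    """Emulate the two steps ossec-logtest shows: the parent's <prematch>
    against the 'log:' field, then the child's <regex> with
    offset="after_parent", i.e. anchored right after the prematch text.
    Returns None if the parent never fires, [] if the child regex fails,
    else (field, value) pairs in <order> (duplicate extra_data is kept)."""
    pm = re.search(ossec_to_python(prematch), log)
    if not pm:
        return None
    rest = log[pm.end():]            # after_parent: everything past the prematch
    m = re.match(ossec_to_python(regex), rest)
    if not m:
        return []
    return list(zip(order, m.groups()))

# 'log:' values exactly as ossec-logtest printed them in the thread
LOG_OK = "bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config"
LOG_NO_SSH = "bash update-users[12773] : cat known_hosts"   # empty $SSH_CONNECTION
REGEX = r"^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$"
ORDER = ("srcuser", "extra_data", "extra_data")

if __name__ == "__main__":
    # Sean's prematch: remainder starts with a space, so only 'decoder: bash' fires
    print("^bash   ->", decode(LOG_OK, "^bash", REGEX, ORDER))
    # Dan's prematch keeps the trailing space, so the child regex lines up
    print("'^bash ' ->", decode(LOG_OK, "^bash ", REGEX, ORDER))
    # No SSH connection info: "(\S+ \d+ \S+) \d+:" has nothing to match
    print("no ssh  ->", decode(LOG_NO_SSH, "^bash ", REGEX, ORDER))
```

The same check explains why the `update-users` line only ever shows `decoder: 'bash'`: a session without `$SSH_CONNECTION` produces `[pid] : command`, which the child regex does not allow for.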
