On Thu, Feb 20, 2014 at 1:48 PM, Julien T <[email protected]> wrote:
> Hello,
>
> I'm testing ossec (2.7.1) on Macos (Mavericks) and I'm trying to customize
> configuration but most of my decoder/rules don't match.
> Some because there is space in program_name (like 'Google Chrome Helper')
> which is not supported
> (https://groups.google.com/forum/#!topic/ossec-dev/_yD5W-axGG0), some for
> unknown reason.
> Outside of ossec-logtest, is there a way to validate regexp? What kind of
> regexp is it? perl/sed/php/pcre/... ? It seems to complain every time I'm
> escaping '()' into '\(\)' (escaping '[]' seems ok).
>

OSSEC has its own regex syntax. It's not very deep, but there is some documentation on the site.

> I'm taking three examples
>
> * reference usb device
> Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier (non-unique): 574343344530333937339999 0x1058 0x1230 0x1050, 2
>
> <decoder name="kernel">
>   <program_name>^kernel</program_name>
> </decoder>
>

Just use the iptables decoder. It already matches.

> <decoder name="usb-insert">
>   <parent>kernel</parent>
>   <prematch>USBMSC Identifier</prematch>
>   <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex>
>   <!-- Note: not sure why, but get 'decode-xml: Wrong field ' devicerelease'
>        in the order of decoder 'usb-insert''
>   <order>serialid, vendorid, productid, devicerelease,</order>
>   -->
>   <order>serialid, vendorid, productid</order>
> </decoder>
>
> * some chrome noise
> Feb 20 11:20:36 HOST Google Chrome Helper[59050]: Process unable to create connection because the sandbox denied the right to lookup com.apple.coreservices.launchservicesd and so this process cannot talk to launchservicesd.
>
> <decoder name="chrome">
>   <!-- Note: not supported (program_name w space):
>        https://groups.google.com/forum/#!topic/ossec-dev/_yD5W-axGG0
>   <program_name>Google Chrome Helper</program_name>
>   <prematch>^Google Chrome Helper</prematch>
>   -->
>   <prematch>^Google</prematch>
> </decoder>
>
> <decoder name="unable-create-connection">
>   <parent>chrome</parent>
>   <prematch>Process unable to create connection because the sandbox denied the right to lookup</prematch>
> </decoder>
>
> * some Preview noise
> Feb 20 10:51:20 HOST Preview[33917]: It does not make sense to draw an image when [NSGraphicsContext currentContext] is nil. This is a programming error. Break on void _NSWarnForDrawingImageWithNoCurrentContext() to debug. This will be logged only once. This may break in the future.
>
> <decoder name="preview">
>   <program_name>Preview</program_name>
> </decoder>
>
> <!--
> <decoder name="no-draw-image">
>   <parent>preview</parent>
>   <prematch>It does not make sense to draw an image when [NSGraphicsContext currentContext] is nil. This is a programming error. Break on void _NSWarnForDrawingImageWithNoCurrentContext() to debug. This will be logged only once. This may break in the future.</prematch>
>   <prematch>It does not make sense to draw an image when</prematch>
>   <regex>It does not make sense to draw an image when</regex>
> </decoder>
> -->
>
> In all those cases, I didn't manage to get ossec-logtest to match and don't
> understand why. Any help?
>

Without seeing the ossec-logtest output I can't be of much help (and of course I can't run it right now).

> On a more general note, I'm surprised to see that there are not many
> decoders/rules for macos either included in ossec or shared by the
> community. There are some installation tutorials but no public real-life
> deployment as far as I've seen. Or is there any place/repository to find
> some?
>

I tried googling to find more information on macos, but was unable to do so. Is it a Linux distro? Do you have a link?

> Thanks a lot.
> Cheers,
>
> Julien
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
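A way to exercise a decoder's prematch/regex against a captured message body without ossec-logtest, as an added Python example that is not from the thread or the OSSEC project: it translates OSSEC's documented regex atoms (\S, \d, \w, \s, \. and friends) into Python re as an approximation (assumption: OSSEC's own engine may differ on edge cases such as escaped parentheses), runs the usb-insert decoder quoted above over its kernel log body, and rejects a program_name containing a space, the 2.7 limitation the thread mentions.

```python
import re
import xml.etree.ElementTree as ET

# Approximation of OSSEC's documented regex atoms in Python re (assumption:
# this covers the subset used in the thread; OSSEC's engine is its own).
OSSEC_ATOMS = {
    r"\S": r"\S", r"\d": r"\d", r"\D": r"\D", r"\s": r" ", r"\t": r"\t",
    r"\.": r".", r"\w": r"[A-Za-z0-9@_\-]", r"\W": r"[^A-Za-z0-9@_\-]",
}

def ossec_to_python(pattern):
    """Translate an OSSEC <regex>/<prematch> string into a Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_ATOMS.get(pattern[i:i + 2], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "()+*^$|" else re.escape(c))  # same meaning in both engines
            i += 1
    return "".join(out)

def decode(decoder_xml, log_body):
    """Run one child decoder over a message body; returns the field dict or None."""
    dec = ET.fromstring(decoder_xml)
    pn = dec.findtext("program_name")
    if pn and " " in pn:
        raise ValueError("program_name with spaces is not supported by OSSEC 2.7")
    pre = re.search(ossec_to_python(dec.findtext("prematch")), log_body)
    if not pre:
        return None
    rx = dec.find("regex")
    rest = log_body[pre.end():] if rx.get("offset") == "after_prematch" else log_body
    m = re.search(ossec_to_python(rx.text), rest)
    if not m:
        return None
    names = [f.strip() for f in dec.findtext("order").split(",") if f.strip()]
    return dict(zip(names, m.groups()))

# Constructed sample: the usb-insert decoder from the thread (raw string so \S survives).
USB_DECODER = r"""<decoder name="usb-insert">
  <parent>kernel</parent>
  <prematch>USBMSC Identifier</prematch>
  <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex>
  <order>serialid, vendorid, productid</order>
</decoder>"""
# Message body of the thread's kernel line, i.e. what follows "kernel[0]: ".
USB_BODY = "USBMSC Identifier (non-unique): 574343344530333937339999 0x1058 0x1230 0x1050, 2"
```

Only three names are listed in order, so the fourth captured group (the device release) is dropped, which is why the thread's working decoder extracts three fields.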
