On Thu, Feb 20, 2014 at 3:35 PM, Julien T <[email protected]> wrote:
>
> On Thursday, February 20, 2014 14:02:59 UTC-5, dan (ddpbsd) wrote:
>> OSSEC has its own regex syntax. It's not very deep, but there is some
>> documentation on the site.
>
> ok
>
>>> * reference usb device
>>> Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier (non-unique):
>>> 574343344530333937339999 0x1058 0x1230 0x1050, 2
>>>
>>> <decoder name="kernel">
>>>   <program_name>^kernel</program_name>
>>> </decoder>
>>>
>> Just use the iptables decoder. It already matches.
>
> ok. But I would think for the future, kernel (be it linux, darwin, bsd or
> whatever) would be more appropriate. Tagging a rule w iptables on something
> other than linux can be confusing at first.
>

We thought the same thing a few years ago too, but decided that backwards
compatibility was more important.

>>> In all those cases, I didn't manage to get ossec-logtest to match and
>>> don't understand why. Any help?
>>
>> Without seeing the ossec-logtest output I can't be of much help (and
>> of course I can't run it right now).
>
> Here we are for the first and second example:
>
>>>>
> /opt/local/var/ossec/bin/ossec-logtest -v 2>&1

Verbose mode isn't necessary. O_o

> 2014/02/20 15:19:23 ossec-testrule: INFO: Reading decoder file /opt/local/var/ossec/etc/decoder.xml.
> 2014/02/20 15:19:23 ossec-testrule: INFO: Reading decoder file /opt/local/var/ossec/etc/decoder_local_mac.xml.
> 2014/02/20 15:19:23 ossec-testrule: INFO: Started (pid: 68920).
> ossec-testrule: Type one log per line.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier (non-unique): 574343344530333937333935 0x1058 0x1230 0x1050, 2'
>        hostname: 'HOST'
>        program_name: 'kernel'
>        log: 'USBMSC Identifier (non-unique): 574343344530333937333935 0x1058 0x1230 0x1050, 2'
> [SNIP]
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 20 11:20:36 HOST Google Chrome Helper[59050]: Process unable to create connection because the sandbox denied the right to lookup com.apple.coreservices.launchservicesd and so this process cannot talk to launchservicesd.'
>        hostname: 'HOST'
>        program_name: '(null)'
>        log: 'Google Chrome Helper[59050]: Process unable to create connection because the sandbox denied the right to lookup com.apple.coreservices.launchservicesd and so this process cannot talk to launchservicesd.'
> [SNIP]
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
> <<<

This will have to wait until I have some free time tonight.

> There is no decoder matching as described in the doc:
> http://www.ossec.net/doc/manual/rules-decoders/create-custom.html
> so obviously rules don't either.
> Looking at other syslog_rules, I'm adding on mine '<if_sid>5100</if_sid>'
> but it doesn't change a thing. Also maybe better to use <match> instead of
> <regex> if we don't extract data? But in this case how do we escape the PID
> in case of a non-recognized program_name (space), just a '[*]'?
>
>> I tried googling to find more information on macos, but was unable to
>> do so. Is it a Linux distro? Do you have a link?
>
> Macos = Mac OS = OS X = Mac = Darwin = Apple = http://www.apple.com/osx/
>

Oh ok, sorry. I was distracted so I didn't put too much thought into that.
Seems silly of me. I haven't ever seen it called that, usually "OS X" or
"Mac OS."

The reason you don't see many decoders/rules for it is because OS X users
don't give us rules or decoders. I don't know if any of the developers run
OS X, but I know I have no need for it.

> Thanks.
> Cheers,
>
> Julien

--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
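The two lines Julien fed to ossec-logtest above, handled end to end as an added example (my own, not from this thread nor from OSSEC's shipped decoder.xml): a child of the stock iptables decoder for the kernel line, which dan notes already claims program_name ^kernel, and a prematch-only decoder for the program name that contains spaces. Decoder names, rule ids 100100/100101 and the field choices are assumptions; it expects an otherwise unmodified decoder.xml.

```xml
<!-- local_decoder.xml (added example; names are my own choices) -->

<!-- Case 1: the kernel line. Pre-decoding gives program_name 'kernel' and
     log 'USBMSC Identifier (non-unique): 5743... 0x1058 0x1230 0x1050, 2'.
     The stock iptables decoder already owns program_name ^kernel, so this
     is a child of it that pulls out the serial, vendor id and product id
     (\S+ is "one or more non-space characters" in OSSEC regex syntax). -->
<decoder name="darwin-usbmsc">
  <parent>iptables</parent>
  <prematch>^USBMSC Identifier </prematch>
  <regex offset="after_prematch">^\S+ (\S+) (\S+) (\S+) </regex>
  <order>id, data, extra_data</order>
</decoder>

<!-- Case 2: a program name with spaces. The pre-decoder leaves program_name
     as '(null)' and the whole text, PID included, in log, so a top-level
     decoder just prematches the literal prefix; the '[59050]' never has
     to be escaped or matched at all. -->
<decoder name="darwin-sandbox">
  <prematch>^Google Chrome Helper</prematch>
</decoder>

<!-- local_rules.xml -->
<group name="local,darwin,">
  <!-- A child decoder is reported under its parent's name, so the
       kernel line is still "decoded as" iptables; <match> on the log
       text tells the USB message apart from real firewall events. -->
  <rule id="100100" level="5">
    <decoded_as>iptables</decoded_as>
    <match>USBMSC Identifier</match>
    <description>OS X: USB mass storage device attached.</description>
  </rule>

  <rule id="100101" level="3">
    <decoded_as>darwin-sandbox</decoded_as>
    <match>sandbox denied</match>
    <description>OS X: application sandbox denied an operation.</description>
  </rule>
</group>
```

Feeding both lines to ossec-logtest again is the check: phase 2 should list the decoded fields above, and phase 3 should pick the new rule ids rather than the catch-all 1002.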
