On Feb 21, 2014 1:55 AM, "Julien T" <[email protected]> wrote:
>
>
>
>> > * reference usb device
>> > Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier (non-unique):
>> > 574343344530333937339999 0x1058 0x1230 0x1050, 2
>> >
>> > <decoder name="kernel">
>> >   <program_name>^kernel</program_name>
>> > </decoder>
>> >
>> > <decoder name="usb-insert">
>> >   <parent>kernel</parent>
>> >   <prematch>USBMSC Identifier</prematch>
>> >   <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex>
>> >   <!-- Note: not sure why, but get 'decode-xml: Wrong field ' devicerelease'
>> >   in the order of decoder 'usb-insert''
>> >   <order>serialid, vendorid, productid, devicerelease,</order>
>> >   -->
>> >   <order>serialid, vendorid, productid</order>
>>
>> The above aren't valid field names. I'm not sure what good ones would
>> be for this, so this is very generic:
>>
>> <decoder name="usb-stuff">
>>   <parent>iptables</parent>
>>   <prematch offset="after_parent">^USBMSC Identifier </prematch>
>>   <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+$</regex>
>>   <order>extra_data, extra_data, extra_data, extra_data</order>
>> </decoder>
>
>
> from http://www.ossec.net/doc/manual/rules-decoders/create-custom.html
> "<order>srcip, protocol</order> - Defines what the entries in the regex line are labeled as. The IP address will be labeled as srcip, and the protocol by proto."
>
> So it doesn't give the expression that we need to use specific words, and after that how we label those data to say what it is?
>

What?

> but when checking, I got
>
> # /opt/local/var/ossec/bin/ossec-logtest -v 2>&1 |tee /tmp/logtest
> 2014/02/20 22:57:19 ossec-testrule: INFO: Reading decoder file /opt/local/var/ossec/etc/decoder.xml.
> 2014/02/20 22:57:19 ossec-testrule: INFO: Reading decoder file /opt/local/var/ossec/etc/decoder_local_mac.xml.
> 2014/02/20 22:57:19 decode-xml: Wrong field '' in the order of decoder 'usb-insert'
>
> with
> ===
> <decoder name="usb-insert">
>   <parent>iptables</parent>
>
>   <prematch>USBMSC Identifier</prematch>
>   <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex>
>   <order>extra_data, extra_data, extra_data, extra_data,</order>

You have an extra comma.

> </decoder>
> ===
>
> after more tests, ossec-logtest validates like:
> <order>extra_data, extra_data, extra_data, extra_data,</order> NOK

Extra comma.

> <order>extra_data, extra_data, extra_data, extra_data</order> OK
> <order>serialid, vendorid, productid, devicerelease,</order> NOK
> <order>serialid, vendorid, productid, devicerelease</order> NOK
> <order>serialid, vendorid, productid, extra_data</order> OK
>

I don't think those should work. Serialid and vendorid do not exist.

> but neither the above decoder nor the rules match

The decoder I provided works.

> ===
> <group name="syslog,kernel,">
>   <rule id="110000" level="0">
>     <if_sid>5100</if_sid>
>     <decoded_as>usb-insert</decoded_as>
>     <description>USB device app group.</description>
>   </rule>
>
> </group>
> ===
>
>>
>> > * some chrome noise
>> > Feb 20 11:20:36 HOST Google Chrome Helper[59050]: Process unable to create
>> > connection because the sandbox denied the right to lookup
>> > com.apple.coreservices.launchservicesd and so this process cannot talk to
>> > launchservicesd.
>> >
>> > <decoder name="chrome">
>> >   <!-- Note: not supported (program_name w space):
>> >   https://groups.google.com/forum/#!topic/ossec-dev/_yD5W-axGG0
>> >   <program_name>Google Chrome Helper</program_name>
>> >   <prematch>^Google Chrome Helper</prematch>
>> >   -->
>> >   <prematch>^Google</prematch>
>> > </decoder>
>> >
>> > <decoder name="unable-create-connection">
>> >   <parent>chrome</parent>
>> >   <prematch>Process unable to create connection because the sandbox denied
>> >   the right to lookup</prematch>
>> > </decoder>
>> >
>>
>> This decoder doesn't do anything the chrome decoder doesn't do.
>> Anything that matched "unable-create-connections" will identify as the
>> chrome decoder. Maybe you should create a rule?
>
>
> I do, but the decoder doesn't match. It's just noise I want to ignore, or at least put at a low level.
>
> I tried this
> ===
> <decoder name="chrome">
>   <prematch>^Google</prematch>
> </decoder>
> ===
> with rules
> ===
> <group name="syslog,chrome,">
>   <rule id="120000" level="0">
>     <match>Process unable to create connection because the sandbox denied the right to lookup</match>
>     <description>Google Chrome log noise</description>
>     <options>no_email_alert</options>
>   </rule>
>   <rule id="120001" level="0">
>     <match>CGSLookupServerRootPort: Failed to look up the port for "com.apple.windowserver.active"</match>
>     <description>Google Chrome log noise</description>
>     <options>no_email_alert</options>
>   </rule>
> </group>

These rules do not reference the decoder at all.

> ===
> => Like this, it seems to be working and identified, even if ossec-logtest doesn't give any indication of a phase 2/decoder match as described in the above documentation.
>

I tried with basically the same decoder and it worked perfectly.

>>
>> > * some Preview noise
>> > Feb 20 10:51:20 HOST Preview[33917]: It does not make sense to draw an image
>> > when [NSGraphicsContext currentContext] is nil. This is a programming
>> > error. Break on void _NSWarnForDrawingImageWithNoCurrentContext() to debug.
>> > This will be logged only once. This may break in the future.
>> >
>> > <decoder name="preview">
>> >   <program_name>Preview</program_name>
>> > </decoder>
>> >
>>
>> Maybe this is all you really need? Is there some actionable data in
>> the log message that you want to pull out?
>>
>> > <!--
>> > <decoder name="no-draw-image">
>> >   <parent>preview</parent>
>> >   <prematch>It does not make sense to draw an image when [NSGraphicsContext
>> >   currentContext] is nil. This is a programming error. Break on void
>> >   _NSWarnForDrawingImageWithNoCurrentContext() to debug. This will be logged
>> >   only once. This may break in the future.</prematch>
>> >   <prematch>It does not make sense to draw an image when</prematch>
>> >   <regex>It does not make sense to draw an image when</regex>
>>
>> Regexes need an <order>. They don't really make much sense without one.
>
>
> I got it working like for chrome, with just a program_name decoder and a rule with match this time.
> So those 2 are working.
>
> Just need to make the first one work; the way <order> functions is still a bit confusing.
>
> Thanks a lot Dan!
> Cheers,
>
> Julien
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
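As an added illustration of what decode-xml is objecting to in the usb-insert decoder above (example code written for this page; it is not OSSEC's code and not from either poster), the following Python model applies the decoder to the kernel line quoted in the thread and validates `<order>` against the field names listed in the OSSEC 2.x custom-decoder documentation linked by Julien (assumed here to be the complete list for that release). It rejects every unknown name and a trailing comma's empty name, which follows the documentation rather than the ossec-logtest results reported in the thread, where `serialid, vendorid, productid, extra_data` loaded. The translation of OSSEC's regex dialect to Python's `re` is an assumption that only holds for the few constructs used here.

```python
import re

# Field names that <order> accepts in OSSEC 2.x, taken from the
# create-custom decoder documentation linked in the thread (assumption:
# this is the complete list for the release in use).
VALID_ORDER_FIELDS = frozenset([
    "location", "srcuser", "dstuser", "user", "srcip", "dstip",
    "srcport", "dstport", "protocol", "id", "url", "action", "status",
    "extra_data",
])


def check_order(order, decoder_name):
    """Validate an <order> value as the documentation describes decode-xml doing.

    The value is split on commas and every name must be a known field.  A
    trailing comma yields an empty name, which is the "Wrong field ''"
    complaint seen in the thread.  Returns None when the order is acceptable,
    otherwise the error line decode-xml would log.
    """
    for name in (part.strip() for part in order.split(",")):
        if name not in VALID_ORDER_FIELDS:
            return "decode-xml: Wrong field '%s' in the order of decoder '%s'" % (
                name, decoder_name)
    return None


def decode(log, decoder):
    """Model of a child decoder with <prematch> and <regex offset="after_prematch">.

    decoder is a dict with keys name, prematch, regex and order.  The regex is
    searched only in the text after the prematch hit, and capture group i is
    labelled with <order> entry i.  Returns the decoded fields as a dict, or
    None when prematch or regex does not hit.  Raises ValueError for an
    invalid <order>, since ossec-logtest refuses to load such a decoder.
    OSSEC's regex dialect is not PCRE; this model assumes \\S, \\d, +, $ and
    (...) behave as they do in Python's re module, which holds for the
    patterns in the thread.
    """
    err = check_order(decoder["order"], decoder["name"])
    if err:
        raise ValueError(err)
    fields = [f.strip() for f in decoder["order"].split(",")]

    hit = re.search(decoder["prematch"], log)
    if hit is None:
        return None
    tail = log[hit.end():]                      # offset="after_prematch"
    m = re.search(decoder["regex"], tail)
    if m is None:
        return None
    if len(m.groups()) != len(fields):
        raise ValueError("regex captures %d groups but <order> names %d"
                         % (len(m.groups()), len(fields)))

    decoded = {}
    for name, value in zip(fields, m.groups()):
        # A label may repeat (extra_data four times in the thread).  OSSEC has
        # one slot per field name, so only a single capture survives there;
        # this model keeps every capture under its label so all are visible.
        decoded.setdefault(name, []).append(value)
    return decoded


# The kernel line quoted in the thread.
USB_LOG = ("Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier (non-unique): "
           "574343344530333937339999 0x1058 0x1230 0x1050, 2")

# Dan's generic decoder, without the parent (the model has no parent chain).
USB_DECODER = {
    "name": "usb-insert",
    "prematch": r"USBMSC Identifier",
    "regex": r": (\S+) (\S+) (\S+) (\S+), \d+$",
    "order": "extra_data, extra_data, extra_data, extra_data",
}


def decode_usb_line():
    """Decode the thread's USB line with the working <order>."""
    return decode(USB_LOG, USB_DECODER)


if __name__ == "__main__":
    print(decode_usb_line())
    for order in ("extra_data, extra_data, extra_data, extra_data,",
                  "serialid, vendorid, productid, devicerelease",
                  "serialid, vendorid, productid, extra_data"):
        print("%-50s -> %s" % (order, check_order(order, "usb-insert")))
```

Running it shows the four captures landing under extra_data, the trailing-comma order failing with an empty field name, and both serialid orders failing on the first unknown name. To ask for a specific name such as a vendor id, the decoder has to reuse one of the documented labels and let a rule match on the captured value; `<order>` does not define new names.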
