On Friday, February 21, 2014 02:02:58 UTC-5, dan (ddpbsd) wrote:
>> <decoder name="usb-stuff"> 
>> <parent>iptables</parent> 
>> <prematch offset="after_parent">^USBMSC Identifier </prematch> 
>> <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex> 
>> <order>extra_data, extra_data, extra_data, extra_data</order> 
>> </decoder> 
>
> from http://www.ossec.net/doc/manual/rules-decoders/create-custom.html
> "<order>srcip, protocol</order> - Defines what the entries in the regex 
> line are labeled as. The IP address will be labeled as srcip, and the 
> protocol by proto."
>
> So it doesn't give the expression that we need to use specific words and 
> after how we label those data to say what it is?
> 

What?

=> From the official documentation, I don't read anything saying there is a 
specific dictionary to use to match the regexp. Is it the case, or does the admin 
choose whichever words he wants?


> <order>extra_data, extra_data, extra_data, extra_data</order> OK
> <order>serialid, vendorid, productid, devicerelease,</order> NOK
> <order>serialid, vendorid, productid, devicerelease</order> NOK
> <order>serialid, vendorid, productid, extra_data</order> OK
> 

I don't think those should work. Serialid and vendorid do not exist.

=> the OK rules are validated by ossec-logtest but are not matching the log 
line

> but neither above decoder, nor the rules match 

The decoder I provided works.

=> sadly, not on my setup. And as I don't have 'Phase 2' information, I 
don't know which is at fault, the decoder or the rule below. I only got:
===
**Phase 1: Completed pre-decoding.
full event: 'Feb 14 01:14:54 HOST kernel[0]: USBMSC Identifier 
(non-unique): 574343344530333937333935 0x1058 0x1230 0x1050, 2'
hostname: 'HOST'
program_name: 'kernel'
log: 'USBMSC Identifier (non-unique): 574343344530333937333935 0x1058 
0x1230 0x1050, 2'
===



> ===
> <group name="syslog,kernel,">
> <rule id="110000" level="0">
> <if_sid>5100</if_sid>
> <decoded_as>usb-insert</decoded_as>
> <description>USB device app group.</description>
> </rule>
>
> </group>
> ===

=> as a reminder, 5100 is the rule for kernel/syslog, so if I understand well, 
if it is in 5100 and matches the decoder, it should be recognized, but it is not.


>> > * some chrome noise 
> ===
> <decoder name="chrome">
> <prematch>^Google</prematch>
> </decoder>
> ===
> with rules
> ===
> <group name="syslog,chrome,">
> <rule id="120000" level="0">
> <match>Process unable to create connection because the sandbox denied the 
> right to lookup</match>
> <description>Google Chrome log noise</description>
> <options>no_email_alert</options>
> </rule>
> <rule id="120001" level="0">
> <match>CGSLookupServerRootPort: Failed to look up the port for 
> "com.apple.windowserver.active"</match>
> <description>Google Chrome log noise</description>
> <options>no_email_alert</options>
> </rule>
> </group> 

These rules do not reference the decoder at all.

=> just by the group asking for syslog/chrome subtree. it works.

=> for me, a simple program_name decoder with match rules seems to be OK, but not 
with regex. Example with iTunes:
Feb 21 09:13:11 HOST iTunes[5206]: _send_message (thread 0x1166e0000): 
Could not securely send message size 406: SSL_ERROR_SYSCALL errno (Broken 
pipe).

I just put a program_name decoder for iTunes and the following rules and 
see if logtest validates/matches:
    <match>Could not securely send message size</match> OK/OK
    <regex>_send_message \(thread 0x[0-9a-f]+\): Could not securely send message size \d+: SSL_ERROR_SYSCALL errno \(Broken pipe\).</regex> OK/NOK
    <regex>_send_message (thread 0x\w+): Could not securely send message size \d+: SSL_ERROR_SYSCALL errno (Broken pipe).</regex> OK/NOK
    <regex>_send_message (thread 0x.+): Could not securely send message size \d+: SSL_ERROR_SYSCALL errno (Broken pipe).</regex> OK/NOK


So what would be the correct regex ?

Thanks.
Cheers,

Julien
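As an added example (not from this thread, nor OSSEC's own code), here is a small Python model of the two logtest phases the message refers to: phase 1 splits the syslog header into hostname / program_name / log, and phase 2 applies a decoder's program_name, prematch, regex (searched only after the prematch) and order labels, plus a rule-level match/regex check. It uses Python's `re` dialect, so a pattern that passes here is not proof it is accepted by OSSEC's narrower regex syntax; the sample lines are the ones quoted in the thread.

```python
import re

# Constructed sample events, copied from the log excerpts quoted in the thread.
KERNEL_LINE = ("Feb 14 01:14:54 HOST kernel[0]: USBMSC Identifier (non-unique): "
               "574343344530333937333935 0x1058 0x1230 0x1050, 2")
ITUNES_LINE = ("Feb 21 09:13:11 HOST iTunes[5206]: _send_message (thread 0x1166e0000): "
               "Could not securely send message size 406: SSL_ERROR_SYSCALL errno "
               "(Broken pipe).")

# Phase 1 model: BSD-syslog header -> hostname, program_name (pid dropped), log.
SYSLOG_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+) ([^\[\s:]+)(?:\[\d+\])?: (.*)$")

def pre_decode(line):
    """Return the hostname / program_name / log split, or None if not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

def decode(event, program_name=None, prematch=None, regex=None, order=()):
    """Phase 2 model: apply one decoder definition to a pre-decoded event.

    program_name restricts the decoder; prematch must hit first; regex is then
    searched only in the text *after* the prematch (offset="after_prematch") and
    its groups are labelled positionally by `order`. Returns a list of
    (label, value) pairs so repeated labels such as extra_data are all kept,
    [] when the decoder matches but captures nothing, and None on no match.
    """
    if program_name is not None and event["program_name"] != program_name:
        return None
    text = event["log"]
    if prematch is not None:
        pm = re.search(prematch, text)
        if not pm:
            return None
        text = text[pm.end():]
    if regex is None:
        return []
    m = re.search(regex, text)
    if not m:
        return None
    return list(zip(order, m.groups()))

def rule_matches(event, match=None, regex=None):
    """Rule-level <match> is a plain substring test; <regex> is a regex search."""
    if match is not None and match not in event["log"]:
        return False
    if regex is not None and re.search(regex, event["log"]) is None:
        return False
    return True
```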
