On Fri, Feb 21, 2014 at 2:36 PM, Julien T <[email protected]> wrote:
>
>
> On Friday, 21 February 2014 02:02:58 UTC-5, dan (ddpbsd) wrote:
>
>>> <decoder name="usb-stuff">
>>>   <parent>iptables</parent>
>>>   <prematch offset="after_parent">^USBMSC Identifier </prematch>
>>>   <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex>
>>>   <order>extra_data, extra_data, extra_data, extra_data</order>
>>> </decoder>
>>
>> from http://www.ossec.net/doc/manual/rules-decoders/create-custom.html
>> "<order>srcip, protocol</order> - Defines what the entries in the regex
>> line are labeled as. The IP address will be labeled as srcip, and the
>> protocol by proto."
>>
>> So it doesn't give the expression that we need to use specific words, and
>> after that, how we label those data to say what it is?
>>
>
> What?
>
> => From the official documentation, I don't read anything to say there is a
> specific dictionary to use to match the regexp. Is it the case, or does the
> admin choose whichever words he wants?
>
It is documented that there is a limited dictionary for this:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_decoders.html#element-decoder.order

>
>> <order>extra_data, extra_data, extra_data, extra_data</order> OK
>> <order>serialid, vendorid, productid, devicerelease,</order> NOK
>> <order>serialid, vendorid, productid, devicerelease</order> NOK
>> <order>serialid, vendorid, productid, extra_data</order> OK
>>
>
> I don't think those should work. Serialid and vendorid do not exist.
>
> => the OK rules are validated by ossec-logtest but are not matching the log
> line
>
>
>> but neither above decoder, nor the rules match
>
> The decoder I provided works.
>
> => sadly, not on my setup. And as I don't have 'Phase 2' information, I
> don't know which is at fault, the decoder or the rule below. I only got
> ===
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 14 01:14:54 HOST kernel[0]: USBMSC Identifier (non-unique): 574343344530333937333935 0x1058 0x1230 0x1050, 2'
>        hostname: 'HOST'
>        program_name: 'kernel'
>        log: 'USBMSC Identifier (non-unique): 574343344530333937333935 0x1058 0x1230 0x1050, 2'
> ===
>
No idea what is wrong; there should always be a Phase 2, even if it's just reporting that no decoder matched.
>
>
>
>> ===
>> <group name="syslog,kernel,">
>>   <rule id="110000" level="0">
>>     <if_sid>5100</if_sid>
>>     <decoded_as>usb-insert</decoded_as>
>>     <description>USB device app group.</description>
>>   </rule>
>>
>> </group>
>> ===
>
> => as a reminder, 5100 is the rule for kernel/syslog, so if I understand
> well, if in 5100 and matching the decoder, it should be recognized, but it
> is not.
>
I didn't try the rule, but I don't have to. Rule 5100 matches program_name kernel. Chances are if the program_name is kernel, the event gets decoded as "iptables."
>
>>>> * some chrome noise
>> ===
>> <decoder name="chrome">
>>   <prematch>^Google</prematch>
>> </decoder>
>> ===
>> with rules
>> ===
>> <group name="syslog,chrome,">
>>   <rule id="120000" level="0">
>>     <match>Process unable to create connection because the sandbox denied the right to lookup</match>
>>     <description>Google Chrome log noise</description>
>>     <options>no_email_alert</options>
>>   </rule>
>>   <rule id="120001" level="0">
>>     <match>CGSLookupServerRootPort: Failed to look up the port for "com.apple.windowserver.active"</match>
>>     <description>Google Chrome log noise</description>
>>     <options>no_email_alert</options>
>>   </rule>
>> </group>
>
> These rules do not reference the decoder at all.
>
> => just by the group asking for the syslog/chrome subtree. It works.
>
> => for me, a simple program decoder with match rules seems to be OK, but not
> with regex. Example with iTunes:
> Feb 21 09:13:11 HOST iTunes[5206]: _send_message (thread 0x1166e0000): Could not securely send message size 406: SSL_ERROR_SYSCALL errno (Broken pipe).
>
> I just put a program_name decoder for itunes and the following rules and see
> if logcheck validates/matches:
> <match>Could not securely send message size</match> OK/OK
> <regex>_send_message \(thread 0x[0-9a-f]+\): Could not securely send message size \d+: SSL_ERROR_SYSCALL errno \(Broken pipe\).</regex> OK/NOK

'thread 0x[0-9a-f]+' does not appear in the log message; it shouldn't surprise anyone that this does not match.

> <regex>_send_message (thread 0x\w+): Could not securely send message size \d+: SSL_ERROR_SYSCALL errno (Broken pipe).</regex> OK/NOK
> <regex>_send_message (thread 0x.+): Could not securely send message size \d+: SSL_ERROR_SYSCALL errno (Broken pipe).</regex> OK/NOK
>
>
> So what would be the correct regex?
>
I'd have to play with it, and that won't be happening today.

> Thanks.
> Cheers,
>
> Julien
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
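The two things the thread turns on are the fixed dictionary of `<order>` field names and the fact that OSSEC regex syntax is not PCRE (in particular, `(` and `)` are grouping operators, and `\p` is the documented class for punctuation). The script below is an added example, not OSSEC's own code: it is a small Python model of a decoder that translates the documented OSSEC escape classes (`\w \d \s \S \W \D \t \p \.`) into Python `re` syntax, applies `<prematch>` to the `log` field and `<regex>` with `offset="after_prematch"`, and rejects `<order>` names outside the dictionary. The dictionary and the escape classes are taken from my reading of the OSSEC decoder and regex syntax documentation and should be checked against the version actually deployed; the translator is a simplification, not the os_regex engine, and the `\p`-based regex for the iTunes line is a candidate to validate with `ossec-logtest`, not something the thread confirms. The two log lines are constructed copies of the ones quoted above.

```python
"""Toy model of an OSSEC decoder: translate OSSEC regex syntax to Python re,
apply prematch/regex/order, and reject unknown <order> field names.
Added example, not OSSEC's own code."""
import re

# Field names accepted in <order>, per the OSSEC decoder documentation
# (head_decoders.html#element-decoder.order). Assumption: verify against
# the OSSEC version you run.
ORDER_FIELDS = {
    "location", "srcuser", "dstuser", "user", "srcip", "dstip", "srcport",
    "dstport", "protocol", "action", "id", "url", "data", "extra_data",
    "status", "system_name",
}

# OSSEC escape classes as documented: \s is a literal space, \w includes
# '_', '-' and '@', \p is punctuation. Parentheses are grouping operators,
# so a literal '(' in a log line has to be matched with \p.
_ESCAPES = {
    "w": "[A-Za-z0-9_@-]", "d": "[0-9]", "s": " ", "t": "\t",
    "p": r"[()*+,\-.:;<=>?\[\]]", "W": "[^A-Za-z0-9_@-]", "D": "[^0-9]",
    "S": "[^ ]", ".": ".",
}

def ossec_to_python(pattern: str) -> str:
    """Translate the subset of OSSEC regex syntax used in decoders.
    ^ $ + * | ( ) pass through; everything else outside the \\x classes is
    matched literally (a simplification of OSSEC's os_regex engine)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            if i >= len(pattern) or pattern[i] not in _ESCAPES:
                raise ValueError(f"unsupported escape in {pattern!r}")
            out.append(_ESCAPES[pattern[i]])
        elif c in "^$+*|()":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def validate_order(order: str) -> list:
    """Split an <order> value and fail on names outside the dictionary
    (e.g. serialid/vendorid) or on a trailing comma yielding an empty name."""
    fields = [f.strip() for f in order.split(",")]
    bad = [f for f in fields if f not in ORDER_FIELDS]
    if bad:
        raise ValueError(f"unknown <order> field(s): {bad}")
    return fields

def order_is_valid(order: str) -> bool:
    try:
        validate_order(order)
        return True
    except ValueError:
        return False

def decode(log: str, prematch: str, regex: str, order: str):
    """Apply prematch to the 'log' part of the event, then regex with
    offset="after_prematch"; return (field, value) pairs in <order> order,
    or None when either pattern does not match."""
    fields = validate_order(order)
    pm = re.search(ossec_to_python(prematch), log)
    if not pm:
        return None
    m = re.search(ossec_to_python(regex), log[pm.end():])
    if not m:
        return None
    if len(m.groups()) != len(fields):
        raise ValueError("regex group count does not match <order>")
    return list(zip(fields, m.groups()))

# Constructed copies of the two log lines quoted in the thread: the 'log'
# field left after syslog pre-decoding removes timestamp, host and program.
USB_LOG = ("USBMSC Identifier (non-unique): 574343344530333937333935 "
           "0x1058 0x1230 0x1050, 2")
ITUNES_LOG = ("_send_message (thread 0x1166e0000): Could not securely send "
              "message size 406: SSL_ERROR_SYSCALL errno (Broken pipe).")
USB_REGEX = r": (\S+) (\S+) (\S+) (\S+), \d+"

if __name__ == "__main__":
    print(decode(USB_LOG, "^USBMSC Identifier ", USB_REGEX,
                 "extra_data, extra_data, extra_data, extra_data"))
    for bad in ("serialid, vendorid, productid, devicerelease",
                "serialid, vendorid, productid, devicerelease,"):
        print(bad, "->", order_is_valid(bad))
    # Bare parentheses are groups, so this variant from the thread cannot
    # match the literal "(thread" in the log; \p matches the parentheses.
    print(decode(ITUNES_LOG, "^_send_message",
                 r"(thread 0x\w+): Could not", "data"))
    print(decode(ITUNES_LOG, "^_send_message",
                 r"\pthread 0x(\w+)\p: Could not securely send message size (\d+):",
                 "data, extra_data"))
```

Whatever this toy model says, the authority is `ossec-logtest` on the agent/server that will run the decoder; Phase 2 output there is what tells you whether the decoder or the rule is at fault. One detail worth checking on the quoted configuration: the rule's `<decoded_as>` must name the decoder exactly as declared (the thread shows a decoder named usb-stuff and a rule matching usb-insert).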
