On Friday, 21 February 2014 14:43:15 UTC-5, dan (ddpbsd) wrote:
> >>> <decoder name="usb-stuff">
> >>>   <parent>iptables</parent>
> >>>   <prematch offset="after_parent">^USBMSC Identifier </prematch>
> >>>   <regex offset="after_prematch">: (\S+) (\S+) (\S+) (\S+), \d+</regex>
> >>>   <order>extra_data, extra_data, extra_data, extra_data</order>
> >>> </decoder>
> >>
> > It is documented that there is a limited dictionary for this:
> > http://ossec-docs.readthedocs.org/en/latest/syntax/head_decoders.html#element-decoder.order

=> perfect, that's what I was looking for.

> Looks like they all default to "id."

=> what do you mean? all extra_data fields are inside the id field? still no match for me :(

> No idea what is wrong, there should always be a Phase 2, even if it's
> just reporting that no decoder matched.

# strings /opt/local/var/ossec/bin/ossec-logtest |grep -i "phase"
**Phase 3: Completed filtering (rules).
**Phase 1: Completed pre-decoding.

> I didn't try the rule, but I don't have to. Rule 5100 matches
> program_name kernel.
> Chances are if the program_name is kernel, the event gets decoded as
> "iptables."

yeah, this part is working. no match on the usb-insert decoder.

> > => for me, a simple program_name decoder with match rules seems to be ok, but not
> > with regex. Example w/ iTunes
> > Feb 21 09:13:11 HOST iTunes[5206]: _send_message (thread 0x1166e0000): Could
> > not securely send message size 406: SSL_ERROR_SYSCALL errno (Broken pipe).
> >
> > I just put a program_name decoder for itunes and the following rules and see
> > if logtest validates/matches
> > <match>Could not securely send message size</match> OK/OK
> > <regex>_send_message \(thread 0x[0-9a-f]+\): Could not securely send
>
> 'thread 0x[0-9a-f]+' does not appear in the log message, it shouldn't
> surprise anyone that this does not match.

That's just a different try to regex the hex code "(thread 0x1166e0000):", but no luck:
0[xX][0-9a-fA-F]+
0x[0-9a-f]+
0x[0-9a-f].+
/w+
.+
parentheses are probably also part of the problem.

> > message size \d+: SSL_ERROR_SYSCALL errno \(Broken pipe\).</regex> OK/NOK
> > <regex>_send_message (thread 0x\w+): Could not securely send message
> > size \d+: SSL_ERROR_SYSCALL errno (Broken pipe).</regex> OK/NOK
> > <regex>_send_message (thread 0x.+): Could not securely send message size
> > \d+: SSL_ERROR_SYSCALL errno (Broken pipe).</regex> OK/NOK
> >
> >
> > So what would be the correct regex ?
> >
>
> I'd have to play with it, and that won't be happening today.

No problem. Thanks.

Julien

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
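An added example for the iTunes case discussed above (not from the thread or from the OSSEC project; the decoder name `itunes`, the rule id `100100` and the file names are assumptions). OSSEC matches `<regex>` with its own engine (OS_Regex), not PCRE: `(` and `)` delimit capture groups, so the literal parentheses in the log line must be written `\(` and `\)`, and bracket classes such as `[0-9a-f]` are not supported, so the hex thread id is matched with `\w+` (`\w` covers A-Z, a-z, 0-9, `-`, `@` and `_`). `<match>` uses the simpler OS_Match substring matcher, which is why the `<match>` rule in the thread worked while every `<regex>` variant with unescaped parentheses or a bracket class did not.

```xml
<!-- etc/local_decoder.xml (assumed location): program_name decoder for iTunes.
     The pre-decoder extracts "iTunes" from "iTunes[5206]:" as program_name. -->
<decoder name="itunes">
  <program_name>^iTunes</program_name>
</decoder>

<!-- etc/rules/local_rules.xml (assumed location). Rule id 100100 is a
     hypothetical id from the 100000-119999 range reserved for local rules. -->
<group name="local,itunes,">
  <rule id="100100" level="5">
    <decoded_as>itunes</decoded_as>
    <!-- OS_Regex: literal parentheses escaped as \( \); no [..] classes, so the
         hex thread id "0x1166e0000" is matched with \w+ and the size with \d+.
         The trailing "." of the log line matches any character, so it is left
         unescaped. -->
    <regex>_send_message \(thread 0x\w+\): Could not securely send message size \d+: SSL_ERROR_SYSCALL errno \(Broken pipe\)</regex>
    <description>iTunes: SSL message send failed (broken pipe)</description>
  </rule>
</group>
```

To check it, run `ossec-logtest` (under `/opt/local/var/ossec/bin/` on the installation in the thread) and paste the full log line; Phase 2 should report `decoder: 'itunes'` and Phase 3 `Rule id: '100100'`. If Phase 2 still shows no decoder, the problem is the decoder (program_name), not the regex; if Phase 2 decodes but Phase 3 shows no rule, the problem is the regex, and removing pieces from its right-hand end until it fires is the quickest way to find the offending token.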
