Wow, that did it Josh. Thanks. I would have never thought it needed that, since it doesn't comply with OSSEC's implementation of program_name.
From: [email protected] On Behalf Of Joshua Garnett
Sent: Monday, March 03, 2014 7:47 PM
To: [email protected]
Subject: Re: [ossec-list] Decoder assistance

Nathan,

I just played around with this in a VM. It appears the decoder wants a program name defined. The following worked for me:

  <decoder name="swg">
    <program_name></program_name>
    <prematch>M86 SWG Web Event</prematch>
    <regex offset="after_prematch"> - Action: (\w+);</regex>
    <order>action</order>
  </decoder>

--Josh

On Mon, Mar 3, 2014 at 3:57 PM, Nathaniel Bentzinger <[email protected]> wrote:

Just an update. When running this again today I still don't get the decoding. Does it make a difference that this is coming in via syslog to OSSEC?

  <!-- Mar 3 15:52:42 swg1 : M86 SWG Web Event - Action: Block; Block reason: Access Denied! Access to this URL: <b>https://upload.box.com/api/crossdomain.xml</b> is forbidden.<br>Transaction ID is 5314EB970246050B9FDE.; Client IP: 10.10.10.165; HTTPS Policy Name: Duplicate M86 HTTPS Policy; Site: upload.box.com; Transaction ID: 5314EB970246050B9FDE; Transaction time: 03/03/2014 15:52:39; URL: https://upload.box.com/api/crossdomain.xml; URL Category: Web Based Storage; X-Ray: -->

  <decoder name="swg">
    <prematch>M86 SWG Web Event</prematch>
    <regex offset="after_prematch"> - Action: (\w+);</regex>
    <order>action</order>
  </decoder>

From: Nathaniel Bentzinger
Sent: Saturday, March 01, 2014 5:16 PM
To: [email protected]
Subject: RE: [ossec-list] Decoder assistance

Hi Josh,

I tried that too, but when I test with the whole syslog event that comes in (in my original message) it never decodes it. I'll triple check that the syslog event from the SWG is in fact what I'm testing against.
From: [email protected] On Behalf Of Joshua Garnett
Sent: Saturday, March 01, 2014 9:13 AM
To: [email protected]
Subject: Re: [ossec-list] Decoder assistance

Correct me if I'm wrong, but I don't believe you need to set up the match statements for the date and hostname. I think that should just become..

  <decoder name="swg1">
    <prematch>^M86 SWG Web Event</prematch>
    <regex offset="after_prematch"> - Action: (\w+);</regex>
    <order>action</order>
  </decoder>

--Josh

On Fri, Feb 28, 2014 at 9:47 PM, Nathaniel Bentzinger <[email protected]> wrote:

Hi,

I'm trying to write up a decoder for the Secure Web Gateway device. I believe I hit a snag but I am not able to figure out why. I'm hoping someone else will spot the issue. I've dumbed down the decoder (stripping IP, URL, and extra_data from it) and it still doesn't work as expected.

  <!-- Sample Event -->
  <!-- Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block; Block reason: ; Client IP: 10.10.10.10; HTTPS Policy Name: Duplicate M86 HTTPS Policy; Site: box.com; Transaction ID: 5310ECBD95D1050BA3FC; Transaction time: 02/28/2014 15:08:29; URL: http://box.com:443; URL Category: Web Based Storage; X-Ray: -->

  <decoder name="swg1">
    <prematch>\w+ \d+ \S+ \S+ : M86 SWG Web Event</prematch>
    <regex offset="after_prematch"> - Action: (\w+);</regex>
    <order>action</order>
  </decoder>

Running this decoder never returns a successful decode:

  [root@secserv ~]# /var/ossec/bin/ossec-logtest
  2014/02/28 21:43:47 ossec-testrule: INFO: Reading local decoder file.
  2014/02/28 21:43:47 ossec-testrule: INFO: Started (pid: 22685).
  ossec-testrule: Type one log per line.

  Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;

  **Phase 1: Completed pre-decoding.
         full event: 'Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;'
         hostname: 'swg1'
         program_name: ''
         log: 'M86 SWG Web Event - Action: Block;'

  **Phase 2: Completed decoding.
         No decoder matched.

Unless I strip the first \w+ and only put in '28 15:08:35 swg1 : M86 SWG Web Event - Action: Block;'

For that date prematch I have tried:

  \w\w\w \d\d \dd:\d\d:\d\d \S+ :
  \S+ \S+ \S+ \S+ :
  ^\w\w\w \d\d \dd:\d\d:\d\d \S+ :
  ^\S+ \S+ \S+ \S+ :
  \w+ \d+ \S+ \S+ :
  ^\w+ \d+ \S+ \S+ :

And none work unless I strip out the first match (the month) and then rerun the test without the month value. None of the other local_decoders have this syntax. I've even tried prematching on just SMG or M86 and it doesn't return anything. Throwing these strings into ww.regexpal.com shows they will match on what I need them to.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
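Added example, not code from the thread or from the OSSEC project: a small Python model of the two phases shown in the ossec-logtest output above. It pre-decodes the syslog header (which is why program_name comes out empty for the "swg1 : M86 ..." lines and why a prematch containing the date only matched once the header was cut off), then applies the thread's prematch/regex decoder and splits the remaining SWG "Key: value;" pairs. The header regex, the function names and the sshd line are this example's own assumptions.

```python
import re

# Syslog header as OSSEC's pre-decoder splits it (Phase 1 above); the regex is this example's own.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d "
    r"(?P<hostname>\S+) (?P<program_name>[^\s:\[]*)(?:\[\d+\])?: (?P<log>.*)$")

# The thread's decoder as data: prematch is a substring test on the pre-decoded log and
# the regex runs on what follows the prematch (offset="after_prematch").
SWG_DECODER = {"name": "swg", "prematch": "M86 SWG Web Event",
               "regex": re.compile(r" - Action: (\w+);"), "order": ["action"]}

# The sample event quoted in the thread, and a constructed line that does carry a program name.
SWG_EVENT = ("Feb 28 15:08:35 swg1 : M86 SWG Web Event - Action: Block; Block reason: ; "
             "Client IP: 10.10.10.10; HTTPS Policy Name: Duplicate M86 HTTPS Policy; "
             "Site: box.com; Transaction ID: 5310ECBD95D1050BA3FC; "
             "Transaction time: 02/28/2014 15:08:29; URL: http://box.com:443; "
             "URL Category: Web Based Storage; X-Ray: ")
SSHD_EVENT = "Mar 3 15:52:42 swg1 sshd[4242]: Accepted publickey for admin from 10.10.10.5"

def predecode(event):
    """Phase 1: split the header off; program_name is '' for 'swg1 : M86 ...' lines."""
    m = SYSLOG_HEADER.match(event)
    if m is None:  # not a syslog line: the whole event, header included, is the log
        return {"hostname": "", "program_name": "", "log": event}
    return m.groupdict()

def kv_fields(tail):
    """Split the SWG 'Key: value; Key: value;' tail into a dict (first colon separates)."""
    fields = {}
    for chunk in tail.split(";"):
        key, sep, value = chunk.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode(event, decoder=SWG_DECODER):
    """Phase 2: prematch, then the decoder regex, then every SWG key/value pair."""
    fields = predecode(event)
    log = fields["log"]
    pos = log.find(decoder["prematch"])
    if pos < 0:
        return fields  # logtest would print "No decoder matched."
    fields["decoder"] = decoder["name"]
    end = pos + len(decoder["prematch"])
    m = decoder["regex"].match(log, end)
    if m:
        fields.update(zip(decoder["order"], m.groups()))
    fields.update(kv_fields(log[end:].lstrip(" -")))
    return fields
```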
