Ok, an update. I got the default decoder for Netscreen to work even for the SSG-320M by removing line 1128 ( <program_name /> ) in decoder.xml. This doesn't seem to work with the logs where the date is provided in parentheses at the end of the line.
For the SA2500 secure gateway, I created a decoder which seems to work. It's probably not a beauty, but it seems to work at least.

local_decoder.xml
=============
<decoder name="sa2500">
  <prematch>^Juniper: \d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d - \w\w-\d\d - </prematch>
  <regex offset="after_prematch">[ (\S+) ] (\S+) [] - </regex>
  <order>srcip, user</order>
</decoder>

<decoder name="sa2500-decode">
  <parent>sa2500</parent>
  <regex offset="after_parent">(\S+) : (\S+)</regex>
  <order>action, data</order>
</decoder>

Corresponding rule which tags everything alert level 12. A good start for further development and gives a heads-up to react.

local_rules.xml
============
<group name="local,syslog,">
  <rule id="100080" level="12">
    <decoded_as>sa2500</decoded_as>
    <description>Alert from the SA2500 Secure Gateway</description>
  </rule>
</group>

Suggestions on how to improve the work above are appreciated, but remember - I'm a newbie at writing this stuff...

Regards,
Daniel

On Thursday, April 3, 2014 10:13:39 PM UTC+2, Daniel Kertby wrote:
>
> Hi people,
>
> Anyone have decoders and rule for the SA2500 and the SSG-320M and would
> like to share their work?
>
> Anything is more than nothing for me, thanks! :)
>
> Regards,
> Daniel
>
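To sanity-check what the two decoders above actually capture before loading them into OSSEC, here is an added Python example (not Daniel's code and not part of OSSEC) that translates the OS_Regex dialect used in decoder.xml into Python regular expressions and walks a constructed SA2500-style line through prematch, parent regex and child regex. The sample log line, the translation table and the reading of offset="after_parent" as "start after the parent's prematch" are assumptions made for this example; only the escapes the post uses are translated, and \p is not handled.

```python
import re

# Approximate translation of OSSEC's OS_Regex character classes to Python.
# Assumption: \s is a single space and \S its complement, as in the OSSEC docs.
_OSSEC_CLASSES = {
    "d": "[0-9]",
    "w": "[A-Za-z0-9_]",
    "s": " ",
    "S": "[^ ]",
    "D": "[^0-9]",
    "W": "[^A-Za-z0-9_]",
    "t": "\t",
}


def ossec_to_python(pattern: str) -> str:
    """Convert an OS_Regex pattern to a Python re pattern.

    ^ $ ( ) + * | . keep their meaning; '[' and ']' are literals in OS_Regex,
    so they are escaped here.  \\p (punctuation) is not supported in this helper.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))  # \. \$ \| etc. stay literal
            i += 2
            continue
        out.append(ch if ch in "^$()+*|." else re.escape(ch))
        i += 1
    return "".join(out)


# The two decoders exactly as posted, as data.
PARENT = {
    "prematch": r"^Juniper: \d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d - \w\w-\d\d - ",
    "regex": r"[ (\S+) ] (\S+) [] - ",
    "order": ["srcip", "user"],
}
CHILD = {
    "regex": r"(\S+) : (\S+)",
    "order": ["action", "data"],
}

# Constructed sample line shaped to the posted prematch; not a real SA2500 log.
SAMPLE = "Juniper: 2014-04-03 22:13:39 - iv-01 - [ 192.0.2.10 ] alice [] - Login : succeeded"


def decode(line: str):
    """Return the decoded fields, {} if only the prematch hit, None if the decoder does not apply."""
    pm = re.match(ossec_to_python(PARENT["prematch"]), line)
    if not pm:
        return None
    rest = line[pm.end():]  # offset="after_prematch": parent regex runs from here
    fields = {}
    m = re.search(ossec_to_python(PARENT["regex"]), rest)
    if m:
        fields.update(zip(PARENT["order"], m.groups()))
    # Assumption: offset="after_parent" starts the child regex after the parent's prematch.
    m = re.search(ossec_to_python(CHILD["regex"]), rest)
    if m:
        fields.update(zip(CHILD["order"], m.groups()))
    return fields


def alert_level(line: str):
    """Mirror rule 100080: <decoded_as>sa2500</decoded_as> fires whenever the decoder applies."""
    return 12 if decode(line) is not None else None


if __name__ == "__main__":
    print(decode(SAMPLE))
    print(alert_level(SAMPLE), alert_level("Netscreen: something else"))
```

Running it shows srcip, user, action and data being filled for the constructed line and the decoder stepping aside for anything that fails the prematch, which is the same split the rule relies on: level 12 is attached to every line the prematch accepts, whether or not the regexes extracted anything, so a tighter rule would match on the decoded fields rather than on decoded_as alone.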