Dan, thanks for taking a quick look at the log line.
I'll try to modify the iis6 decoder and see what happens then.
I have an OSSEC test system I feed logs to, so I can try it out on that
system first.

I think this would give me enough info to work with.

I am trying to catch multiple website registration attempts from the same
IP, but only on POST actions.
I need to filter out some HTTP 500 error alarms from Google bots.

I work with web applications with about 90% being IIS based and 10% Apache
based so I would love to see more progress on the Windows Client side and
Windows support.

Also, was there discussion in the past about having a place for user
contributed content?
I know OSSEC has invited folks to help develop but I bet a LOT of the OSSEC
userbase are more systems people than pure developers.
But I bet those systems people have created really great decoders to fully
utilize OSSEC that they would share if there were a place for them to do so.

James Whittington
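As an added example (not code from the thread or from OSSEC itself), here is a Python re-implementation of the field extraction in the quoted decoder, with the two checks described above: flag a source IP with repeated POST /register within a time window, and suppress 500s whose user-agent identifies as Googlebot. The fixed column order, the sample lines, the IPs and www.example.test are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Python equivalent of the quoted decoder's captures (action, url, srcip, id)
# plus the user-agent column; assumes the column order of the sample line.
IIS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) W3SVC\d+ \S+ \S+ "
    r"(?P<action>\S+) (?P<url>\S+) \S+ \d+ \S+ (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\S+ (?P<ua>\S+) \S+ \S+ \S+ (?P<id>\d{3}) "
)

def decode(line):
    """Return the decoded fields as a dict, or None if the line does not match."""
    m = IIS_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (bursts, errors): bursts = {srcip: n} for IPs with >= threshold
    POST /register inside `window`; errors = srcips of 500s not from Googlebot."""
    recent, bursts, errors = defaultdict(list), {}, []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue                          # leave other formats to other decoders
        if ev["id"] == "500" and "Googlebot" not in ev["ua"]:
            errors.append(ev["srcip"])        # crawler-caused 500s are suppressed
        if ev["action"] == "POST" and ev["url"] == "/register":
            t = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            hits = [x for x in recent[ev["srcip"]] if t - x <= window] + [t]
            recent[ev["srcip"]] = hits        # sliding window per source IP
            if len(hits) >= threshold:
                bursts[ev["srcip"]] = len(hits)
    return bursts, errors

def mk(ts, method, url, ip, status, ua="Mozilla/5.0+(Windows+NT+6.1)"):
    """Build a CONSTRUCTED line with the same column order as the thread's sample."""
    return (f"{ts} W3SVC1 HOST1 10.0.0.5 {method} {url} - 443 - {ip} HTTP/1.1 {ua} "
            f"_ga=1 https://www.example.test/register www.example.test {status} 0 0 949 2509 3667")

SAMPLE = [  # constructed; IPs are from documentation ranges
    mk("2014-07-30 13:27:06", "POST", "/register", "203.0.113.7", 302),
    mk("2014-07-30 13:27:40", "POST", "/register", "203.0.113.7", 302),
    mk("2014-07-30 13:28:15", "GET", "/register", "203.0.113.7", 200),   # not a POST
    mk("2014-07-30 13:29:03", "POST", "/register", "203.0.113.7", 302),  # third POST in 5 min
    mk("2014-07-30 13:29:10", "POST", "/register", "198.51.100.9", 302),
    mk("2014-07-30 13:30:00", "GET", "/page", "192.0.2.33", 500, "Mozilla/5.0+(compatible;+Googlebot/2.1)"),
    mk("2014-07-30 13:30:05", "GET", "/page", "198.51.100.9", 500),
]
```

`analyse(SAMPLE)` returns `({'203.0.113.7': 3}, ['198.51.100.9'])`: the Googlebot 500 is dropped and only the IP that sent three POSTs inside five minutes is flagged.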





On Wed, Jul 30, 2014 at 11:00 AM, dan (ddp) <[email protected]> wrote:

> On Wed, Jul 30, 2014 at 10:55 AM, dan (ddp) <[email protected]> wrote:
> > On Wed, Jul 30, 2014 at 10:28 AM, James Whittington
> > <[email protected]> wrote:
> >> I have seen several examples of decoders folks have written for IIS 7.
> >> I have tried out a couple of different ones yet each time the ossec-logtest
> >> stops at the windows-date-format decoder.
> >>
> >> Additionally one of the examples of an IIS 7 decoder is in a OSSEC bug
> >> "web-log category doesn't work"
> >> (https://github.com/ossec/ossec-hids/issues/164).
> >>
> >> So I am left wondering if anyone is successfully decoding IIS logs on
> >> Windows 2008-2012 servers?
> >>
> >> I am currently running OSSEC v2.7.1. I see 2.8 is out, but I didn't see
> >> anything in the release notes about updates to IIS logs.
> >>
> >> I would like to write some custom rules on post actions to specific urls but
> >> the windows-date-format decoder doesn't extract the correct fields that I
> >> need.
> >
> > What fields do you need that are missing?
> >
>
> (This gives me the POST:
>
> <decoder name="web-accesslog-iis6">
>   <parent>windows-date-format</parent>
>   <type>web-log</type>
>   <use_own_name>true</use_own_name>
>   <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
>   <regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
>   <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
>   <order>action, url, srcip, id</order>
> </decoder>
>
> Just replace the current web-accesslog-iis6 entry. BUT TEST IT before
> putting it into production.)
>
> >> Here is an example line and what I am seeing when I run a logtest on it:
> >>
> >> 2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
> >>        hostname: 'monitor'
> >>        program_name: '(null)'
> >>        log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'windows-date-format'
> >>        url: '/register -'
> >>        srcip: '120.138.126.238'
> >>        id: '302'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '120000'
> >>        Level: '5'
> >>        Description: 'Registration Attempt'
> >> **Alert to be generated.
> >>
> >>
> >> I am trying to track registration activity to a web service and trigger a
> >> custom AR script if multiple registration attempts occur from the same
> >> source ip.
> >>
> >> If anyone would like to share their IIS decoders I would be most
> >> appreciative, I don't know why OSSEC doesn't have a user contributed
> >> exchange of decoders much like the nagios community used to have with custom
> >> plugins.
> >>
> >> Many thanks for any advice on decoding IIS.
> >>
> >> James Whittington
> >>
> >>
> >>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to the Google Groups
> >> "ossec-list" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> For more options, visit https://groups.google.com/d/optout.
>
