On Wed, Jul 30, 2014 at 11:31 AM, James Whittington <[email protected]> wrote:
> Dan, thanks for taking a quick look at the log line.
> I'll try to modify the iis6 decoder and see what happens then.
> I have an OSSEC test system I feed logs to so I can try it out on that system first.
>
> I think this would give me enough info to work with.
>
> I am trying to catch multiple website registration attempts from the same ip but only on post actions.
> I need to filter out some http 500 error alarms from google bots.
>
> I work with web applications with about 90% being IIS based and 10% Apache based so I would love to see more progress on the Windows Client side and Windows support.
>

Fire up a text editor and jump aboard.

> Also was there discussion in the past about having a place for user contributed content?

I don't think there's been enough interest lately to even worry about that yet. Emailing decoders/rules or contributing via github are both easy to do. I try not to linger too long on decoder/rule contributions.

> I know OSSEC has invited folks to help develop but I bet a LOT of the OSSEC userbase are more systems people than pure developers.
> But I bet those systems people have created really great decoders to fully utilize OSSEC that they would share if there were a place for them to do so.
> And most of those people have not tried to contribute those decoders.
>
> James Whittington
>
>
> On Wed, Jul 30, 2014 at 11:00 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Jul 30, 2014 at 10:55 AM, dan (ddp) <[email protected]> wrote:
>> > On Wed, Jul 30, 2014 at 10:28 AM, James Whittington <[email protected]> wrote:
>> >> I have seen several examples of decoders folks have written for IIS 7. I have tried out a couple of different ones yet each time the ossec-logtest stops at the windows-date-format decoder.
>> >>
>> >> Additionally one of the examples of an IIS 7 decoder is in an OSSEC bug "web-log category doesn't work" (https://github.com/ossec/ossec-hids/issues/164).
>> >>
>> >> So I am left wondering if anyone is successfully decoding IIS logs on Windows 2008-2012 servers?
>> >>
>> >> I am currently running OSSEC v2.7.1, I see 2.8 is out but I didn't see anything in the release notes about updates to IIS logs?
>> >>
>> >> I would like to write some custom rules on post actions to specific urls but the windows-date-format decoder doesn't extract the correct fields that I need.
>> >
>> > What fields do you need that are missing?
>> >
>>
>> (This gives me the POST:
>>
>> <decoder name="web-accesslog-iis6">
>>   <parent>windows-date-format</parent>
>>   <type>web-log</type>
>>   <use_own_name>true</use_own_name>
>>   <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
>>   <regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
>>   <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
>>   <order>action, url, srcip, id</order>
>> </decoder>
>>
>> Just replace the current web-accesslog-iis6 entry. BUT TEST IT before putting it into production.)
>>
>> >> Here is an example line and what I am seeing when I run a logtest on it:
>> >>
>> >> 2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667
>> >>
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
>> >>        hostname: 'monitor'
>> >>        program_name: '(null)'
>> >>        log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'windows-date-format'
>> >>        url: '/register -'
>> >>        srcip: '120.138.126.238'
>> >>        id: '302'
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >>        Rule id: '120000'
>> >>        Level: '5'
>> >>        Description: 'Registration Attempt'
>> >> **Alert to be generated.
>> >>
>> >>
>> >> I am trying to track registration activity to a web service and trigger a custom AR script if multiple registration attempts occur from the same source ip.
>> >>
>> >> If anyone would like to share their IIS decoders I would be most appreciative, I don't know why OSSEC doesn't have a user contributed exchange of decoders much like the nagios community used to have with custom plugins.
>> >>
>> >> Many thanks for any advice on decoding IIS.
>> >>
>> >> James Whittington
>> >>
>> >> --
>> >>
>> >> ---
>> >> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> For more options, visit https://groups.google.com/d/optout.
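The rules James describes (alert on repeated POST /register from one source ip, hand the ip to an active-response script, and keep Googlebot-generated 500s quiet) can be expressed directly on top of the decoder dan posted. The block below is an added example written for this thread; it is not from the thread, from OSSEC's shipped rule files, or from either poster. It assumes the fields that decoder produces (action, url, srcip, id), keeps the thread's own rule id 120000, and assumes two stock ids from OSSEC's web_rules.xml: 31100 as the web-log parent rule and 31120 as the "500 error code" rule. Both ids should be checked against the web_rules.xml actually installed before use, as should the frequency/timeframe numbers, which are illustrative. The active-response script name is a placeholder.

```xml
<!-- Part 1: goes in rules/local_rules.xml (example, not OSSEC's own file). -->
<group name="web,accesslog,iis,">

  <!-- Assumed: 31100 is the stock "Access log messages grouped" parent rule.
       <action> and <url> match the fields the iis6 decoder extracts; the
       decoded url is '/register -' (query field included), so anchor only
       on the prefix rather than matching the whole string. -->
  <rule id="120000" level="5">
    <if_sid>31100</if_sid>
    <action>POST</action>
    <url>^/register</url>
    <description>Registration Attempt</description>
  </rule>

  <!-- Composite rule: several 120000 hits from the same srcip inside the
       timeframe (seconds). Values are illustrative; tune to real traffic. -->
  <rule id="120001" level="10" frequency="6" timeframe="120">
    <if_matched_sid>120000</if_matched_sid>
    <same_source_ip />
    <description>Multiple registration attempts from the same source ip.</description>
  </rule>

  <!-- Assumed: 31120 is the stock "Web server 500 error code" rule.
       Googlebot identifies itself in the user-agent field, which the decoder
       leaves in the raw log line, so <match> is applied to the whole line.
       Level 0 suppresses the alert; the event is still logged if archives
       are enabled. -->
  <rule id="120002" level="0">
    <if_sid>31120</if_sid>
    <match>Googlebot</match>
    <description>Ignore 500 errors on requests from Googlebot.</description>
  </rule>

</group>

<!-- Part 2: goes in ossec.conf, inside <ossec_config>, to run the custom AR
     script when 120001 fires. The executable name is a placeholder for the
     script James mentions; it must exist under active-response/bin and be
     executable. <expect>srcip</expect> passes the offending ip to it. -->
<command>
  <name>registration-flood</name>
  <executable>registration-flood.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>registration-flood</command>
  <location>local</location>
  <rules_id>120001</rules_id>
  <timeout>600</timeout>
</active-response>
```

Before enabling the active response, run the sample line from the thread through ossec-logtest a few times from the same terminal session and confirm that rule 120001 (not only 120000) is reported; then test rule 120002 with a constructed 500-status line whose user-agent field contains Googlebot and confirm no alert is produced. Only wire the script in once both behave as expected on the test system James mentions.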
