On Wed, Jul 30, 2014 at 12:26 PM, James Whittington <[email protected]> wrote:
> Okay this message is wandering into a whole separate topic but I have found
> examples of rules and decoders scattered throughout OSSEC message lists that
> may or may not be committed into OSSEC official source
> - I found fixes to the broken Windows null route routines
> - I found a decoder for IIS 7.5 FTP
> - I also had written a simple decoder for Filezilla FTP Logs
>
> My point is there has been some really good user contributed content sitting
> in OSSEC forums and I can only guess at reasons why those users never saw
> fit to contribute officially to OSSEC.
>

I can't test a lot of the Windows stuff, especially when there aren't log
samples to go with it. So I was hoping other people would try them out and
contribute. I'll try not to do that in the future.

> In my case I would want others to provide feedback and improve upon a
> decoder before I would offer it up as a decoder.
> After all it may work for me but not for other setups.
>
> I think about places like splunkbase, nagiosexchange and osticket where users
> could easily contribute to the project without having to dig into source
> code.
> Just my two cents.
> Build it, I'll contribute.
>
> On Wed, Jul 30, 2014 at 11:40 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Jul 30, 2014 at 11:31 AM, James Whittington <[email protected]> wrote:
>> > Dan, thanks for taking a quick look at the log line.
>> > I'll try to modify the iis6 decoder and see what happens then.
>> > I have an OSSEC test system I feed logs to so I can try it out on that
>> > system first.
>> >
>> > I think this would give me enough info to work with.
>> >
>> > I am trying to catch multiple website registration attempts from the
>> > same ip but only on post actions.
>> > I need to filter out some http 500 errors alarms from google bots
>> >
>> > I work with web applications with about 90% being IIS based and 10%
>> > Apache based so I would love to see more progress on the Windows Client
>> > side and Windows support.
>> >
>>
>> Fire up a text editor and jump aboard.
>>
>> > Also was there discussion in the past about having a place for user
>> > contributed content?
>>
>> I don't think there's been enough interest lately to even worry about
>> that yet. Emailing decoders/rules or contributing via github are both
>> easy to do. I try not to linger too long on decoder/rule
>> contributions.
>>
>> > I know OSSEC has invited folks to help develop but I bet a LOT of the
>> > OSSEC userbase are more systems people than pure developers.
>> > But I bet those systems people have created really great decoders to
>> > fully utilize OSSEC that they would share if there were a place for them
>> > to do so.
>> >
>>
>> And most of those people have not tried to contribute those decoders.
>>
>> > James Whittington
>> >
>> > On Wed, Jul 30, 2014 at 11:00 AM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Wed, Jul 30, 2014 at 10:55 AM, dan (ddp) <[email protected]> wrote:
>> >> > On Wed, Jul 30, 2014 at 10:28 AM, James Whittington <[email protected]> wrote:
>> >> >> I have seen several examples of decoders folks have written for IIS 7.
>> >> >> I have tried out a couple of different ones yet each time the
>> >> >> ossec-logtest stops at the windows-date-format decoder.
>> >> >>
>> >> >> Additionally one of the examples of an IIS 7 decoder is in an OSSEC bug
>> >> >> "web-log category doesn't work"
>> >> >> (https://github.com/ossec/ossec-hids/issues/164).
>> >> >>
>> >> >> So I am left wondering if anyone is successfully decoding IIS logs on
>> >> >> Windows 2008-2012 servers?
>> >> >>
>> >> >> I am currently running OSSEC v2.7.1, I see 2.8 is out but I didn't see
>> >> >> anything in the release notes about updates to IIS logs?
>> >> >>
>> >> >> I would like to write some custom rules on post actions to specific
>> >> >> urls but the windows-date-format decoder doesn't extract the correct
>> >> >> fields that I need.
>> >> >
>> >> > What fields do you need that are missing?
>> >> >
>> >>
>> >> (This gives me the POST:
>> >>
>> >> <decoder name="web-accesslog-iis6">
>> >>   <parent>windows-date-format</parent>
>> >>   <type>web-log</type>
>> >>   <use_own_name>true</use_own_name>
>> >>   <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
>> >>   <regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
>> >>   <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
>> >>   <order>action, url, srcip, id</order>
>> >> </decoder>
>> >>
>> >> Just replace the current web-accesslog-iis6 entry. BUT TEST IT before
>> >> putting it into production.)
>> >>
>> >> >> Here is an example line and what I am seeing when I run a logtest on it:
>> >> >>
>> >> >> 2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667
>> >> >>
>> >> >> **Phase 1: Completed pre-decoding.
>> >> >>        full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
>> >> >>        hostname: 'monitor'
>> >> >>        program_name: '(null)'
>> >> >>        log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
>> >> >>
>> >> >> **Phase 2: Completed decoding.
>> >> >>        decoder: 'windows-date-format'
>> >> >>        url: '/register -'
>> >> >>        srcip: '120.138.126.238'
>> >> >>        id: '302'
>> >> >>
>> >> >> **Phase 3: Completed filtering (rules).
>> >> >>        Rule id: '120000'
>> >> >>        Level: '5'
>> >> >>        Description: 'Registration Attempt'
>> >> >> **Alert to be generated.
>> >> >>
>> >> >> I am trying to track registration activity to a web service and
>> >> >> trigger a custom AR script if multiple registration attempts occur
>> >> >> from the same source ip.
>> >> >>
>> >> >> If anyone would like to share their IIS decoders I would be most
>> >> >> appreciative, I don't know why OSSEC doesn't have a user contributed
>> >> >> exchange of decoders much like the nagios community used to have with
>> >> >> custom plugins.
>> >> >>
>> >> >> Many thanks for any advice on decoding IIS.
>> >> >>
>> >> >> James Whittington
>> >> >>
>> >> >> --
>> >> >>
>> >> >> ---
>> >> >> You received this message because you are subscribed to the Google
>> >> >> Groups "ossec-list" group.
>> >> >> To unsubscribe from this group and stop receiving emails from it, send
>> >> >> an email to [email protected].
>> >> >> For more options, visit https://groups.google.com/d/optout.
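Added example, not code from the thread or from the OSSEC project: a small Python re-implementation of how the proposed web-accesslog-iis6 decoder walks the sample line (parent prematch, then the child's prematch and concatenated regex at the after_parent / after_prematch offsets), plus the repeated-POST-to-/register count James wants to alert on. It assumes the stock windows-date-format parent only prematches the timestamp and that the patterns use only the OSSEC regex subset that maps directly onto Python's re; the log lines are constructed from the one posted.

```python
import re
from collections import Counter
# Constructed IIS 7.5 W3C lines modelled on the one posted in the thread.
UA = ("Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
      "+Chrome/36.0.1985.125+Safari/537.36")
def iis_line(ts, method, uri, query, client, status):
    return (f"{ts} W3SVC1273337584 RD00155D43396D 10.207.230.34 {method} {uri} {query} "
            f"443 - {client} HTTP/1.1 {UA} _ga=GA1.2.1301279074.1406725635;+_dc=1 "
            f"https://www.cognitoforms.com/register www.cognitoforms.com {status} 0 0 949 2509 3667")

SAMPLE_LINES = [
    iis_line("2014-07-30 13:27:06", "POST", "/register", "-", "120.138.126.238", "302"),
    iis_line("2014-07-30 13:27:41", "POST", "/register", "-", "120.138.126.238", "302"),
    iis_line("2014-07-30 13:28:02", "GET", "/register", "-", "120.138.126.238", "200"),
    iis_line("2014-07-30 13:28:15", "POST", "/register", "-", "203.0.113.7", "302"),
    "Jul 30 13:28:20 monitor sshd[1]: constructed non-IIS line, must not decode",
]
# Assumption: the stock windows-date-format parent decoder only prematches the timestamp.
PARENT_PREMATCH = r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d "

# The web-accesslog-iis6 replacement from the thread. OSSEC concatenates consecutive
# <regex> elements into a single pattern, so the two are joined here.
IIS_DECODER = {
    "prematch": r"^W3SVC\d+ \S+ \S+ ",
    "regex": r"^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) " + r"\S+ \S+ \S+ \S+ \S+ (\d+) ",
    "order": ["action", "url", "srcip", "id"],
}

def ossec_regex(pattern):
    # Only the OSSEC regex subset that maps 1:1 onto Python's re is accepted.
    if re.search(r"[?\[\]{}]|\\[^dsSD.]", pattern):
        raise ValueError("unsupported OSSEC regex construct in: " + pattern)
    return re.compile(pattern)

def decode(line):
    # Parent prematch first, then the child's prematch and regex at OSSEC's offsets.
    m = ossec_regex(PARENT_PREMATCH).search(line)
    if not m:
        return None                                   # not a windows-date-format event
    rest = line[m.end():]                             # offset="after_parent"
    pm = ossec_regex(IIS_DECODER["prematch"]).search(rest)
    rm = pm and ossec_regex(IIS_DECODER["regex"]).search(rest[pm.end():])  # after_prematch
    return dict(zip(IIS_DECODER["order"], rm.groups())) if rm else None

def repeated_registrations(lines, threshold=2):
    # Source IPs with at least `threshold` POSTs to /register, the rule James wants to write.
    hits = Counter(f["srcip"] for f in map(decode, lines)
                   if f and f["action"] == "POST" and f["url"].startswith("/register "))
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

The url field comes out as '/register -' (cs-uri-stem plus cs-uri-query) exactly as in the logtest output above, which is why the rule match is on the stem plus a trailing space rather than the whole field.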
