Hello everyone,
I was creating some OSSEC custom rules and decoders for a new project at
work, but I found that when I use (extra_data,
status, action, url, id, protocol and location) inside <order> I can't see the
fields in /var/ossec/logs/alerts/alerts.log. But when I use the same decoder
with (srcip, dstip, user, dstuser, srcuser, dstport, srcport, user) it works
perfectly.
I’ll give you an example:
This is the log I'm working on; I want to extract the path as
extra_data:
Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No
supported database files found in /var/lib/clamav
This is my decoder:
<decoder name="clamscan">
  <program_name>clamscan</program_name>
</decoder>
<decoder name="clamscan_custom_decoder_no_support">
  <parent>clamscan</parent>
  <prematch>No supported database files found in</prematch>
  <regex offset="after_prematch">(\S+)</regex>
  <order>extra_data</order>
</decoder>
This is my rule:
<group name="clamscan">
  <rule id="100300" level="0" noalert="1">
    <decoded_as>clamscan</decoded_as>
    <description>Grouping ClamAV rules.</description>
  </rule>
  <rule id="100304" level="8">
    <if_sid>100300</if_sid>
    <match>No supported database files found in</match>
    <description>Unsupported DB files found</description>
  </rule>
</group>
So, this is what I obtain when I execute the script
/var/ossec/bin/ossec-logtest
**Phase 1: Completed pre-decoding.
full event: 'Aug 10 11:30:02 srv008 clamscan: LibClamAV Error:
cli_loaddb(): No supported database files found in /var/lib/clamav'
hostname: 'srv008'
program_name: 'clamscan'
log: 'LibClamAV Error: cli_loaddb(): No supported database files
found in /var/lib/clamav'
**Phase 2: Completed decoding.
decoder: 'clamscan'
extra_data: '/var/lib/clamav'
**Phase 3: Completed filtering (rules).
Rule id: '100304'
Level: '8'
Description: 'Unsupported DB files found'
**Alert to be generated.
This is the log in /var/ossec/logs/alerts/alerts.log
** Alert 1408365517.2903: mail - clamscan
2014 Aug 10 08:38:37 srv008->/var/log/messages
Rule: 100304 (level 8) -> 'Unsupported DB files found'
Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No
supported database files found in /var/lib/clamav
As you can see there is no extra_data = /var/lib/clamav anywhere, but if I
use exactly the same decoder and rule, changing <order>extra_data to
(srcip, dstip, user, dstuser, srcuser, dstport, srcport, user), it works very well.
This is the new output:
** Alert 1408365731.3332: mail - clamscan
2014 Aug 10 08:42:11 srv008->/var/log/messages
Rule: 100304 (level 8) -> 'Unsupported DB files found'
Src IP: /var/lib/clamav
Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No
supported database files found in /var/lib/clamav
In this case I used <order>srcip</order>.
Thank you very much for your help!
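An added example, not part of the original post or of OSSEC itself: a small Python emulation of the two posted decoders, plus a parser for the plain-text alerts.log blocks shown above, so you can check offline which decoded field values actually surface as labelled lines in an alert. The helper names (pre_decode, decode, parse_alerts_log, decoded_fields_shown) are hypothetical; the sample log line and the two alert blocks are constructed from the post, re-joined onto single lines where the mail client wrapped them. The emulation covers only the decoder elements the post uses (program_name, parent, prematch, regex offset="after_prematch", order). OSSEC's regex dialect differs from Python's in general; the one pattern used here, (\S+), happens to mean the same in both.

```python
import re

# Constructed sample input, copied from the post (alerts.log lines re-joined
# where the mail client had wrapped them).
SAMPLE_LOG = ("Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): "
              "No supported database files found in /var/lib/clamav")

SAMPLE_ALERTS = """\
** Alert 1408365517.2903: mail - clamscan
2014 Aug 10 08:38:37 srv008->/var/log/messages
Rule: 100304 (level 8) -> 'Unsupported DB files found'
Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav

** Alert 1408365731.3332: mail - clamscan
2014 Aug 10 08:42:11 srv008->/var/log/messages
Rule: 100304 (level 8) -> 'Unsupported DB files found'
Src IP: /var/lib/clamav
Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav
"""

# The posted decoders, reduced to the elements this emulation understands.
# Swap "extra_data" for "srcip" here to mirror the poster's second run.
DECODERS = [
    {"name": "clamscan", "program_name": "clamscan"},
    {"name": "clamscan_custom_decoder_no_support", "parent": "clamscan",
     "prematch": "No supported database files found in",
     "regex": r"(\S+)", "order": ["extra_data"]},
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<hostname>\S+)\s+"
    r"(?P<program_name>[^:\s]+):\s+(?P<log>.*)$")


def pre_decode(line):
    """Phase 1: split the syslog header into hostname / program_name / log."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else {"log": line}


def decode(line, decoders=DECODERS):
    """Phase 2: choose the parent decoder by program_name, then let the first
    matching child extract fields from the text after its prematch."""
    pre = pre_decode(line)
    parent = next((d for d in decoders if "program_name" in d
                   and d["program_name"] == pre.get("program_name")), None)
    if parent is None:
        return None
    result = {"decoder": parent["name"]}  # logtest reports the parent name
    for child in decoders:
        if child.get("parent") != parent["name"]:
            continue
        idx = pre["log"].find(child["prematch"])
        if idx < 0:
            continue
        rest = pre["log"][idx + len(child["prematch"]):].lstrip()
        m = re.search(child["regex"], rest)
        if m:
            result.update(zip(child["order"], m.groups()))
            break
    return result


ALERT_HEADER_RE = re.compile(
    r"^\*\* Alert (?P<id>\d+\.\d+): (?P<kind>\S+) - (?P<group>\S+)$")
RULE_RE = re.compile(
    r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")
FIELD_RE = re.compile(r"^(?P<label>[A-Z][A-Za-z ]+): (?P<value>.*)$")


def parse_alerts_log(text):
    """Parse plain alerts.log blocks into dicts, keeping labelled 'Key: value'
    lines (such as 'Src IP: ...') apart from the raw log line(s)."""
    alerts = []
    for block in text.split("** Alert ")[1:]:
        lines = ("** Alert " + block).strip().splitlines()
        head = ALERT_HEADER_RE.match(lines[0])
        date, _, location = lines[1].rpartition(" ")
        rule = RULE_RE.match(lines[2])
        alert = {**head.groupdict(), "date": date, "location": location,
                 **rule.groupdict(), "fields": {}, "log": []}
        for line in lines[3:]:
            f = FIELD_RE.match(line)
            if f and not SYSLOG_RE.match(line):
                alert["fields"][f["label"]] = f["value"]
            else:
                alert["log"].append(line)
        alerts.append(alert)
    return alerts


def decoded_fields_shown(decoded, alert):
    """For each decoded field, whether its value appears as a labelled line."""
    return {k: v in alert["fields"].values()
            for k, v in decoded.items() if k != "decoder"}


if __name__ == "__main__":
    decoded = decode(SAMPLE_LOG)
    print("decoded:", decoded)
    for alert in parse_alerts_log(SAMPLE_ALERTS):
        print(alert["id"], "labelled fields:", alert["fields"],
              "decoded values shown:", decoded_fields_shown(decoded, alert))
```

Running it reproduces the observation in the post: the emulated decoder yields extra_data = /var/lib/clamav, the first alert block carries no labelled field line at all, and the second carries the same value only because it was decoded as srcip and printed as "Src IP:".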