On Mon, Aug 18, 2014 at 9:14 AM, Alejandro Teijeiro Mora <[email protected]> wrote:
> Hello everyone,
>
> I was creating some OSSEC custom rules and decoders for a new project at
> work, but I found that when I use (extra_data, status, action, url, id,
> protocol and location) inside <order> I can't see the fields in
> /var/ossec/logs/alerts/alerts.log. But when I use the same decoder with
> (srcip, dstip, user, dstuser, srcuser, dstport, srcport, user) it works
> perfectly.
>
> I'll give you an example:
>
> This is the log I'm working on; I want to extract the path as
> extra_data:
>
> Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported
> database files found in /var/lib/clamav
>
> This is my decoder:
>
> <decoder name="clamscan">
>   <program_name>clamscan</program_name>
> </decoder>
>
> <decoder name="clamscan_custom_decoder_no_support">
>   <parent>clamscan</parent>
>   <prematch>No supported database files found in</prematch>
>   <regex offset="after_prematch">(\S+)</regex>
>   <order>extra_data</order>
> </decoder>
>
> This is my rule:
>
> <group name="clamscan">
>   <rule id="100300" level="0" noalert="1">
>     <decoded_as>clamscan</decoded_as>
>     <description>Grouping ClamAV rules.</description>
>   </rule>
>
>   <rule id="100304" level="8">
>     <if_sid>100300</if_sid>
>     <match>No supported database files found in</match>
>     <description>Unsupported DB files found</description>
>   </rule>
> </group>
>
> So, this is what I obtain when I execute the script
> /var/ossec/bin/ossec-logtest:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav'
>        hostname: 'srv008'
>        program_name: 'clamscan'
>        log: 'LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav'
>
> **Phase 2: Completed decoding.
>        decoder: 'clamscan'
>        extra_data: '/var/lib/clamav'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100304'
>        Level: '8'
>        Description: 'Unsupported DB files found'
> **Alert to be generated.
>
> This is the log in /var/ossec/logs/alerts/alerts.log:
>
> ** Alert 1408365517.2903: mail - clamscan
> 2014 Aug 10 08:38:37 srv008->/var/log/messages
> Rule: 100304 (level 8) -> 'Unsupported DB files found'
> Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav
>
> As you can see there is no EXTRA DATA = /var/lib/clamav anywhere, but if I
> use the exact same decoder and rule, changing <order>extra_data</order> for
> (srcip, dstip, user, dstuser, srcuser, dstport, srcport, user), it works
> very well.
>
> This is the new output:
>
> ** Alert 1408365731.3332: mail - clamscan
> 2014 Aug 10 08:42:11 srv008->/var/log/messages
> Rule: 100304 (level 8) -> 'Unsupported DB files found'
> Src IP: /var/lib/clamav
> Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav
>
> In this case I used <order>srcip</order>.
>
> Thank you very much for your help!
I'm guessing there just isn't any code for that. If you add it, submit a pull request on GitHub (https://github.com/ossec/ossec-hids).

> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
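The behaviour reported above is easiest to see when the three ossec-logtest phases are separated. The following is an added illustration, written for this page; it is not code from the thread and not OSSEC's implementation. It models the posted decoder (parent on program_name, child with prematch, regex offset="after_prematch" and order) and an alert writer that only prints fields it has a label for. The syslog header pattern, the "Dst IP" and "User" labels, and the use of Python's re for OSSEC's own regex dialect are assumptions of this model; "Src IP" is the label that appears in the thread's alerts.log, and the sample log line is the one from the thread.

```python
import re

# Constructed input: the log line quoted in the thread.
SAMPLE_LOG = ("Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): "
              "No supported database files found in /var/lib/clamav")

# Phase 1 (pre-decoding): split the syslog header from the message body.
# Assumed pattern; it covers the "Mon DD HH:MM:SS host prog[pid]: msg" shape only.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")


def predecode(line):
    """Return hostname/program_name/log as ossec-logtest prints them in Phase 1."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return {"hostname": m.group("host"), "program_name": m.group("prog"),
            "log": m.group("log")}


# Phase 2 (decoding): parent decoder keyed on program_name, child decoder that
# applies <prematch>, then <regex offset="after_prematch">, and names captures
# with <order>. OSSEC has its own regex dialect; Python's re is used here only
# because the thread's pattern (\S+) means the same thing in both.
PARENT = {"name": "clamscan", "program_name": "clamscan"}


def child_decoder(order):
    return {"parent": "clamscan",
            "prematch": "No supported database files found in",
            "regex": r"(\S+)",
            "order": list(order)}


def decode(pre, parent=PARENT, child=None):
    if pre is None or pre["program_name"] != parent["program_name"]:
        return None
    fields = {"decoder": parent["name"]}
    if child is None:
        return fields
    idx = pre["log"].find(child["prematch"])
    if idx < 0:
        return fields
    after = pre["log"][idx + len(child["prematch"]):]
    m = re.search(child["regex"], after)
    if m:
        # Every capture is stored, whatever name <order> gives it.
        for name, value in zip(child["order"], m.groups()):
            fields[name] = value
    return fields


# Phase 3 output (alert writer model): prints only fields with a known label.
# "Src IP" is the label seen in the thread; "Dst IP" and "User" are assumed.
# extra_data has no entry, which reproduces what the thread reports.
PRINTED_FIELDS = [("srcip", "Src IP"), ("dstip", "Dst IP"), ("user", "User")]


def format_alert(fields, line, rule_id=100304, level=8,
                 description="Unsupported DB files found"):
    out = [f"Rule: {rule_id} (level {level}) -> '{description}'"]
    for key, label in PRINTED_FIELDS:
        if key in fields:
            out.append(f"{label}: {fields[key]}")
    out.append(line)
    return out


def run(order, line=SAMPLE_LOG):
    """Decode one line with the given <order> and return (fields, alert_lines)."""
    fields = decode(predecode(line), PARENT, child_decoder(order))
    return fields, format_alert(fields, line)


if __name__ == "__main__":
    for order in (["extra_data"], ["srcip"]):
        fields, alert = run(order)
        print("order:", order, "-> decoded:", fields)
        print("\n".join(alert), "\n")
```

Running it shows the point of the thread: the decoder captures the path in both cases (as ossec-logtest's Phase 2 output already showed), and only the alert writer differs. Verify custom decoders with ossec-logtest rather than by grepping alerts.log. The srcip workaround from the thread does make the value visible, but it stores a filesystem path in a field that rule matching (`<srcip>`) and active response treat as an address, so use it knowingly.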
