On Mon, Oct 5, 2015 at 10:38 AM, Paul <[email protected]> wrote:
> I cannot seem to see where I am going wrong. When I test my regex with:
>
> /var/ossec/bin/ossec-regex 'DUQUESNE\sFTP\.+Error\p'
>
> against the syslog event of:
>
>                 Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server
> 7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21,
> Client=10.2.3.41:42016><Command=start, Error=220>
>
> I am given results. However, when I have the rule of:
>
> <rule id="100032" level="0">
>   <if_sid>1002</if_sid>
>   <regex>DUQUESNE\sFTP\.+Error\p</regex>

You're looking at the wrong part of the rule. This will never match
the example you posted.
Here's how ossec-logtest sees the log message:
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: 'Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2
FTP Server 7.6.3(70179994) FIPS <SessionID=28760006,
Listener=10.2.3.5:21, Client=10.2.3.41:42016><Command=start,
Error=220>'
       hostname: 'DUQUESNE'
       program_name: 'FTP'
       log: '220 website.com X2 FTP Server 7.6.3(70179994) FIPS
<SessionID=28760006, Listener=10.2.3.5:21,
Client=10.2.3.41:42016><Command=start, Error=220>'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


Everything in a <regex> or <match> should be on that "log:" line.

> </rule>
>
> and then run it against logtest, it does not work. Log test sees it hit Rule
> 1002 and then tries the child rules and completes as rule 1002.
>
> Any help as to what I am doing wrong would be appreciated.
>
> Thanks!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

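An added illustration of the point made above (my own script, not code from the thread or from OSSEC): it splits the quoted syslog line into the same hostname / program_name / log fields that ossec-logtest prints in Phase 1, then shows why the pattern matches when ossec-regex tests it against the whole line but fails once the rule engine applies it to the "log" field only. The OSSEC-regex-to-Python translation covers only the \w \d \s \p \. classes and the + * ^ $ | modifiers and is an approximation of OSSEC's own matcher; the "fixed" rule that uses <hostname> and <program_name> alongside <regex> is an assumed correction, not one proposed in the thread.

```python
import re

# Constructed sample: the syslog event quoted in the thread.
SAMPLE_EVENT = (
    "Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server "
    "7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21, "
    "Client=10.2.3.41:42016><Command=start, Error=220>"
)

# Phase 1 pre-decoding for the classic "Mon DD HH:MM:SS host program[pid]: msg"
# layout. Only this layout is handled; OSSEC itself recognises several more.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\[ ]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(event):
    """Split a syslog line into the fields ossec-logtest prints in Phase 1.
    If the line does not fit the layout, the whole line becomes the log field."""
    m = SYSLOG_RE.match(event)
    if m is None:
        return {"full_event": event, "hostname": None,
                "program_name": None, "log": event}
    return {"full_event": event, "hostname": m.group("hostname"),
            "program_name": m.group("program_name"), "log": m.group("log")}


# Subset of OSSEC regex classes rendered as Python character classes.
# Assumed approximation of OSSEC's matcher, which is not a PCRE engine.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "D": r"[^0-9]",
    "s": r"[ ]",
    "S": r"[^ ]",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    ".": r".",
    "t": r"\t",
}


def ossec_to_python(pattern):
    """Translate an OSSEC-syntax pattern into a Python re pattern.
    Bare characters (including '.') are literals in OSSEC; backslash escapes
    select a class; + * ^ $ | are the only modifiers passed through."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        out.append(c if c in "+*^$|" else re.escape(c))
        i += 1
    return "".join(out)


def ossec_search(pattern, text):
    """True when the OSSEC-syntax PATTERN occurs anywhere in TEXT,
    the way ossec-regex reports a hit."""
    return re.search(ossec_to_python(pattern), text) is not None


def rule_matches(rule, event):
    """Apply rule fields the way the Phase 1 output implies: <hostname> and
    <program_name> against their own fields, <regex> against the log field."""
    fields = predecode(event)
    for field in ("hostname", "program_name"):
        if field in rule and not ossec_search(rule[field], fields[field] or ""):
            return False
    if "regex" in rule and not ossec_search(rule["regex"], fields["log"]):
        return False
    return True


# The pattern from the thread, and an assumed corrected rule. The latter
# corresponds to (not from the thread):
#   <rule id="100032" level="0">
#     <if_sid>1002</if_sid>
#     <hostname>^DUQUESNE$</hostname>
#     <program_name>^FTP$</program_name>
#     <regex>Error=\d+</regex>
#   </rule>
PAUL_RULE = {"regex": r"DUQUESNE\sFTP\.+Error\p"}
FIXED_RULE = {"hostname": "^DUQUESNE$", "program_name": "^FTP$",
              "regex": r"Error=\d+"}

if __name__ == "__main__":
    f = predecode(SAMPLE_EVENT)
    for k in ("hostname", "program_name", "log"):
        print(f"{k}: {f[k]!r}")
    print("ossec-regex vs full event:", ossec_search(PAUL_RULE["regex"], SAMPLE_EVENT))
    print("rule engine vs log field :", rule_matches(PAUL_RULE, SAMPLE_EVENT))
    print("fixed rule               :", rule_matches(FIXED_RULE, SAMPLE_EVENT))
```

The anchors on <hostname> and <program_name> matter: an unanchored FTP would also match a program named SFTPD, which is the kind of over-broad level-0 rule that silently suppresses alerts you wanted to keep.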