On Oct 7, 2015 1:28 PM, "Paul" <[email protected]> wrote:
>
> argh.......I should have known better than that
>
> Thank you very much for the help!!
>
>
>
> I set the hostname and the program name. Now I was wondering, is there a way of grouping in ossec's regex?
>
> I would like to do something like this:
>
>                 <regex>Error\p(150|200|220|226|230|331)</regex>
>
> Where within the parentheses would be the 'or' statement. Or am I left with doing it like this:
>
> <match>Error=150|Error=200|Error=220|Error=226|Error=230|Error=331</match>
>

Unfortunately you'll have to do it the long way (second option).

>
>
>
>
> On Tuesday, October 6, 2015 at 8:05:31 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Oct 5, 2015 at 10:38 AM, Paul <[email protected]> wrote:
>> > I cannot seem to see where I am going wrong. When I test my regex with:
>> >
>> > /var/ossec/bin/ossec-regex 'DUQUESNE\sFTP\.+Error\p'
>> >
>> >
>> >
>> > against the syslog event of:
>> >
>> >                 Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server
>> > 7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21,
>> > Client=10.2.3.41:42016><Command=start, Error=220>
>> >
>> >
>> >
>> > I am given results. However, when I have the rule of:
>> >
>> > <rule id="100032" level="0">
>> >   <if_sid>1002</if_sid>
>> >   <regex>DUQUESNE\sFTP\.+Error\p</regex>
>> >
>>
>> You're looking at the wrong part of the rule. This will never match
>> the example you posted.
>> Here's how ossec-logtest sees the log message:
>> ossec-testrule: Type one log per line.
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2
>> FTP Server 7.6.3(70179994) FIPS <SessionID=28760006,
>> Listener=10.2.3.5:21, Client=10.2.3.41:42016><Command=start,
>> Error=220>'
>>        hostname: 'DUQUESNE'
>>        program_name: 'FTP'
>>        log: '220 website.com X2 FTP Server 7.6.3(70179994) FIPS
>> <SessionID=28760006, Listener=10.2.3.5:21,
>> Client=10.2.3.41:42016><Command=start, Error=220>'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '1002'
>>        Level: '2'
>>        Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>>
>> Everything in a <regex> or <match> should be on that "log:" line.
>>
>> > </rule>
>> >
>> > and then run it against logtest, it does not work. Logtest sees it hit Rule
>> > 1002 and then tries the child rules and completes as rule 1002.
>> >
>> >
>> >
>> > Any help as to what I am doing wrong would be appreciated.
>> >
>> > Thanks!
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
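A worked illustration of the two points made in this thread, added here and not part of the thread or of OSSEC's own code: a small stand-in for the syslog pre-decoder (the real one is OSSEC's C code and handles more formats; the BSD-style "Mon DD HH:MM:SS host prog: msg" layout is an assumption) shows why a `<regex>` that starts with the hostname can never match the `log:` field, and a minimal rule evaluator shows the long-form `<match>` alternation working against it. The translation of `\s`, `\p` and `\.` to Python syntax covers only the escapes used in the thread.

```python
import re

# Constructed sample: the event quoted in the thread, not captured from a live system.
EVENT = ("Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server "
         "7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21, "
         "Client=10.2.3.41:42016><Command=start, Error=220>")

# Stand-in for OSSEC's syslog pre-decoder (assumption: BSD-style "Mon DD HH:MM:SS host prog: msg").
# It peels off the timestamp, hostname and program_name; only the remainder becomes the "log" field.
SYSLOG = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) "
                    r"(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: (?P<log>.*)$")

def predecode(event):
    """Return the fields a rule's <hostname>, <program_name>, <regex> and <match> are checked against."""
    m = SYSLOG.match(event)
    if m is None:  # no syslog header: the whole line is the log field
        return {"hostname": None, "program_name": None, "log": event}
    return m.groupdict()

# OSSEC regex escapes used in the thread, translated to Python syntax (assumption: only these three
# are needed). In OSSEC '\s' is a space, '\p' one punctuation character and '\.' any character.
_PUNCT_CLASS = "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]"
_ESCAPES = {r"\s": " ", r"\p": _PUNCT_CLASS, r"\.": "."}

def ossec_regex_to_python(pattern):
    return re.sub(r"\\[sp.]", lambda m: _ESCAPES[m.group(0)], pattern)

def rule_matches(rule, fields):
    """Evaluate a rule given as a dict of the XML elements used in the thread."""
    for key in ("hostname", "program_name"):
        if key in rule and fields[key] != rule[key]:
            return False
    if "regex" in rule and not re.search(ossec_regex_to_python(rule["regex"]), fields["log"]):
        return False
    if "match" in rule:
        # <match> is a substring test; '|' separates whole alternatives, hence the long form
        if not any(alt in fields["log"] for alt in rule["match"].split("|")):
            return False
    return True

# The rule as first written: the hostname and program name are no longer in the log field,
# so this matches the full line that ossec-regex is fed but never the pre-decoded event.
ORIGINAL_RULE = {"regex": r"DUQUESNE\sFTP\.+Error\p"}

# The rule after the thread's advice: match the stripped fields and spell out every alternative.
FIXED_RULE = {"hostname": "DUQUESNE", "program_name": "FTP",
              "match": "Error=150|Error=200|Error=220|Error=226|Error=230|Error=331"}
```

Calling `rule_matches(ORIGINAL_RULE, predecode(EVENT))` gives `False` while `rule_matches(FIXED_RULE, predecode(EVENT))` gives `True`, which is the behaviour the logtest output above reflects.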
