Understood. Again, thank you for your help.

On Wednesday, October 7, 2015 at 1:31:45 PM UTC-4, dan (ddpbsd) wrote:
>
> On Oct 7, 2015 1:28 PM, "Paul" <[email protected]> wrote:
> >
> > argh.......I should have known better than that
> >
> > Thank you very much for the help!!
> >
> > I set the hostname and the program name. Now I was wondering, is there a
> > way of grouping in OSSEC's regex?
> >
> > I would like to do something like this:
> >
> > <regex>Error\p(150|200|220|226|230|331)</regex>
> >
> > Where within the parentheses would be the 'or' statement. Or am I left
> > with doing it like this:
> >
> > <match>Error=150|Error=200|Error=220|Error=226|Error=230|Error=331</match>
> >
>
> Unfortunately you'll have to do it the long way (second option).
>
> >
> > On Tuesday, October 6, 2015 at 8:05:31 AM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Mon, Oct 5, 2015 at 10:38 AM, Paul <[email protected]> wrote:
> >> > I cannot seem to see where I am going wrong. When I test my regex
> >> > with:
> >> >
> >> > /var/ossec/bin/ossec-regex 'DUQUESNE\sFTP\.+Error\p'
> >> >
> >> > against the syslog event of:
> >> >
> >> > Oct 5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server
> >> > 7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21,
> >> > Client=10.2.3.41:42016><Command=start, Error=220>
> >> >
> >> > I am given results. However, when I have the rule of:
> >> >
> >> > <rule id="100032" level="0">
> >> >   <if_sid>1002</if_sid>
> >> >   <regex>DUQUESNE\sFTP\.+Error\p</regex>
> >>
> >> You're looking at the wrong part of the rule. This will never match
> >> the example you posted.
> >> Here's how ossec-logtest sees the log message:
> >>
> >> ossec-testrule: Type one log per line.
> >>
> >> **Phase 1: Completed pre-decoding.
> >> full event: 'Oct 5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server 7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21, Client=10.2.3.41:42016><Command=start, Error=220>'
> >> hostname: 'DUQUESNE'
> >> program_name: 'FTP'
> >> log: '220 website.com X2 FTP Server 7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21, Client=10.2.3.41:42016><Command=start, Error=220>'
> >>
> >> **Phase 2: Completed decoding.
> >> No decoder matched.
> >>
> >> **Phase 3: Completed filtering (rules).
> >> Rule id: '1002'
> >> Level: '2'
> >> Description: 'Unknown problem somewhere in the system.'
> >> **Alert to be generated.
> >>
> >> Everything in a <regex> or <match> should be on that "log:" line.
> >>
> >> > </rule>
> >> >
> >> > and then run it against logtest, it does not work. logtest sees it hit
> >> > Rule 1002 and then tries the child rules and completes as rule 1002.
> >> >
> >> > Any help as to what I am doing wrong would be appreciated.
> >> >
> >> > Thanks!
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
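The following Python simulation is an added example, not code from the thread or from OSSEC itself. It reproduces the point dan makes: ossec-logtest first splits a syslog line into hostname, program_name and log, and a rule's <regex> and <match> are tested against the log part only, so the hostname and program name belong in their own rule fields; it also shows the flat Error=NNN|... alternation in <match> that dan says is the only option. The syslog split, the translation of the OSSEC regex escapes (\s, \., \p, \d, \w), the substring semantics assumed for <match>/<hostname>/<program_name>, and the sample events are all approximations and constructed data, not OSSEC's engine or real logs; the ValueError on parentheses is this example's own choice.

```python
# Added example (not OSSEC's code): where ossec-logtest applies a rule's
# fields.  The syslog split, the OSSEC regex translation and the match
# semantics are approximations; the events below are constructed.
import re

# Constructed sample events in the shape shown in the thread (not real logs).
SAMPLE_EVENTS = [
    "Oct 5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server 7.6.3(70179994) FIPS "
    "<SessionID=28760006, Listener=10.2.3.5:21, Client=10.2.3.41:42016><Command=start, Error=220>",
    "Oct 5 10:21:48 DUQUESNE FTP: 331 website.com X2 FTP Server 7.6.3(70179994) FIPS "
    "<SessionID=28760007, Listener=10.2.3.5:21, Client=10.2.3.41:42017><Command=user, Error=331>",
    "Oct 5 10:21:49 DUQUESNE FTP: 530 website.com X2 FTP Server 7.6.3(70179994) FIPS "
    "<SessionID=28760008, Listener=10.2.3.5:21, Client=10.2.3.41:42018><Command=pass, Error=530>",
    "Oct 5 10:21:50 OTHERHOST sshd[123]: Failed password for root from 10.2.3.99 port 5555 ssh2",
]

# Phase 1 (pre-decoding): "<timestamp> <hostname> <program_name>[pid]: <log>".
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?P<hostname>\S+) (?P<program_name>[^:\[\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)

def predecode(event):
    """Split a syslog line into the fields ossec-logtest prints in Phase 1."""
    m = SYSLOG_RE.match(event)
    if not m:  # no syslog header: the whole line is the 'log' part
        return {"hostname": None, "program_name": None, "log": event}
    return m.groupdict()

# OSSEC regex escapes used in the thread, mapped to Python re syntax.
_OSSEC_TOKENS = {
    r"\s": r"\s", r"\d": r"\d", r"\w": r"\w",
    r"\.": r".",                                    # \. is "any character" in OSSEC
    r"\p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&@^_`{|}~]",  # \p is punctuation
}

def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> into a Python pattern (approximation)."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in _OSSEC_TOKENS:
            out.append(_OSSEC_TOKENS[tok]); i += 2
        elif pattern[i] in "+*|^$":  # quantifiers, top-level alternation, anchors
            out.append(pattern[i]); i += 1
        elif pattern[i] in "()":
            # Grouped alternation is not available per the thread; this example
            # refuses it rather than guessing what the engine would do with it.
            raise ValueError("grouping not supported; write Error=150|Error=200|...")
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def os_match(pattern, text):
    """<match>/<hostname>/<program_name>: literal substrings joined by |,
    with ^ and $ as start/end anchors (assumed substring semantics)."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = alt[1 if start else 0:len(alt) - 1 if end else len(alt)]
        ok = (text == core if start and end else text.startswith(core) if start
              else text.endswith(core) if end else core in text)
        if ok:
            return True
    return False

def ossec_regex_cli(pattern, event):
    """What /var/ossec/bin/ossec-regex checks: the pattern against the whole line."""
    return re.search(ossec_regex_to_python(pattern), event) is not None

def rule_matches(rule, fields):
    """Phase 3 (simplified): each rule field is tested against the pre-decoded
    part it belongs to; <match> and <regex> only ever see the 'log' part."""
    if "hostname" in rule and not os_match(rule["hostname"], fields["hostname"] or ""):
        return False
    if "program_name" in rule and not os_match(rule["program_name"], fields["program_name"] or ""):
        return False
    if "match" in rule and not os_match(rule["match"], fields["log"]):
        return False
    if "regex" in rule and not re.search(ossec_regex_to_python(rule["regex"]), fields["log"]):
        return False
    return True

# The rule as first posted: hostname and program name inside <regex>.
ORIGINAL_RULE = {"id": "100032", "regex": r"DUQUESNE\sFTP\.+Error\p"}
# The rule following the advice in the thread: hostname and program_name in
# their own fields, error codes as a flat alternation in <match>.
FIXED_RULE = {
    "id": "100032", "hostname": "DUQUESNE", "program_name": "FTP",
    "match": "Error=150|Error=200|Error=220|Error=226|Error=230|Error=331",
}

def evaluate(rule, events=SAMPLE_EVENTS):
    """Indexes of the events the rule would fire on."""
    return [i for i, e in enumerate(events) if rule_matches(rule, predecode(e))]

if __name__ == "__main__":
    f = predecode(SAMPLE_EVENTS[0])
    print("hostname:", f["hostname"], "program_name:", f["program_name"], "log:", f["log"])
    print("ossec-regex on the full line:", ossec_regex_cli(ORIGINAL_RULE["regex"], SAMPLE_EVENTS[0]))
    print("original rule fires on:", evaluate(ORIGINAL_RULE))
    print("fixed rule fires on:", evaluate(FIXED_RULE))
```

Running it shows the mismatch from the thread: the pattern succeeds against the whole line, as ossec-regex reports, but the same pattern in a rule never fires because the "DUQUESNE FTP:" prefix is no longer in the log part by the time the rule is evaluated. The rewritten rule fires on the two constructed events whose Error code is in the alternation and ignores the 530 event and the event from another host.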
