Hello,
I'm having trouble getting Regex to work in the <hostname> field in my
custom OSSEC rule. According to the OSSEC documentation here
<http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html#frequency>
I should be able to use a regex in the hostname qualifier.
When I add any regex value to the hostname attribute it seems to be ignored
and never matches my rule. I've tried this on 2.8.1 and 2.8.3.
Here is the rule I'm trying to write:
<rule id="100050" level="0">
  <if_sid>1002</if_sid>
  <program_name>sudo</program_name>
  <hostname>db\w+.blah.net</hostname>
  <match>pam_unix(sudo:auth): conversation failed</match>
  <description>Ignore DB sudo issues for now</description>
</rule>
I've verified that the regex works as expected using ossec-regex:
[root@blah ~]# /var/ossec/bin/ossec-regex 'db\w+.blah.net'
dbstuff0010.blah.net
+OSRegex_Execute: dbstuff0010.blah.net
+OS_Regex : dbstuff0010.blah.net
However, when I run OSSEC-logtest the rule isn't applied:
[root@blah ~]# /var/ossec/bin/ossec-logtest
2015/12/28 19:50:56 ossec-testrule: INFO: Reading local decoder file.
2015/12/28 19:50:56 ossec-testrule: INFO: Started (pid: 114042).
ossec-testrule: Type one log per line.
2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed
**Phase 1: Completed pre-decoding.
full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed '
hostname: 'dbstuff0010.blah.net'
program_name: 'sudo'
log: 'pam_unix(sudo:auth): conversation failed '
**Phase 2: Completed decoding.
decoder: 'pam'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
*Removing the <hostname> qualifier from the rule allows the rule to match:*
[root@blah ~]# /var/ossec/bin/ossec-logtest
2015/12/28 19:53:09 ossec-testrule: INFO: Reading local decoder file.
2015/12/28 19:53:09 ossec-testrule: INFO: Started (pid: 115629).
ossec-testrule: Type one log per line.
2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed
**Phase 1: Completed pre-decoding.
full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed '
hostname: 'dbstuff0010.blah.net'
program_name: 'sudo'
log: 'pam_unix(sudo:auth): conversation failed '
**Phase 2: Completed decoding.
decoder: 'pam'
**Phase 3: Completed filtering (rules).
Rule id: '100050'
Level: '0'
Description: 'Ignore DB sudo issues for now'
I've tried the following regexes for the <hostname> qualifier and nothing
worked in the rule:
- db\w+.blah.net
- db(\w+).blah.net
- db(\S+).blah.net
- db(\.*).blah.net
- db\S+.blah.net
- db\.+
- dbstuff0010.blah.ne\w (for testing...)
- \.* (as a test to attempt to match anything)
Any ideas around here? Has anyone had luck getting regex to work in the
hostname qualifier?
Would appreciate any ideas or help people can offer!
- Francisco
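Editor's note, with an added example that is not part of the original post and is not OSSEC's own code. The `ossec-regex` tool exercises OSSEC's OS_Regex syntax, while the rule qualifiers `<hostname>` and `<program_name>` are compiled as OS_Match ("sregex"): a literal substring match whose only metacharacters are `^` (anchor at start), `$` (anchor at end), `|` (alternation) and a leading `!` (negation), so `\w`, `\S`, `+`, `*` and parentheses are taken literally there. The Python below re-implements that simplified sregex semantics as I understand it (assumption: OS_Match has no other metacharacters), runs the poster's candidate patterns and a few sregex-style alternatives against the hostname from the `ossec-logtest` output above, and shows the caveat that matters for a level-0 "ignore" rule: an unanchored substring such as `blah.net` also silences hosts you did not intend (`evil-blah.net` is a constructed hostname used only for that check).

```python
"""Illustrative re-implementation of OSSEC's OS_Match ('sregex') semantics.

This is NOT OSSEC's code. It exists to show why an OS_Regex pattern that
ossec-regex accepts can never match inside a <hostname> rule qualifier,
and which sregex forms do match. Assumption: OS_Match's only metacharacters
are '^', '$', '|' and a leading '!'.
"""


def sregex_match(pattern: str, text: str) -> bool:
    """Return True if `pattern` matches `text` under simplified sregex rules.

    - a leading '!' negates the whole expression
    - '|' separates alternatives; any one alternative matching is a match
    - '^' at the start of an alternative anchors it to the start of the text
    - '$' at the end of an alternative anchors it to the end of the text
    - every other character (including '\\', '.', '*', '+', '(' ) is literal
    """
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]

    matched = False
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1 if at_start else 0 : -1 if at_end else None]
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            matched = True
            break
    return matched != negate


# Hostname as decoded in the poster's ossec-logtest run.
HOSTNAME = "dbstuff0010.blah.net"

# The patterns the poster tried: valid OS_Regex, but as sregex each one is a
# literal substring containing a backslash, so none can match a real hostname.
TRIED = [
    r"db\w+.blah.net",
    r"db(\w+).blah.net",
    r"db(\S+).blah.net",
    r"db(\.*).blah.net",
    r"db\S+.blah.net",
    r"db\.+",
    r"dbstuff0010.blah.ne\w",
    r"\.*",
]

# sregex forms that do match this host ('.' is literal, which is what we want).
WORKING = [
    "^db",                     # prefix match
    ".blah.net$",              # suffix match
    "^db|.blah.net$",          # either alternative suffices
    "dbstuff0010.blah.net",    # plain substring
    "^dbstuff0010.blah.net$",  # exact match
]


def evaluate(patterns, hostname=HOSTNAME):
    """Map each pattern to whether it matches `hostname` under sregex rules."""
    return {p: sregex_match(p, hostname) for p in patterns}


if __name__ == "__main__":
    for label, pats in (("tried", TRIED), ("working", WORKING)):
        for pat, ok in evaluate(pats).items():
            print(f"{label:8s} {pat!r:28s} -> {ok}")
    # Over-broad suppression: unanchored 'blah.net' also matches this constructed host.
    print("blah.net   vs evil-blah.net ->", sregex_match("blah.net", "evil-blah.net"))
    print(".blah.net$ vs evil-blah.net ->", sregex_match(".blah.net$", "evil-blah.net"))
```

Because sregex has no way to express "starts with db AND ends with .blah.net" in one field, pick the anchor that actually scopes the suppression (usually the domain suffix) and keep the rest of the rule (`<program_name>`, `<match>`) as the narrowing condition; `ossec-logtest` will then show rule 100050 firing with the `<hostname>` qualifier in place.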