On Dec 28, 2015 3:17 PM, "Francisco" <[email protected]> wrote:
>
> Hello,
>
> I'm having trouble getting Regex to work in the <hostname> field in my
> custom OSSEC rule. According to the OSSEC documentation here I should be
> able to use a regex in the hostname qualifier.
>

Despite what the documentation might say, I don't think regex works in the
hostname field. Can you give me a link to where it says it works so I can
test and correct the documentation if necessary?

> When I add any regex value to the hostname attribute it seems to be
> ignored and never matches my rule. I've tried this on 2.8.1 and 2.8.3.
>
> Here is the rule I'm trying to write:
>>
>>
>>   <rule id="100050" level="0">
>>     <if_sid>1002</if_sid>
>>     <program_name>sudo</program_name>
>>     <hostname>db\w+.blah.net</hostname>
>>     <match>pam_unix(sudo:auth): conversation failed</match>
>>     <description>Ignore DB sudo issues for now</description>
>>   </rule>
>
>
> I've verified that the regex works as expected using ossec-regex:
>
>> [root@blah ~]# /var/ossec/bin/ossec-regex 'db\w+.blah.net'
>> dbstuff0010.blah.net
>> +OSRegex_Execute: dbstuff0010.blah.net
>> +OS_Regex       : dbstuff0010.blah.net
>
>
>  However, when I run OSSEC-logtest the rule isn't applied:
>
>> [root@blah ~]# /var/ossec/bin/ossec-logtest
>> 2015/12/28 19:50:56 ossec-testrule: INFO: Reading local decoder file.
>> 2015/12/28 19:50:56 ossec-testrule: INFO: Started (pid: 114042).
>> ossec-testrule: Type one log per line.
>>
>> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed '
>>        hostname: 'dbstuff0010.blah.net'
>>        program_name: 'sudo'
>>        log: 'pam_unix(sudo:auth): conversation failed '
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pam'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '1002'
>>        Level: '2'
>>        Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>
>
> Removing the <hostname> qualifier from the rule allows the rule to match:
>
>> [root@blah ~]# /var/ossec/bin/ossec-logtest
>> 2015/12/28 19:53:09 ossec-testrule: INFO: Reading local decoder file.
>> 2015/12/28 19:53:09 ossec-testrule: INFO: Started (pid: 115629).
>> ossec-testrule: Type one log per line.
>>
>> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed '
>>        hostname: 'dbstuff0010.blah.net'
>>        program_name: 'sudo'
>>        log: 'pam_unix(sudo:auth): conversation failed '
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pam'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100050'
>>        Level: '0'
>>        Description: 'Ignore DB sudo issues for now'
>
>
> I've tried the following regexes for the <hostname> qualifier and nothing
> worked in the rule:
>
> db\w+.blah.net
> db(\w+).blah.net
> db(\S+).blah.net
> db(\.*).blah.net
> db\S+.blah.net
> db\.+
> dbstuff0010.blah.ne\w (for testing..)
> \.* (as a test to attempt to match anything)
>
> Any ideas around here? Has anyone had luck getting regex to work in the
> hostname qualifier?
>
> Would appreciate any ideas or help people can offer!
>
> - Francisco
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
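As an added example (not code from the thread or from OSSEC itself): a Python approximation of OSSEC's two matchers, showing why the same pattern passes ossec-regex yet never selects the host in the rule. It assumes, which the thread does not state, that <hostname> is compared with OSSEC's simpler sregex matcher (only ^, $ and | are special, otherwise a substring match); the character classes follow the OSSEC regex syntax documentation, and HOST is the hostname from the logtest output above.

```python
import re

# Character classes of the OSSEC regex dialect, taken from the OSSEC regex syntax
# docs; the translation is an approximation built on Python's re, not the real engine.
_OSREGEX_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "d": r"[0-9]", "s": r" ", "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]", "W": r"[^A-Za-z0-9@_\-]", "D": r"[^0-9]",
    "S": r"[^ ]", ".": r".",  # \. is 'any character'; a bare '.' is a literal dot
}

def osregex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex>-style pattern into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSREGEX_CLASSES.get(nxt, re.escape(nxt)))  # \\ stays a literal
            i += 2
            continue
        # +, *, grouping and anchors mean the same in both dialects; anything else
        # (including a bare '.') is a literal character in OSSEC regex.
        out.append(c if c in "+*()^$|" else re.escape(c))
        i += 1
    return "".join(out)

def osregex_search(pattern: str, text: str) -> bool:
    """What ossec-regex (OSRegex) does: an unanchored search with the dialect above."""
    return re.search(osregex_to_python(pattern), text) is not None

def sregex_match(pattern: str, text: str) -> bool:
    """OSSEC 'sregex' (OSMatch): substring match where only ^, $ and | are special.
    Assumed here (not stated in the thread) to be the matcher behind <hostname>."""
    for alt in pattern.split("|"):
        starts, ends = alt.startswith("^"), alt.endswith("$")
        lit = alt[starts:len(alt) - ends]  # bools as 0/1: strip the anchors
        if starts and ends:
            hit = text == lit
        else:
            hit = text.startswith(lit) if starts else text.endswith(lit) if ends else lit in text
        if hit:
            return True
    return False

HOST = "dbstuff0010.blah.net"  # hostname pre-decoded by ossec-logtest in the thread

if __name__ == "__main__":
    for pat in (r"db\w+.blah.net", r"db(\S+).blah.net", r"\.*", "^dbstuff|^dbother"):
        print(f"{pat:20} OSRegex={osregex_search(pat, HOST)!s:5} sregex={sregex_match(pat, HOST)}")
```

The last pattern in the loop is the sregex form that selects the same DB hosts without any regex classes, since sregex alternatives may each carry their own anchor.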
