Hey Dan!

Thanks. I had posted the following link before:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html#element-hostname

Here is the info I see:

hostname <http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html#element-hostname>

   - Any hostname (decoded as the syslog hostname) or log file.
   - *Allowed:* any OS_Match/sregex Syntax <http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html#os-match>


Would love to know if this is incorrect.

I've been able to use the "|" separator before though.

- Fran

On Monday, December 28, 2015 at 3:00:35 PM UTC-7, dan (ddpbsd) wrote:
>
>
> On Dec 28, 2015 3:17 PM, "Francisco" <[email protected]> wrote:
> >
> > Hello,
> >
> > I'm having trouble getting Regex to work in the <hostname> field in my 
> custom OSSEC rule. According to the OSSEC documentation here I should be 
> able to use a regex in the hostname qualifier. 
> >
>
> Despite what the documentation might say, I don't think regex works in the 
> hostname field. Can you give me a link to where it says it works so I can 
> test/and correct the documentation if necessary?
>
> > When I add any regex value to the hostname attribute it seems to be 
> ignored and never match my rule. I've tried this on 2.8.1 and 2.8.3.
> >
> > Here is the rule I'm trying to write:
> >>
> >>
> >>   <rule id="100050" level="0">
> >>     <if_sid>1002</if_sid>
> >>     <program_name>sudo</program_name>
> >>     <hostname>db\w+.blah.net</hostname>
> >>     <match>pam_unix(sudo:auth): conversation failed</match>
> >>     <description>Ignore DB sudo issues for now</description>
> >>   </rule>
> >
> >
> > I've verified that the regex works as expected using ossec-regex:
> >
> >> [root@blah ~]# /var/ossec/bin/ossec-regex 'db\w+.blah.net'
> >> dbstuff0010.blah.net
> >> +OSRegex_Execute: dbstuff0010.blah.net
> >> +OS_Regex       : dbstuff0010.blah.net
> >
> >
> >  However, when I run OSSEC-logtest the rule isn't applied:
> >
> >> [root@blah ~]# /var/ossec/bin/ossec-logtest
> >> 2015/12/28 19:50:56 ossec-testrule: INFO: Reading local decoder file.
> >> 2015/12/28 19:50:56 ossec-testrule: INFO: Started (pid: 114042).
> >> ossec-testrule: Type one log per line.
> >>
> >> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: 
> pam_unix(sudo:auth): conversation failed
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net 
> sudo: pam_unix(sudo:auth): conversation failed '
> >>        hostname: 'dbstuff0010.blah.net'
> >>        program_name: 'sudo'
> >>        log: 'pam_unix(sudo:auth): conversation failed '
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'pam'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '1002'
> >>        Level: '2'
> >>        Description: 'Unknown problem somewhere in the system.'
> >> **Alert to be generated.
> >
> >
> > Removing the <hostname> qualifier from the rule allows the rule to match:
> >
> >> [root@blah ~]# /var/ossec/bin/ossec-logtest
> >> 2015/12/28 19:53:09 ossec-testrule: INFO: Reading local decoder file.
> >> 2015/12/28 19:53:09 ossec-testrule: INFO: Started (pid: 115629).
> >> ossec-testrule: Type one log per line.
> >>
> >> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: 
> pam_unix(sudo:auth): conversation failed
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net 
> sudo: pam_unix(sudo:auth): conversation failed '
> >>        hostname: 'dbstuff0010.blah.net'
> >>        program_name: 'sudo'
> >>        log: 'pam_unix(sudo:auth): conversation failed '
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'pam'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '100050'
> >>        Level: '0'
> >>        Description: 'Ignore DB sudo issues for now'
> >
> >
> > I've tried the following regexes for the <hostname> qualifier and 
> nothing worked in the rule:
> >
> > db\w+.blah.net
> > db(\w+).blah.net
> > db(\S+).blah.net
> > db(\.*).blah.net
> > db\S+.blah.net
> > db\.+
> > dbstuff0010.blah.ne\w (for testing..)
> > \.* (as a test to attempt to match anything)
> >
> > Any ideas around here? Has anyone had luck getting regex to work in the 
> hostname qualifier?
> >
> > Would appreciate any ideas or help people can offer!
> >
> > - Francisco
> >
> > -- 
> >
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>

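The following is an added example, not code from either poster or from the OSSEC project. It models the OS_Match/sregex syntax that the documentation quoted above lists for `<hostname>` (and that OSSEC also uses for `<program_name>` and `<match>`): `|` separates alternatives, `^` anchors the start, `$` anchors the end, and everything else is a literal substring, so regex escapes like `\w` or `\S` are not special. Run over the log line from the thread, the rule as posted never matches, while the same rule written with sregex anchors, or with the `|` separator that Fran says already works, does. The syslog pre-decoder is a simplification that only handles the single-token ISO 8601 timestamp in the sample line; the sregex `!` negation and the `<if_sid>` parent chain are assumptions left out of the model.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# --- OS_Match ("sregex") model ----------------------------------------------
# Assumed semantics, from the OSSEC sregex documentation: '|' = alternatives,
# '^' = starts-with, '$' = ends-with, anything else = literal substring.
# Regex escapes (\w, \S, \., ...) are plain characters here, so a pattern such
# as db\w+.blah.net can only match a host whose name literally contains "db\w+".
# The sregex '!' negation is not modelled.
def sregex_match(pattern: str, text: str) -> bool:
    for alt in pattern.split("|"):
        if not alt:
            continue
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1 if at_start else 0:len(alt) - 1 if at_end else len(alt)]
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


# --- Minimal pre-decoder for "<timestamp> <hostname> <program>[pid]: <log>" ---
# Simplified: only the single-token ISO 8601 timestamp from the sample line.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<hostname>\S+)\s+(?P<program_name>[^\s:\[]+)"
    r"(?:\[\d+\])?:\s+(?P<log>.*)$"
)


@dataclass
class Event:
    hostname: str
    program_name: str
    log: str


def predecode(line: str) -> Optional[Event]:
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None
    return Event(m["hostname"], m["program_name"], m["log"])


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    program_name: Optional[str] = None  # OS_Match syntax
    hostname: Optional[str] = None      # OS_Match syntax
    match: Optional[str] = None         # <match> is OS_Match too (<regex> is not)


def rule_matches(rule: Rule, ev: Event) -> bool:
    # Every field the rule sets must match; unset fields are ignored.  The
    # <if_sid> parent is assumed to have matched, as 1002 does in both runs above.
    checks = ((rule.program_name, ev.program_name),
              (rule.hostname, ev.hostname),
              (rule.match, ev.log))
    return all(sregex_match(p, v) for p, v in checks if p is not None)


def first_matching_rule(rules: Iterable[Rule], line: str) -> Optional[int]:
    ev = predecode(line)
    if ev is None:
        return None
    for rule in rules:
        if rule_matches(rule, ev):
            return rule.rule_id
    return None


# Constructed sample input: the log line from the thread.
SAMPLE_LINE = ("2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: "
               "pam_unix(sudo:auth): conversation failed")
PAM_MATCH = "pam_unix(sudo:auth): conversation failed"

# The rule as posted: a regex-style \w+ inside a sregex field, so it never fires.
RULE_AS_POSTED = Rule(100050, 0, "Ignore DB sudo issues for now",
                      program_name="sudo", hostname=r"db\w+.blah.net", match=PAM_MATCH)
# Same intent in sregex: any host whose name starts with "db".
RULE_SREGEX = Rule(100050, 0, "Ignore DB sudo issues for now",
                   program_name="sudo", hostname="^db", match=PAM_MATCH)
# Or an explicit host list with the '|' separator.
RULE_HOSTLIST = Rule(100050, 0, "Ignore DB sudo issues for now", program_name="sudo",
                     hostname="^dbstuff0010.blah.net$|^dbstuff0011.blah.net$", match=PAM_MATCH)

# Every pattern tried in the original post, evaluated as sregex.
POSTED_PATTERNS = [r"db\w+.blah.net", r"db(\w+).blah.net", r"db(\S+).blah.net",
                   r"db(\.*).blah.net", r"db\S+.blah.net", r"db\.+",
                   r"dbstuff0010.blah.ne\w", r"\.*"]


def patterns_that_match(patterns: List[str], hostname: str = "dbstuff0010.blah.net") -> List[str]:
    return [p for p in patterns if sregex_match(p, hostname)]


if __name__ == "__main__":
    for name, rule in (("as posted", RULE_AS_POSTED), ("^db", RULE_SREGEX), ("host list", RULE_HOSTLIST)):
        print(f"{name:10s} -> rule {first_matching_rule([rule], SAMPLE_LINE)}")
    print("posted patterns that match under sregex:", patterns_that_match(POSTED_PATTERNS))
```

Under this model the posted rule returns no match and the `^db` and host-list variants return 100050, which is the same split the two ossec-logtest runs above show. The practical check before filing a rule is therefore not `ossec-regex` (which exercises OS_Regex) but `ossec-logtest` with the rule in place, since `<hostname>` is not evaluated with OS_Regex syntax.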