On Dec 29, 2015 6:38 PM, "Francisco" <[email protected]> wrote:
>
> Hey Dan!
>
> Thanks. I had posted the following link before:
>
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html#element-hostname
>
> Here is the info I see:
>
> hostname
> Any hostname (decoded as the syslog hostname) or log file.
> Allowed: any OS_Match/sregex Syntax
>
> Would love to know if this is incorrect.
>
> I've been able to use the "|" separator before though.
>

Sregex is a limited subset of the regular regex.

> - Fran
>
> On Monday, December 28, 2015 at 3:00:35 PM UTC-7, dan (ddpbsd) wrote:
>>
>> On Dec 28, 2015 3:17 PM, "Francisco" <[email protected]> wrote:
>> >
>> > Hello,
>> >
>> > I'm having trouble getting Regex to work in the <hostname> field in my custom OSSEC rule. According to the OSSEC documentation here I should be able to use a regex in the hostname qualifier.
>> >
>>
>> Despite what the documentation might say, I don't think regex works in the hostname field. Can you give me a link to where it says it works so I can test and correct the documentation if necessary?
>>
>> > When I add any regex value to the hostname attribute it seems to be ignored and never matches my rule. I've tried this on 2.8.1 and 2.8.3.
>> >
>> > Here is the rule I'm trying to write:
>> >
>> >> <rule id="100050" level="0">
>> >>   <if_sid>1002</if_sid>
>> >>   <program_name>sudo</program_name>
>> >>   <hostname>db\w+.blah.net</hostname>
>> >>   <match>pam_unix(sudo:auth): conversation failed</match>
>> >>   <description>Ignore DB sudo issues for now</description>
>> >> </rule>
>> >
>> > I've verified that the regex works as expected using ossec-regex:
>> >
>> >> [root@blah ~]# /var/ossec/bin/ossec-regex 'db\w+.blah.net'
>> >> dbstuff0010.blah.net
>> >> +OSRegex_Execute: dbstuff0010.blah.net
>> >> +OS_Regex : dbstuff0010.blah.net
>> >
>> > However, when I run OSSEC-logtest the rule isn't applied:
>> >
>> >> [root@blah ~]# /var/ossec/bin/ossec-logtest
>> >> 2015/12/28 19:50:56 ossec-testrule: INFO: Reading local decoder file.
>> >> 2015/12/28 19:50:56 ossec-testrule: INFO: Started (pid: 114042).
>> >> ossec-testrule: Type one log per line.
>> >>
>> >> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed '
>> >>        hostname: 'dbstuff0010.blah.net'
>> >>        program_name: 'sudo'
>> >>        log: 'pam_unix(sudo:auth): conversation failed '
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'pam'
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >>        Rule id: '1002'
>> >>        Level: '2'
>> >>        Description: 'Unknown problem somewhere in the system.'
>> >> **Alert to be generated.
>> >
>> > Removing the <hostname> qualifier from the rule allows the rule to match:
>> >
>> >> [root@blah ~]# /var/ossec/bin/ossec-logtest
>> >> 2015/12/28 19:53:09 ossec-testrule: INFO: Reading local decoder file.
>> >> 2015/12/28 19:53:09 ossec-testrule: INFO: Started (pid: 115629).
>> >> ossec-testrule: Type one log per line.
>> >>
>> >> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): conversation failed '
>> >>        hostname: 'dbstuff0010.blah.net'
>> >>        program_name: 'sudo'
>> >>        log: 'pam_unix(sudo:auth): conversation failed '
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'pam'
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >>        Rule id: '100050'
>> >>        Level: '0'
>> >>        Description: 'Ignore DB sudo issues for now'
>> >
>> > I've tried the following regexes for the <hostname> qualifier and nothing worked in the rule:
>> >
>> > db\w+.blah.net
>> > db(\w+).blah.net
>> > db(\S+).blah.net
>> > db(\.*).blah.net
>> > db\S+.blah.net
>> > db\.+
>> > dbstuff0010.blah.ne\w (for testing..)
>> > \.* (as a test to attempt to match anything)
>> >
>> > Any ideas around here? Has anyone had luck getting regex to work in the hostname qualifier?
>> >
>> > Would appreciate any ideas or help people can offer!
>> >
>> > - Francisco

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
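The thread turns on the difference between OSSEC's two pattern dialects: the <hostname> element is documented as OS_Match/sregex, and sregex is the limited subset Dan refers to. The following is an added example, not code from the thread or from OSSEC itself: a small Python model of sregex matching that assumes its documented operators (`^` at the start, `$` at the end, `|` for alternatives and a leading `!` to negate) and treats every other character, including `\w`, `+` and `.`, as literal text. Run against the hostname from the logtest output, it shows why each regex Francisco tried can never fire in a <hostname> rule, and what a working sregex hostname filter looks like instead.

```python
# Toy model of OSSEC sregex (OS_Match) semantics, constructed for this
# example. Assumption: only '^', '$', '|' and a leading '!' are operators;
# everything else is a literal. OS_Regex escapes such as '\w' are therefore
# never interpreted here, exactly as they are not in a <hostname> element.

def sregex_match(pattern: str, text: str) -> bool:
    """Return True if ``text`` satisfies the sregex ``pattern``."""
    negate = pattern.startswith("!")   # '!' is only meaningful as first char
    if negate:
        pattern = pattern[1:]
    matched = False
    for alt in pattern.split("|"):     # '|' separates independent alternatives
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1:] if at_start else alt
        literal = literal[:-1] if at_end else literal
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text      # unanchored sregex is a substring test
        if hit:
            matched = True
            break
    return (not matched) if negate else matched


def matching_patterns(patterns, hostname):
    """Return the subset of ``patterns`` that would let a <hostname> rule fire."""
    return [p for p in patterns if sregex_match(p, hostname)]


# Constructed sample input: the hostname seen in the logtest run, the OS_Regex
# style patterns tried in the thread, and sregex alternatives that do work.
HOSTNAME = "dbstuff0010.blah.net"
REGEX_ATTEMPTS = [r"db\w+.blah.net", r"db(\w+).blah.net", r"db\S+.blah.net",
                  r"db\.+", r"\.*"]
SREGEX_CANDIDATES = ["dbstuff0010.blah.net", "^dbstuff|^dbother",
                     ".blah.net$", "!^web"]

if __name__ == "__main__":
    print("regex attempts that match:",
          matching_patterns(REGEX_ATTEMPTS, HOSTNAME))      # []
    print("sregex candidates that match:",
          matching_patterns(SREGEX_CANDIDATES, HOSTNAME))   # all four
```

Because an unanchored sregex is a substring test, a pattern such as `.blah.net$` matches every host in that domain, so anchor with `^` whenever the intent is to exempt only a specific prefix of hosts.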
