On Dec 29, 2015 6:38 PM, "Francisco" <[email protected]> wrote:
>
> Hey Dan!
>
> Thanks. I had posted the following link before:
>
>
http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html#element-hostname
>
> Here is the info I see:
>
> hostname
> Any hostname (decoded as the syslog hostname) or log file.
> Allowed: any OS_Match/sregex Syntax
>
> Would love to know if this is incorrect.
>
> I've been able to use the "|" separator before though.
>

Sregex is a limited subset of the regular regex.

> - Fran
>
> On Monday, December 28, 2015 at 3:00:35 PM UTC-7, dan (ddpbsd) wrote:
>>
>>
>> On Dec 28, 2015 3:17 PM, "Francisco" <[email protected]> wrote:
>> >
>> > Hello,
>> >
>> > I'm having trouble getting Regex to work in the <hostname> field in my
custom OSSEC rule. According to the OSSEC documentation here I should be
able to use a regex in the hostname qualifier.
>> >
>>
>> Despite qhat the documentation might say, I don't think regex works in
the hostname field. Can you give me a link tonwhere it says it works so I
can test/and correct the documentation if necessary?
>>
>> > When I add any regex value to the hostname attribute it seems to be
ignored and never match my rule. I've tried this on 2.8.1 and 2.8.3.
>> >
>> > Here is the rule I'm trying to write:
>> >>
>> >>
>> >>   <rule id="100050" level="0">
>> >>     <if_sid>1002</if_sid>
>> >>     <program_name>sudo</program_name>
>> >>     <hostname>db\w+.blah.net</hostname>
>> >>     <match>pam_unix(sudo:auth): conversation failed</match>
>> >>     <description>Ignore DB sudo issues for now</description>
>> >>   </rule>
>> >
>> >
>> > I've verified that the regex works as expected using ossec-regex:
>> >
>> >> [root@blah ~]# /var/ossec/bin/ossec-regex 'db\w+.blah.net'
>> >> dbstuff0010.blah.net
>> >> +OSRegex_Execute: dbstuff0010.blah.net
>> >> +OS_Regex       : dbstuff0010.blah.net
>> >
>> >
>> >  However, when I run OSSEC-logtest the rule isn't applied:
>> >
>> >> [root@blah ~]# /var/ossec/bin/ossec-logtest
>> >> 2015/12/28 19:50:56 ossec-testrule: INFO: Reading local decoder file.
>> >> 2015/12/28 19:50:56 ossec-testrule: INFO: Started (pid: 114042).
>> >> ossec-testrule: Type one log per line.
>> >>
>> >> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo:
pam_unix(sudo:auth): conversation failed
>> >>
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net
sudo: pam_unix(sudo:auth): conversation failed '
>> >>        hostname: 'dbstuff0010.blah.net'
>> >>        program_name: 'sudo'
>> >>        log: 'pam_unix(sudo:auth): conversation failed '
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'pam'
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >>        Rule id: '1002'
>> >>        Level: '2'
>> >>        Description: 'Unknown problem somewhere in the system.'
>> >> **Alert to be generated.
>> >
>> >
>> > Removing the <hostname> qualifier from the rule allows the rule to
match:
>> >
>> >> [root@blah ~]# /var/ossec/bin/ossec-logtest
>> >> 2015/12/28 19:53:09 ossec-testrule: INFO: Reading local decoder file.
>> >> 2015/12/28 19:53:09 ossec-testrule: INFO: Started (pid: 115629).
>> >> ossec-testrule: Type one log per line.
>> >>
>> >> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo:
pam_unix(sudo:auth): conversation failed
>> >>
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net
sudo: pam_unix(sudo:auth): conversation failed '
>> >>        hostname: 'dbstuff0010.blah.net'
>> >>        program_name: 'sudo'
>> >>        log: 'pam_unix(sudo:auth): conversation failed '
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'pam'
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >>        Rule id: '100050'
>> >>        Level: '0'
>> >>        Description: 'Ignore DB sudo issues for now'
>> >
>> >
>> > I've tried the following regexes for the <hostname> qualifier and
nothing worked in the rule:
>> >
>> > db\w+.blah.net
>> > db(\w+).blah.net
>> > db(\S+).blah.net
>> > db(\.*).blah.net
>> > db\S+.blah.net
>> > db\.+
>> > dbstuff0010.blah.ne\w (for testing..)
>> > \.* (as a test to attempt to match anything)
>> >
>> > Any ideas around here? Has anyone had luck getting regex to work in
the hostname qualifier?
>> >
>> > Would appreciate any ideas or help people can offer!
>> >
>> > - Francisco
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
>>
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to