Hi Christian, what exactly is the question? Everything looks pretty good to me. Is it not working?

Not sure about this regex:

<regex offset="after_parent">^ \w+.\w+.\d+ (\d+) (\d+.\d+.\d+.\d+) (\w+) (\d+) IP (\d+.\d+.\d+.\d+)</regex>

Have you tried ossec-logtest?

Best

On Tue, Jan 19, 2016 at 8:30 AM, Christian Castro <[email protected]> wrote:
> Hello everyone, my first post here and sharing this idea!
>
> I'm looking at this tool, maltrail --> https://github.com/stamparm/maltrail
> And I think it will integrate with OSSEC!
>
> Logs of maltrail:
>
> tail -n 10 /var/log/maltrail/2016-01-19.log
> "2016-01-19 17:10:36.993361" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
> "2016-01-19 17:10:37.029597" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
> "2016-01-19 17:11:58.084216" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
> "2016-01-19 17:11:58.051196" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
>
> ossec.conf
>
> <localfile>
>   <location>/var/log/maltrail/%Y-%m-%d.log</location>
>   <log_format>syslog</log_format>
> </localfile>
>
> decoders.xml
>
> <decoder name="maltrail">
>   <prematch>^"\d+-\d+-\d+ \d+:\d+:\d+.\d+"</prematch>
> </decoder>
>
> <decoder name="maltrail-alert">
>   <parent>maltrail</parent>
>   <regex offset="after_parent">^ my.host.666 (\d+) (\d+.\d+.\d+.\d+) (\w+) (\d+) IP (\d+.\d+.\d+.\d+)</regex>
>   <order>srcport, dstip, dstport, protocol, srcip</order>
> </decoder>
>
> local_rules.xml
>
> <group name="syslog,maltrail,">
>   <rule id="110000" level="0">
>     <decoded_as>maltrail</decoded_as>
>     <description>MAILTRAIL KILLALL MDF app group.</description>
>   </rule>
>
>   <rule id="110001" level="7">
>     <if_sid>110000</if_sid>
>     <srcip>0.0.0.0</srcip>
>     <match>attack</match>
>     <description>Possible attack from fucking ips!?</description>
>   </rule>
> </group>
>
> Ideas or suggestions?
>
> Thanks for reading!
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
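As an added example that is not part of the thread, the following Python walks one of the log lines above through the posted decoder and through a corrected pattern, using Python's re as a stand-in for OSSEC's own regex dialect (OSSEC treats a bare `.` as a literal dot, so the dots are escaped here). It shows that the first `(\d+)` of the posted regex sits on the column that holds the source IP, so the decoder never matches; the corrected pattern (an assumption, following maltrail's column order) decodes the fields, and the last function checks rule 110001's conditions against them.

```python
import re

# Constructed sample in the format of the thread's maltrail log lines.
SAMPLE_LINE = ('"2016-01-19 17:10:36.993361" my.host.666 84.74.125.85 44909 '
               '0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" '
               '"blutmagie.de (+ binarydefense.com)"')

# Python re versions of the OSSEC patterns. OSSEC's dialect treats a bare "."
# as a literal dot (and "\." as any character), so dots are escaped here.
PREMATCH = re.compile(r'^"\d+-\d+-\d+ \d+:\d+:\d+\.\d+"')

# Decoder regex as posted: the first (\d+) lands on the source-IP column.
POSTED = re.compile(r'^ my\.host\.666 (\d+) (\d+\.\d+\.\d+\.\d+) (\w+) (\d+)'
                    r' IP (\d+\.\d+\.\d+\.\d+)')
POSTED_ORDER = ['srcport', 'dstip', 'dstport', 'protocol', 'srcip']

# Assumed correction following maltrail's column order:
# sensor src_ip src_port dst_ip dst_port proto IP trail ...
# (\S+ for the sensor name is an assumption, not part of the thread.)
FIXED = re.compile(r'^ \S+ (\d+\.\d+\.\d+\.\d+) (\d+) (\d+\.\d+\.\d+\.\d+)'
                   r' (\d+) (\w+) IP (\d+\.\d+\.\d+\.\d+)')
FIXED_ORDER = ['srcip', 'srcport', 'dstip', 'dstport', 'protocol', 'trail']


def decode(line, regex, order):
    """Mimic OSSEC: parent prematch first, then the child regex at
    offset="after_parent", mapping capture groups onto the <order> names."""
    pre = PREMATCH.match(line)
    if not pre:
        return None
    m = regex.match(line[pre.end():])
    if not m:
        return None
    return dict(zip(order, m.groups()))


def rule_110001_fires(fields, line):
    """Conditions of the posted rule 110001: decoded srcip is 0.0.0.0 and
    the raw line contains 'attack'. On the sample, 0.0.0.0 is the dst_ip
    column and the trail text says 'suspicious', so the rule stays quiet."""
    return (fields is not None
            and fields.get('srcip') == '0.0.0.0'
            and 'attack' in line)


if __name__ == '__main__':
    print(decode(SAMPLE_LINE, POSTED, POSTED_ORDER))   # None: regex fails
    fields = decode(SAMPLE_LINE, FIXED, FIXED_ORDER)
    print(fields)
    print(rule_110001_fires(fields, SAMPLE_LINE))       # False
```

Feeding the same line to ossec-logtest with the posted decoders.xml should show no `maltrail-alert` fields, which is the quickest way to confirm the column mismatch on a real install.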
