I'm not sure, but if I understood correctly I think Christian just wanted 
to share his new fancy decoder with us :)

Maybe best to submit it through a pull request on GitHub so it wouldn't get 
lost here?!

@Christian: correct me if I misunderstood your post ;-)

On Tuesday, 19 January 2016 22:55:40 UTC+1, Santiago Bassett wrote:
>
> Hi Christian,
>
> What exactly is the question? Everything looks pretty good to me. Is it 
> not working? 
>
> Not sure about this regex:
>
> <regex offset="after_parent">^ \w+.\w+.\d+ (\d+) (\d+.\d+.\d+.\d+) (\w+) (\d+) IP (\d+.\d+.\d+.\d+)</regex>
>
> Have you tried ossec-logtest?
>
> Best
>
> On Tue, Jan 19, 2016 at 8:30 AM, Christian Castro <[email protected]> wrote:
>
>> Hello everyone, my first post here and sharing this idea!
>>
>>
>>
>> I'm looking at this tool maltrail --> https://github.com/stamparm/maltrail
>>
>> And I think it will integrate with OSSEC!
>>
>>
>> LOGs of maltrail:
>>  tail -n 10 /var/log/maltrail/2016-01-19.log 
>> "2016-01-19 17:10:36.993361" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"
>> "2016-01-19 17:10:37.029597" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"
>> "2016-01-19 17:11:58.084216" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"
>> "2016-01-19 17:11:58.051196" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"
>>
>>
>>
>> ossec.conf
>>
>>   <localfile>
>>     <location>/var/log/maltrail/%Y-%m-%d.log</location>
>>     <log_format>syslog</log_format>
>>   </localfile>
>>
>> decoders.xml
>>
>> <decoder name="maltrail">
>>   <prematch>^"\d+-\d+-\d+ \d+:\d+:\d+.\d+"</prematch>
>> </decoder>
>>
>> <decoder name="maltrail-alert">
>>   <parent>maltrail</parent>
>>   <regex offset="after_parent">^ my.host.666 (\d+) (\d+.\d+.\d+.\d+) (\w+) (\d+) IP (\d+.\d+.\d+.\d+)</regex>
>>   <order>srcport, dstip, dstport, protocol, srcip</order>
>> </decoder>
>>
>> local_rules.xml
>>
>> <group name="syslog,maltrail,">
>>   <rule id="110000" level="0">
>>     <decoded_as>maltrail</decoded_as>
>>     <description>MAILTRAIL KILLALL MDF app group.</description>
>>   </rule>
>>
>>   <rule id="110001" level="7">
>>     <if_sid>110000</if_sid>
>>     <srcip>0.0.0.0</srcip>
>>     <match>attack</match>
>>     <description>Possible attack from fucking ips!?</description>
>>   </rule>
>> </group>
>>
>>
>>
>> Ideas or suggestions?
>>
>> Thanks for reading!
>>
>>
>>
>>
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

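The thread never settles whether Christian's child decoder actually matches the sample lines, so here is an added check (my own code, not from the thread, from OSSEC or from maltrail) that translates the subset of OSSEC regex syntax used in the post into Python and applies the prematch and then the child regex with offset="after_parent", the way ossec-logtest would. FIXED_REGEX and FIXED_ORDER are my assumed correction: in the sample lines the field right after the sensor name is the source IP rather than a port, and the trail IP after "IP" is mapped to OSSEC's data field.

```python
import re

# Constructed sample lines in the maltrail log format quoted in the thread.
SAMPLE_LOGS = [
    '"2016-01-19 17:10:36.993361" my.host.666 84.74.125.85 44909 0.0.0.0 51103 '
    'TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"',
    '"2016-01-19 17:11:58.084216" my.host.666 84.74.125.85 34646 0.0.0.0 51103 '
    'TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"',
]

# Decoder patterns in OSSEC regex syntax. PREMATCH, POSTED_REGEX and POSTED_ORDER
# are the ones from the post. FIXED_REGEX / FIXED_ORDER are an assumed correction:
# the field after the sensor name is the source IP, and the trail IP becomes "data".
PREMATCH = r'^"\d+-\d+-\d+ \d+:\d+:\d+.\d+"'
POSTED_REGEX = r'^ my.host.666 (\d+) (\d+.\d+.\d+.\d+) (\w+) (\d+) IP (\d+.\d+.\d+.\d+)'
POSTED_ORDER = ['srcport', 'dstip', 'dstport', 'protocol', 'srcip']
FIXED_REGEX = r'^ \S+ (\d+.\d+.\d+.\d+) (\d+) (\d+.\d+.\d+.\d+) (\d+) (\w+) IP (\d+.\d+.\d+.\d+)'
FIXED_ORDER = ['srcip', 'srcport', 'dstip', 'dstport', 'protocol', 'data']

# OSSEC character classes (only the subset used above) expressed in Python re syntax.
OSSEC_CLASSES = {'d': '[0-9]', 'w': '[A-Za-z0-9@_-]', 's': ' ', 'S': '[^ ]', '.': '.'}

def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used here into a Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':                      # \d \w \s \S \. escapes
            i += 1
            out.append(OSSEC_CLASSES[pattern[i]])
        elif c == '.':                     # a bare dot is a literal dot in OSSEC
            out.append(r'\.')
        elif c in '+*^$()|':               # same meaning in both syntaxes
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return ''.join(out)

def decode(line, regex, order):
    """Mimic ossec-logtest: prematch first, then the child regex after the prematch."""
    pre = re.match(ossec_to_python(PREMATCH), line)
    if not pre:
        return None
    m = re.match(ossec_to_python(regex), line[pre.end():])
    return dict(zip(order, m.groups())) if m else None
```

This only checks the regex logic offline; once the decoder is installed, confirm it with /var/ossec/bin/ossec-logtest as Santiago suggests.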
