I'm not sure, but if I understood correctly I think Christian just wanted to share his new fancy decoder with us :)
Maybe best to submit it through a pull request on GitHub so it wouldn't get lost here?! @Christian: correct me if I misunderstood your post ;-)

On Tuesday, 19 January 2016 22:55:40 UTC+1, Santiago Bassett wrote:
>
> Hi Christian,
>
> What exactly is the question? Everything looks pretty good to me. Is it not working?
>
> Not sure about this regex:
>
> <regex offset="after_parent">^ \w+.\w+.\d+ (\d+) (\d+.\d+.\d+.\d+) (\w+) (\d+) IP (\d+.\d+.\d+.\d+)</regex>
>
> Have you tried ossec-logtest?
>
> Best
>
> On Tue, Jan 19, 2016 at 8:30 AM, Christian Castro <[email protected]> wrote:
>
>> Hello everyone, my first post here, and I'm sharing this idea!
>>
>> I'm looking at this tool, maltrail --> https://github.com/stamparm/maltrail
>>
>> And I think it will integrate with OSSEC!
>>
>> Logs of maltrail:
>>
>> tail -n 10 /var/log/maltrail/2016-01-19.log
>> "2016-01-19 17:10:36.993361" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
>> "2016-01-19 17:10:37.029597" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
>> "2016-01-19 17:11:58.084216" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
>> "2016-01-19 17:11:58.051196" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
>>
>> ossec.conf
>>
>> <localfile>
>>   <location>/var/log/maltrail/%Y-%m-%d.log</location>
>>   <log_format>syslog</log_format>
>> </localfile>
>>
>> decoders.xml
>>
>> <decoder name="maltrail">
>>   <prematch>^"\d+-\d+-\d+ \d+:\d+:\d+.\d+"</prematch>
>> </decoder>
>>
>> <decoder name="maltrail-alert">
>>   <parent>maltrail</parent>
>>   <regex offset="after_parent">^ my.host.666 (\d+) (\d+.\d+.\d+.\d+) (\w+) (\d+) IP (\d+.\d+.\d+.\d+)</regex>
>>   <order>srcport, dstip, dstport, protocol, srcip</order>
>> </decoder>
>>
>> local_rules.xml
>>
>> <group name="syslog,maltrail,">
>>   <rule id="110000" level="0">
>>     <decoded_as>maltrail</decoded_as>
>>     <description>MALTRAIL KILLALL MDF app group.</description>
>>   </rule>
>>
>>   <rule id="110001" level="7">
>>     <if_sid>110000</if_sid>
>>     <srcip>0.0.0.0</srcip>
>>     <match>attack</match>
>>     <description>Possible attack from fucking IPs!?</description>
>>   </rule>
>> </group>
>>
>> Ideas or suggestions?
>>
>> Thanks for reading!
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>
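The thread turns on whether the decoder regex lines up with the columns maltrail actually writes. The script below is an added example for this page, not code from the post, from OSSEC or from maltrail: it splits the sample log lines into named fields using the column order visible in the post (a quoted timestamp, sensor, src_ip, src_port, dst_ip, dst_port, proto, type, trail, then quoted info and reference), projects them onto the OSSEC field names used in the posted `<order>`, and replays the two conditions of rule 110001 (`<srcip>0.0.0.0</srcip>` plus `<match>attack</match>`) over the lines. The first four log lines are copied from the post; the fifth is constructed for the example (the field names and the 203.0.113.9 address are assumptions, not from the thread).

```python
"""Parse maltrail event-log lines into named fields and replay a simple
OSSEC-style rule over them.

Added example for this thread; it is not code from the post, from OSSEC or
from maltrail.  It assumes the column order visible in the sample lines:

  "timestamp" sensor src_ip src_port dst_ip dst_port proto type trail "info" "reference"
"""
import shlex

FIELDS = ("timestamp", "sensor", "src_ip", "src_port", "dst_ip", "dst_port",
          "proto", "type", "trail", "info", "reference")

# Four lines copied from the post plus one constructed line (the last one)
# whose info column contains the word "attack" and whose src_ip is 0.0.0.0.
SAMPLE_LOG = '''\
"2016-01-19 17:10:36.993361" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
"2016-01-19 17:10:37.029597" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
"2016-01-19 17:11:58.084216" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
"2016-01-19 17:11:58.051196" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+ binarydefense.com)"
"2016-01-19 17:12:03.000000" my.host.666 0.0.0.0 51103 203.0.113.9 445 TCP IP 203.0.113.9 "potential smb attack (constructed)" "example"
'''


def parse_maltrail_line(line):
    """Split one log line on whitespace while honouring the double quotes
    around the timestamp, info and reference columns (they contain spaces,
    so a plain str.split() would misalign every later field).
    Returns a dict keyed by FIELDS, or None if the line is not an event."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # unbalanced quote: not a maltrail event
        return None
    if len(tokens) != len(FIELDS):
        return None
    event = dict(zip(FIELDS, tokens))
    try:
        event["src_port"] = int(event["src_port"])
        event["dst_port"] = int(event["dst_port"])
    except ValueError:
        return None
    return event


def ossec_fields(event):
    """Project a parsed event onto the OSSEC decoder field names used in the
    thread's <order> (srcip, srcport, dstip, dstport, protocol).  A decoder
    regex has to reproduce exactly this mapping, group by group."""
    return {
        "srcip": event["src_ip"],
        "srcport": event["src_port"],
        "dstip": event["dst_ip"],
        "dstport": event["dst_port"],
        "protocol": event["proto"],
    }


def rule_fires(line, event, srcip=None, match=None):
    """Emulate the two conditions of the posted rule 110001: <srcip> is
    compared against the decoded source address, and <match> with a plain
    word behaves as a substring test against the whole log line."""
    if srcip is not None and ossec_fields(event)["srcip"] != srcip:
        return False
    if match is not None and match not in line:
        return False
    return True


def replay(log_text, srcip=None, match=None):
    """Parse every line of log_text and return the parsed events that the
    rule conditions accept."""
    hits = []
    for line in log_text.splitlines():
        event = parse_maltrail_line(line)
        if event is not None and rule_fires(line, event, srcip, match):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for ev in (parse_maltrail_line(l) for l in SAMPLE_LOG.splitlines()):
        print(ossec_fields(ev))
    # the posted rule: srcip 0.0.0.0 and "attack" somewhere in the line
    print(len(replay(SAMPLE_LOG, srcip="0.0.0.0", match="attack")), "hit(s)")
```

Run as a script it prints the decoded field set for each line and then the number of lines rule 110001 would accept; on the four lines from the post that is zero, because their source address is 84.74.125.85 and the info column says "suspicious", not "attack", while only the constructed fifth line satisfies both conditions. The parsed dicts are what to compare against when checking a real decoder regex with ossec-logtest, which Santiago mentions above: each OSSEC field must come out of the same column this parser puts it in.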
