Correct, I think that it is.

On Wed, Jan 27, 2016 at 11:06 PM, Fredrik <[email protected]> wrote:

> Hi Santiago!
>
>
> Thanks for your input. As you pointed out, the \D+ is out of place, and I
> couldn't figure out why that would match whereas the latter regex, which I
> believed to be more complete, wouldn't. With input from Dan and yourself, I
> realize that OSSEC is offering a helping hand in stripping the transport
> header. If I got this right, I should match against what logtest outputs
> after log: and not the full string?
>
> Best regards,
> Fredrik
>
> On Thursday, January 28, 2016 at 12:12:53 AM UTC+1, Santiago Bassett wrote:
>>
>> Agree with Dan, also double check the regexes, as it looks like there are
>> some inconsistencies at the end. I don't think that \D+ is in the right
>> place.
>>
>> Best
>>
>> On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp) <[email protected]> wrote:
>>
>>>
>>> On Jan 27, 2016 10:06 AM, "Fredrik" <[email protected]> wrote:
>>> >
>>> > Hi All,
>>> >
>>> >
>>> > Been working on a regex to match the highlighted part of the (event)
>>> string below:
>>> >
>>> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail
>>> src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******;
>>> app_desc: ******; app_id: 10063753; app_category: ******; matched_category:
>>> ******; app_properties: ******; app_risk: ******; app_rule_id: ******;
>>> app_rule_name: ******; web_client_type: Chrome; web_server_type:
>>> Microsoft-IIS; app_sig_id: 10063753:5; resource:
>>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product:
>>> Application Control; service: http; s_port: 58579; product_family: Network;
>>> >
>>> > ... but I just can't get it to match the string I'm hoping to catch. I
>>> have tried different additions to the regex below; please note that it is
>>> not complete, as I have not got past this point without failure - yet ;) I
>>> would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1
>>> >
>>> > <prematch>^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+</prematch>
>>> >
>>> > I'm sure I'm missing something obvious; any hints would be greatly
>>> appreciated. One example of a string that won't work is (I have included
>>> ossec_logtest output for reference):
>>> >
>>> > <prematch>^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+
>>> st4600fw01n/d*</prematch>
>>> >
>>> > admin@lab-host99:/var/ossec/bin# ./ossec-logtest
>>> > 2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
>>> > 2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
>>> > ossec-testrule: Type one log per line.
>>> >
>>> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail
>>> src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******;
>>> app_desc: ******; app_id: 10063753; app_category: ******; matched_category:
>>> ******; app_properties: ******; app_risk: ******; app_rule_id: ******;
>>> app_rule_name: ******; web_client_type: Chrome; web_server_type:
>>> Microsoft-IIS; app_sig_id: 10063753:5; resource:
>>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product:
>>> Application Control; service: http; s_port: 58579; product_family: Network;
>>> >
>>> >
>>> > **Phase 1: Completed pre-decoding.
>>> >        full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28
>>> st4600fw01n1 allow <eth1 mail src: 192.168.1.15; dst: 89.208.212.2; proto:
>>> tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category:
>>> ******; matched_category: ******; app_properties: ******; app_risk: ******;
>>> app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome;
>>> web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource:
>>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product:
>>> Application Control; service: http; s_port: 58579; product_family: Network;'
>>> >        hostname: '127.0.0.1'
>>> >        program_name: '(null)'
>>> >        log: 'Jan 27 9:32:28 st4600fw01n1 allow <eth1 mail src:
>>> 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc:
>>> ******; app_id: 10063753; app_category: ******; matched_category: ******;
>>> app_properties: ******; app_risk: ******; app_rule_id: ******;
>>> app_rule_name: ******; web_client_type: Chrome; web_server_type:
>>> Microsoft-IIS; app_sig_id: 10063753:5; resource:
>>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product:
>>> Application Control; service: http; s_port: 58579; product_family: Network;'
>>> >
>>>
>>> Notice that in the "log:" entry, part of what you highlighted has been
>>> removed. It's a transport header, and OSSEC generally tries to remove those
>>> from processing.
>>>
>>> > **Phase 2: Completed decoding.
>>> >        No decoder matched.
>>> >
>>> >
>>> > Best,
>>> > Fredrik
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
>>>
>>
