Hi Brian,

The decoder that you see in logtest is always the parent:
**Phase 2: Completed decoding.
       decoder: 'apache-errorlog' <- This is the parent decoder.

We have 6 decoders for apache:

   - Parents:
      - <decoder name="apache-errorlog">
      - <decoder name="apache-errorlog">
      - <decoder name="apache-errorlog">
   - Children:
      - <decoder name="apache24-errorlog-ip">
      - <decoder name="apache24-modsec-errorlog-ip">
      - <decoder name="apache-errorlog-ip">
   
The log matches the third parent and doesn't match any child.
Explanation:

Log:
[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147] 
ModSecurity: Text...

3rd parent decoder matches (blue part):
[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147] 
ModSecurity: Text...
*Red part is "after_parent" used in child decoders.

3rd child decoder can't match due to '<prematch offset="after_parent">^[client</prematch>'. The log (after_parent) starts with "[pid", and this decoder expects "[client". So, it could match with the first or the second child decoder. The prematch in both cases is the same, so I think it matches with the first child decoder and then fails because the regex expression expects a port (":\d+"); if you add the port, it will match with the second child decoder.

I think the prematch must always be different. The solution could be to change the prematch and change the order: first mod_security (because it is the most restrictive).

It would be:

<decoder name="apache-errorlog">
    <program_name>^httpd</program_name>
</decoder>


<decoder name="apache-errorlog">
    <prematch>^[warn] |^[notice] |^[error] </prematch>
</decoder>


<decoder name="apache-errorlog">
    <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch>
</decoder>


<decoder name="apache24-modsec-errorlog-ip">
    <parent>apache-errorlog</parent>
    <prematch offset="after_parent">[client \S+] ModSecurity</prematch>
    <!-- The regex has a single capture group (the client IP), so order lists only srcip. -->
    <regex>[client (\S+)] ModSecurity</regex>
    <order>srcip</order>
</decoder>


<decoder name="apache24-errorlog-ip">
    <parent>apache-errorlog</parent>
    <prematch offset="after_parent">[client</prematch>
    <regex offset="after_prematch">^ (\S+):\d+] (\S+): </regex>
    <order>srcip,id</order>
</decoder>


<decoder name="apache-errorlog-ip">
    <parent>apache-errorlog</parent>
    <prematch offset="after_parent">^[client</prematch>
    <regex offset="after_prematch">^ (\S+)] </regex>
    <order>srcip</order>
</decoder>


Test:
**Phase 1: Completed pre-decoding.
 full event: '[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 
46.4.84.147] ModSecurity: Access denied with code 403 (phase 2). String 
match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file 
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id 
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary 
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id 
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'
 hostname: 'LinMV'
 program_name: '(null)'
 log: '[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 
46.4.84.147] ModSecurity: Access denied with code 403 (phase 2). String 
match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file 
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id 
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary 
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id 
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'


**Phase 2: Completed decoding.
 decoder: 'apache-errorlog'
 srcip: '46.4.84.147'


**Phase 3: Completed filtering (rules).
 Rule id: '30411'
 Level: '7'
 Description: 'ModSecurity rejected a query'
**Alert to be generated.


Regards.
Jesus Linares
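
To make the parent/child cascade above visible without a running OSSEC, here is an added example (my own code, not OSSEC's and not part of this thread): a small Python model of the matching order described, using Python's re as an approximation of OSSEC's regex engine (for the patterns used here only '[' and ']' need escaping). It encodes the proposed decoders, Brian's log and a constructed Apache 2.4 line with a client port, and returns the parent, the child and the captured fields so the "after_parent" text can be inspected directly.

```python
import re
# Decoders from the thread's proposed decoder.xml, in file order; the program_name
# parent is left out because logtest showed program_name '(null)'.
DECODERS = [
    {"name": "apache-errorlog", "prematch": r"^[warn] |^[notice] |^[error] "},
    {"name": "apache-errorlog", "prematch":
     r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |"
     r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |"
     r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |"
     r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] "},
    {"name": "apache24-modsec-errorlog-ip", "parent": "apache-errorlog",
     "prematch": r"[client \S+] ModSecurity", "prematch_offset": "after_parent",
     "regex": r"[client (\S+)] ModSecurity", "order": ["srcip"]},
    {"name": "apache24-errorlog-ip", "parent": "apache-errorlog",
     "prematch": r"[client", "prematch_offset": "after_parent",
     "regex": r"^ (\S+):\d+] (\S+): ", "regex_offset": "after_prematch",
     "order": ["srcip", "id"]},
    {"name": "apache-errorlog-ip", "parent": "apache-errorlog",
     "prematch": r"^[client", "prematch_offset": "after_parent",
     "regex": r"^ (\S+)] ", "regex_offset": "after_prematch", "order": ["srcip"]},
]

# Brian's log from the thread (shortened) and a constructed Apache 2.4 line with a client port.
MODSEC_LOG = "[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147] ModSecurity: Access denied with code 403 (phase 2)."
CORE_LOG = "[Tue Feb 16 04:02:21.018764 2016] [core:error] [pid 3223] [client 10.0.0.5:51234] AH00126: Invalid URI in request GET /x HTTP/1.1"

def to_py(pat):
    # OSSEC treats '[' and ']' as literal characters; escape them for Python's re.
    return re.sub(r"[\[\]{}?]", lambda m: "\\" + m.group(0), pat)

def decode(log):
    """Return (parent, child, fields), following the cascade the thread describes."""
    for d in DECODERS:  # parents are tried in file order; the first prematch hit wins
        if "parent" not in d and (m := re.search(to_py(d["prematch"]), log)):
            break
    else:
        return None, None, {}
    after_parent = log[m.end():]  # what children see with offset="after_parent"
    for c in DECODERS:  # then that parent's children, in file order
        if c.get("parent") != d["name"]: continue
        text = after_parent if c.get("prematch_offset") == "after_parent" else log
        pm = re.search(to_py(c["prematch"]), text)
        if not pm:
            continue
        # First child whose prematch hits is chosen; if its regex then fails, no fields are set.
        rtext = {"after_prematch": text[pm.end():], "after_parent": after_parent}.get(c.get("regex_offset"), log)
        rm = re.search(to_py(c["regex"]), rtext)
        return d["name"], c["name"], dict(zip(c["order"], rm.groups())) if rm else {}
    return d["name"], None, {}
```

Note that with the proposed decoders a line whose client token is "IP:port" followed by "ModSecurity" still matches the mod_security child, so the port would be captured as part of srcip.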



On Wednesday, February 17, 2016 at 6:26:09 PM UTC+1, webwzrd wrote:
>
> Santiago,
>
> After testing variations of your log edits, I'm finding that keeping the 
> pid in place and just adding the port produces:
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '46.4.84.147'
>        id: 'ModSecurity'
>
>
> How can I get the decoder to not require the port or get the port to 
> append to the IP?
>
> Brian
>
>
