On Wed, Apr 20, 2016 at 5:15 PM, Tobias Margiani <[email protected]> wrote:
> Hi,
>
> Trying to configure OSSEC for our mail server I noticed that our postfix log
> format is different from what ossec expects with the default rules.
>
> The postfix-reject decoder reads the source ip and an error id, but in our
> logs there is also a port present (instead of "[x.x.x.x]: id" we have
> "[ip]:port: id"). Here is a (shortened) example log entry:
>
> Apr 18 09:31:42 server postfix/postscreen[13433]: NOQUEUE: reject: RCPT from
> [x.x.x.x]:9011: 550 5.7.1 Service unavailable; client [ip] blocked using ...
>
> I now tried to overwrite the "postfix-reject" decoder locally (I hesitated to
> modify it directly because I thought updates would overwrite the decoder
> file).
> The problem is that decoders can't have the same name and there is no
> "overwrite" option as there is for rules.
> Adding another decoder and overwriting rule 3300 (Grouping of the postfix
> reject rules.) also showed no effect, probably because the old decoder matches
> before any decoder in "local-decoders.xml" has a chance to match the log
> entry.
>
> Is it correct that I should try not to change the shipped decoders/rule but
> create my own ones?
> And is there a way to overwrite a decoder (or have I completely missed some
> different way to solve this problem)?
>
Not really, unfortunately. An overwrite option would be great, but decoders
don't have them.

Modify decoder.xml with this:

  <decoder name="postfix-reject">
    <use_own_name>true</use_own_name>
    <parent>postfix</parent>
    <prematch>^NOQUEUE: reject: \w\w\w\w from |^NOQUEUE: reject: \S+ from </prematch>
    <regex offset="after_prematch">[(\S+)]: (\d+) |[(\S+)]:\d+: (\d+) </regex>
    <order>srcip,id</order>
  </decoder>

If that works for you, I'll submit a PR on the github
(https://github.com/ossec/ossec-hids) including the changes.

A more complete log sample would be great too. The one you provided looks like
it's cut off, and I hesitate to include truncated logs in the rule testing
framework.

> I hope this is the correct list to ask this question and thank you for any
> ideas.

It's perfect. :-)

> Regards,
> Tobias Margiani

--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
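The decoder from the reply, re-expressed as a Python approximation so the two log formats can be checked offline (added example, not code from the thread or from OSSEC; OSSEC's own regex engine is not Python's re, the syslog-header stripping is an emulation of what OSSEC does before a child decoder runs, and the sample lines with 192.0.2.x addresses are constructed):

```python
import re

# Python approximation (added example, not OSSEC's engine) of the decoder in
# the reply. OSSEC hands a child decoder the text left after the syslog header
# and program_name have been stripped, so that stripping is emulated here.
SYSLOG_HDR = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (\S+?)(?:\[\d+\])?: (.*)$")

# <prematch>: both alternatives from the decoder, anchored at start of body.
PREMATCH = re.compile(r"^NOQUEUE: reject: (?:\w\w\w\w|\S+) from ")
# <regex offset="after_prematch">: stock "[ip]: id" or the "[ip]:port: id"
# form from the postscreen logs in the question; "[" and "]" are literals in
# OSSEC regex syntax, so they are escaped for Python's re.
REGEX = re.compile(r"\[(\S+)\]: (\d+) |\[(\S+)\]:\d+: (\d+) ")
ORDER = ("srcip", "id")  # <order>srcip,id</order>


def decode_postfix_reject(line):
    """Return {'srcip': ..., 'id': ...}, or None if the decoder would not fire."""
    hdr = SYSLOG_HDR.match(line)
    # Parent decoder: <program_name>^postfix</program_name>
    if not hdr or not hdr.group(1).startswith("postfix"):
        return None
    body = hdr.group(2)
    pm = PREMATCH.match(body)
    if not pm:
        return None
    # An unanchored <regex> is a search; only the alternative that matched has
    # non-None groups, and captures are assigned to the <order> fields in turn.
    rm = REGEX.search(body[pm.end():])
    if not rm:
        return None
    return dict(zip(ORDER, [g for g in rm.groups() if g is not None]))


# Constructed sample lines (192.0.2.x is documentation address space).
LOG_WITH_PORT = (
    "Apr 18 09:31:42 server postfix/postscreen[13433]: NOQUEUE: reject: RCPT from "
    "[192.0.2.10]:9011: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked "
    "using dnsbl.example.invalid"
)
LOG_STOCK = (
    "Apr 18 09:32:07 server postfix/smtpd[13500]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.11]: 554 5.7.1 Relay access denied"
)

if __name__ == "__main__":
    for sample in (LOG_WITH_PORT, LOG_STOCK):
        print(decode_postfix_reject(sample))
```

Before relying on the real decoder, confirm the same fields with ossec-logtest against an untruncated log line, as the reply asks for.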
