Hi Dave,
I found the problem. The last decoder
in kernel-iptables_apparmor_decoders.xml doesn't have a prematch tag. I
fixed it here
<https://github.com/wazuh/ossec-rules/commit/48db55be1917596f9de69a0d7e5efabe8d1dadd0>,
just add that line. Usually, every decoder should have a prematch because
when OSSEC matches a decoder just with regex it doesn't continue looking
for the next decoder.
Now, you can place your decoder in local_decoders and it will work. I
recommend you use prematch in your decoder too.
<decoder name="local_iptables">
<parent>iptables</parent>
<prematch>^[\s*\d+.\d+] ipt:</prematch>
<regex offset="after_prematch">(\S+): in=\.+ src=(\S+) dst=(\S+)</regex>
<order>action,srcip,srcdst</order>
</decoder>
**Phase 1: Completed pre-decoding.
full event: 'May 21 07:06:25 agora kernel: [ 303.966106] IPT: GEOIP
VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00
SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110
ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'
hostname: 'agora'
program_name: 'kernel'
log: '[ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT=
MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148
DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP
SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'
**Phase 2: Completed decoding.
decoder: 'iptables'
action: 'DROP'
srcip: '116.110.88.148'
srcdst: '192.168.0.3'
Regards,
Jesus Linares.
On Saturday, May 21, 2016 at 7:58:35 PM UTC+2, Dave Vehrs wrote:
>
> Hi all,
>
> I'm sure I'm overlooking something simple but I've run into a small issue
> with the standard iptables decoders in
> ossec_decoders/kernel-iptables_apparmor_decoders.xml
>
> The problem I have is that the patterns described in the various decoders
> in this file do not match the pattern that I use for Iptables logs. Simple
> issue, right?
>
> Examples of my logs:
> May 21 05:56:10 agora kernel: [25811.034035] IPT: GEOIP VIETNAM DROP:
> IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00
> SRC=14.160.56.206 DST=192.168.0.3 LEN=52 TOS=0x08 PREC=0x20 TTL=117
> ID=21885 DF PROTO=TCP SPT=56689 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
> May 21 06:00:25 agora kernel: [26065.545901] IPT: GEOIP VIETNAM DROP:
> IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00
> SRC=42.114.164.226 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=116
> ID=21576 DF PROTO=TCP SPT=59826 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
> May 21 06:12:36 agora kernel: [26796.745515] IPT: GEOIP LATVIA DROP:
> IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=195.3.144.85
> DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=3941 DF PROTO=TCP
> SPT=62658 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
> May 21 07:02:09 agora kernel: [ 47.395341] IPT: Stealth Scan Reject:
> IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:b8:ae:ed:78:1b:20:08:00 SRC=192.168.0.55
> DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=14452 DF PROTO=TCP
> SPT=54776 DPT=25 SEQ=1191919764 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
>
> The problem with the patterns in kernel-iptables_apparmor_decoders.xml is
> they commonly seem to use a single word for the Iptables log prefix or
> start with "Shorewall". Neither of these works for me.
>
> Now, I have been able to write a decoder that works with these logs. It
> is:
>
> <decoder name="local_iptables">
> <parent>iptables</parent>
> <regex offset="after_parent">^[\s*\d+.\d+] ipt: \.+ (\S+): in=\.+ src=(\S+) dst=(\S+) </regex>
> <order>action,srcip,dstip</order>
> </decoder>
>
> However, this only works if I place it in
> ossec_decoders/kernel-iptables_apparmor_decoders.xml. If I move it to
> local_decoder.xml, it appears to be never seen.
>
> Included in that file, the output of ossec-logtest is:
>
>> May 21 07:06:25 agora kernel: [ 303.966106] IPT: GEOIP VIETNAM DROP:
>> IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00
>> SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110
>> ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'May 21 07:06:25 agora kernel: [ 303.966106] IPT:
>> GEOIP VIETNAM DROP: IN=eth0 OUT=
>> MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148
>> DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP
>> SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
>> hostname: 'agora'
>> program_name: 'kernel'
>> log: '[ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT=
>> MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148
>> DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP
>> SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
>> **Phase 2: Completed decoding.
>> decoder: 'iptables'
>> action: 'DROP'
>> srcip: '116.110.88.148'
>> dstip: '192.168.0.3'
>
>
> However when that decoder is included in local_decoder.xml, the output of
> ossec-logtest is:
>
>> May 21 07:06:25 agora kernel: [ 303.966106] IPT: GEOIP VIETNAM DROP:
>> IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00
>> SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110
>> ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'May 21 07:06:25 agora kernel: [ 303.966106] IPT:
>> GEOIP VIETNAM DROP: IN=eth0 OUT=
>> MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148
>> DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP
>> SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
>> hostname: 'agora'
>> program_name: 'kernel'
>> log: '[ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT=
>> MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148
>> DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP
>> SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
>> **Phase 2: Completed decoding.
>> decoder: 'iptables'
>
>
> So the question I have is how I can enable parent from within
> local_decoders.xml? I appear to have the basic syntax right but there is
> something different when it changes which file it's in.
>
> And I do believe it should be enabled for both cases, because in my
> ossec.conf, I have three lines:
> <decoder_dir>etc/ossec_decoders</decoder_dir>
> <decoder_dir>etc/wazuh_decoders</decoder_dir>
> <decoder>etc/local_decoder.xml</decoder>
>
> Any ideas? Or did I just skip part of the RTFM?
>
> Thanks,
>
> Dave
>
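A way to check a decoder's prematch and regex against sample lines before it goes into local_decoder.xml, as an added example that is not code from OSSEC, Wazuh or this thread: it approximates the OSSEC regex dialect on top of Python's re and replays the two logtest phases on the lines quoted above. The escape table, the syslog pre-decoder and case-insensitive matching are assumptions about the OSSEC engine, so the result still needs confirming with ossec-logtest.

```python
import re
from typing import Optional

# Added example, not OSSEC/Wazuh code: an approximation of the OSSEC regex dialect on top of
# Python's re, to check a decoder's prematch/regex against sample lines offline. Assumed mapping:
# \. is "any char", bare . and [ ] are literals, matching is case-insensitive ("ipt:" matches "IPT:").
_ESC = {"S": r"\S", "s": r"\s", "d": r"\d", "D": r"\D", "w": r"\w", "W": r"\W", ".": ".", "t": r"\t"}
_META = set("()+*^$|")

def ossec_to_python(pattern: str) -> str:
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(_ESC.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in _META else re.escape(pattern[i]))
            i += 1
    return "".join(out)

# Phase 1 (pre-decoding): split the syslog header into hostname, program_name and log.
_SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")

def predecode(event: str) -> dict:
    m = _SYSLOG.match(event)
    return {"hostname": m[1], "program_name": m[2], "log": m[3]} if m else {"log": event}

# Phase 2: prematch decides whether the decoder applies; with offset="after_prematch" the
# regex then runs from the end of the prematch and fills the fields named in <order>.
def decode(decoder: dict, event: str) -> Optional[dict]:
    fields, offset = predecode(event), 0
    log = fields["log"]
    if decoder.get("prematch"):
        pm = re.search(ossec_to_python(decoder["prematch"]), log, re.I)
        if not pm:
            return None  # prematch failed: this decoder is skipped and the next one is tried
        if decoder.get("offset") == "after_prematch":
            offset = pm.end()
    rx = re.compile(ossec_to_python(decoder["regex"]), re.I).search(log, offset)
    if not rx:
        return None
    fields.update(zip(decoder["order"].split(","), rx.groups()))
    return fields

# The local_iptables decoder from the thread, written as a dict.
LOCAL_IPTABLES = {"prematch": r"^[\s*\d+.\d+] ipt:", "offset": "after_prematch",
                  "regex": r"(\S+): in=\.+ src=(\S+) dst=(\S+)", "order": "action,srcip,srcdst"}

if __name__ == "__main__":  # one of Dave's sample lines from the thread, shortened after TTL=
    print(decode(LOCAL_IPTABLES, "May 21 07:02:09 agora kernel: [ 47.395341] IPT: Stealth Scan "
                 "Reject: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:b8:ae:ed:78:1b:20:08:00 "
                 "SRC=192.168.0.55 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64"))
```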