Also, I will fix the issue in the next Wazuh release, so you will not need to use a custom decoder. Likely I will change the name to something more readable, such as *ossec_decoders/kernel_decoders.xml*.
Thanks.

On Monday, May 23, 2016 at 10:22:33 AM UTC+2, Jesus Linares wrote:
>
> Hi Dave,
>
> I found the problem. The last decoder in kernel-iptables_apparmor_decoders.xml doesn't have a prematch tag. I fixed it here
> <https://github.com/wazuh/ossec-rules/commit/48db55be1917596f9de69a0d7e5efabe8d1dadd0>,
> just add that line. Usually, every decoder should have a prematch because when OSSEC matches a decoder just with regex it doesn't continue looking for the next decoder.
>
> Now, you can place your decoder in local_decoders and it will work. I recommend you use prematch in your decoder too.
>
> <decoder name="local_iptables">
>   <parent>iptables</parent>
>   <prematch>^[\s*\d+.\d+] ipt:</prematch>
>   <regex offset="after_prematch">(\S+): in=\.+ src=(\S+) dst=(\S+) </regex>
>   <order>action,srcip,srcdst</order>
> </decoder>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'May 21 07:06:25 agora kernel: [ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'
>        hostname: 'agora'
>        program_name: 'kernel'
>        log: '[ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>        action: 'DROP'
>        srcip: '116.110.88.148'
>        srcdst: '192.168.0.3'
>
> Regards,
> Jesus Linares.
>
>
> On Saturday, May 21, 2016 at 7:58:35 PM UTC+2, Dave Vehrs wrote:
>>
>> Hi all,
>>
>> I'm sure I'm overlooking something simple, but I've run into a small issue with the standard iptables decoders in ossec_decoders/kernel-iptables_apparmor_decoders.xml
>>
>> The problem I have is that the patterns described in the various decoders in this file do not match the pattern that I use for Iptables logs. Simple issue, right?
>>
>> Examples of my logs:
>> May 21 05:56:10 agora kernel: [25811.034035] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=14.160.56.206 DST=192.168.0.3 LEN=52 TOS=0x08 PREC=0x20 TTL=117 ID=21885 DF PROTO=TCP SPT=56689 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
>> May 21 06:00:25 agora kernel: [26065.545901] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=42.114.164.226 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=21576 DF PROTO=TCP SPT=59826 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
>> May 21 06:12:36 agora kernel: [26796.745515] IPT: GEOIP LATVIA DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=195.3.144.85 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=3941 DF PROTO=TCP SPT=62658 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
>> May 21 07:02:09 agora kernel: [ 47.395341] IPT: Stealth Scan Reject: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:b8:ae:ed:78:1b:20:08:00 SRC=192.168.0.55 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=14452 DF PROTO=TCP SPT=54776 DPT=25 SEQ=1191919764 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
>>
>> The problem with the patterns in kernel-iptables_apparmor_decoders.xml is that they commonly seem to use a single word for the Iptables log prefix or start with "Shorewall". Neither of which works for me.
>>
>> Now, I have been able to write a decoder that works with these logs. It is:
>>
>> <decoder name="local_iptables">
>>   <parent>iptables</parent>
>>   <regex offset="after_parent">^[\s*\d+.\d+] ipt: \.+ (\S+): in=\.+ src=(\S+) dst=(\S+) </regex>
>>   <order>action,srcip,dstip</order>
>> </decoder>
>>
>> However, this only works if I place it in ossec_decoders/kernel-iptables_apparmor_decoders.xml. If I move it to local_decoder.xml, it appears never to be seen.
>>
>> Included in that file, the output of ossec-logtest is:
>>
>>> May 21 07:06:25 agora kernel: [ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'May 21 07:06:25 agora kernel: [ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
>>>        hostname: 'agora'
>>>        program_name: 'kernel'
>>>        log: '[ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
>>> **Phase 2: Completed decoding.
>>>        decoder: 'iptables'
>>>        action: 'DROP'
>>>        srcip: '116.110.88.148'
>>>        dstip: '192.168.0.3'
>>
>>
>> However, when that decoder is included in local_decoder.xml, the output of ossec-logtest is:
>>
>>> May 21 07:06:25 agora kernel: [ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'May 21 07:06:25 agora kernel: [ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
>>>        hostname: 'agora'
>>>        program_name: 'kernel'
>>>        log: '[ 303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
>>> **Phase 2: Completed decoding.
>>>        decoder: 'iptables'
>>
>>
>> So the question I have is how I can enable parent from within local_decoders.xml? I appear to have the basic syntax right, but there is something different when it changes which file it's in.
>>
>> And I do believe it should be enabled for both cases, because in my ossec.conf, I have three lines:
>> <decoder_dir>etc/ossec_decoders</decoder_dir>
>> <decoder_dir>etc/wazuh_decoders</decoder_dir>
>> <decoder>etc/local_decoder.xml</decoder>
>>
>> Any ideas? Or did I just skip part of the RTFM?
>>
>> Thanks,
>>
>> Dave
>>
