My phase 3 is the same..
**Phase 1: Completed pre-decoding.
full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443
- 10.18.100.24
Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0
200 0 0 15'
hostname: 'alamo'
program_name: '(null)'
log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 -
10.18.100.24
Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0
200 0 0 15'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
url: '/wfc/portal -'
srcip: '10.18.100.24'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'
On Thursday, May 26, 2016 at 4:05:55 PM UTC-5, Brent Morris wrote:
>
> Hi Jacob,
>
> What version of OSSEC are you on?
>
> It doesn't look like you've configured your IIS servers logging to meet
> the OSSEC 2.8 decoder expectations. But even having said that, I'd
> submitted some "IIS default" decodes to the github repository some time
> back.
>
> So when I test your log against my OSSEC, I get a different result.
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal -
> 443 - 10.18.100.24
> Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0
> 200 0 0 15'
> hostname: 'lott-ossec'
> program_name: '(null)'
> log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 -
> 10.18.100.24
> Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0
> 200 0 0 15'
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> dstip: '172.18.2.247'
> action: 'POST'
> url: '/wfc/portal'
> dstport: '443'
> srcip: '10.18.100.24'
> id: '200'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '31108'
> Level: '0'
> Description: 'Ignored URLs (simple queries).'
>
> But it looks like you have a decoder that is working. And having said
> that, I can't see what "**Phase 3" of your logtest shows for the output of
> the rule id. I only see Phase 1 and Phase 2... so there's no way for us to
> know what rule it is matching to compare against your local_rules.xml
> entries.
>
>
> On Thursday, May 26, 2016 at 1:35:30 PM UTC-7, Jacob Mcgrath wrote:
>>
>> I am still struggling with the general syntax of regex...
>>
>> On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
>>>
>>>
>>>
>>> Looking to take these logs from two separate server applications and
>>> perform alerts and possibly responses to them.
>>>
>>> server 1:
>>>
>>> 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24
>>> Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0
>>> 200 0 0 15
>>> 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24
>>> Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36
>>>
>>> 404 0 2 203
>>>
>>> Server 2:
>>>
>>> 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST
>>> /servlet/Router/Transaction/Erp - 80 - 10.13.100.4
>>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3)
>>>
>>> 200 0 0
>>> 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET
>>> /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10
>>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3)
>>>
>>> 404 0 2
>>>
>>>
>>> Right now I am just attempting to work with logs from Server 1: to alert
>>> on 200 & 404 errors for web scans and the like, but it's a beginning.
>>>
>>>
>>> Entry in local_decoder.xml:
>>>
>>> <decoder name="kronos-web">
>>> <parent>windows-date-format</parent>
>>> <use_own_name>true</use_own_name>
>>> <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
>>> <regex offset="after_prematch">(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
>>> <order>url,srcip,id</order>
>>> </decoder>
>>>
>>>
>>>
>>> Entry in local_rules.xml
>>>
>>>
>>> <group name="kronos-web,syslog,">
>>> <rule id="100007" level="0">
>>> <decoded_as>kronos-web</decoded_as>
>>> <description>Grouping for Kronos web rules.</description>
>>> </rule>
>>>
>>> <rule id="100008" level="5">
>>> <if_sid>100007</if_sid>
>>> <id>404</id>
>>> <description>IIS 7 Web Server 404 Error.</description>
>>> <group>connection attempt,</group>
>>> </rule>
>>>
>>> <rule id="100009" level="5">
>>> <if_sid>100007</if_sid>
>>> <id>200</id>
>>> <description>IIS 7 Web Server 200 Error.</description>
>>> <group>connection attempt,</group>
>>> </rule>
>>>
>>> <rule id="100010" level="10" frequency="10" timeframe="60">
>>> <if_matched_sid>100008,100009</if_matched_sid>
>>> <description>Possible Kronos Web Scan/Attack Detected.</description>
>>> <group>attacks,</group>
>>> </rule>
>>> </group>
>>>
>>>
>>>
>>>
>>> When I run the logtest I get this output: it is getting the
>>> url, srcip and id, but it is not getting to the rules I have created above...
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>> full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal -
>>> 443 - 10.18.100.24
>>> Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0
>>> 200 0 0 15'
>>> hostname: 'alamo'
>>> program_name: '(null)'
>>> log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 -
>>> 10.18.100.24
>>> Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0
>>> 200 0 0 15'
>>>
>>> **Phase 2: Completed decoding.
>>> decoder: 'windows-date-format'
>>> url: '/wfc/portal -'
>>> srcip: '10.18.100.24'
>>> id: '200'
>>>
>>>
>>>
>>> Am I missing something like a base idea behind this or a syntax thing I
>>> really do not know...
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
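The thread turns on what the posted kronos-web regex actually captures and why the composite rule never fires. The following is an added example, not code from the thread, from OSSEC or from any of its participants. It assumes a translation of the OSSEC regex subset used in the posted decoder into Python `re` syntax (in OSSEC, `\.` means "any character" and a bare `.` is a literal dot), an assumed replacement regex named FIXED that captures one W3C field per group, and a deliberately simplified sliding-window counter standing in for rule 100010's frequency/timeframe bookkeeping. The sample lines are constructed in the "server 1" layout quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the W3C layout of "server 1" from the thread
# (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
#  cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken).
SAMPLE_LINES = [
    "2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 "
    "Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15",
    "2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 "
    "Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
    "+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203",
]

# OSSEC's default windows-date-format parent prematch, in OSSEC regex syntax.
PARENT_PREMATCH = r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d "


def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used here into Python `re` syntax.
    Traps: in OSSEC '\\.' means "any character" while a bare '.' is a literal
    dot, and '\\w' is alphanumerics only. Characters that are special in Python
    but literal in OSSEC (e.g. '?', '[', '{') are escaped."""
    classes = {"d": r"\d", "D": r"\D", "s": " ", "S": r"\S", "t": r"\t",
               "w": "[A-Za-z0-9]", "W": "[^A-Za-z0-9]", ".": ".",
               "p": r"[()*+,\-.:;<=>?\[\]]", "\\": r"\\"}
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(classes.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "^$|()+*" else re.escape(c))
            i += 1
    return "".join(out)


def _match(pattern, text):
    # A leading '^' anchors at the start in both engines; otherwise search anywhere.
    return re.search(ossec_to_python(pattern), text)


def decode(line, prematch, regex, order, regex_offset="after_prematch"):
    """Emulate a child of windows-date-format whose prematch has offset="after_parent"."""
    parent = _match(PARENT_PREMATCH, line)
    if not parent:
        return None
    after_parent = line[parent.end():]
    pre = _match(prematch, after_parent)
    if not pre:
        return None
    text = after_parent if regex_offset == "after_parent" else after_parent[pre.end():]
    m = _match(regex, text)
    return dict(zip(order, m.groups())) if m else None


# The kronos-web decoder exactly as posted. '(\S+ \S*)' swallows the "-" that IIS
# writes for an empty cs-uri-query, which is why url decodes as '/wfc/portal -'.
POSTED = {
    "prematch": r"^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST ",
    "regex": r"(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+",
    "order": ["url", "srcip", "id"],
}

# Assumed replacement (not from the thread): one capture per W3C field, anchored
# at both ends so a field cannot bleed into its neighbour.
FIXED = {
    "prematch": POSTED["prematch"],
    "regex": r"^(\S+) (\S+) (\S+) \S+ (\d+) \S+ (\d+.\d+.\d+.\d+) \S+ (\d\d\d) \d+ \d+ \d+$",
    "order": ["dstip", "action", "url", "dstport", "srcip", "id"],
    "regex_offset": "after_parent",
}


def classify(fields):
    """Rules 100008 (<id>404</id>) and 100009 (<id>200</id>) from the thread."""
    return {"404": 100008, "200": 100009}.get(fields.get("id"))


def correlate(lines, decoder, frequency=10, timeframe=60):
    """Simplified stand-in for rule 100010 (if_matched_sid 100008,100009,
    frequency 10, timeframe 60): fire once `frequency` child-rule matches land
    inside a sliding `timeframe`-second window. OSSEC's own counter bookkeeping
    differs in detail; this only shows the idea."""
    fired, window = [], []
    for line in lines:
        fields = decode(line, **decoder)
        if not fields or classify(fields) is None:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        window = [t for t in window if ts - t <= timedelta(seconds=timeframe)]
        window.append(ts)
        if len(window) >= frequency:
            fired.append((str(ts), fields["srcip"]))
            window = []  # reset after alerting, as a composite rule does
    return fired


def burst(n, start="2016-05-26 16:00:00"):
    """Constructed: n 404s one second apart from one client, to exercise correlate()."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return [f"{t0 + timedelta(seconds=i):%Y-%m-%d %H:%M:%S} 172.18.2.247 GET "
            f"/wfc/missing{i} - 443 - 10.18.100.99 Mozilla/5.0+(constructed) 404 0 2 {i}"
            for i in range(n)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("posted:", decode(line, **POSTED))
        print("fixed: ", decode(line, **FIXED))
    print("rule 100010 fires:", correlate(burst(12), FIXED))
```

Running it shows the posted decoder returning `url: '/wfc/portal -'` exactly as in the logtest output above, while the assumed FIXED pattern yields the same six fields Brent's decoder produced. The emulator only approximates OSSEC's engine, so after changing a decoder the authoritative check is still `ossec-logtest`, and the Phase 3 line it prints is what tells you whether local_rules.xml is being reached.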