On Mon, Aug 8, 2016 at 4:38 AM, Dominik <[email protected]> wrote:
> In order to get notifications about installed software, I created the
> following configuration:
>
> etc/ossec.conf on the client:
> <localfile>
> <log_format>command</log_format>
> <command>debfoster -sn | tail -n +2 | tr ' ' '\n' | sort -u | sed 's/^/mysoftwarelist: /'</command>
> <alias>software_list</alias>
> <frequency>600</frequency>
> </localfile>
>
>
>
> etc/local_decoder.xml:
> <decoder name="mysoftwarelist">
> <prematch>mysoftwarelist</prematch>
> </decoder>
>
I don't think this will work.
Running the log through ossec-logtest gives me the following:
ossec-testrule: Type one log per line.
ossec: output: 'software_list': mysoftwarelist: acpi
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'software_list': mysoftwarelist: acpi'
hostname: 'ix'
program_name: '(null)'
log: 'ossec: output: 'software_list': mysoftwarelist: acpi'
**Phase 2: Completed decoding.
decoder: 'ossec'
**Phase 3: Completed filtering (rules).
Rule id: '530'
Level: '0'
Description: 'OSSEC process monitoring rules.'
Adding your decoder gives me this:
ossec-testrule: Type one log per line.
ossec: output: 'software_list': mysoftwarelist: acpi
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'software_list': mysoftwarelist: acpi'
hostname: 'ix'
program_name: '(null)'
log: 'ossec: output: 'software_list': mysoftwarelist: acpi'
**Phase 2: Completed decoding.
decoder: 'ossec'
**Phase 3: Completed filtering (rules).
Rule id: '530'
Level: '0'
Description: 'OSSEC process monitoring rules.'
Instead of trying to make a new decoder, using the already defined one
should probably work just fine.
>
>
> etc/local_rules.xml:
>
> <rule id="155555" level="5">
> <decoded_as>mysoftwarelist</decoded_as>
> <description>List of installed software </description>
> </rule>
>
<rule id="155556" level="5">
<if_sid>530</if_sid>
<match>mysoftwarelist</match>
<description>List of installed software</description>
</rule>
ossec-testrule: Type one log per line.
ossec: output: 'software_list': mysoftwarelist: acpi
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'software_list': mysoftwarelist: acpi'
hostname: 'ix'
program_name: '(null)'
log: 'ossec: output: 'software_list': mysoftwarelist: acpi'
**Phase 2: Completed decoding.
decoder: 'ossec'
**Phase 3: Completed filtering (rules).
Rule id: '155556'
Level: '5'
Description: 'List of installed software'
**Alert to be generated.
>
> I get corresponding notifications in the archives.log:
> 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist:
> 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: acpi
> 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: acpi-support-base
> 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: anacron
> 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: auditd
> 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: clamav
> 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: conntrack
> 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: cryptsetup
>
> The rules seem to work as expected:
> sudo /var/ossec/bin/ossec-logtest
> ossec-testrule: Type one log per line.
>
> mysoftwarelist: anacron
>
>
> **Phase 1: Completed pre-decoding.
> full event: ' mysoftwarelist: anacron'
> hostname: 'Birnbaum'
> program_name: '(null)'
> log: ' mysoftwarelist: anacron'
>
> **Phase 2: Completed decoding.
> decoder: 'mysoftwarelist'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '155555'
> Level: '5'
> Description: 'List of installed software '
> **Alert to be generated.
>
> However, when I search logs/alerts/alerts.log for a corresponding entry, I
> cannot find anything related to the software list. Other alerts from the
> same client appear as expected.
>
> Any idea why this could happen?
> Greetings
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
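The point the reply turns on is that the agent wraps command output as "ossec: output: 'software_list': ..." before analysisd ever sees it, so testing the bare "mysoftwarelist: anacron" line in ossec-logtest exercises a different event than the one in archives.log. The following added example (not code from the thread or from OSSEC) parses the archives.log lines quoted above, recovers the log field analysisd actually receives, and runs both the custom decoder rule (155555) and the proposed child of rule 530 (155556) through a deliberately simplified model of decoder selection and rule chaining; the first-match decoder order and the shape of rule 530 are assumptions of the model.

```python
import re

# Constructed sample in the archives.log format quoted in the thread (agent name and
# masked IP as on the page; the first entry is the empty package name the pipeline emits).
ARCHIVE_LINES = [
    "2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist:",
    "2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: acpi",
    "2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: auditd",
]

# archives.log layout: "<timestamp> (<agent>) <ip>-><location> <log>"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((?P<agent>[^)]*)\) "
    r"(?P<ip>\S+)->(?P<location>\S+) (?P<log>.*)$"
)

# Simplified model of analysisd (an assumption of this example, not OSSEC source):
# decoders are tried in load order and the first prematch that hits wins; the stock
# 'ossec' decoder is loaded before etc/local_decoder.xml.
DECODERS = [("ossec", re.compile(r"^ossec: ")),
            ("mysoftwarelist", re.compile(r"mysoftwarelist"))]

# (rule id, parent sid via <if_sid>, <decoded_as>, <match> regex)
RULES = [
    (530, None, "ossec", None),                          # stock process-monitoring rule
    (155555, None, "mysoftwarelist", None),              # rule from the question
    (155556, 530, None, re.compile(r"mysoftwarelist")),  # rule proposed in the reply
]

def log_field(archive_line):
    """Return the log text exactly as analysisd received it from the agent."""
    m = ARCHIVE_RE.match(archive_line)
    return m.group("log") if m else None

def decode(log):
    for name, prematch in DECODERS:
        if prematch.search(log):
            return name
    return None

def match_rules(log):
    """Ids of rules that fire: parent rules first, then children via if_sid."""
    decoder = decode(log)
    fired = [rid for rid, parent, dec, _ in RULES if parent is None and dec == decoder]
    for rid, parent, _, rx in RULES:
        if parent in fired and rx is not None and rx.search(log):
            fired.append(rid)
    return fired

def triggered(archive_lines):
    return [match_rules(log_field(line)) for line in archive_lines]
```

Note that the first archive line, the empty package entry, fires rule 155556 as well, so the proposed rule produces one extra alert per cycle unless its match requires a package name after the prefix.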