Excellent! This works very well. Thanks!
On Monday, 8 August 2016 14:45:39 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Aug 8, 2016 at 4:38 AM, Dominik <[email protected]> wrote:
> > In order to get notifications about installed software, I created the
> > following configuration:
> >
> > etc/ossec.conf on the client:
> > <localfile>
> >   <log_format>command</log_format>
> >   <command>debfoster -sn | tail -n +2 | tr ' ' '\n' | sort -u | sed 's/^/mysoftwarelist: /'</command>
> >   <alias>software_list</alias>
> >   <frequency>600</frequency>
> > </localfile>
> >
> > etc/local_decoder.xml:
> > <decoder name="mysoftwarelist">
> >   <prematch>mysoftwarelist</prematch>
> > </decoder>
>
> I don't think this will work.
> Running the log through ossec-logtest gives me the following:
>
> ossec-testrule: Type one log per line.
>
> ossec: output: 'software_list': mysoftwarelist: acpi
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'ossec: output: 'software_list': mysoftwarelist: acpi'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: 'ossec: output: 'software_list': mysoftwarelist: acpi'
>
> **Phase 2: Completed decoding.
>        decoder: 'ossec'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '530'
>        Level: '0'
>        Description: 'OSSEC process monitoring rules.'
>
> Adding your decoder gives me this:
>
> ossec-testrule: Type one log per line.
>
> ossec: output: 'software_list': mysoftwarelist: acpi
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'ossec: output: 'software_list': mysoftwarelist: acpi'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: 'ossec: output: 'software_list': mysoftwarelist: acpi'
>
> **Phase 2: Completed decoding.
>        decoder: 'ossec'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '530'
>        Level: '0'
>        Description: 'OSSEC process monitoring rules.'
>
> Instead of trying to make a new decoder, using the already defined one
> should probably work just fine.
>
> > etc/local_rules.xml:
> > <rule id="155555" level="5">
> >   <decoded_as>mysoftwarelist</decoded_as>
> >   <description>List of installed software </description>
> > </rule>
>
> <rule id="155556" level="5">
>   <if_sid>530</if_sid>
>   <match>mysoftwarelist</match>
>   <description>List of installed software</description>
> </rule>
>
> ossec-testrule: Type one log per line.
>
> ossec: output: 'software_list': mysoftwarelist: acpi
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'ossec: output: 'software_list': mysoftwarelist: acpi'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: 'ossec: output: 'software_list': mysoftwarelist: acpi'
>
> **Phase 2: Completed decoding.
>        decoder: 'ossec'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '155556'
>        Level: '5'
>        Description: 'List of installed software'
> **Alert to be generated.
>
> > I get corresponding notifications in the archives.log:
> > 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist:
> > 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: acpi
> > 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: acpi-support-base
> > 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: anacron
> > 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: auditd
> > 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: clamav
> > 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: conntrack
> > 2016 Aug 08 09:56:24 (AClient) xx.xx.71.109->software_list ossec: output: 'software_list': mysoftwarelist: cryptsetup
> >
> > The rules seem to work as expected:
> > sudo /var/ossec/bin/ossec-logtest
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/active-response_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/aix-ipsec_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/apache_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/arpwatch_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/asterisk_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/auditd_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/checkpoint_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/cimserver_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/cisco-ios_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/cisco-vpn_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/clamav_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/courier_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/dovecot_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/dragon-nids_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/dropbear_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/ftpd_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/ossec_decoders/grandstream_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/wazuh_decoders/serv-u_decoders.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
> > 2016/08/08 10:10:18 ossec-testrule: INFO: Started (pid: 14627).
> > ossec-testrule: Type one log per line.
> >
> > mysoftwarelist: anacron
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: ' mysoftwarelist: anacron'
> >        hostname: 'Birnbaum'
> >        program_name: '(null)'
> >        log: ' mysoftwarelist: anacron'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'mysoftwarelist'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '155555'
> >        Level: '5'
> >        Description: 'List of installed software '
> > **Alert to be generated.
> >
> > However, when I search logs/alerts/alerts.log for a corresponding entry, I
> > cannot find anything related to the softwarelist. Other alerts from the
> > same client appear as expected.
> >
> > Any idea why this could happen?
> > Greetings
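A constructed model of the behaviour this thread walks through, added here as an example and not code from the thread or from OSSEC itself: the agent wraps command output as `ossec: output: '<alias>': ...`, so the built-in `ossec` decoder claims the event before a custom prematch decoder ever sees it, and a rule keyed on that decoder fires only for the bare line fed to ossec-logtest. The `^ossec: ` prematch and rule 530's match string are assumptions chosen to reproduce the logtest output quoted above; the rule ids, marker string and alias are the thread's own.

```python
import re
# Constructed, simplified model of the OSSEC path discussed in the thread,
# not OSSEC's own code: the decoder prematches and rule 530's match are
# assumptions chosen to reproduce the ossec-logtest output quoted above.

def agent_command_event(alias: str, line: str) -> str:
    """The agent wraps each line of <log_format>command</log_format> output
    as "ossec: output: '<alias>': <line>" before the server decodes it."""
    return f"ossec: output: '{alias}': {line}"

# Decoders are tried in order; the first prematch that hits wins.
DECODERS = [
    ("ossec", re.compile(r"^ossec: ")),                 # built-in (assumed)
    ("mysoftwarelist", re.compile(r"mysoftwarelist")),  # custom, from the post
]

# 530 stands in for the built-in, level-0 "process monitoring" rule.
BUILTIN_RULES = [{"id": 530, "level": 0, "decoded_as": "ossec",
                  "match": "ossec: output: "}]
# Original post: a rule keyed on the custom decoder.
ORIGINAL_RULES = BUILTIN_RULES + [
    {"id": 155555, "level": 5, "decoded_as": "mysoftwarelist"}]
# dan's suggestion: a child of 530 that just matches the marker string.
FIXED_RULES = BUILTIN_RULES + [
    {"id": 155556, "level": 5, "if_sid": 530, "match": "mysoftwarelist"}]

def decode(event: str):
    for name, prematch in DECODERS:
        if prematch.search(event):
            return name
    return None

def evaluate(event: str, rules):
    """Return (decoder, rule_id, level, alert) for one log line: rules are
    walked in order, an if_sid rule applies only after its parent matched,
    and the deepest match wins. alert is True when the level is above 0."""
    decoder = decode(event)
    matched = None
    for rule in rules:
        if "if_sid" in rule:
            if matched is None or matched["id"] != rule["if_sid"]:
                continue
        elif rule.get("decoded_as") != decoder:
            continue
        if "match" in rule and rule["match"] not in event:
            continue
        matched = rule
    if matched is None:
        return decoder, None, 0, False
    return decoder, matched["id"], matched["level"], matched["level"] > 0
```

Feeding logtest the bare `mysoftwarelist: anacron` exercises the custom decoder, while the server only ever receives the wrapped form; testing with the exact line from archives.log is what exposes the difference.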
