On Tue, Oct 18, 2016 at 5:28 AM,  <geomac...@gmail.com> wrote:
> Hello,
>
> I'm having some trouble writing my own custom decoder for something that
> appears to be very simple (doesn't it always :p).
>
> The log line in question is:
> Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467 [NAME
> Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467 (via
> [AF_INET]10.40.160.254%eth0.180)
>
> I've followed the tutorial online and have currently written the following
> decoders as a test:
>
> <decoder name="openvpn">
>    <program_name>ovpn-user-server</program_name>
> </decoder>
>
> <decoder name="openvpn-ip-user">
>    <parent>openvpn</parent>
>    <prematch offset="after_parent">^\S+:\d+</prematch>
>    <regex>^(\S+):(\d+)\s(.+)\sPeer Connection</regex>
>    <order>srcip,srcport,srcuser</order>
> </decoder>
>
> I've tried all kind of combinations of "after_parent", "after_prematch",
> just tried matching on \.* etc, none of this seems to work.
>
> All I get with logtest is:
> Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467 [NAME
> Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467 (via
> [AF_INET]10.40.160.254%eth0.180)
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]:
> 10.40.160.21:62467 [NAME Surname] Peer Connection Initiated with
> [AF_INET]10.40.160.21:62467 (via [AF_INET]10.40.160.254%eth0.180)'
>        hostname: 'MY-SERV-01'
>        program_name: 'ovpn-user-server'
>        log: '10.40.160.21:62467 [NAME Surname] Peer Connection Initiated
> with [AF_INET]10.40.160.21:62467 (via [AF_INET]10.40.160.254%eth0.180)'
>
> **Phase 2: Completed decoding.
>        decoder: 'openvpn'
>
> And finally
>     Trying rule: 81803 - OpenVPN: Connection Certificate Failed
>     Trying rule: 81801 - OpenVPN: User logged in
>        *Rule 81801 matched.
>        *Trying child rules.
>     Trying rule: 81802 - OpenVPN: Concurrent connections
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '81801'
>        Level: '3'
>        Description: 'OpenVPN: User logged in'
> **Alert to be generated.
>
> So I can see that my alert is properly generated, but only decoded as being
> openvpn and doesn't include any of the extra fields.
>
> I'm kinda lost at this moment and feel like I'm missing something stupid.
> Thank you for your assistance.
>


Don't feel stupid. I've been writing decoders for years and rarely get
it right away.

First things first, your first decoder works fine. So we can ignore
that one for now.
Next, I usually find it easiest to build a regex slowly, piece by piece.
So starting with this:
<decoder name="openvpn-ip-user">
   <parent>openvpn</parent>
   <prematch offset="after_parent">^\S+:\d+</prematch>
   <regex>^(\S+):\d+</regex>
   <order>srcip</order>
</decoder>

Gives me this (trimmed for readability):
**Phase 2: Completed decoding.
       decoder: 'openvpn'
       srcip: '10.40.160.21'

Adding the srcport in is easy:
<decoder name="openvpn-ip-user">
   <parent>openvpn</parent>
   <prematch offset="after_parent">^\S+:\d+</prematch>
   <regex>^(\S+):(\d+)</regex>
   <order>srcip,srcport</order>
</decoder>

**Phase 2: Completed decoding.
       decoder: 'openvpn'
       srcip: '10.40.160.21'
       srcport: '62467'


And lastly adding the srcuser:
<decoder name="openvpn-ip-user">
   <parent>openvpn</parent>
   <prematch offset="after_parent">^\S+:\d+</prematch>
   <regex>^(\S+):(\d+) (\.*) Peer</regex>
   <order>srcip,srcport,srcuser</order>
</decoder>

**Phase 2: Completed decoding.
       decoder: 'openvpn'
       srcip: '10.40.160.21'
       srcport: '62467'
       srcuser: '[NAME Surname]'

I think the problem stemmed from OSSEC's "." implementation. OSSEC
unfortunately uses "\." instead, which leads to some confusion.
In fact, adding a single "\" makes your decoder work:
<decoder name="openvpn-ip-user">
   <parent>openvpn</parent>
   <prematch offset="after_parent">^\S+:\d+</prematch>
   <regex>^(\S+):(\d+)\s(\.+)\sPeer Connection</regex> <!-- \.+ instead of .+ -->
   <order>srcip,srcport,srcuser</order>
</decoder>

> Kind regards
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

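The `\.` versus `.` difference that the reply identifies, as an added example that is not from the thread and not OSSEC's own code: a small Python model of the decoder chain (a translator from the OSSEC regex dialect to Python `re`, a simplified syslog pre-decoder, and the prematch/regex/order steps) run over the log line from the question, with both the original poster's child decoder and the reply's corrected one. The escape table follows the OSSEC regex syntax documentation; the pre-decoder and the offset handling are an assumed simplification of what ossec-logtest does, written for this example rather than taken from the OSSEC source.

```python
import re

# Constructed sample: the log line from the question (placeholder host and user).
SAMPLE = (
    "Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467 "
    "[NAME Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467 "
    "(via [AF_INET]10.40.160.254%eth0.180)"
)

# OSSEC regex escapes mapped to Python re, following the OSSEC regex syntax
# documentation. Note the inversion that caught the original poster: in OSSEC
# "\." means "any character" while a bare "." is a literal dot.
_OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9_@-]", "W": r"[^A-Za-z0-9_@-]",
    "d": r"[0-9]",          "D": r"[^0-9]",
    "s": r" ",              "S": r"[^ ]",
    "t": r"\t",             "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    ".": r".",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <regex>/<prematch> pattern into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
        elif c in "^$|()+*":
            out.append(c)              # same meaning in both dialects
            i += 1
        else:
            out.append(re.escape(c))   # everything else, "." included, is literal
            i += 1
    return "".join(out)


# Simplified syslog pre-decoding (assumed model of logtest's Phase 1, not
# OSSEC's own code): hostname, program_name with the pid stripped, and the log.
_SYSLOG = re.compile(
    r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(line):
    m = _SYSLOG.match(line)
    return m.groupdict() if m else None


# The two child decoders from the thread, as dicts instead of XML.
BROKEN_CHILD = {   # original poster's version: ".+" is "one or more literal dots"
    "prematch": r"^\S+:\d+",
    "regex": r"^(\S+):(\d+)\s(.+)\sPeer Connection",
    "order": ["srcip", "srcport", "srcuser"],
}
FIXED_CHILD = {    # the reply's version: "\.+" is "one or more of any character"
    "prematch": r"^\S+:\d+",
    "regex": r"^(\S+):(\d+)\s(\.+)\sPeer Connection",
    "order": ["srcip", "srcport", "srcuser"],
}


def decode(line, child, regex_offset=None):
    """Run the parent (program_name) and child decoder, mirroring logtest's Phase 2.

    Returns None if the parent does not match, {"decoder": "openvpn"} if only the
    parent matches, and the extracted fields on top of that otherwise. Offset
    handling is the assumed simplification: the prematch (offset="after_parent")
    and the regex both run against the pre-decoded log, unless regex_offset is
    "after_prematch", in which case the regex sees only the text after the prematch.
    """
    pre = predecode(line)
    if pre is None or pre["program_name"] != "ovpn-user-server":
        return None
    result = {"decoder": "openvpn"}
    log = pre["log"]
    pm = re.search(ossec_to_python(child["prematch"]), log)
    if pm is None:
        return result
    target = log[pm.end():] if regex_offset == "after_prematch" else log
    m = re.search(ossec_to_python(child["regex"]), target)
    if m is None:
        return result
    result.update(zip(child["order"], m.groups()))
    return result


if __name__ == "__main__":
    for name, child in (("original", BROKEN_CHILD), ("fixed", FIXED_CHILD)):
        print(name, "->", ossec_to_python(child["regex"]))
        print("   ", decode(SAMPLE, child))
```

Running it shows the translated patterns side by side: the original decoder's `(.+)` becomes a Python `(\.+)` that demands literal dots where the log has `[NAME Surname]`, so only the parent decoder name comes back, exactly as in the poster's logtest output; the `\.+` version extracts srcip, srcport and srcuser. The translator is handy for sanity-checking any OSSEC pattern before a round trip through ossec-logtest, but it is a model, not the real engine, so confirm the final decoder with logtest.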