Hi Dan,

Thank you for the quick reply. I've run the decoder as you've written it, and everything's working beautifully now.

Ah yes, the "\." implementation is certainly something I'll have to keep in 
mind when writing future decoders!

Have a nice day.

On Tuesday, October 18, 2016 at 1:13:35 PM UTC+2, dan (ddpbsd) wrote:
>
> On Tue, Oct 18, 2016 at 5:28 AM, <geom...@gmail.com> wrote:
> > Hello, 
> > 
> > I'm having some trouble writing my own custom decoder for something that 
> > appears to be very simple (doesn't it always :p). 
> > 
> > The log line in question is: 
> > Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467 [NAME Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467 (via [AF_INET]10.40.160.254%eth0.180)
> > 
> > I've followed the tutorial online and have currently written the following decoders as a test:
> > 
> > <decoder name="openvpn"> 
> >    <program_name>ovpn-user-server</program_name> 
> > </decoder> 
> > 
> > <decoder name="openvpn-ip-user"> 
> >    <parent>openvpn</parent> 
> >    <prematch offset="after_parent">^\S+:\d+</prematch> 
> >    <regex>^(\S+):(\d+)\s(.+)\sPeer Connection</regex> 
> >    <order>srcip,srcport,srcuser</order> 
> > </decoder> 
> > 
> > I've tried all kinds of combinations of "after_parent" and "after_prematch", and just tried matching on \.* etc.; none of this seems to work.
> > 
> > All I get with logtest is: 
> > Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467 [NAME Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467 (via [AF_INET]10.40.160.254%eth0.180)
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467 [NAME Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467 (via [AF_INET]10.40.160.254%eth0.180)'
> >        hostname: 'MY-SERV-01'
> >        program_name: 'ovpn-user-server'
> >        log: '10.40.160.21:62467 [NAME Surname] Peer Connection Initiated with [AF_INET]10.40.160.21:62467 (via [AF_INET]10.40.160.254%eth0.180)'
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'openvpn' 
> > 
> > And finally 
> >     Trying rule: 81803 - OpenVPN: Connection Certificate Failed 
> >     Trying rule: 81801 - OpenVPN: User logged in 
> >        *Rule 81801 matched. 
> >        *Trying child rules. 
> >     Trying rule: 81802 - OpenVPN: Concurrent connections 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '81801' 
> >        Level: '3' 
> >        Description: 'OpenVPN: User logged in' 
> > **Alert to be generated. 
> > 
> > So I can see that my alert is properly generated, but only decoded as being openvpn and doesn't include any of the extra fields.
> > 
> > I'm kinda lost at this moment and feel like I'm missing something stupid.
> > Thank you for your assistance. 
> > 
>
>
> Don't feel stupid. I've been writing decoders for years and rarely get 
> it right away. 
>
> First things first, your first decoder works fine. So we can ignore that one for now.
> Next, I usually find it easiest to build a regex slowly, piece by piece. 
> So starting with this: 
> <decoder name="openvpn-ip-user"> 
>    <parent>openvpn</parent> 
>    <prematch offset="after_parent">^\S+:\d+</prematch> 
>    <regex>^(\S+):\d+</regex> 
>    <order>srcip</order> 
> </decoder> 
>
> Gives me this (trimmed for readability): 
> **Phase 2: Completed decoding. 
>        decoder: 'openvpn' 
>        srcip: '10.40.160.21' 
>
> Adding the srcport in is easy: 
> <decoder name="openvpn-ip-user"> 
>    <parent>openvpn</parent> 
>    <prematch offset="after_parent">^\S+:\d+</prematch> 
>    <regex>^(\S+):(\d+)</regex> 
>    <order>srcip,srcport</order> 
> </decoder> 
>
> **Phase 2: Completed decoding. 
>        decoder: 'openvpn' 
>        srcip: '10.40.160.21' 
>        srcport: '62467' 
>
>
> And lastly adding the srcuser: 
> <decoder name="openvpn-ip-user"> 
>    <parent>openvpn</parent> 
>    <prematch offset="after_parent">^\S+:\d+</prematch> 
>    <regex>^(\S+):(\d+) (\.*) Peer</regex> 
>    <order>srcip,srcport,srcuser</order> 
> </decoder> 
>
> **Phase 2: Completed decoding. 
>        decoder: 'openvpn' 
>        srcip: '10.40.160.21' 
>        srcport: '62467' 
>        srcuser: '[NAME Surname]' 
>
> I think the problem stemmed from OSSEC's "." implementation. OSSEC 
> unfortunately uses "\." instead, which leads to some confusion. 
> In fact, adding a single "\" makes your decoder work: 
> <decoder name="openvpn-ip-user"> 
>    <parent>openvpn</parent> 
>    <prematch offset="after_parent">^\S+:\d+</prematch> 
>    <regex>^(\S+):(\d+)\s(\.+)\sPeer Connection</regex> <!-- \.+ instead of .+ -->
>    <order>srcip,srcport,srcuser</order> 
> </decoder> 
>
> > Kind regards 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
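The point Dan makes above, that OSSEC treats a bare "." as a literal dot and uses "\." as its "anything" wildcard, can be checked offline with a small Python model of a child decoder's prematch/regex/order stages. This is an added example, not code from the thread or from OSSEC itself; the escape table is an assumption (a simplified model of OSSEC's regex syntax, not its real matcher), and the log message is the one quoted in the thread.

```python
import re

# Log message from the thread (the part after the syslog header), used as
# constructed sample input.
LOG = ("10.40.160.21:62467 [NAME Surname] Peer Connection Initiated with "
       "[AF_INET]10.40.160.21:62467 (via [AF_INET]10.40.160.254%eth0.180)")

# OSSEC escape classes mapped to Python regex. Assumption: this is a
# simplified model of OSSEC's regex syntax, enough to show the "." vs "\." point.
OSSEC_CLASSES = {
    "w": "[A-Za-z0-9]", "d": "[0-9]", "s": " ", "t": "\t",
    "W": "[^A-Za-z0-9]", "D": "[^0-9]", "S": "[^ ]",
    ".": ".",  # OSSEC's "\." is the "match anything" wildcard
}

def ossec_to_python(pattern):
    """Translate an OSSEC-style regex into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif c in "^$()+*|":  # operators OSSEC shares with PCRE
            out.append(c)
            i += 1
        else:  # anything else, including a bare ".", is matched literally
            out.append(re.escape(c))
            i += 1
    return "".join(out)

def decode(log, prematch, regex, order):
    """Run a child decoder's prematch/regex/order against one log message.

    Returns None when prematch fails, {} when regex fails, else the fields."""
    if not re.search(ossec_to_python(prematch), log):
        return None
    m = re.search(ossec_to_python(regex), log)
    return dict(zip(order.split(","), m.groups())) if m else {}

PREMATCH = r"^\S+:\d+"
ORDER = "srcip,srcport,srcuser"
BROKEN = r"^(\S+):(\d+)\s(.+)\sPeer Connection"   # "." here is a literal dot
FIXED = r"^(\S+):(\d+)\s(\.+)\sPeer Connection"   # "\." is "anything"

if __name__ == "__main__":
    print(decode(LOG, PREMATCH, BROKEN, ORDER))  # {} -> srcuser never extracted
    print(decode(LOG, PREMATCH, FIXED, ORDER))
```

The broken pattern reproduces the thread's symptom (prematch succeeds, so the parent decoder still matches, but no child fields come out), while the fixed one yields srcip, srcport and srcuser.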
