Hi Ian,

Here you have the syntax of the OSSEC regexes: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html
> Another difference I've discovered is that Perl's regex is greedy --
> it'll match all it can. It looks like this regex will only match the
> least number of characters it can

I think OSSEC regexes are greedy too, at least sometimes.

> Our regex is weird.

Totally agree.

Regards.

On Friday, July 7, 2017 at 2:49:39 AM UTC+2, dan (ddpbsd) wrote:
> On Wed, Jul 5, 2017 at 10:41 PM, Ian Brown <[email protected]> wrote:
> > Dan,
> >
> > All my regex experience comes from Perl. It's clear this regex does things
> > a bit differently than how I expected. In Perl \.+ means only match 1 or
> > more periods.
> >
> > Another difference I've discovered is that Perl's regex is greedy -- it'll
> > match all it can. It looks like this regex will only match the least number
> > of characters it can. If I understand the difference correctly, \.+ in this
> > regex would be .+? in Perl.
> >
> > In Perl, [0-9A-Fx]+ means match one or more from the following set: 0
> > through 9, A through F and x. I guess that's done differently here. :)
> >
> > Thanks for helping me understand this better.
> >
> > Our regex is weird.
> >
> > On 7/5/2017 6:45 PM, dan (ddp) wrote:
> >> On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown <[email protected]> wrote:
> >>> I believe I've figured it out -- I think the decoder isn't matching the
> >>> full log string and is thus stripping the ip address information. Also after
> >>> looking at the regex in the decoder, I've discovered that it doesn't even
> >>> match against the first three example strings provided:
> >>>
> >>> Here's an example from the comments (After prematch):
> >>> Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The
> >>> logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from
> >>> workstation: la failed. The error code was: 3221225572
> >>>
> >>> yet, the regex is:
> >>> ^\.+: (\w+)\((\d+)\): (\.+):
> >>>
> >>> The second (\d+) will only match against numbers, so (0x000002A9) will
> >>> never match. It should be ([0-9A-Fx]+)
> >>
> >> I don't think this does what you want it to. But dealing with the hex
> >> might be an issue we'll have to look into.
> >>
> >>> Also, why is it escaping the period at the beginning and at the end?
> >>> shouldn't the regex be:
> >>> ^.+: (\w+)\((\d+)\): (.+):
> >>>
> >> Not if you want to match any character, that should only match '.'.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
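Added example (not part of the thread, and not OSSEC's own code): a small harness that runs the decoder regex quoted above against the sample line quoted above, so the two points made in the thread can be checked offline. It translates the documented OSSEC regex syntax (`\.` is any character, a bare `.` is a literal period, `\d` is digits only, `\w` is letters, digits and underscore, and there are no `[...]` bracket classes) into Python `re` syntax. The translation is my own approximation of the linked documentation, not OSSEC's engine. The `lazy` flag exists only to illustrate Ian's hypothesis that OSSEC's `+` matches the fewest characters it can; the thread does not settle which behaviour OSSEC actually has, and the hex-group result is the same either way. `FIXED_REGEX`, which replaces the second `(\d+)` with `(\w+)` because `\w` covers `0-9`, `A-F` and `x`, is an assumed fix for illustration, not the decoder's shipped regex.

```python
import re

# Constructed sample: the "After prematch" line quoted in the thread.
SAMPLE = (
    "Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: "
    "The logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "from workstation: la failed. The error code was: 3221225572"
)

# The decoder regex as quoted in the thread, and an assumed fix (not the
# project's own change) that lets the second group accept the hex code.
ORIGINAL_REGEX = r"^\.+: (\w+)\((\d+)\): (\.+): "
FIXED_REGEX = r"^\.+: (\w+)\((\w+)\): (\.+): "

# OSSEC escape sequences per the linked documentation -> Python re classes.
# Anything escaped that is not listed here (e.g. "\(") is a literal.
_CLASSES = {
    ".": ".",                       # \. is "any character" in OSSEC
    "w": "[A-Za-z0-9_]",
    "d": "[0-9]",
    "s": " ",
    "t": "\\t",
    "p": "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]",
    "W": "[^A-Za-z0-9_]",
    "D": "[^0-9]",
    "S": "[^ ]",
}


def ossec_to_python(pattern: str, lazy: bool = False) -> str:
    """Approximate translation of an OSSEC regex into Python re syntax.

    lazy=True appends '?' to every + and * to model the "fewest characters"
    behaviour hypothesised in the thread; lazy=False models Perl-style greed.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in "+*":
            out.append(c + ("?" if lazy else ""))
        elif c in "()^$|":
            out.append(c)
        else:
            # Every other character, including "." and "[", is a literal.
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def run_decoder(pattern: str, line: str, lazy: bool = False):
    """Return the captured groups if the OSSEC-style pattern matches, else None."""
    m = re.match(ossec_to_python(pattern, lazy), line)
    return m.groups() if m else None


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_REGEX), ("fixed", FIXED_REGEX)):
        for lazy in (False, True):
            print(name, "lazy" if lazy else "greedy", run_decoder(rx, SAMPLE, lazy))
```

Running it shows the original regex failing on the sample line under both interpretations, because `[0-9]+` stops at the `x` in `0x000002A9`, while the `\w+` variant captures `AUDIT_FAILURE` and `0x000002A9`. The third group is where greediness matters: the lazy translation captures just `Security`, the greedy one runs to the last `: ` on the line, which is the ambiguity Ian raised and the thread leaves open.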
