On Fri, Aug 4, 2017 at 2:57 AM, Fredrik Hilmersson
<[email protected]> wrote:
> Hello,
>
> I would like some help and pointers to create a decoder. So I ran the line
> from the access log (see below). What I would like to accomplish is to
> match: <match>python-requests/2.2.1</match> However as you can see at the
> moment the default decoder for rule 31101, does only store the srcip, url
> and id field. Some help to get me started would be much appreciated.
>
>
> log-test: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic"'
>
>
> **Phase 2: Completed decoding.
>
> decoder: 'web-accesslog'
>
> srcip: ''
>
> url: '/'
>
> id: '404'
>
>
> **Phase 3: Completed filtering (rules).
>
> Rule id: '31101'
>
> Level: '5'
>
> Description: 'Web server 400 error code.'
>
> **Alert to be generated.
>
There's probably a cleaner way to do this, but I'm short on time.
The original logtest gives me:
**Phase 1: Completed pre-decoding.
full event: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic'
hostname: 'ossec-syscheckdb'
program_name: '(null)'
log: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: 'srcpip'
url: '/'
id: '404'
**Phase 3: Completed filtering (rules).
Rule id: '31101'
Level: '5'
Description: 'Web server 400 error code.'
**Alert to be generated.
Adding the following decoder to local_decoder.xml:
<decoder name="web-accesslog">
  <type>web-log</type>
  <parent>web-accesslog</parent>
  <regex>^(\S+) \S+ (\S+) [\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) \d+ \S+ "(\S+) </regex>
  <order>srcip, srcuser, action, url, id, extra_data</order>
</decoder>
Gives me:
**Phase 1: Completed pre-decoding.
full event: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic'
hostname: 'ossec-syscheckdb'
program_name: '(null)'
log: 'srcpip - admin [03/Aug/2017:21:30:44 +0200] "GET / HTTP/1.1" 404 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-24-generic'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: 'srcpip'
srcuser: 'admin'
action: 'GET'
url: '/'
id: '404'
extra_data: 'python-requests/2.2.1'
**Phase 3: Completed filtering (rules).
Rule id: '31101'
Level: '5'
Description: 'Web server 400 error code.'
**Alert to be generated.
Now I can probably add that to the original web-accesslog decoder, or
write a decoder with the same name that builds on it.
For the first, I'd hesitate to do so because the changes would get
overwritten whenever I upgraded. For the second, I'd have to look it
up to remember exactly how to do it.
>
> Kind regards,
> Fredrik
>
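An added example, not from this thread, of the second approach the reply mentions: a child decoder under its own name that only adds the user-agent field on top of the stock web-accesslog decoder (so upgrades do not overwrite it), plus a local rule that alerts when that field starts with python-requests. The decoder name, rule id 100100, the level, and the assumption that 31100 is the grouping rule the web-accesslog rules hang off are mine; the regex is the one from the reply above, reduced to a single capture.

```xml
<!-- local_decoder.xml: child decoder, assumed name; the parent keeps decoding
     srcip, url and id, this only appends the first token of the user-agent
     string as extra_data. Regex taken from the reply above. -->
<decoder name="web-accesslog-useragent">
  <parent>web-accesslog</parent>
  <regex>^\S+ \S+ \S+ [\S+ \S\d+] "\w+ \S+ HTTP\S+" \d+ \d+ \S+ "(\S+) </regex>
  <order>extra_data</order>
</decoder>

<!-- local_rules.xml: rule id and level are assumed local values (100000+ range
     is reserved for local rules). 31100 is assumed to be the "access log
     messages grouped" rule; use 31101 instead to fire only on 4xx responses,
     as in the thread's logtest output. -->
<group name="local,web,">
  <rule id="100100" level="7">
    <if_sid>31100</if_sid>
    <extra_data>^python-requests/</extra_data>
    <description>Web request from a python-requests client (scripted access).</description>
  </rule>
</group>
```

Run the same log line through ossec-logtest after adding both files: Phase 2 should still show decoder 'web-accesslog' with extra_data 'python-requests/2.2.1', and Phase 3 should report rule 100100 instead of 31101.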