On Wed, Nov 8, 2017 at 11:52 AM,  <[email protected]> wrote:
> Hey guys!
> I made a decoder for pfSense, but it is not being recognized by ossec.
>
> Here is the decoder with a log sample:
>
> <!-- Nov  7 12:37:34 pfSense filterlog:
> 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17500,166
> -->
> <decoder name="pfsense">
>   <program_name>pfsense</program_name>
> </decoder>
>
> <decoder name="pfsense">
>     <prematch>^\w+  \d+ \d+:\d+:\d+ pfSense |\w+ \d+ \d+:\d+:\d+ pfSense
> </prematch>
> </decoder>
>
> <decoder name="pfsense_filter">
>   <parent>pfsense</parent>
>   <regex offset="after_parent">^filterlog:
> \d+,,,\d+,\S+,\w+,\w+,\w+,\d+,\S+,,\d+,\d+,\d+,none,\d+,udp,\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),\d+,\d+,\d+$</regex>
>   <order>srcip, dstip</order>
> </decoder>
>
> I put it in the decoders folder and tested it with ossec-logtest; here is
> the output:
>
> I'd like to know what's wrong.
>

Here is the output of the log sample before adding a decoder:
**Phase 1: Completed pre-decoding.
       full event: 'Nov  7 12:37:34 pfSense filterlog:
5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17500,166'
       hostname: 'pfSense'
       program_name: 'filterlog'
       log: 
'5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17500,166'

**Phase 2: Completed decoding.
       No decoder matched.


Pay close attention to the "log:" line. Everything before that in the
log message won't be parsed by decoders. It's metadata, and it's taken
care of in pre-decoding. You can see the hostname and program there in
Phase 1.

Let's try your first decoder:
<decoder name="pfsense">
  <program_name>^filterlog</program_name>
</decoder>

Adding this simple decoder to `/var/ossec/etc/local_decoder.xml` gives
us the following output:
**Phase 1: Completed pre-decoding.
       full event: 'Nov  7 12:37:34 pfSense filterlog:
5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17500,166'
       hostname: 'pfSense'
       program_name: 'filterlog'
       log: 
'5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17500,166'

**Phase 2: Completed decoding.
       decoder: 'pfsense'

So now Phase 2 matches the pfsense decoder, but we want more. We can
take one of your other decoders, remove some bits the decoder doesn't
see, and get some useful information. Here's what I ended up with:
<decoder name="pfsense_filter">
  <parent>pfsense</parent>
  <regex offset="after_parent">^\d+,,,\d+,\S+,\w+,\w+,\w+,\d+,\S+,,\d+,\d+,\d+,none,\d+,udp,\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),\d+,\d+,\d+$</regex>
  <order>srcip, dstip</order>
</decoder>

In your decoder the <regex> started with '^filterlog', but as we see
from the 'log:' entry in the logtest output, the decoders do not see
that information. It's covered by the first decoder, which looks for
the program_name that the pre-decoder already extracted (easy,
right?).
Here's the output I get after adding this decoder to local_decoder.xml:
**Phase 1: Completed pre-decoding.
       full event: 'Nov  7 12:37:34 pfSense filterlog:
5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17500,166'
       hostname: 'pfSense'
       program_name: 'filterlog'
       log: 
'5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17500,166'

**Phase 2: Completed decoding.
       decoder: 'pfsense'
       srcip: '10.9.0.119'
       dstip: '10.9.0.255'

We now have src and dst IPs.



-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
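To make the two logtest phases concrete, here is an added Python simulation (not OSSEC's code and not from this thread) that mimics pre-decoding of the sample line and then runs both the original `^filterlog:` regex and the corrected one against only the 'log:' part; the syslog header pattern, the `predecode`/`decode` names and the Python translation of the OSSEC regex syntax are assumptions.

```python
import re

# Constructed sample: the pfSense filterlog line quoted in the thread.
SAMPLE = ("Nov  7 12:37:34 pfSense filterlog: "
          "5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,"
          "10.9.0.119,10.9.0.255,17500,17500,166")

# Phase 1 stand-in (assumed pattern): peel off timestamp, hostname and
# program_name so that only the 'log' remainder reaches any decoder <regex>.
HEADER_RE = re.compile(r"^(\w{3}\s+\d+ \d+:\d+:\d+) (\S+) ([^:\s]+): ?(.*)$")

def predecode(event):
    m = HEADER_RE.match(event)
    if not m:
        return {"log": event}  # no syslog header: the whole line is the log
    ts, host, prog, log = m.groups()
    return {"timestamp": ts, "hostname": host, "program_name": prog, "log": log}

# Phase 2 stand-in: the field body from the thread's <regex>, in Python re
# syntax (\d, \w and \S carry over; the unescaped '.' in the IP groups is
# kept exactly as the thread wrote it, so it matches any character there).
BODY = (r"\d+,,,\d+,\S+,\w+,\w+,\w+,\d+,\S+,,\d+,\d+,\d+,none,\d+,udp,\d+,"
        r"(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),\d+,\d+,\d+$")
ORIGINAL_RE = re.compile(r"^filterlog: " + BODY)  # OP's version: wants 'filterlog:' in the log
FIXED_RE = re.compile(r"^" + BODY)                # reply's version: starts at the first field

def decode(event, regex, order=("srcip", "dstip")):
    """Apply the parent check (program_name ^filterlog) and then the child regex."""
    fields = predecode(event)
    if not fields.get("program_name", "").startswith("filterlog"):
        return None  # parent decoder 'pfsense' does not match
    m = regex.match(fields["log"])
    if not m:
        return None  # child decoder 'pfsense_filter' does not match
    return dict(zip(order, m.groups()))  # <order>srcip, dstip</order>

if __name__ == "__main__":
    print(predecode(SAMPLE))
    print("original regex:", decode(SAMPLE, ORIGINAL_RE))
    print("fixed regex:   ", decode(SAMPLE, FIXED_RE))
```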
