Re: [ossec-list] Custom decoder failing to load

2020-03-16 Thread dan (ddp)
On Fri, Mar 13, 2020 at 2:28 PM Olivier Ragain wrote: > > Hi, > I've created a custom decoder: > > ^sshd > > > > sshd-custom > ^Bad protocol version > ^\S+ from (\S+) port (\S+)$ > srcip,srcport > > > When I restart the engine to load it, I end up with

Re: [ossec-list] Custom Decoder

2019-10-14 Thread Diego S
Thanks Juan! It's working now. I entered the wrong forum! Regards, On Mon, 14 Oct 2019 at 11:48, Juan Carlos Tello (< juancarlos.te...@wazuh.com>) wrote: > Hi Diego, > The issue seems to be the regular expression. > > It seems the correct syntax would be: > > Brocade-format >

Re: [ossec-list] Custom Decoder

2019-10-14 Thread Juan Carlos Tello
Hi Diego, The issue seems to be the regular expression. It seems the correct syntax would be: Brocade-format ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+), user,second Note that / , [ and ] characters are not escaped, and that the criteria for extracting

Re: [ossec-list] Custom Decoder

2019-10-14 Thread Diego S
Sorry, my bad Dan, thanks anyway, I have a starting point now. Regards! On Mon, 14 Oct 2019 at 10:56, dan (ddp) () wrote: > On Mon, Oct 14, 2019 at 9:54 AM Diego S wrote: > > > > Hi! > > > > I tried with an updated version and I'm still getting the same error :S > > > > That's Wazuh. I

Re: [ossec-list] Custom Decoder

2019-10-14 Thread dan (ddp)
On Mon, Oct 14, 2019 at 9:54 AM Diego S wrote: > > Hi! > > I tried with an updated version and I'm still getting the same error :S > That's Wazuh. I don't know enough about their project to help. > > > On Sat, 12 Oct 2019 at 9:12, dan (ddp) () wrote: >> >> >> >> On Fri, Oct 11, 2019 at

Re: [ossec-list] Custom Decoder

2019-10-12 Thread dan (ddp)
On Fri, Oct 11, 2019 at 2:03 PM Diego S wrote: > I'm using version 2.0. > 2.0 is ancient. Not much I can do to help with that. > I'm not able to find the syntax error. > > Thanks! > > On Fri, 11 Oct 2019 at 14:51, dan (ddp) () > wrote: > >> On Fri, Oct 11, 2019 at 1:41 PM Diego S

Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
I'm using version 2.0. I'm not able to find the syntax error. Thanks! On Fri, 11 Oct 2019 at 14:51, dan (ddp) () wrote: > On Fri, Oct 11, 2019 at 1:41 PM Diego S wrote: > > > > Thank you very much for your response. > > Let me know if I am wrong. The decoder will be like this: > > > >

Re: [ossec-list] Custom Decoder

2019-10-11 Thread dan (ddp)
On Fri, Oct 11, 2019 at 1:41 PM Diego S wrote: > > Thank you very much for your response. > Let me know if I am wrong. The decoder will be like this: > > > ^\d+\s\w\w\w\w\w, > > > > Brocade-format > ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), > \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+), >

Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
Thank you very much for your response. Let me know if I am wrong. The decoder will be like this: ^\d+\s\w\w\w\w\w, Brocade-format ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+), user,second squid ^\d+ \S+ ^\d+ (\S+) (\w+)/(\d+) \d+ \w+

Re: [ossec-list] Custom Decoder

2019-10-11 Thread dan (ddp)
I'm sure it can be cleaned up a lot On Fri, Oct 11, 2019 at 12:06 PM dan (ddp) wrote: > > On Fri, Oct 11, 2019 at 11:49 AM Diego S wrote: > > > > Hi everyone! > > > > I'm wondering if we already have on ossec a custom decoder according to this > > kind of log to get the red values. > > > > 1022

Re: [ossec-list] Custom Decoder

2019-10-11 Thread dan (ddp)
On Fri, Oct 11, 2019 at 11:49 AM Diego S wrote: > > Hi everyone! > > I'm wondering if we already have on ossec a custom decoder according to this > kind of log to get the red values. > > 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, >

Re: [ossec-list] custom decoder & rules for nas device

2018-07-27 Thread mjwoods69 via ossec-list
Hi Dan, thanks for the info. I've been working on this for the last few days and unfortunately I tried this approach and could not get it to work. In the end I installed syslog-ng & picked up the info locally from a file, importing it into ossec just like any other log file. This worked like a dream and

Re: [ossec-list] custom decoder & rules for nas device

2018-07-27 Thread dan (ddp)
On Wed, Jul 25, 2018 at 2:42 PM, mjwoods69 via ossec-list wrote: > Hi > > Trying to get alerting implemented on my nas. Unfortunately my work to date > has failed, in summary I have: > > 1. Identified the log message in /var/ossec/logs/archives/archives.log, this > is sent from nas to ossec via

Re: [ossec-list] Custom decoder not recognized

2017-11-13 Thread rwag . fer
Hello Dan! I was wrong: when the log has 2 digits in the day field, there's only one space, the way you said it, sorry. But I still have a problem: as the date is metadata, how do I decode it as a timestamp? See in the entry below from Kibana that the date field is not recognized as

Re: [ossec-list] Custom decoder not recognized

2017-11-11 Thread dan (ddp)
On Thu, Nov 9, 2017 at 5:12 PM, wrote: > So, there are 2 spaces between the "MMM" and the day, but it's the pfSense > log, it's like this. And the problem is when the day has 1 digit; when it has 2 > digits the problem does not occur. > > >> 2 spaces confuses the pre-decoder > > And

Re: [ossec-list] Custom decoder not recognized

2017-11-09 Thread dan (ddp)
On Wed, Nov 8, 2017 at 11:52 AM, wrote: > Hey guys! > I made a decoder for pfSense, but it is not being recognized by ossec. > > Following is the decoder with a log sample: > > > > pfsense > > > > ^\w+ \d+ \d+:\d+:\d+ pfSense |\w+ \d+ \d+:\d+:\d+ pfSense > > > > >

Re: [ossec-list] Custom decoder & rules not working

2017-03-24 Thread Martin
Indeed it was evaluated first because the level of the rule 2501 (5) is higher than my rule. Thank you for your answer ! -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it,

Re: [ossec-list] Custom decoder & rule not working

2017-03-24 Thread Martin
Oh ok thank you, you made it clear for me !

Re: [ossec-list] Custom decoder & rule not working

2017-03-23 Thread Victor Fernandez
Hi Martin, the problem is that this log also matches rule 2501 (from Syslog), which has level 5. Since your rule 100201 has level 1, OSSEC discards it in favor of rule 2501. So if you increase the level to 6, it should work: app.ERROR Multiple login attempts bepark.eu/fr/connexion 100201

Re: [ossec-list] Custom decoder & rules not working

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:41 PM, Martin wrote: > Hello, > > I have this kind of log coming from a custom app >> >> >> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 >> [] [] > > > I'm trying to block an IP with too many authentication failures. > >

Re: [ossec-list] Custom decoder issue

2015-04-06 Thread dan (ddp)
On Apr 4, 2015 9:04 PM, amine.eloui...@um5s.net.ma wrote: I have also tested the following decoder : <decoder name="fakeinc_custom"> <prematch>^Fakeinc: </prematch> without \.+ <regex offset="after_prematch">^service for: (\w+)@(\S+) \w+</regex> <order>srcuser,srcip</order>

Re: [ossec-list] Custom decoder issue

2015-04-04 Thread amine . elouissi
I have also tested the following decoder : <decoder name="fakeinc_custom"> <prematch>^Fakeinc: </prematch> without \.+ <regex offset="after_prematch">^service for: (\w+)@(\S+) \w+</regex> <order>srcuser,srcip</order> </decoder> and here is the result:

Re: [ossec-list] Custom decoder issue

2015-04-04 Thread dan (ddp)
A totally untested response from a mobile device is below. On Apr 4, 2015 5:43 PM, amine.eloui...@um5s.net.ma wrote: Hello, I am testing and working on this beautiful tool, but I have a little decoding problem. Here it is: My decoder is: <decoder name="fakeinc_custom">

Re: [ossec-list] Custom decoder only decodes first decoder, not second.

2014-03-21 Thread dan (ddp)
On Fri, Mar 21, 2014 at 2:35 PM, R Brandt blind.gray.squir...@gmail.com wrote: I'm having a problem with my custom decoder. I have defined only 2 decoders under 1 parent. However, only the first decoder works. If I switch the order of the decoders, the decoder that didn't work before now

Re: [ossec-list] Custom decoder only decodes first decoder, not second.

2014-03-21 Thread R Brandt
Possibly but I have a whole list of events I'll need to decode and create rules for so finding out what I or OSSEC is not doing right is needed anyway. Thanks On Friday, March 21, 2014 12:53:17 PM UTC-6, dan (ddpbsd) wrote: On Fri, Mar 21, 2014 at 2:35 PM, R Brandt

RE: [ossec-list] Custom Decoder and Rules

2013-10-17 Thread Pranav Lal
Hi, I am having a problem with this too. I have tried setting up a custom decoder and am stuck at phase 3. I can get the first decoder to trigger but am unable to parse data out of the alert into its corresponding fields. Pranav

Re: [ossec-list] Custom Decoder and Rules

2013-10-17 Thread dan (ddp)
On Oct 17, 2013 4:11 PM, tww0101 tww010...@gmail.com wrote: I'm new to OSSEC and just got my test environment set up as documented in the v2.7.0 manual. However, I'm encountering a problem when trying to get custom built decoder and rules working according to the manual. It appears to me that

Re: [ossec-list] Custom decoder to pull source IP for rule 18152

2012-03-16 Thread dan (ddp)
On Fri, Mar 16, 2012 at 7:22 AM, Frank Devlin fdevlin2...@yahoo.com wrote: I have been receiving alerts from a Windows 2008 server for rule 18152 (multiple logon failures) and I was wondering why the server was not using active response to blackhole the source IP. I found a few responses on

Re: [ossec-list] Custom decoder to pull source IP for rule 18152

2012-03-16 Thread dan (ddp)
<decoder name="windows"> <type>windows</type> <parent>windows</parent> <regex>Security: (\S+)\((\d+)\): (\S+): (\.+): \.+: (\S+): </regex> <order>status, id, extra_data, user, system_name</order> <fts>name, location, user, system_name</fts> </decoder> <decoder name="windows"> <type>windows</type>

Re: [ossec-list] custom decoder

2010-08-18 Thread Jason 'XenoPhage' Frisvold
On Aug 12, 2010, at 11:38 AM, dan (ddp) wrote: ossec/etc/local_decoder.xml I can't remember how I learned that (probably this list). I will be looking to add it to the documentation though. Doh! I never thought about this.. that's really useful,

Re: [ossec-list] custom decoder

2010-08-13 Thread dan (ddp)
ossec/etc/local_decoder.xml I can't remember how I learned that (probably this list). I will be looking to add it to the documentation though. On Thu, Aug 12, 2010 at 9:36 AM, reg regoma...@gmail.com wrote: Hello All, I have looked around, but I can't seem to find the answer online or in the

Re: [ossec-list] Custom decoder

2010-04-01 Thread Daniel Cid
Hi Serge, You definitely can. In the rule, try the following: <rule id="100102" level="0"> <if_sid>1002</if_sid> <hostname>/var/log/messages</hostname> <description>ignoring from /var/log/messages</description> </rule> In this example, it will ignore any alert from rule 1002 that came from /var/log/messages.