On Fri, Mar 13, 2020 at 2:28 PM Olivier Ragain wrote:
>
> Hi,
> I've created a custom decoder:
>
> ^sshd
>
>
>
> sshd-custom
> ^Bad protocol version
> ^\S+ from (\S+) port (\S+)$
> srcip,srcport
>
>
> When I restart the engine to load it, I end up with
Thanks Juan! It's working now.
I did wrong forum enter!
Regards,
On Mon, 14 Oct 2019 at 11:48, Juan Carlos Tello (<juancarlos.te...@wazuh.com>) wrote:
> Hi Diego,
> The issue seems to be the regular expression.
>
> It seems the correct syntax would be:
>
> Brocade-format
>
Hi Diego,
The issue seems to be the regular expression.
It seems the correct syntax would be:
Brocade-format
^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\),
[\S+], \S+, \S+, (\.+)/\S+/(\.+),
user,second
Note that / , [ and ] characters are not escaped, and that the criteria for
extracting
Sorry, my bad Dan, thanks anyway, I have a starting point now.
Regards!
On Mon, 14 Oct 2019 at 10:56, dan (ddp) () wrote:
> On Mon, Oct 14, 2019 at 9:54 AM Diego S wrote:
> >
> > Hi!
> >
> > I tried with an updated version and I'm still getting the same error :S
> >
>
> That's Wazuh. I
On Mon, Oct 14, 2019 at 9:54 AM Diego S wrote:
>
> Hi!
>
> I tried with an updated version and I'm still getting the same error :S
>
That's Wazuh. I don't know enough about their project to help.
>
>
> On Sat, 12 Oct 2019 at 9:12, dan (ddp) () wrote:
>>
>>
>>
>> On Fri, Oct 11, 2019 at
On Fri, Oct 11, 2019 at 2:03 PM Diego S wrote:
> I'm using version 2.0.
>
2.0 is ancient. Not much I can do to help with that.
> I'm not able to find the syntax error.
>
> Thanks!
>
> On Fri, 11 Oct 2019 at 14:51, dan (ddp) () wrote:
>
>> On Fri, Oct 11, 2019 at 1:41 PM Diego S
I'm using version 2.0.
I'm not able to find the syntax error.
Thanks!
On Fri, 11 Oct 2019 at 14:51, dan (ddp) () wrote:
> On Fri, Oct 11, 2019 at 1:41 PM Diego S wrote:
> >
> > Thanks you very much for your response.
> > Let me know if I am wrong. The decoder will be like this:
> >
> >
On Fri, Oct 11, 2019 at 1:41 PM Diego S wrote:
>
> Thanks you very much for your response.
> Let me know if I am wrong. The decoder will be like this:
>
>
> ^\d+\s\w\w\w\w\w,
>
>
>
> Brocade-format
> ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\),
> \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),
>
Thanks you very much for your response.
Let me know if I am wrong. The decoder will be like this:
^\d+\s\w\w\w\w\w,
Brocade-format
^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\),
\[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),
user,second
squid
^\d+ \S+
^\d+ (\S+) (\w+)/(\d+) \d+ \w+
I'm sure it can be cleaned up a lot
On Fri, Oct 11, 2019 at 12:06 PM dan (ddp) wrote:
>
> On Fri, Oct 11, 2019 at 11:49 AM Diego S wrote:
> >
> > Hi everyone!
> >
> > I'm wondering if we already have on ossec a custom decoder according to this
> > kind of log to get the red values.
> >
> > 1022
On Fri, Oct 11, 2019 at 11:49 AM Diego S wrote:
>
> Hi everyone!
>
> I'm wondering if we already have on ossec a custom decoder according to this
> kind of log to get the red values.
>
> 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY,
>
Hi Dan
Thanks for the info, I've been working on this for the last few days and
unfortunately I tried this approach and could not get it to work. In the
end I installed syslog-ng and picked up the info locally from a file/imported
into ossec just like any other log file. This worked like a dream and
On Wed, Jul 25, 2018 at 2:42 PM, mjwoods69 via ossec-list wrote:
> Hi
>
> Trying to get alerting implemented on my nas. Unfortunately my work to date
> has failed, in summary I have:
>
> 1. Identified the log message in /var/ossec/logs/archives/archives.log, this
> is sent from nas to ossec via
Hello Dan!
I was wrong, when the log has 2 digits in the day field, there's only one
space, the way you said it, sorry.
But I still have a problem, as the date is as metadata, how do I decode it
as timestamp?
See in the entry below from the kibana, that the date field is not
recognized as
On Thu, Nov 9, 2017 at 5:12 PM, wrote:
> So, there are 2 spaces between the "MMM" and the day, but it's the pfSense
> log, it's like this. And the problem is when the day has 1 digit; when it has 2
> digits the problem does not occur.
>
>
>> 2 spaces confuses the pre-decoder
>
> And
On Wed, Nov 8, 2017 at 11:52 AM, wrote:
> Hey guys!
> I made a decoder for pfSense, but it is not being recognized by ossec.
>
> Follow the decoder with a log sample:
>
>
>
> pfsense
>
>
>
> ^\w+ \d+ \d+:\d+:\d+ pfSense |\w+ \d+ \d+:\d+:\d+ pfSense
>
>
>
>
>
Indeed it was evaluated first because the level of the rule 2501 (5) is
higher than my rule.
Thank you for your answer !
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it,
Oh ok thank you, you made it clear for me !
Hi Martin,
the problem is that this log also matches with rule 2501 (from Syslog) that
has level 5. Since your rule 100201 has level 1 OSSEC discards it in favor
of rule 2501.
So increasing the level to 6 it should work:
app.ERROR Multiple login attempts bepark.eu/fr/connexion 100201
On Thu, Mar 23, 2017 at 12:41 PM, Martin wrote:
> Hello,
>
> I have this kind of log coming from a custom app
>>
>>
>> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
>> [] []
>
>
> I'm trying to block an IP with too many authentication failures.
>
>
On Apr 4, 2015 9:04 PM, amine.eloui...@um5s.net.ma wrote:
I have also tested the following decoder:
<decoder name="fakeinc_custom">
  <prematch>^Fakeinc: </prematch> without \.+
  <regex offset="after_prematch">^service for: (\w+)@(\S+) \w+</regex>
  <order>srcuser,srcip</order>
i have also tested the following decoder :
*decoder *name=fakeinc_custom
*prematch*^Fakeinc: /*prematch* without \.+
*regex *offset=after_prematch^service for: (\w+)@(\S+) \w+/*regex*
*order*srcuser,srcip/*order*
/*decoder*
and here is the result:
A totally untested response from a mobile device is below.
On Apr 4, 2015 5:43 PM, amine.eloui...@um5s.net.ma wrote:
Hello
I am testing and working on this beautiful tool, but I have a little
decoding problem. Here it is:
My decoder is:
<decoder name="fakeinc_custom">
On Fri, Mar 21, 2014 at 2:35 PM, R Brandt blind.gray.squir...@gmail.com wrote:
I'm having a problem with my custom decoder. I have defined only 2 decoders
under 1 parent. However, only the first decoder works.
If I switch the order of the decoders, the decoder that didn't work before
now
Possibly but I have a whole list of events I'll need to decode and create
rules for so finding out what I or OSSEC is not doing right is needed
anyway.
Thanks
On Friday, March 21, 2014 12:53:17 PM UTC-6, dan (ddpbsd) wrote:
On Fri, Mar 21, 2014 at 2:35 PM, R Brandt
Hi,
I am having a problem with this too. I have tried setting up a custom
decoder and am stuck at phase 3. I can get the first decoder to trigger but
am unable to parse data out of the alert into its corresponding fields.
Pranav
On Oct 17, 2013 4:11 PM, tww0101 tww010...@gmail.com wrote:
I'm new to OSSEC and just got my test environment set up as documented in
the v2.7.0 manual. However, I'm encountering a problem when trying to get
custom built decoder and rules working according to the manual. It appears
to me that
On Fri, Mar 16, 2012 at 7:22 AM, Frank Devlin fdevlin2...@yahoo.com wrote:
I have been receiving alerts from a Windows 2008 server for rule 18152
(multiple logon failures) and I was wondering why the server was not using
active response to blackhole the source IP. I found a few responses on
<decoder name="windows">
  <type>windows</type>
  <parent>windows</parent>
  <regex>Security: (\S+)\((\d+)\): (\S+): (\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>
<decoder name="windows">
  <type>windows</type>
On Aug 12, 2010, at 11:38 AM, dan (ddp) wrote:
ossec/etc/local_decoder.xml
I can't remember how I learned that (probably this list). I will be
looking to add it to the documentation though.
Doh! I never thought about this.. that's really useful,
ossec/etc/local_decoder.xml
I can't remember how I learned that (probably this list). I will be
looking to add it to the documentation though.
On Thu, Aug 12, 2010 at 9:36 AM, reg regoma...@gmail.com wrote:
Hello All,
I have looked around, but I can't seem to find the answer online or in
the
Hi Serge,
You definitely can. In the rule, try the following:
<rule id="100102" level="0">
  <if_sid>1002</if_sid>
  <hostname>/var/log/messages</hostname>
  <description>ignoring from /var/log/messages</description>
</rule>
In this example, it will ignore any alert from rule 1002 that came
from /var/log/messages.