Custom decoder failing to load
14 views
Skip to first unread message
Olivier Ragain
Mar 13, 2020, 2:28:32 PM3/13/20
to ossec-list
Hi,
I've created a custom decoder:
<decoder name="sshd-custom">
<program_name>^sshd</program_name>
</decoder>
<decoder name="sshd-bad-protocol-version">
<parent>sshd-custom</parent>
<prematch>^Bad protocol version</prematch>
<regex offset="after_prematch">^\S+ from (\S+) port (\S+)$</regex>
<order>srcip,srcport</order>
</decoder>When I restart the engine to load it, I end up with the following error:
2020/03/13 18:21:54 ossec-testrule: INFO: Reading decoder file decoders/ssh_decoder.xml.
2020/03/13 18:21:54 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
2020/03/13 18:21:54 ossec-testrule: INFO: Reading the lists file: 'lists/approved_scanners_list'
2020/03/13 18:21:54 ossec-analysisd: Invalid decoder name: 'pam'.
2020/03/13 18:21:54 ossec-testrule(1220): ERROR: Error loading the rules: 'pam_rules.xml'.Where is the error in my decoder?
Thanks
dan (ddp)
Mar 16, 2020, 6:53:53 AM3/16/20
to ossec...@googlegroups.com
Which version of OSSEC are you using?
> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/9e0d792c-1b50-43fb-86e9-71d229dd17bd%40googlegroups.com.
Olivier Ragain
Mar 16, 2020, 8:14:19 AM3/16/20
to ossec-list
Hi,
So, I've created the local_decoder.xml file in the etc folder and put my decoder code in it and it is working. I am using version 3.6.0
Thanks
Olivier Ragain
Mar 16, 2020, 8:16:34 AM3/16/20
to ossec-list
Hi,
So now the question is, why does it not work when i use: <decoder_dir>decoders</decoder_dir> configuration in the ossec.conf file ? I see that it is loading the file from the logs, but it fails to log the decoder information itself and then ossec wont start.
Can anyone explain how to use the decoder_dir configuration element ?
I want to put all custom rules / decoders / lists in their own folder so that when updates happen, I dont get wiped or impacted for some update reasons.
Thanks
dan (ddp)
Mar 16, 2020, 8:46:58 AM3/16/20
to ossec...@googlegroups.com
I haven't used decoder_dir in a while, but it always worked in the past for me.
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
dan (ddp)
Mar 16, 2020, 8:50:57 AM3/16/20
to ossec...@googlegroups.com
On Mon, Mar 16, 2020 at 8:43 AM dan (ddp) <ddp...@gmail.com> wrote:
>
> On Mon, Mar 16, 2020 at 8:16 AM Olivier Ragain
> <ora...@instreamcanada.com> wrote:
> >
> > Hi,
> > So now the question is, why does it not work when i use: <decoder_dir>decoders</decoder_dir> configuration in the ossec.conf file ? I see that it is loading the file from the logs, but it fails to log the decoder information itself and then ossec wont start.
> > Can anyone explain how to use the decoder_dir configuration element ?
> > I want to put all custom rules / decoders / lists in their own folder so that when updates happen, I dont get wiped or impacted for some update reasons.
> > Thanks
> >
>
> Can you provide the configuration you tried?
> I haven't used decoder_dir in a while, but it always worked in the past for me.
>
Using this allowed `ossec-logtest -t` to work for me:
>
> On Mon, Mar 16, 2020 at 8:16 AM Olivier Ragain
> <ora...@instreamcanada.com> wrote:
> >
> > Hi,
> > So now the question is, why does it not work when i use: <decoder_dir>decoders</decoder_dir> configuration in the ossec.conf file ? I see that it is loading the file from the logs, but it fails to log the decoder information itself and then ossec wont start.
> > Can anyone explain how to use the decoder_dir configuration element ?
> > I want to put all custom rules / decoders / lists in their own folder so that when updates happen, I dont get wiped or impacted for some update reasons.
> > Thanks
> >
>
> Can you provide the configuration you tried?
> I haven't used decoder_dir in a while, but it always worked in the past for me.
>
<rules>
<decoder>etc/decoder.xml</decoder>
<decoder>etc/local_decoder.xml</decoder>
<decoder_dir>etc/decoders.d</decoder_dir>
Olivier Ragain
Mar 23, 2020, 8:35:50 AM3/23/20
to ossec-list
Hi
Sorry for the delay in answering.
The error I get:
2020/03/23 12:28:25 ossec-testrule: INFO: Reading decoder file etc/custom/local_decoder.xml.
2020/03/23 12:28:25 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
2020/03/23 12:28:25 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
The configuration:
<rules>
<decoder_dir>etc/custom</decoder_dir>
...
<decoder_dir>etc/custom</decoder_dir>
...
Thanks
dan (ddp)
Mar 27, 2020, 1:31:49 PM3/27/20
to ossec...@googlegroups.com
need to add it to the config.
>
> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/c942ab6b-6d80-4e24-8b37-6a31d8d196cf%40googlegroups.com.
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages