Regex-Rule Question


Paul

Oct 5, 2015, 10:39:35 AM
to ossec-list

I cannot seem to see where I am going wrong. When I test my regex with:

/var/ossec/bin/ossec-regex 'DUQUESNE\sFTP\.+Error\p'


against the syslog event of:

Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server 7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21, Client=10.2.3.41:42016><Command=start, Error=220>


I am given results. However, when I have the rule of:

<rule id="100032" level="0">
  <if_sid>1002</if_sid>
  <regex>DUQUESNE\sFTP\.+Error\p</regex>
</rule>

and then run it against logtest, it does not work. Logtest sees it hit rule 1002, then tries the child rules, and completes as rule 1002.


Any help as to what I am doing wrong would be appreciated.

Thanks!

dan (ddp)

Oct 6, 2015, 8:05:31 AM
to ossec...@googlegroups.com
On Mon, Oct 5, 2015 at 10:38 AM, Paul <mur...@heliopause.us> wrote:
> I cannot seem to see where I am going wrong. When I test my regex with:
>
> /var/ossec/bin/ossec-regex 'DUQUESNE\sFTP\.+Error\p'
>
>
>
> against the syslog event of:
>
> Oct 5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server
> 7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21,
> Client=10.2.3.41:42016><Command=start, Error=220>
>
>
>
> I am given results. However, when I have the rule of:
>
> <rule id="100032" level="0">
>
> <if_sid>1002</if_sid>
>
> <regex>DUQUESNE\sFTP\.+Error\p</regex>
>

You're looking at the wrong part of the rule. This will never match
the example you posted.
Here's how ossec-logtest sees the log message:
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
full event: 'Oct 5 10:21:47 DUQUESNE FTP: 220 website.com X2
FTP Server 7.6.3(70179994) FIPS <SessionID=28760006,
Listener=10.2.3.5:21, Client=10.2.3.41:42016><Command=start,
Error=220>'
hostname: 'DUQUESNE'
program_name: 'FTP'
log: '220 website.com X2 FTP Server 7.6.3(70179994) FIPS
<SessionID=28760006, Listener=10.2.3.5:21,
Client=10.2.3.41:42016><Command=start, Error=220>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


Everything in a <regex> or <match> should be on that "log:" line.

> </rule>
>
> and then run it against logtest, it does not work. Log test sees it hit Rule
> 1002 and then tries the child rules and completes as rule 1002.
>
>
>
> Any help as to what I am doing wrong would be appreciated.
>
> Thanks!
>

Paul

Oct 7, 2015, 1:28:11 PM
to ossec-list

Argh... I should have known better than that.

Thank you very much for the help!!


I set the hostname and the program name. Now I was wondering, is there a way of grouping in OSSEC's regex?

I would like to do something like this:

                <regex>Error\p(150|200|220|226|230|331)</regex>

where the 'or' statement would be within the parentheses. Or am I left with doing it like this:

                <match>Error=150|Error=200|Error=220|Error=226|Error=230|Error=331</match>

dan (ddp)

Oct 7, 2015, 1:31:45 PM
to ossec...@googlegroups.com


On Oct 7, 2015 1:28 PM, "Paul" <mur...@heliopause.us> wrote:
>
> argh.......I should have known better than that
>
> Thank you very much for the help!!
>
>  
>
> I set the hostname and the program name. Now I was wondering, is there a way of grouping in ossec's regex?
>
> I would like to do something like this:
>
>                 <regex>Error\p(150|200|220|226|230|331)</regex>
>
> where the 'or' statement would be within the parentheses. Or am I left with doing it like this:
>
>                 <match>Error=150|Error=200|Error=220|Error=226|Error=230|Error=331</match>
>

Unfortunately you'll have to do it the long way (second option).
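To make both of dan's points concrete (the rule's <regex> is tested against the "log:" field that logtest shows after pre-decoding, not against the whole syslog line; and alternation in OSSEC regex is only the flat, top-level "a|b|c" form), here is an added example that is not part of the thread and not OSSEC's own code. It is a Python approximation: a simplified stand-in for logtest's Phase 1 syslog pre-decoding, a translation of the subset of OSSEC regex escapes used here (\s, \p, \., \w, \d, +, *, ^, $, |) into Python re, and a model of <match> as OR'd literal substrings. The sample event is the one from the thread; the SYSLOG_HEADER pattern and the function names are my own, and parentheses are rejected deliberately to mirror the "no grouping" answer rather than to model what OSSEC does internally with them.

```python
import re

# Constructed sample: the syslog event from the thread (syslog "Oct  5" spacing kept).
EVENT = ("Oct  5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server 7.6.3(70179994) FIPS "
         "<SessionID=28760006, Listener=10.2.3.5:21, Client=10.2.3.41:42016>"
         "<Command=start, Error=220>")

# Simplified (assumed) stand-in for ossec-logtest Phase 1 pre-decoding of a BSD-syslog
# header: timestamp, hostname, program_name[pid]:, then the "log" field that
# <regex> and <match> are actually tested against.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<hostname>\S+)\s+"
    r"(?P<program_name>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<log>.*)$")

def predecode(event):
    m = SYSLOG_HEADER.match(event)
    if not m:                       # no syslog header: the whole line is the log field
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m["hostname"], "program_name": m["program_name"], "log": m["log"]}

# OSSEC regex escapes (per the OSSEC "Regular Expression Syntax" docs) mapped to Python
# character classes. '+', '*', '^', '$' and top-level '|' keep their meaning; every other
# character is a literal. Parentheses are rejected on purpose: there is no grouped
# alternation, which is why the long-form <match> in the thread is needed.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9\-@_]", "W": r"[^A-Za-z0-9\-@_]",
    "d": r"[0-9]",           "D": r"[^0-9]",
    "s": r" ",               "S": r"[^ ]",
    "t": r"\t",              ".": r".",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
}

def ossec_regex_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            if i == len(pattern):
                raise ValueError("dangling backslash")
            out.append(_OSSEC_CLASSES.get(pattern[i], re.escape(pattern[i])))  # unknown escape = literal
        elif c in "()":
            raise ValueError("grouping is not supported in OSSEC <regex>")
        elif c in "+*^$|":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def ossec_regex_search(pattern, text):
    """Model of <regex>: unanchored search unless ^ or $ are used."""
    return re.search(ossec_regex_to_python(pattern), text) is not None

def ossec_match(pattern, text):
    """Model of <match>: literal substrings OR'd with '|', optional ^ and $ anchors."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1 if start else 0: len(alt) - 1 if end else len(alt)]
        if start and end:
            ok = text == lit
        elif start:
            ok = text.startswith(lit)
        elif end:
            ok = text.endswith(lit)
        else:
            ok = lit in text
        if ok:
            return True
    return False

def demo(event=EVENT):
    fields = predecode(event)
    broken = r"DUQUESNE\sFTP\.+Error\p"       # the pattern fed to ossec-regex in the thread
    return {
        "fields": fields,
        "broken_vs_full_event": ossec_regex_search(broken, event),         # True: the ossec-regex result
        "broken_vs_log_field": ossec_regex_search(broken, fields["log"]),  # False: why rule 100032 never fires
        "fixed_regex": ossec_regex_search(r"Error\p220", fields["log"]),   # True
        "long_form_match": ossec_match(
            "Error=150|Error=200|Error=220|Error=226|Error=230|Error=331", fields["log"]),  # True
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the same split logtest prints (hostname 'DUQUESNE', program_name 'FTP', and a log field starting at '220 website.com'), the original pattern matching the full line but not the log field, and the flat "Error=150|Error=200|..." form matching where the grouped form would be rejected. Treat the translation as a reading aid only; the authoritative check is still ossec-logtest against the real rule file.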

Paul

Oct 7, 2015, 1:40:13 PM
to ossec-list
Understood. Again, thank you for your help.