Here is a decoder with action filled out:
<decoder name="ufw-log">
  <parent>iptables</parent>
  <prematch>^\.+ SRC=</prematch>
  <regex>^\.+ [UFW (\S+)] \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
  <regex>\.+ PROTO=(\w+) </regex>
  <regex>\.+ DPT=(\w+) </regex>
  <order>action,srcip,dstip,protocol,dstport</order>
</decoder>
And the rules when running ossec-logtest:
# cat /tmp/xxx | /var/ossec/bin/ossec-logtest -q
2017/05/03 17:30:43 ossec-testrule: INFO: Reading the lists file:
'rules/lists/ossec.block'
2017/05/03 17:30:43 ossec-analysisd: Invalid use of frequency/context
options. Missing if_matched on rule '100101'.
2017/05/03 17:30:43 ossec-testrule(1220): ERROR: Error loading the
rules: 'rules/rules.d//99-local_rules.xml'.
I'm not sure what you've changed in 4100, so I'm removing it from my tests.
It also doesn't look like the log message is matching 4100, so I'll
modify the decoder again:
<decoder name="ufw-log">
  <parent>iptables</parent>
  <prematch>^\.+ SRC=</prematch>
  <regex>^\.+ [UFW (\S+)] \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
  <regex>\.+ PROTO=(\w+) </regex>
  <regex>\.+ DPT=(\w+) </regex>
  <order>action,srcip,dstip,protocol,dstport</order>
  <type>firewall</type>
</decoder>
Now it matches:
**Phase 1: Completed pre-decoding.
full event: 'May 1 05:04:07 buzzell kernel: [2133233.578654]
[UFW BLOCK] IN=enp5s0 OUT=
MAC=b8:97:5a:b1:0b:c6:04:18:d6:f0:7d:51:08:00 SRC=192.168.18.53
DST=192.168.17.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46997 DF
PROTO=TCP SPT=47144 DPT=8880 WINDOW=29200 RES=0x00 SYN URGP=0'
hostname: 'buzzell'
program_name: 'kernel'
log: '[2133233.578654] [UFW BLOCK] IN=enp5s0 OUT=
MAC=b8:97:5a:b1:0b:c6:04:18:d6:f0:7d:51:08:00 SRC=192.168.18.53
DST=192.168.17.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46997 DF
PROTO=TCP SPT=47144 DPT=8880 WINDOW=29200 RES=0x00 SYN URGP=0'
**Phase 2: Completed decoding.
decoder: 'iptables'
action: 'BLOCK'
srcip: '192.168.18.53'
dstip: '192.168.17.8'
proto: 'TCP'
dstport: '8880'
**Phase 3: Completed filtering (rules).
Rule id: '4100'
Level: '0'
Description: 'Firewall rules grouped.'
The sample logs I've used have BLOCK instead of DROP, so I'd modify
the rule like this:
<rule id="100101" level="10" frequency="3" timeframe="60">
  <if_matched_sid>4100</if_matched_sid>
  <action>BLOCK</action>
  <options>alert_by_email</options>
  <description>Firewall drop event.</description>
  <group>firewall_drop,</group>
</rule>
Notice I also changed the if_sid to if_matched_sid, as indicated in the error.
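An added example (mine, not from the post or from OSSEC) that emulates the ufw-log decoder and the frequency rule in Python: it translates the post's decoder regexes to Python's re, decodes constructed kernel lines shaped like the event above, and counts BLOCK events inside a 60-second window. It assumes OSSEC concatenates consecutive <regex> elements into one pattern, and it simplifies OSSEC's frequency counting to "at least N matching events in the window".

```python
import re
from collections import deque
# OSSEC's regex dialect has no character classes: '[' and ']' are literal and
# '\.+' means "any run of characters". Translate the post's decoder to Python re.
def ossec_to_python(pattern):
    return pattern.replace(r"\.+", ".+").replace("[", r"\[").replace("]", r"\]")
# The decoder's three <regex> elements; this example assumes OSSEC joins them
# into one pattern, which is why each ends with a trailing space.
DECODER_REGEX = re.compile(ossec_to_python(
    r"^\.+ [UFW (\S+)] \.+ SRC=(\S+) DST=(\S+) \.+ "
    r"\.+ PROTO=(\w+) "
    r"\.+ DPT=(\w+) "))
ORDER = ["action", "srcip", "dstip", "protocol", "dstport"]
SYSLOG = re.compile(r"^\w+ +\d+ \d\d:\d\d:\d\d (\S+) (\w+): (.*)$")
def decode(line):
    """Pre-decode hostname/program_name/log, apply the prematch, then the regex."""
    m = SYSLOG.match(line)
    if not m or m.group(2) != "kernel" or " SRC=" not in m.group(3):
        return None  # prematch '^\.+ SRC=' failed
    fields = DECODER_REGEX.match(m.group(3))
    return dict(zip(ORDER, fields.groups())) if fields else None

class FrequencyRule:
    """Simplified rule 100101: `frequency` events with the expected action inside a sliding `timeframe` (seconds)."""
    def __init__(self, action="BLOCK", frequency=3, timeframe=60):
        self.action, self.frequency, self.timeframe = action, frequency, timeframe
        self.hits = deque()
    def feed(self, ts, decoded):
        if not decoded or decoded["action"] != self.action:
            return False  # rule 4100 matched but <action> did not
        self.hits.append(ts)
        while ts - self.hits[0] > self.timeframe:
            self.hits.popleft()
        return len(self.hits) >= self.frequency

def run(events, rule):
    """Return the timestamps (seconds) at which the frequency rule fired."""
    return [ts for ts, line in events if rule.feed(ts, decode(line))]
# Constructed sample events shaped like the post's log line (addresses made up).
def kernel_line(action, src, dpt):
    return ("May 1 05:04:07 buzzell kernel: [2133233.578654] [UFW %s] IN=enp5s0 OUT= "
            "MAC=b8:97:5a:b1:0b:c6:04:18:d6:f0:7d:51:08:00 SRC=%s DST=192.168.17.8 LEN=60 "
            "TOS=0x00 PREC=0x00 TTL=63 ID=46997 DF PROTO=TCP SPT=47144 DPT=%s WINDOW=29200 "
            "RES=0x00 SYN URGP=0" % (action, src, dpt))
SAMPLE = [(0, kernel_line("BLOCK", "192.168.18.53", "8880")),
          (20, kernel_line("BLOCK", "192.168.18.53", "22")),
          (30, kernel_line("ALLOW", "192.168.18.54", "80")),    # not a BLOCK
          (45, kernel_line("BLOCK", "192.168.18.55", "443")),   # third BLOCK in 60 s
          (200, kernel_line("BLOCK", "192.168.18.53", "8880"))] # window has expired
```

`run(SAMPLE, FrequencyRule())` returns `[45]`: the ALLOW line is decoded but not counted, and the event at 200 s starts a fresh window.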