parent usage in local_decoder.xml


Dave Vehrs

May 21, 2016, 1:58:35 PM
to ossec-list
Hi all,

I'm sure I'm overlooking something simple but I've run into a small issue with the standard iptables decoders in ossec_decoders/kernel-iptables_apparmor_decoders.xml

The problem I have is that the patterns described in the various decoders in this file do not match the pattern that I use for Iptables logs.  Simple issue, right?

Examples of my logs:
May 21 05:56:10 agora kernel: [25811.034035] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=14.160.56.206 DST=192.168.0.3 LEN=52 TOS=0x08 PREC=0x20 TTL=117 ID=21885 DF PROTO=TCP SPT=56689 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 
May 21 06:00:25 agora kernel: [26065.545901] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=42.114.164.226 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=21576 DF PROTO=TCP SPT=59826 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 
May 21 06:12:36 agora kernel: [26796.745515] IPT: GEOIP LATVIA DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=195.3.144.85 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=3941 DF PROTO=TCP SPT=62658 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 
May 21 07:02:09 agora kernel: [   47.395341] IPT: Stealth Scan Reject: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:b8:ae:ed:78:1b:20:08:00 SRC=192.168.0.55 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=14452 DF PROTO=TCP SPT=54776 DPT=25 SEQ=1191919764 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 

The problem with the patterns in kernel-iptables_apparmor_decoders.xml is that they commonly seem to use a single word for the iptables log prefix or start with "Shorewall", neither of which works for me.

Now, I have been able to write a decoder that works with these logs.  It is:

<decoder name="local_iptables">
  <parent>iptables</parent>
  <regex offset="after_parent">^[\s*\d+.\d+] ipt: \.+ (\S+): in=\.+ src=(\S+) dst=(\S+) </regex>
  <order>action,srcip,dstip</order>
</decoder>

However, this only works if I place it in ossec_decoders/kernel-iptables_apparmor_decoders.xml.  If I move it to local_decoder.xml, it appears never to be seen.

Included in that file, the output of ossec-logtest is:
May 21 07:06:25 agora kernel: [  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 

**Phase 1: Completed pre-decoding.
       full event: 'May 21 07:06:25 agora kernel: [  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
       hostname: 'agora'
       program_name: 'kernel'
       log: '[  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
**Phase 2: Completed decoding.
       decoder: 'iptables'
       action: 'DROP'
       srcip: '116.110.88.148'
       dstip: '192.168.0.3'

However when that decoder is included in local_decoder.xml, the output of ossec-logtest is:
May 21 07:06:25 agora kernel: [  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 

**Phase 1: Completed pre-decoding.
       full event: 'May 21 07:06:25 agora kernel: [  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
       hostname: 'agora'
       program_name: 'kernel'
       log: '[  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 '
**Phase 2: Completed decoding.
       decoder: 'iptables'

So the question I have is how I can enable parent from within local_decoder.xml?  I appear to have the basic syntax right, but something is different when it changes which file it's in.

And I do believe it should be enabled for both cases, because in my ossec.conf, I have three lines:
<decoder_dir>etc/ossec_decoders</decoder_dir>
<decoder_dir>etc/wazuh_decoders</decoder_dir>
<decoder>etc/local_decoder.xml</decoder>

Any ideas?  Or did I just skip part of the RTFM?

Thanks,

Dave

Jesus Linares

May 23, 2016, 4:22:33 AM
to ossec-list
Hi Dave,

I found the problem. The last decoder in kernel-iptables_apparmor_decoders.xml doesn't have a prematch tag. I fixed it here, just add that line. Usually, every decoder should have a prematch because when OSSEC matches a decoder just with regex it doesn't continue looking for the next decoder.

Now, you can place your decoder in local_decoder.xml and it will work. I recommend you use prematch in your decoder too.

<decoder name="local_iptables">
  <parent>iptables</parent>
  <prematch>^[\s*\d+.\d+] ipt:</prematch>
  <regex offset="after_prematch">(\S+): in=\.+ src=(\S+) dst=(\S+) </regex>
  <order>action,srcip,srcdst</order>
</decoder>

**Phase 1: Completed pre-decoding.
       full event: 'May 21 07:06:25 agora kernel: [  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'
       hostname: 'agora'
       program_name: 'kernel'
       log: '[  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       action: 'DROP'
       srcip: '116.110.88.148'
       srcdst: '192.168.0.3'



Regards,
Jesus Linares.

Jesus Linares

May 23, 2016, 4:32:28 AM
to ossec-list
Also, I will fix the issue in the next Wazuh release, so you will not need to use a custom decoder. Likely I will change the name to something more readable as ossec_decoders/kernel_decoders.xml.

Thanks.

Dave Vehrs

May 24, 2016, 8:04:21 PM
to ossec-list


On Monday, May 23, 2016 at 2:22:33 AM UTC-6, Jesus Linares wrote:
Hi Dave,

I found the problem. The last decoder in kernel-iptables_apparmor_decoders.xml doesn't have a prematch tag. I fixed it here, just add that line. Usually, every decoder should have a prematch because when OSSEC matches a decoder just with regex it doesn't continue looking for the next decoder.

Now, you can place your decoder in local_decoder.xml and it will work. I recommend you use prematch in your decoder too.

<decoder name="local_iptables">
  <parent>iptables</parent>
  <prematch>^[\s*\d+.\d+] ipt:</prematch>
  <regex offset="after_prematch">(\S+): in=\.+ src=(\S+) dst=(\S+) </regex>
  <order>action,srcip,srcdst</order>
</decoder>

**Phase 1: Completed pre-decoding.
       full event: 'May 21 07:06:25 agora kernel: [  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'
       hostname: 'agora'
       program_name: 'kernel'
       log: '[  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       action: 'DROP'
       srcip: '116.110.88.148'
       srcdst: '192.168.0.3'



Thank you, but it still doesn't work.  First there is the issue that 'srcdst' produces an error, but even if I fix that to read 'dstip', it stops at the same point that it did without the prematch.

Unfortunately I thought it might be an issue that was fixed in an update so I updated my git copy and installed it.  Now I get a whole different set of errors.

Starting with decoder.xml not being copied into the installation directory and followed by ossec-logtest resulting in reports like:
2016/05/24 17:47:42 ossec-analysisd(2102): ERROR: Duplicated decoder with prematch: 'pam-ruser'.

And if I fix that one (because one of the duplicates should really be named pam-rhost rather than pam-ruser) it goes on to complain about other duplicates.

So something changed in the update and it didn't update all the files.  

I'm looking into it and hopefully will soon get to a point I can test your idea.

Thanks again,

Dave



Dave Vehrs

May 24, 2016, 10:30:37 PM
to ossec-list


On Tuesday, May 24, 2016 at 6:04:21 PM UTC-6, Dave Vehrs wrote:

Unfortunately I thought it might be an issue that was fixed in an update so I updated my git copy and installed it.  Now I get a whole different set of errors.

Starting with decoder.xml not being copied into the installation directory and followed by ossec-logtest resulting in reports like:
2016/05/24 17:47:42 ossec-analysisd(2102): ERROR: Duplicated decoder with prematch: 'pam-ruser'.

And if I fix that one (because one of the duplicates should really be named pam-rhost rather than pam-ruser) it goes on to complain about other duplicates.

So something changed in the update and it didn't update all the files.  

I'm looking into it and hopefully will soon get to a point I can test your idea.


OK, I've got the update to OSSEC 2.9 working and I figured out what you meant by the lacking prematch tag in the last decoder in kernel-iptables_apparmor_decoders.xml.  It was the decoder for USB!  Now I haven't quite figured out what prematch statement to add to it yet, but if I comment out that decoder entirely then mine works from local_decoder.xml.

And I think I'm beginning to understand the basics of how these decoders should go together and how interdependent they are.  In the future when I run into a similar issue I will know to look beyond whatever little snippet I have written.

Thanks!

Dave 

Dave Vehrs

May 24, 2016, 10:35:19 PM
to ossec-list
Oh and if I follow the links in your reply you have already shown me the prematch to add!

It's days like this that I almost feel like a blind man; the answer was there for me all along!

It's now all working and I will take the lesson to slow down to read & consider what is said in the replies before I rush off in some attempted fix.

Thanks again!

Dave

Jesus Linares

May 25, 2016, 4:08:27 AM
to ossec-list
Hi Dave,

That happens. Maybe I didn't explain it very well.

Just add a prematch to the USB decoder in kernel-iptables_apparmor_decoders.xml and use this decoder in your local_decoder file:

<decoder name="local_iptables">
  <parent>iptables</parent>
  <prematch>^[\s*\d+.\d+] ipt:</prematch>
  <regex offset="after_prematch">(\S+): in=\.+ src=(\S+) dst=(\S+) </regex>
  <order>action,srcip,dstip</order>
</decoder>

I'm glad to help!

Regards.
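Added illustration (not code from the thread, nor from OSSEC or Wazuh): a small Python model of how a parent's child decoders are walked, reproducing the behaviour the thread describes. A child whose <prematch> fails is skipped and the next sibling is tried; a child that has only a <regex> (like the shipped USB decoder Dave found) ends decoding when that regex fails, so a decoder loaded later from local_decoder.xml is never reached. Assumptions, all labelled in the code: the shipped `iptables` parent selects on program name only (consistent with Dave's `offset="after_parent"` regex starting at `^[`), the USB decoder's name and pattern are made up since the page does not show them, and the USB log line is constructed. The two iptables lines are the thread's own. OSSEC's regex dialect is translated to Python for the subset used here (`\.` means any character, `.` and `[` are literal, matching is case-insensitive). Note that ossec-logtest reports the parent's name when a child matches, whereas this model returns the child's name so the difference is visible.

```python
"""Model of OSSEC's parent/child decoder walk, and why a sibling without
<prematch> can shadow a child declared later in local_decoder.xml."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# OSSEC regex dialect -> Python re, for the subset used in this thread.
# In OSSEC "\." means any character, while '.', '[' and ']' are literal.
_OSSEC_CLASSES = {
    "w": "[A-Za-z0-9@_-]", "W": "[^A-Za-z0-9@_-]",
    "d": "[0-9]", "D": "[^0-9]",
    "s": r"\s", "S": r"\S", "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    ".": ".",
}


def ossec_to_python(pattern: str) -> "re.Pattern":
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))  # \( \) \$ \| \\ stay literal
            i += 2
            continue
        out.append(ch if ch in "()^$|+*" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)  # OSSEC matching is case-insensitive


@dataclass
class Decoder:
    name: str
    parent: Optional[str] = None
    program_name: Optional[str] = None   # <program_name>, matched against the syslog program
    prematch: Optional[str] = None
    regex: Optional[str] = None
    regex_offset: str = ""               # "", "after_parent" or "after_prematch"
    order: List[str] = field(default_factory=list)


_SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")


def predecode(event: str) -> Tuple[str, str, str]:
    """Phase 1: split a syslog line into (hostname, program_name, log)."""
    m = _SYSLOG.match(event)
    if not m:
        raise ValueError("not a syslog line: %r" % event)
    return m.group(1), m.group(2), m.group(3)


def decode(event: str, decoders: List[Decoder]) -> Tuple[Optional[str], Dict[str, str]]:
    """Phase 2: returns (name of the decoder that matched, extracted fields).
    Children are tried in load order (shipped files first, local_decoder.xml last)."""
    _, program, log = predecode(event)
    for parent in (d for d in decoders if d.parent is None):
        if parent.program_name and not ossec_to_python(parent.program_name).search(program):
            continue
        pmatch = log
        if parent.prematch:
            m = ossec_to_python(parent.prematch).search(log)
            if not m:
                continue
            pmatch = log[m.end():]
        for child in (d for d in decoders if d.parent == parent.name):
            llog = pmatch if child.regex_offset == "after_parent" else log
            if child.prematch:
                m = ossec_to_python(child.prematch).search(log)
                if not m:
                    continue                       # prematch failed: try the next sibling
                if child.regex_offset == "after_prematch":
                    llog = log[m.end() + 1:]       # OSSEC skips the character after the prematch
                if not child.regex:
                    return child.name, {}          # prematch-only child: terminal match
            if child.regex:
                m = ossec_to_python(child.regex).search(llog)
                if m:
                    return child.name, dict(zip(child.order, m.groups()))
                return parent.name, {}             # regex failed: the walk stops here (get_next, unused in this thread, is the exception)
        return parent.name, {}
    return None, {}


# Sample events: the first two are the thread's own lines, the USB line is constructed.
IPT_LINE = ("May 21 07:06:25 agora kernel: [  303.966106] IPT: GEOIP VIETNAM DROP: IN=eth0 OUT= "
            "MAC=54:9f:35:20:cf:e4:c8:6c:87:6d:29:00:08:00 SRC=116.110.88.148 DST=192.168.0.3 LEN=52 "
            "TOS=0x00 PREC=0x00 TTL=110 ID=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 ")
STEALTH_LINE = ("May 21 07:02:09 agora kernel: [   47.395341] IPT: Stealth Scan Reject: IN=eth0 OUT= "
                "MAC=54:9f:35:20:cf:e4:b8:ae:ed:78:1b:20:08:00 SRC=192.168.0.55 DST=192.168.0.3 LEN=40 "
                "TOS=0x00 PREC=0x00 TTL=64 ID=14452 DF PROTO=TCP SPT=54776 DPT=25 SEQ=1191919764 ACK=0 "
                "WINDOW=0 RES=0x00 RST URGP=0 ")
USB_LINE = "May 21 07:10:00 agora kernel: [  500.123456] usb 1-1: new high-speed USB device number 4 using xhci_hcd"

# Assumption: the shipped "iptables" parent selects on program name only.
IPTABLES_PARENT = Decoder("iptables", program_name="^kernel")
# Hypothetical stand-in for the shipped USB decoder; its real name and pattern are not on the page.
USB_NO_PREMATCH = Decoder("kernel-usb", parent="iptables", regex_offset="after_parent",
                          regex=r"^[\s*\d+.\d+] usb (\S+): new \.+ device", order=["id"])
USB_WITH_PREMATCH = Decoder("kernel-usb", parent="iptables", prematch=r"^[\s*\d+.\d+] usb",
                            regex=r"(\S+): new \.+ device", regex_offset="after_prematch", order=["id"])
# The final form of Dave's decoder, as posted by Jesus (with dstip).
LOCAL_IPTABLES = Decoder("local_iptables", parent="iptables", prematch=r"^[\s*\d+.\d+] ipt:",
                         regex=r"(\S+): in=\.+ src=(\S+) dst=(\S+) ", regex_offset="after_prematch",
                         order=["action", "srcip", "dstip"])

BEFORE_FIX = [IPTABLES_PARENT, USB_NO_PREMATCH, LOCAL_IPTABLES]   # USB sibling has no prematch
AFTER_FIX = [IPTABLES_PARENT, USB_WITH_PREMATCH, LOCAL_IPTABLES]  # prematch added to the USB sibling

if __name__ == "__main__":
    for label, chain in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for line in (IPT_LINE, STEALTH_LINE, USB_LINE):
            print(label, decode(line, chain))
```

Running it shows the thread's symptom and its cure side by side: before the fix the iptables lines come back as `('iptables', {})`, because the USB sibling's regex is tried on them, fails, and the walk ends; after the fix the same lines decode as `local_iptables` with action, srcip and dstip, and the USB line still decodes through the USB sibling. The practical check for a new child decoder is therefore not only "does my regex match" but "does every earlier sibling under the same parent carry a prematch that rejects my lines".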