Problem with regex matching.


peter.bra...@gmail.com

Feb 14, 2019, 7:49:18 AM
to ossec-dev
Hello Group,

I am using OSSEC version 3.1.0 and have some strange problems with regex.

I am trying to write a rule alerting on some top-level domains (e.g. a site like susi-without.top).

I am using this example log:
192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE

If I try ossec-regex:

# /var/ossec/bin/ossec-regex ".top:\d"
192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
+OSRegex_Execute: 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
+OS_Regex       : 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE


I can see OSRegex_Execute and OS_Regex. So I think it is matching (https://www.ossec.net/docs/programs/ossec-regex.html).

The rule I created:

<group name="squid,web-access,">
  <rule id="200011" level="7">
    <if_sid>31100</if_sid>
    <url>.top:\d</url>
    <description>Maybe critical URL access attempt</description>
  </rule>
</group>


But if I try this rule with ossec-logtest:

# /var/ossec/bin/ossec-logtest -v
2019/02/15 12:22:42 ossec-testrule: INFO: Reading local decoder file.
2019/02/15 12:22:42 ossec-testrule: INFO: Started (pid: 672).
ossec-testrule: Type one log per line.

192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE


**Phase 1: Completed pre-decoding.
       full event: '192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE'
       hostname: 'kswootrs02'
       program_name: '(null)'
       log: '192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '192.168.0.1'
       srcuser: '-'
       action: 'CONNECT'
       url: 'susi-without.top:443'
       id: '407'

**Rule debugging:
    Trying rule: 4 - Generic template for all web rules.
       *Rule 4 matched.
       *Trying child rules.
    Trying rule: 31100 - Access log messages grouped.
       *Rule 31100 matched.
       *Trying child rules.
    Trying rule: 31108 - Ignored URLs (simple queries).
    Trying rule: 31511 - Blacklisted user agent (wget).
    Trying rule: 31115 - URL too long. Higher than allowed on most browsers. Possible attack.
    Trying rule: 200011 - Maybe critical URL access attempt
    Trying rule: 31103 - SQL injection attempt.
    Trying rule: 31104 - Common web attack.   
    ...

So it does not seem to match the rule, but I can't see the difference.

After changing the regex to ".top" or ".top:" only:

# /var/ossec/bin/ossec-regex ".top"
192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
+OSRegex_Execute: 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
+OS_Regex       : 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
+OSMatch_Compile: 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
+OS_Match2      : 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE



Changing the Rule to

<group name="squid,web-access,">
  <rule id="200011" level="7">
    <if_sid>31100</if_sid>
    <url>.top</url>   <!-- or .top: -->
    <description>Maybe critical URL access attempt</description>
  </rule>
</group>


...makes it match:
    ...
    Trying rule: 31115 - URL too long. Higher than allowed on most browsers. Possible attack.
    Trying rule: 200011 - Maybe critical URL access attempt
       *Rule 200011 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '200011'
       Level: '7'
       Description: 'Maybe critical URL access attempt'
**Alert to be generated


While experimenting with ossec-regex I have seen this:

# bin/ossec-regex "\w"
d
fff
+OSRegex_Execute: fff
+OS_Regex       : fff
ff
+OSRegex_Execute: ff
+OS_Regex       : ff
f

But in my opinion a single \w should match even a single character, digit or something else.

Is this a local thing on my test device? Is there an OSSEC option to set another style of regex matching? Or is there a Debian thing like that?

Best regards and thanks in advance!

Peter

dan (ddp)

Feb 19, 2019, 6:55:14 AM
to ossec-dev
On Thu, Feb 14, 2019 at 7:49 AM <peter.bra...@gmail.com> wrote:
>
> Hello Group,
>
> I am using OSSEC version 3.1.0 and have some strange problems with regex.
>
> I am trying to write a rule alerting some top-level domains (e.g. a site like susi-without.top).
>
> I am using this example log:
> 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
>
> If I try ossec-regex:
>
> # /var/ossec/bin/ossec-regex ".top:\d"
> 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
> +OSRegex_Execute: 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
> +OS_Regex : 192.168.0.1 - - [13/Feb/2019:03:12:56 +0100] "CONNECT susi-without.top:443 HTTP/1.1" 407 3725 TCP_DENIED:HIER_NONE
>
> I can see OSRegex_Execute and OS_Regex. So I think it is matching (https://www.ossec.net/docs/programs/ossec-regex.html).
>
> The rule I created:
>
> <group name="squid,web-access,">
> <rule id="200011" level="7">
> <if_sid>31100</if_sid>
> <url>.top:\d</url>

Does the <url> field support regex? I didn't think it did (but I
haven't looked).

Peter Krawallo

Feb 19, 2019, 8:05:51 AM
to osse...@googlegroups.com

dan (ddp)

Feb 19, 2019, 8:23:46 AM
to ossec-dev
On Tue, Feb 19, 2019 at 8:05 AM Peter Krawallo <pkra...@gmail.com> wrote:
>
> Not sure, but this document says yes: https://www.ossec.net/docs/syntax/head_rules.html#element-url
>

No, that says it uses the 'sregex' syntax, which is a limited subset
of the full regex.
OSSEC's regex support has been wonky since the beginning. The added
PCRE2 support should help with that.
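Added example, not part of this thread or of OSSEC's code: a minimal Python model of the sregex (OS_Match) syntax that the <url> element uses, assuming, per the OSSEC regex docs, that sregex knows only ^, $, | and a leading !, and matches everything else literally. Run against the decoded url field from Peter's logtest output, it shows why ".top:\d" fails while ".top" and ".top:" match.

```python
# Added example (not from the thread or from OSSEC): a model of sregex
# (OS_Match), the syntax used by the <url> rule element. Assumption: the
# only operators are ^ (anchor start), $ (anchor end), | (alternatives)
# and a leading ! (negate). Everything else, including backslash
# sequences such as \d or \w, is matched as literal text.
from typing import Dict, List

# Constructed sample: the decoded 'url' field shown by ossec-logtest.
DECODED_URL = "susi-without.top:443"


def _match_one(alt: str, text: str) -> bool:
    """Match a single alternative: optional anchors around a literal."""
    anchored_start = alt.startswith("^")
    anchored_end = alt.endswith("$") and len(alt) > (1 if anchored_start else 0)
    start = 1 if anchored_start else 0
    end = len(alt) - 1 if anchored_end else len(alt)
    literal = alt[start:end]
    if anchored_start and anchored_end:
        return text == literal
    if anchored_start:
        return text.startswith(literal)
    if anchored_end:
        return text.endswith(literal)
    return literal in text  # plain substring search, no metacharacters


def sregex_match(pattern: str, text: str) -> bool:
    """Return True if `text` satisfies the sregex `pattern`."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    alternatives: List[str] = pattern.split("|")
    matched = any(_match_one(alt, text) for alt in alternatives)
    return not matched if negate else matched


def compare_patterns(text: str = DECODED_URL) -> Dict[str, bool]:
    """Evaluate the thread's patterns (plus a few anchor cases) against the url field."""
    patterns = (".top:\\d", ".top", ".top:", "^susi", ":443$", "!.top")
    return {p: sregex_match(p, text) for p in patterns}


if __name__ == "__main__":
    for pattern, ok in compare_patterns().items():
        print(f"{pattern!r:12} -> {'match' if ok else 'no match'}")
```

Under these semantics the backslash-d in ".top:\d" is two literal characters that never appear in the field, which is consistent with the logtest result; the full-regex tool ossec-regex, by contrast, interprets \d as a digit class.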

Peter Brandmeister

Feb 19, 2019, 9:01:48 AM
to osse...@googlegroups.com
OK, then I have to check the differences between them, because I was thinking regex should work here because of the documentation, too.
I think regex is not necessary for this, but it was strange behavior for me, so I had to ask.
Thanks for your help! :-)
