[ossec-list] Customized Decoder


Eric B. Biondi

Apr 27, 2010, 11:03:58 AM
to ossec...@googlegroups.com
Hi

I've created two decoders and one is working correctly, but the second
isn't.

I can't see where my error is. Can anyone help?

Both work off the same parent, so the parent should be fine. Perhaps the
slashes are throwing me off?


<!--
2010-04-27 10:28:01,914 WARN
[btpool0-1590://localhost/service/soap/AuthRequest]
[name=er...@mydomain.com;oip=1.2.3.4;ua=zclient/6.0.5_GA_2213.UBUNTU8_64;]
security - cmd=Auth; account=er...@mydomain.com; protocol=soap;
error=authentication failed for er...@mydomain.com, account lockout;
-->

<decoder name="zimbra-audit2">
<parent>zimbra</parent>
<regex offset="after_parent">[\S+]
[name=\S+;oip=(\d+.\d+.\d+.\d+);\S+;]</regex>
<order>srcip</order>
</decoder>


dan (ddp)

Apr 29, 2010, 9:35:44 AM
to ossec...@googlegroups.com
I can't test this at the moment, so be gentle. ;)
Is oip= always an IP? If so, you could cut out a lot of the complexity
by doing something like:
<regex>oip=(\d+.\d+.\d+.\d+);</regex>
If that works, you can then build up anything else you want around
it. Get the important stuff working, and make the regex more specific
afterwards.
Also, the order of the decoders is important. I've gotten things to
work before by moving them around a bit.

Dave S

Apr 29, 2010, 11:34:05 AM
to ossec-list
Hi Eric,
First off, your entire regex is enclosed in square brackets which is
incorrect.
I'd try simplifying the regular expression to something like

<regex offset="after_parent">oip=(\d+.\d+.\d+.\d+);</regex>

Try that,
Dave
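To check a decoder regex before dropping it into decoder.xml, it helps to run it against the exact line from the log. The script below is an added example and is not part of this thread; it applies Dave's and Dan's suggested child regex to Eric's sample line by translating OSSEC's regex syntax into Python's (in OSSEC, "\." means any character and a bare "." is a literal dot, so the IP pattern works as written). The "zimbra" parent decoder is never shown in the thread, so the PARENT_PREMATCH timestamp pattern here is an assumption, as is the way offset="after_parent" is modelled (searching only the text after the parent match). Use it as a quick local sanity check; ossec-logtest remains the authoritative test.

```python
import re

# Sample Zimbra audit line: constructed here from the example Eric posted
# (the "er...@mydomain.com" address is the list's own redaction, kept as-is).
SAMPLE_LINE = (
    "2010-04-27 10:28:01,914 WARN "
    "[btpool0-1590://localhost/service/soap/AuthRequest] "
    "[name=er...@mydomain.com;oip=1.2.3.4;ua=zclient/6.0.5_GA_2213.UBUNTU8_64;] "
    "security - cmd=Auth; account=er...@mydomain.com; protocol=soap; "
    "error=authentication failed for er...@mydomain.com, account lockout;"
)

# Hypothetical prematch for the "zimbra" parent decoder (the thread never shows
# it): a timestamp "YYYY-MM-DD HH:MM:SS,mmm " at the start of the line.
PARENT_PREMATCH = r"^\d+-\d+-\d+ \d+:\d+:\d+,\d+ "

# The child regex exactly as Dave and Dan suggested it, with its <order>.
CHILD_REGEX = r"oip=(\d+.\d+.\d+.\d+);"
CHILD_ORDER = ["srcip"]

# OSSEC escapes used in this thread mapped to Python equivalents. OSSEC's
# syntax differs from PCRE: "\." matches any character and a bare "." is a
# literal dot. (OSSEC's \w also includes '-' and '@', unlike Python's; that
# difference does not affect these patterns.)
_OSSEC_ESCAPES = {
    r"\d": r"\d", r"\D": r"\D", r"\s": r"\s", r"\S": r"\S",
    r"\w": r"\w", r"\W": r"\W", r"\t": r"\t", r"\.": r".",
}


def ossec_regex_to_python(pattern: str) -> str:
    """Convert the subset of OSSEC regex syntax used here into a Python pattern.

    Only + * ( ) | ^ $ keep their meaning; every other unescaped character,
    including "." and "[", is treated as a literal, as OSSEC does.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            out.append(_OSSEC_ESCAPES.get(tok, re.escape(pattern[i + 1])))
            i += 2
        elif ch in "+*()|^$":
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def decode(line, parent_prematch=PARENT_PREMATCH,
           child_regex=CHILD_REGEX, order=CHILD_ORDER):
    """Mimic parent/child decoding for one line.

    Returns None if the parent prematch does not hit, {} if the parent hit but
    the child regex found nothing, otherwise the extracted fields keyed by the
    child's <order> names. offset="after_parent" is modelled by searching the
    child regex only in the text that follows the parent match.
    """
    pm = re.search(ossec_regex_to_python(parent_prematch), line)
    if pm is None:
        return None
    cm = re.search(ossec_regex_to_python(child_regex), line[pm.end():])
    if cm is None:
        return {}
    return dict(zip(order, cm.groups()))


if __name__ == "__main__":
    print(decode(SAMPLE_LINE))  # {'srcip': '1.2.3.4'}
```

Running the script prints the decoded srcip for the sample line. Once that single field decodes, further fields (the account name, the "account lockout" error text) can be added to the regex and `<order>` one at a time, which is the "get the important stuff working first" approach Dan describes.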

Eric Biondi

Apr 29, 2010, 4:36:51 PM
to ossec...@googlegroups.com
Thank you very much Dave and Dan!

I guess I was trying too hard. LOL Everything is working great with ossec.

Thanks so much to everyone involved with this project. I LOVE this
program!!!


--[ UxBoD ]--

May 2, 2010, 11:10:49 AM
to ossec...@googlegroups.com
----- Original Message -----
> Hi
>
> I've created two decoders and one is working correctly, but the second
> isn't.
>
> I can't see where my error is. Can anyone help?
>
> Both work off the same parent, so the parent should be fine. Perhaps
> the slashes are throwing me off?
>
>
> <!--
> 2010-04-27 10:28:01,914 WARN
> [btpool0-1590://localhost/service/soap/AuthRequest]
> [name=er...@mydomain.com;oip=1.2.3.4;ua=zclient/6.0.5_GA_2213.UBUNTU8_64;]
> security - cmd=Auth; account=er...@mydomain.com; protocol=soap;
> error=authentication failed for er...@mydomain.com, account lockout;
> -->
>
> <decoder name="zimbra-audit2">
> <parent>zimbra</parent> <regex offset="after_parent">[\S+]
> [name=\S+;oip=(\d+.\d+.\d+.\d+);\S+;]</regex> <order>srcip</order>
> </decoder>
>
Eric,

What are you specifically trying to trap from Zimbra? I may be able to share some of my rules if you would like.
--
Thanks, Phil (uxbod - Zimbra moderator)