IIS problems


George Paun

Nov 20, 2025, 8:38:42 AM (3 days ago) Nov 20
to Wazuh | Mailing List
Hi guys,

I have some issues with decoders for IIS and custom rules.
I need some decoders for IIS because I need to put the URL in the rule description, and I need to do some IIS rules with a status other than 200. I think I need some decoders too, but I can't manage to create the decoders.
I think I do something wrong, but I don't know what.

These are the decoders I put for IIS:

<!-- Parent decoder: matches any line with at least six comma-separated fields -->
<decoder name="IIS_custom">
  <prematch>\.*,\.*,\.*,\.*,\.*,\.*</prematch>
</decoder>

<!-- Child decoder (same name as its parent): extracts six comma-separated fields -->
<decoder name="IIS_custom">
  <parent>IIS_custom</parent>
  <regex>(\.*),\.*, (\.*), (\.*),(\.*),(\.*), (\.*),</regex>
  <order>srcip, date, hour, w3svc, servername, dstip</order>
</decoder>

<!-- Space-separated IIS access log, after the built-in windows-date-format parent
     has consumed the leading "YYYY-MM-DD HH:MM:SS " -->
<decoder name="web-accesslog-iis-modified">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ GET |^\S+ POST</prematch>
  <!-- 8 capture groups, mapped in order to the 8 field names below -->
  <regex offset="after_parent">^\S+ (\w+) (\S+ \S+) (\S+) \S+ (\S+) (\S+) \.*(\d\d\d) \.+\s(\d+\p\d+\p\d+\p\d+)\p(\.+)</regex>
  <order>action, url, srcport, srcip, user_agent, id, ipaddress1, ip-address2</order>
</decoder>

Thx for help,
George
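Added example (not part of the thread, and not Wazuh code): the decoders above hard-code one column layout, but an IIS W3C log declares its own column order in a `#Fields:` header that changes whenever the site's logging fields are reconfigured, so a fixed regex can silently stop matching. The script below parses constructed sample lines using that header, maps the columns onto the Wazuh-style field names used in the thread (srcip, url, id for the status code), and returns only the requests with a status other than 200, which is exactly what the rules George wants to write would need. The log lines, IPs and paths are made up for this example.

```python
"""Parse IIS W3C extended log lines using their #Fields header.

Constructed example for illustration; the sample log, hosts and paths
are invented and not taken from the mailing-list thread.
"""

# Constructed sample: default IIS 10 field selection plus one truncated
# line (the last one) to show how layout mismatches are handled.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-11-20 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-11-20 08:38:42 10.0.0.5 GET /index.html - 80 - 192.168.1.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-11-20 08:38:43 10.0.0.5 GET /admin/config.php - 80 - 192.168.1.10 Mozilla/5.0+(Windows+NT+10.0) - 404 0 2 3
2025-11-20 08:38:44 10.0.0.5 POST /login.aspx returnUrl=/ 443 - 203.0.113.7 curl/8.4.0 - 401 2 5 8
2025-11-20 08:38:45 10.0.0.5 GET /broken
"""


def parse_w3c(text):
    """Return (records, skipped): records as dicts keyed by the #Fields names.

    A new #Fields header in the middle of the file (IIS writes one whenever
    logging settings change) replaces the current column layout. Lines whose
    column count does not match the current header are counted as skipped
    rather than mis-assigned to the wrong field names.
    """
    fields = None
    records = []
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")  # IIS replaces spaces inside values with '+'
        if fields is None or len(values) != len(fields):
            skipped += 1
            continue
        records.append(dict(zip(fields, values)))
    return records, skipped


def to_wazuh_fields(rec):
    """Map W3C columns onto the field names used by Wazuh web-log decoders.

    'id' holds the HTTP status code, as the built-in web-accesslog decoders do.
    """
    url = rec["cs-uri-stem"]
    if rec.get("cs-uri-query", "-") != "-":
        url += "?" + rec["cs-uri-query"]
    return {
        "srcip": rec["c-ip"],
        "dstip": rec["s-ip"],
        "action": rec["cs-method"],
        "url": url,
        "id": rec["sc-status"],
        "user_agent": rec.get("cs(User-Agent)", "-").replace("+", " "),
    }


def non_200(records):
    """Events a 'status other than 200' rule would fire on, with the URL attached."""
    return [to_wazuh_fields(r) for r in records if r["sc-status"] != "200"]


if __name__ == "__main__":
    recs, skipped = parse_w3c(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {skipped} malformed line(s)")
    for ev in non_200(recs):
        print(f"{ev['srcip']} {ev['action']} {ev['url']} -> {ev['id']}")
```

Once the real column layout is known from the `#Fields:` line of the server's log, the capture groups and `<order>` of the decoder can be aligned to it and checked with Wazuh's own `wazuh-logtest` tool by pasting a raw log line and confirming each field is decoded as expected.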

Lucas Esteban Pedrosa

Nov 20, 2025, 12:56:41 PM (2 days ago) Nov 20
to Wazuh | Mailing List
Hello, George

Your decoders look good in general, but the presence of existing decoders is probably creating a conflict. This may cause you to see errors when trying to restart the manager with the changes or it may result simply in your logs not going through your custom decoders and still being taken by the built-in ones.

If you have disabled the built-in decoders, then this could work, but I'd like to see a sample of the weblogs that you're trying to capture to verify. If you can share them here, I can work in my lab to help you fix your decoders.

Please let me know whether you have disabled some decoders, which ones and what configuration you have used to that end. You can share the ossec.conf file. If you have created any rules to work with your decoders, please share them too.

Kind regards,
Lucas