List: ossec-list
Subject: [ossec-list] "parent" option in decoders
From: "Ricardo Stocco" <ricardostocco () gmail ! com>
Date: 2008-10-31 19:35:15
Message-ID: acc7f75a0810311235w188b12c3j32f25a15a64fc451 () mail ! gmail ! com
Hi,
I'm working with subdecoders and I have some doubts and questions.
I do not understand very well how ossec works when using the option "parent".
This is the "su decoder" in decoder.xml that ossec provides. Is this
configuration right? I think that there is a problem here....
**************************************************************************
<decoder name="su">
<program_name>^su$</program_name>
</decoder>
<decoder name="su-detail">
<parent>su</parent>
<regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
<order>dstuser, srcuser</order>
<fts>name, srcuser, location</fts>
</decoder>
<decoder name="su-detail2">
<parent>su</parent>
<regex>^BAD SU (\S+) to (\S+) on|</regex>
<regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
<regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
<order>srcuser, dstuser</order>
<fts>name, srcuser, location</fts>
</decoder>
<decoder name="su">
<prematch>^SU \S+ \S+ </prematch>
<regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
<order>srcuser, dstuser</order>
<fts>name, srcuser, location</fts>
</decoder>
**************************************************************************
Apparently, decoder "su-detail2" never works...
This seems to work fine with the prematch option, for example:
<decoder name="su-detail">
<parent>su</parent>
<prematch>^'su</prematch>
<regex> (\S+)' \S+ for (\S+) on \S+$</regex>
<order>dstuser, srcuser</order>
<fts>name, srcuser, location</fts>
</decoder>
Is it right? How does this really work? Where can I find more information about
decoders?
I hope you will understand me. I do not speak English very well...
thanks!
Ricardo
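To make the difference between the two child decoders concrete, here is an added example that is not part of the original message or of OSSEC itself: a small Python model of parent/child decoder evaluation, run over constructed su log bodies. It assumes the semantics described in its comments (parent chosen by program_name, children tried in order, `offset="after_prematch"` starting the regex where the prematch ended) and uses the message's patterns as Python regexes, so OSSEC-specific syntax such as `\p` is not covered.

```python
import re

# Constructed model of parent/child decoder evaluation (an assumption about
# the semantics, not OSSEC's own engine): the parent is selected by
# <program_name>; its children are tried in file order against the log body.
# A child without <prematch> applies <regex> from the start of the body; with
# <prematch>, offset="after_prematch" applies <regex> from the prematch's end.
DECODERS = [
    {"name": "su", "program_name": r"^su$"},
    {"name": "su-detail", "parent": "su",
     "regex": r"^'su (\S+)' \S+ for (\S+) on \S+$",
     "order": ["dstuser", "srcuser"]},
    {"name": "su-detail-prematch", "parent": "su",
     "prematch": r"^'su", "offset": "after_prematch",
     "regex": r" (\S+)' \S+ for (\S+) on \S+$",
     "order": ["dstuser", "srcuser"]},
]

def match_child(child, body):
    """Fields captured by one child decoder, or None if it does not apply."""
    start = 0
    if "prematch" in child:
        pm = re.search(child["prematch"], body)
        if pm is None:
            return None
        if child.get("offset") == "after_prematch":
            start = pm.end()
    m = re.search(child["regex"], body[start:])
    if m is None:
        return None
    # <order> names the captured groups from left to right
    return dict(zip(child["order"], m.groups()))

def decode(program, body):
    """Return (decoder name, fields) for the first decoder that matches."""
    parent = next((d for d in DECODERS if "program_name" in d
                   and re.search(d["program_name"], program)), None)
    if parent is None:
        return None
    for child in DECODERS:
        if child.get("parent") == parent["name"]:
            fields = match_child(child, body)
            if fields is not None:
                return child["name"], fields
    return parent["name"], {}  # parent matched, no child refined it

# Constructed sample log bodies (program name already split off by the
# syslog pre-decoder, which is what lets <program_name>^su$ select "su")
SAMPLE_OK = "'su root' succeeded for ricardo on /dev/pts/1"
SAMPLE_OTHER = "BAD SU ricardo to root on /dev/pts/1"
```

With these inputs `decode("su", SAMPLE_OK)` yields `su-detail` with dstuser=root and srcuser=ricardo, the prematch variant captures the same fields, and the "BAD SU" body falls back to the bare `su` parent with no fields.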