List: ossec-list
Subject: Re: [ossec-list] Custom Decoder
From: Diego S <rabitsabe () gmail ! com>
Date: 2019-10-14 18:35:19
Message-ID: CAGQH4FJ863zrOAVVSPS4TqBZhzrnAdCX1C7N3_v3hrJH9WXT_g () mail ! gmail ! com
Thanks Juan! It's working now.
I entered the wrong forum!
Regards,
On Mon, 14 Oct 2019 at 11:48, Juan Carlos Tello (<juancarlos.tello@wazuh.com>) wrote:
> Hi Diego,
> The issue seems to be the regular expression.
>
> It seems the correct syntax would be:
> <decoder name="Brocade-login">
> <parent>Brocade-format</parent>
> <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+),</regex>
> <order>user,second</order>
> </decoder>
> Note that the /, [ and ] characters are not escaped, and that the criteria
> for extracting fields have been optimized.
>
> Although the issue was with the regular expression, which uses the same
> interpreter as OSSEC, it is true that the behavior is not the same as
> with OSSEC, so I do recommend using the Wazuh mailing list for queries
> related to Wazuh.
>
> Best Regards,
> Juan Carlos Tello
>
> On Monday, October 14, 2019 at 4:11:15 PM UTC+2, Diego S wrote:
> >
> > Sorry, my bad Dan, thanks anyway, I have a starting point now.
> >
> > Regards!
> >
> > On Mon, 14 Oct 2019 at 10:56, dan (ddp) (<ddp...@gmail.com>) wrote:
> >
> > > On Mon, Oct 14, 2019 at 9:54 AM Diego S <rabi...@gmail.com> wrote:
> > > >
> > > > Hi!
> > > >
> > > > I tried with an updated version and I'm still getting the same error :S
> > > >
> > >
> > > That's Wazuh. I don't know enough about their project to help.
> > >
> > > >
> > > >
> > > > On Sat, 12 Oct 2019 at 9:12, dan (ddp) (<ddp...@gmail.com>) wrote:
> > > > >
> > > > >
> > > > >
> > > > > On Fri, Oct 11, 2019 at 2:03 PM Diego S <rabi...@gmail.com> wrote:
> > > > > >
> > > > > > I'm using version 2.0.
> > > > >
> > > > >
> > > > > 2.0 is ancient. Not much I can do to help with that.
> > > > >
> > > > > >
> > > > > > I'm not able to find the syntax error.
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > On Fri, 11 Oct 2019 at 14:51, dan (ddp) (<ddp...@gmail.com>) wrote:
> > > > > > >
> > > > > > > On Fri, Oct 11, 2019 at 1:41 PM Diego S <rabi...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > Thank you very much for your response.
> > > > > > > > Let me know if I am wrong. The decoder will be like this:
> > > > > > > >
> > > > > > > > <decoder name="Brocade-format">
> > > > > > > > <prematch>^\d+\s\w\w\w\w\w, </prematch>
> > > > > > > > </decoder>
> > > > > > > >
> > > > > > > > <decoder name="Brocade-login">
> > > > > > > > <parent>Brocade-format</parent>
> > > > > > > > <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),</regex>
> > > > > > > > <order>user,second</order>
> > > > > > > > </decoder>
> > > > > > > >
> > > > > > > > <decoder name="squid-accesslog">
> > > > > > > > <type>squid</type>
> > > > > > > > <prematch>^\d+ \S+ </prematch>
> > > > > > > > <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
> > > > > > > > <order>srcip,action,id,url</order>
> > > > > > > > </decoder>
> > > > > > > >
> > > > > > > > But I'm getting a syntax error and I don't know why or where.
> > > > > > > >
> > > > > > > > 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+)': 6.
> > > > > > > >
> > > > > > >
> > > > > > > I'm not sure what's wrong there. Which version of OSSEC are you using?
> > > > > > >
> > > > > > > > Thanks and regards!
> > > > > > > >
> > > > > > > > --
> > > > > > > >
> > > > > > > > ---
> > > > > > > > You received this message because you are subscribed to the
> > > Google Groups "ossec-list" group.
> > > > > > > > To unsubscribe from this group and stop receiving emails from it,
> > > send an email to ossec...@googlegroups.com.
> > > > > > > > To view this discussion on the web visit
> > > https://groups.google.com/d/msgid/ossec-list/CAGQH4FLk08YBG4NhaVQ9vG-nB-zF2%2Bo1GwnxSSvRbE62MGH2qA%40mail.gmail.com
> > >
> > > .
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > >
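Added example, not code from the thread, from OSSEC or from Wazuh: a small Python script that reproduces the root cause Juan pointed at, an escaped `[` that OSSEC's regex dialect does not define, and then smoke-tests the corrected parent/child decoder chain on a constructed log line. Everything in it is my own: the `OSSEC_ESCAPES` table is my reading of the documented OSSEC regex syntax, the function names, the `0 AUDIT, ...` sample line and the `decode_brocade_login` chain are assumptions, and the `: 6` at the end of the logged error is, to my recollection, `OS_REGEX_BADREGEX` from OSSEC's `os_regex.h` (the thread itself does not say so).

```python
"""Offline sanity checks for OSSEC/Wazuh decoder regexes (added example).

Reproduces the thread's failure (an escape OSSEC does not define) and
smoke-tests the corrected pattern with Python's re module. The escape table
is my reading of the documented OSSEC syntax; captures from Python's
backtracking engine are not guaranteed to equal what ossec-analysisd extracts.
"""
import re

# Escapes OSSEC's os_regex dialect defines (assumption: documented syntax as I read it).
OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9@_\-]",      # \w: letters, digits, '-', '@', '_'
    "d": r"[0-9]",                # \d: digits
    "s": r" ",                    # \s: a single space, not general whitespace
    "t": r"\t",                   # \t: tab
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # \p: punctuation
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",                    # \. is "anything"; a bare '.' is a literal dot
    "\\": r"\\",
    "(": r"\(",
    ")": r"\)",
    "|": r"\|",
    "$": r"\$",
    "<": r"<",
}


def first_bad_escape(pattern):
    """Offset of the first backslash escape OSSEC does not define, or None."""
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":
            if i + 1 == len(pattern) or pattern[i + 1] not in OSSEC_ESCAPES:
                return i
            i += 2
        else:
            i += 1
    return None


def to_python_regex(pattern):
    """Translate an OSSEC-dialect pattern into an approximate Python re pattern."""
    bad = first_bad_escape(pattern)
    if bad is not None:
        raise ValueError(f"unsupported escape {pattern[bad:bad + 2]!r} at offset {bad}")
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            out.append(OSSEC_ESCAPES[pattern[i + 1]])
            i += 2
            continue
        # Groups, quantifiers, anchors and alternation mean the same in both dialects;
        # everything else ('.', '[', ']', '?', '{', ...) is a literal in OSSEC.
        out.append(c if c in "()+*^$|" else re.escape(c))
        i += 1
    return "".join(out)


# The regex ossec-analysisd rejected in the thread (as printed in the logged error),
# the parent prematch, and the corrected child regex from the reply.
BROKEN_CHILD = r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),"
PARENT_PREMATCH = r"^\d+\s\w\w\w\w\w, "
FIXED_CHILD = r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+),"
ORDER = ["user", "second"]  # the <order> element of the child decoder


def decode_brocade_login(line):
    """Mimic the thread's two-decoder chain: the parent <prematch> must hit, then
    the child <regex> runs on the text after it (offset="after_parent") and its
    captures are named by <order>. Returns the field dict, or None if no match."""
    m = re.match(to_python_regex(PARENT_PREMATCH), line)
    if not m:
        return None
    m = re.match(to_python_regex(FIXED_CHILD), line[m.end():])
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


# Constructed sample in the shape the decoders expect, cut after the user field.
SAMPLE = "0 AUDIT, 2019/10/11-12:05:07 (GMT), [SEC-1203], INFO, SECURITY, admin/admin/10.0.0.5/ssh/CLI, "

if __name__ == "__main__":
    off = first_bad_escape(BROKEN_CHILD)
    print(f"broken pattern: unsupported escape {BROKEN_CHILD[off:off + 2]!r} at offset {off}")
    print("fixed pattern decodes to:", decode_brocade_login(SAMPLE))
```

The checker catches `\[` before the decoder file ever reaches ossec-analysisd, which is the error the thread shows. The captures from Python's `re` are only a smoke test: OSSEC's own engine resolves `\.+` and `\S+` differently from a backtracking matcher, so confirm the extracted `user` and `second` values with `ossec-logtest` before writing rules against them. The sample line is cut after the user field so the two `(\.+)` groups have only one way to match.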