ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

predecoding regex #1294

Open prashantgpt91 opened 7 years ago

prashantgpt91 commented 7 years ago

I know briefly how OSSEC HIDS operates on logs, but I am numbed to see what kind of regex runs behind the predecoding stage of OSSEC.

I found a sample example of predecoding of logs here:

Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from 192.168.2.180 port 1618 ssh2

result of predecoding:

hostname linux_server
program_name sshd
time/date Apr 14 17:32:06

To do this at a level where there can be any type of log, there has to be a myriad of Regex/rules.

I tried exploring this, where I can only find the decoders for the decoding stage.

If someone can throw light on predecoding stage regex/rules it would be great.

Thanks

ddpbsd commented 7 years ago

I don't think it's regex, and I don't have time to search for the specifics at the moment. Predecoding is done in src/analysisd

prashantgpt91 commented 7 years ago

@ddpbsd OK, thanks. Is it possible to try & test this specific src/analysisd part?

ddpbsd commented 7 years ago

ossec-logtest might provide the functionality you're looking for, but without knowing exactly what you want I can't say definitively.

prashantgpt91 commented 7 years ago

@ddpbsd I am trying to extend the functionality of OSSEC-HIDS in terms of correctly parsing some more types of logs especially at the stage of predecoding.

Having said that, I think ossec-logtest is not going to help.

atomicturtle commented 7 years ago

Can you give us an example of what you're trying to do? There are a couple of different ways to do it.

prashantgpt91 commented 7 years ago

I started ossec-logtest using this command: sudo /var/ossec/bin/ossec-logtest

What happened? ossec-logtest is not able to correctly parse this log:

log (input): System Audit: SSH Hardening - X: Port XX PCI_DSS: X.X.X File: /etc/ssh/sshd_config

output:

**Phase 1: Completed pre-decoding.
       full event: 'System Audit: SSH Hardening - X: Port XX PCI_DSS: X.X.X File: /etc/ssh/sshd_config'
       hostname: 'ip-XXX-XX-XX-XX'
       program_name: '(null)'
       log: 'System Audit: SSH Hardening - X: Port XX PCI_DSS: X.X.X File: /etc/ssh/sshd_config'

**Phase 2: Completed decoding.
       No decoder matched.

Expected alert level: if we check here, the alert level is 3 for a System Audit event.

Question: Am I passing the log incorrectly to ossec-logtest? If not, how could I make ossec-logtest correctly parse such logs?

This is just one example, I've found many.

ddpbsd commented 7 years ago

What is the expected outcome? Where is the log from? It doesn't appear to be a syslog message. There is no discernible hostname or program name. Writing a decoder for it probably wouldn't be too difficult.

EDIT: If it's rootcheck, it should be handled by src/analysisd/decoders/rootcheck.c. But I've never really looked into it.
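To make the predecoding stage discussed in the opening post and in the ossec-logtest output above concrete, here is an added example (written for this page; it is not OSSEC's code, which lives in src/analysisd, and it is a simplified approximation of that stage, not a copy of it). It splits a syslog-style line into the same fields ossec-logtest prints in its Phase 1 block (timestamp, hostname, program_name, log) and falls back to the receiving host's name with no program_name when the line carries no syslog header, which is what the posted output shows for the "System Audit:" line. The `local_hostname` parameter, the `render_phase1` helper and the second (kernel) sample line are assumptions introduced for illustration; the sample events are constructed for the example.

```python
import re
from typing import Dict, Optional

# Added example, not OSSEC's code: a simplified stand-in for what
# ossec-logtest labels "Phase 1: Completed pre-decoding" on syslog-style input.
# The real predecoder in src/analysisd handles more header variants than this.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # "Apr 14 17:32:06"
    r"(?P<hostname>\S+) "                                       # "linux_server"
    r"(?:(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: )?"  # "sshd[1025]: " (optional)
    r"(?P<log>.*)$"                                             # the remaining message
)

Fields = Dict[str, Optional[str]]


def predecode(event: str, local_hostname: str = "localhost") -> Fields:
    """Split one event into the fields shown in the thread's logtest output.

    If the syslog header is absent (as with the 'System Audit:' line posted
    above), hostname falls back to the receiving host (an assumption modelled
    on the posted output) and program_name stays unset, matching the '(null)'
    that ossec-logtest printed.
    """
    full_event = event.rstrip("\r\n")
    m = SYSLOG_HEADER.match(full_event)
    if m is None:
        return {
            "full_event": full_event,
            "timestamp": None,
            "hostname": local_hostname,
            "program_name": None,
            "pid": None,
            "log": full_event,
        }
    fields: Fields = m.groupdict()  # unmatched optional groups come back as None
    fields["full_event"] = full_event
    return fields


def render_phase1(fields: Fields) -> str:
    """Format the fields the way ossec-logtest prints its Phase 1 block (helper added for illustration)."""
    pn = fields["program_name"] if fields["program_name"] is not None else "(null)"
    lines = [
        "**Phase 1: Completed pre-decoding.",
        f"       full event: '{fields['full_event']}'",
        f"       hostname: '{fields['hostname']}'",
        f"       program_name: '{pn}'",
        f"       log: '{fields['log']}'",
    ]
    return "\n".join(lines)


# Constructed sample input: the thread's sshd line (joined onto one line), a
# made-up kernel line with no PID, and the header-less line from the logtest post.
SAMPLE_EVENTS = [
    "Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from 192.168.2.180 port 1618 ssh2",
    "Apr  5 09:01:12 web01 kernel: Out of memory: Kill process 4242 (httpd)",
    "System Audit: SSH Hardening - X: Port XX PCI_DSS: X.X.X File: /etc/ssh/sshd_config",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(render_phase1(predecode(ev, local_hostname="ip-XXX-XX-XX-XX")))
        print()
```

Running the block prints a Phase 1 block for each sample; the third one reproduces the "program_name: '(null)'" seen in the thread, which is the cue that the line never reached the stage where a program-name-based decoder could match it.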