I'm having some trouble using a custom decoder I defined for OSSEC 3.7.0. I only need to extract srcip, dstip and protocol from my iptables logs, but OSSEC's decoders also extract srcport and dstport, which I do not need. My solution was to define another decoder and only extract the fields that I wanted (if you have a better solution, please share it!).

This is what I did:

I put this decoder inside /var/ossec/etc/decoder.xml (between the iptables and iptables-1 decoders):

<decoder name="iptables-noports">
   <parent>iptables</parent>
   <type>firewall</type>
   <prematch_pcre2>^NOPORTS IN=</prematch_pcre2>
   <pcre2>^\S+ .+ SRC=(\S+) DST=(\S+) .+ </pcre2>
   <pcre2>PROTO=(\w+) </pcre2>
   <order>srcip,dstip,protocol</order>
</decoder>

I configured OSSEC to analyze the /var/log/ulog/syslogemu.log file. Since I'm running everything inside a Docker container, I had to redirect all logs to this file because log messages in network namespaces are intentionally suppressed.

The iptables command I used to generate my logs is:

iptables -A INPUT -p tcp -j NFLOG --nflog-group 0 --nflog-prefix "kernel: NOPORTS"

Then, I defined this test rule inside /var/ossec/rules/local_rules.xml:

<rule id="100009" level="1">
  <if_sid>4100</if_sid>
  <decoded_as>iptables</decoded_as>
  <description>Individual TCP SYN request detected</description>
  <dstip>192.168.1.1</dstip>
</rule>

After all of this, I tested my rule by running this command:

/var/ossec/bin/ossec-logtest -U 100009:1:iptables

and by providing this log entry (I copy-pasted it from syslogemu.log):

Nov  9 16:58:35 myserver kernel: NOPORTS IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP SPT=49448 DPT=4445 SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0

This is the output I get:

2023/11/10 10:32:04 ossec-testrule: INFO: Reading local decoder file.
2023/11/10 10:32:04 ossec-testrule: INFO: Started (pid: 1656).
ossec-testrule: Type one log per line.

Nov  9 16:58:35 myserver kernel: NOPORTS IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP SPT=49448 DPT=4445 SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0 


**Phase 1: Completed pre-decoding.
       full event: 'Nov  9 16:58:35 myserver kernel: NOPORTS IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP SPT=49448 DPT=4445 SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0 '
       hostname: 'myserver'
       program_name: 'kernel'
       log: 'NOPORTS IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP SPT=49448 DPT=4445 SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0 '

**Phase 2: Completed decoding.
       decoder: 'iptables'
       srcip: '192.168.1.2'
       dstip: '192.168.1.1'
       proto: 'TCP'

**Phase 3: Completed filtering (rules).
       Rule id: '100009'
       Level: '1'
       Description: 'Individual TCP SYN request detected'
lf->decoder_info->name: 'iptables'
ut_decoder_name       : 'iptables'
0

As you can see, it works as expected. However, if I actually try to run OSSEC, it does not detect anything. If I remove my custom decoder and restart OSSEC, it starts working again. Why? How can I fix it?

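Added example, not part of the question or of OSSEC itself: a small Python emulation of the three ossec-logtest phases for the decoder posted above, handy for checking the regex against a captured line before touching the running daemon. It assumes a simplified syslog header split, Python's re module standing in for PCRE2, and that OSSEC concatenates sibling <pcre2> elements into one expression.

```python
import re
import xml.etree.ElementTree as ET

# Decoder exactly as posted in the question.
DECODER_XML = r"""<decoder name="iptables-noports">
  <parent>iptables</parent>
  <type>firewall</type>
  <prematch_pcre2>^NOPORTS IN=</prematch_pcre2>
  <pcre2>^\S+ .+ SRC=(\S+) DST=(\S+) .+ </pcre2>
  <pcre2>PROTO=(\w+) </pcre2>
  <order>srcip,dstip,protocol</order>
</decoder>"""

# Constructed sample: the log entry from the question.
SAMPLE = ("Nov  9 16:58:35 myserver kernel: NOPORTS IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX "
          "SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP "
          "SPT=49448 DPT=4445 SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0")

# Simplified syslog header split (stand-in for OSSEC's phase 1, not its code).
SYSLOG_HDR = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ([^:\s]+): (.*)$")

def predecode(line):
    m = SYSLOG_HDR.match(line)
    return m and {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

def load_decoder(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "parent": root.findtext("parent"),
        "prematch": re.compile(root.findtext("prematch_pcre2")),
        # Assumed: sibling <pcre2> elements are concatenated into one expression.
        "regex": re.compile("".join(e.text for e in root.findall("pcre2"))),
        "order": root.findtext("order").split(","),
    }

def decode(line, decoder):
    """Phase 2: prematch runs on the log body, capture groups map onto <order>."""
    pre = predecode(line)
    if not pre or not decoder["prematch"].search(pre["log"]):
        return None
    m = decoder["regex"].match(pre["log"])
    if not m:
        return None
    fields = dict(zip(decoder["order"], m.groups()))
    fields["decoder"] = decoder["parent"]  # logtest reports the parent decoder name
    return fields

def rule_100009_matches(fields):
    """Phase 3: the posted rule needs decoded_as iptables and dstip 192.168.1.1."""
    return bool(fields) and fields["decoder"] == "iptables" and fields.get("dstip") == "192.168.1.1"
```

Feed it the exact line from syslogemu.log; a None result from decode() points at the prematch or the regex, and a False from rule_100009_matches() points at the rule conditions.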