I'm having some trouble using a custom decoder I defined for OSSEC 3.7.0. I only need to extract srcip, dstip and protocol from my iptables logs, but OSSEC's decoders also extract srcport and dstport, which I do not need. My solution was to define another decoder and only extract the fields that I wanted (if you have a better solution, please share it!).
This is what I did:
I put this decoder inside /var/ossec/etc/decoder.xml (between the iptables and iptables-1 decoders):
<decoder name="iptables-noports">
<parent>iptables</parent>
<type>firewall</type>
<prematch_pcre2>^NOPORTS IN=</prematch_pcre2>
<pcre2>^\S+ .+ SRC=(\S+) DST=(\S+) .+ </pcre2>
<pcre2>PROTO=(\w+) </pcre2>
<order>srcip,dstip,protocol</order>
</decoder>
I configured OSSEC to analyze the /var/log/ulog/syslogemu.log file.
Since I'm running everything inside a Docker container, I had to redirect all logs to this file because log messages in network namespaces are intentionally suppressed.
The iptables command I used to generate my logs is:
iptables -A INPUT -p tcp -j NFLOG --nflog-group 0 --nflog-prefix "kernel: NOPORTS"
Then, I defined this test rule inside /var/ossec/rules/local_rules.xml:
<rule id="100009" level="1">
<if_sid>4100</if_sid>
<decoded_as>iptables</decoded_as>
<description>Individual TCP SYN request detected</description>
<dstip>192.168.1.1</dstip>
</rule>
After all of this, I tested my rule by running this command:
/var/ossec/bin/ossec-logtest -U 100009:1:iptables
and by providing this log entry (I copy-pasted it from syslogemu.log):
Nov 9 16:58:35 myserver kernel: NOPORTS IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP SPT=49448 DPT=4445 SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0
This is the output I get:
2023/11/10 10:32:04 ossec-testrule: INFO: Reading local decoder file.
2023/11/10 10:32:04 ossec-testrule: INFO: Started (pid: 1656).
ossec-testrule: Type one log per line.
Nov 9 16:58:35 myserver kernel: NOPORTS IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP SPT=49448 DPT=4445 SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0
**Phase 1: Completed pre-decoding.
full event: 'Nov 9 16:58:35 myserver kernel: NOPORTS IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP SPT=49448 DPT=4445 SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0 '
hostname: 'myserver'
program_name: 'kernel'
log: 'NOPORTS IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.2 DST=192.168.1.1 LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP SPT=49448 DPT=4445 SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0 '
**Phase 2: Completed decoding.
decoder: 'iptables'
srcip: '192.168.1.2'
dstip: '192.168.1.1'
proto: 'TCP'
**Phase 3: Completed filtering (rules).
Rule id: '100009'
Level: '1'
Description: 'Individual TCP SYN request detected'
lf->decoder_info->name: 'iptables'
ut_decoder_name : 'iptables'
0
As you can see, it works as expected. However, if I actually try to run OSSEC, it does not detect anything. If I remove my custom decoder and restart OSSEC, it starts working again. Why? How can I fix it?
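To check what the iptables-noports decoder actually extracts before deploying it, here is an added Python script (not part of the question and not OSSEC code) that replays the pre-decoding and decoding phases shown in the ossec-logtest output against a constructed copy of the sample line. It assumes that consecutive pcre2 elements are joined into one pattern applied to the log part after the program name, which is how OSSEC's decoder loader treats multiple regex elements, and that Python's re module matches these particular patterns the same way PCRE2 does.

```python
import re

# Constructed sample event, shaped like the syslogemu.log entry in the question.
SAMPLE = ("Nov 9 16:58:35 myserver kernel: NOPORTS IN=eth0 OUT= "
          "MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.1.2 DST=192.168.1.1 "
          "LEN=44 TOS=00 PREC=0x00 TTL=50 ID=38150 PROTO=TCP SPT=49448 DPT=4445 "
          "SEQ=4283765322 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0 ")

# Phase 1 (pre-decoding): split the syslog header into timestamp, hostname,
# program_name and the remaining log text, as ossec-logtest reports them.
SYSLOG_HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")

# Phase 2 (decoding): the three elements of the iptables-noports decoder.
# OSSEC appends consecutive <pcre2> elements into one pattern, so the two
# patterns from the question are concatenated here as well (assumption).
PREMATCH = r"^NOPORTS IN="
PCRE2 = r"^\S+ .+ SRC=(\S+) DST=(\S+) .+ " + r"PROTO=(\w+) "
ORDER = ["srcip", "dstip", "protocol"]


def predecode(event):
    """Return the pre-decoded parts of a syslog event, or None if the header is malformed."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return None
    return {"hostname": m.group(2), "program_name": m.group(3), "log": m.group(4)}


def decode(event):
    """Apply prematch and the concatenated pcre2 to the log part.

    Returns the fields named in <order>, or None when this decoder does not
    match (in OSSEC the event would then fall through to the stock decoder).
    """
    pre = predecode(event)
    if pre is None or not re.search(PREMATCH, pre["log"]):
        return None
    m = re.search(PCRE2, pre["log"])
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


if __name__ == "__main__":
    for name, value in (decode(SAMPLE) or {}).items():
        print(f"{name}: '{value}'")
```

A line without the NOPORTS prefix returns None here, which is the case where OSSEC would still hand the event to its built-in iptables decoder, ports included.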