
[ossec-list] Decoder patch of OSSEC v1.0 for snort log decoding

Hi list,

I was running OSSEC v0.92 to monitor snort logs from a remote snort sensor with syslog output. It was working fine until I upgraded to OSSEC v1.0. OSSEC could not decode the log into the IDS category anymore. I dug into the code and found out that the parsing logic changed in the function OS_CleanMSG and a new xml tag program_name was introduced. The new decoder.xml tries to use this new tag but was not able to parse my log format as it could before.

The sample format of my snort log:
snort[3769]: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:162

Then I noticed the difference in decoder.xml between 0.92 and 1.0. I made a slight modification to decoder.xml and it works perfectly now. The patch is attached as a snippet with this email.

Finally, I realized I should go to decoder.xml directly without digging into the code first if I just want to save some time. Hey, at least I learned. :-)

Great stuff. Keep on.

John Li



Snippet:

--- decoder.xml 2007-02-01 16:26:11.000000000 -0500
+++ decoder-new.xml     2007-02-01 16:25:59.000000000 -0500
@@ -807,16 +807,23 @@

 <decoder name="snort">
   <type>ids</type>
+  <prematch>^snort[\d+]: [\d+:\d+:\d+] </prematch>
+</decoder>
+
+<decoder name="snort">
+  <type>ids</type>
   <prematch>^[**] [\d+:\d+:\d+] </prematch>
 </decoder>

 <decoder name="snort2">
    <parent>snort</parent>
    <type>ids</type>
-   <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
+   <prematch>^[**] |^[\d+:\d+:\d+] |^snort[\d+]: </prematch>
    <regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex>
    <regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex>
    <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
+   <regex>|^snort[\d+]: [(\d+:\d+:\d+)] \.+ </regex>
+   <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
    <order>id,srcip,dstip</order>
    <fts>name,id,srcip,dstip</fts>
 </decoder>
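Review bot: this hunk leaves two `<decoder name="snort">` entries (the new `^snort[\d+]: [\d+:\d+:\d+] ` one is inserted ahead of the existing `^[**] [\d+:\d+:\d+] ` one) while snort2 still names a single `<parent>snort</parent>`; please confirm that the decoder loader attaches a child to every parent entry sharing that name rather than only the first one it finds, otherwise lines in the `[**]` form would be claimed by the second parent and never reach the id/srcip/dstip extraction in snort2. The safer shape, and the one the same hunk already uses for snort2, is a single parent whose prematch carries both forms: `<prematch>^snort[\d+]: [\d+:\d+:\d+] |^[**] [\d+:\d+:\d+] </prematch>`. It would also help to document, in the mail or a comment in decoder.xml, why the 1.0 `<program_name>` tag mentioned above is not used and the `snort[pid]: ` prefix is matched inside prematch instead, so the next person touching this decoder does not "fix" it back.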




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.