Hi All
Is there a way to extract the IP from the remote address in this Log-example to block it in a rule?
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
{"reqId":"Dh6pNaRlXRvL7dD7d03i","level":2,"time":"2019-06-25T02:02:38+02:00","remoteAddr":"194.99.106.230","user":"--","app":"core","method":"GET","url":"\/index.php?seite=0","message":"Trusted domain error. \"194.99.106.230\" tried to access host."}
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
regards
almi.support
How to extract IP from Log
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: How to extract IP from Log
Yes, you just need to create a decoder for that application/platform's log format, which will then allow you to assign key values for each position/pattern/delimiter in your log file. You'll find decoders in /var/ossec/etc/decoders.d/
For example:
May 14 17:49:12 auth openvpn: Sun May 14 17:49:12 2017 200.200.200.200:17777 [chapolin] Peer Connection Initiated with [AF_INET]200.200.200.200:53230
-->
<decoder name="openvpn-ip-user">
<parent>openvpn</parent>
<prematch>\S+:\d+ [</prematch>
<regex>(\S+):(\d+) [(\S+)]</regex>
<order>srcip,srcport,srcuser</order>
</decoder>
If you have a commercial support license for OSSEC, just send along your licensed username and type of license to support and they can take care of this for you. Please remember to include your username for your license in your request. You can access support here:
support.atomicorp.com
Michael Shinn
Atomicorp - Security For Everyone
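As an added worked example (not part of Mike's reply and not code shipped by OSSEC or Atomicorp), here is the same approach applied to the JSON line from the opening post: a parent decoder that claims the Nextcloud/ownCloud JSON log, a child decoder that copies remoteAddr into srcip, two local rules, and an active-response entry that runs firewall-drop once a source repeats the error. The decoder and rule names, the rule IDs, the level/frequency/timeframe values and the file name are my assumptions, not anything the thread specifies; the decoder file also has to be referenced from the <rules> section of ossec.conf (as a <decoder> or <decoder_dir> entry), which is what the rest of this thread goes on to ask about.

```xml
<!-- Added example decoders; file name and decoder names are assumptions.
     Save as /var/ossec/etc/decoders.d/nextcloud_decoder.xml (or append to
     /var/ossec/etc/local_decoder.xml) and make sure ossec.conf loads it. -->
<decoder name="nextcloud-json">
  <!-- Claim only lines that start like the Nextcloud/ownCloud JSON log. -->
  <prematch>^{"reqId":"</prematch>
</decoder>

<decoder name="nextcloud-json-remoteaddr">
  <parent>nextcloud-json</parent>
  <!-- OSSEC regex syntax: \d+ is one or more digits; the "." between the
       octets is a literal dot. There is no ^ anchor, so the pattern is
       searched for anywhere in the line, wherever remoteAddr sits. -->
  <regex>"remoteAddr":"(\d+.\d+.\d+.\d+)"</regex>
  <!-- Map the single capture group onto srcip, the field that
       <same_source_ip/> and the firewall-drop active response act on. -->
  <order>srcip</order>
</decoder>

<!-- Added example rules for /var/ossec/rules/local_rules.xml.
     IDs 100100/100101 are inside the 100000-119999 range reserved for local
     rules; level, frequency and timeframe are arbitrary starting points. -->
<group name="nextcloud,">
  <rule id="100100" level="5">
    <!-- decoded_as ties the rule to the parent decoder above, so the same
         phrase in some other application's log does not trigger it. -->
    <decoded_as>nextcloud-json</decoded_as>
    <match>Trusted domain error</match>
    <description>Nextcloud: request for a host name not in trusted_domains</description>
  </rule>

  <!-- Six hits from one srcip within 120 s escalate to level 10. -->
  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Nextcloud: repeated trusted domain errors from the same source IP</description>
  </rule>
</group>

<!-- Added example active response for the server's ossec.conf (inside
     <ossec_config>); firewall-drop is one of the commands defined in the
     stock ossec.conf. The block is lifted again after 600 s. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100101</rules_id>
  <timeout>600</timeout>
</active-response>
```

To check the decoder before restarting anything, pipe the JSON line from the first post into /var/ossec/bin/ossec-logtest: Phase 2 should name the decoder and print srcip as 194.99.106.230, and Phase 3 should report rule 100100. If Phase 2 instead shows some other decoder claiming the line (OSSEC 3.x ships a JSON_Decoder plugin, and an earlier-loaded decoder wins), point the child's <parent> at that decoder's name rather than adding a second parent. One caveat before turning on the firewall-drop response: if Nextcloud sits behind a reverse proxy and trusted_proxies / forwarded_for_headers are not set in its config.php, remoteAddr is the proxy's own address, and this rule would block the proxy instead of the scanner.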
Re: How to extract IP from Log
Hi support
Thanks for your help. In my default ossec-server installation, the "decoders.d" folder is missing. How do I tell ossec to use decoders from this folder?
regards
almi support
- mikeshinn
Re: How to extract IP from Log
What version of OSSEC are you using?
Michael Shinn
Atomicorp - Security For Everyone
Re: How to extract IP from Log
OSSEC HIDS v3.3.0 - OSSEC Foundation