Atomic Secure Linux


All times are UTC - 5 hours [ DST ]

 Post subject: How to extract IP from Log
Posted: Mon Jul 01, 2019 6:01 am
New Forum User

Joined: Mon Jul 01, 2019 5:42 am
Posts: 3
Location: Austria
Hi All

Is there a way to extract the IP from the remote address in this log example to block it in a rule?

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

{"reqId":"Dh6pNaRlXRvL7dD7d03i","level":2,"time":"2019-06-25T02:02:38+02:00","remoteAddr":"194.99.106.230","user":"--","app":"core","method":"GET","url":"\/index.php?seite=0","message":"Trusted domain error. \"194.99.106.230\" tried to access host."}
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

regards
almi.support


 Post subject: Re: How to extract IP from Log
Posted: Fri Jul 05, 2019 2:54 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4085
Location: Chantilly, VA
Yes, you just need to create a decoder for that application/platform's log format, which will then allow you to assign key values for each position/pattern/delimiter in your log file. You'll find decoders in /var/ossec/etc/decoders.d/

For example:

May 14 17:49:12 auth openvpn: Sun May 14 17:49:12 2017 200.200.200.200:17777 [chapolin] Peer Connection Initiated with [AF_INET]200.200.200.200:53230
-->
<decoder name="openvpn-ip-user">
<parent>openvpn</parent>
<prematch>\S+:\d+ [</prematch>
<regex>(\S+):(\d+) [(\S+)]</regex>
<order>srcip,srcport,srcuser</order>
</decoder>


If you have a commercial support license for OSSEC, just send along your licensed username and type of license to support and they can take care of this for you. Please remember to include your username for your license in your request. You can access support here:

support.atomicorp.com

_________________
Michael Shinn
Atomicorp - Security For Everyone


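The log line from the opening post, handled the same way as the OpenVPN example in the reply above: a decoder that pulls remoteAddr out of the JSON entry as srcip, a rule that fires on the "Trusted domain error" message, and an active-response entry that blocks the source after repeated hits. This is an added example, not code from the thread or from Atomicorp. The decoder and rule names, the rule ids 100200 to 100202, the frequency threshold and the file locations are assumptions chosen for illustration. Also assumed: that analysisd loads decoder files from the <decoder_dir> and <decoder> entries in the <rules> block of ossec.conf (the stock OSSEC 2.9+ configuration names etc/local_decoder.xml there), so a decoders.d directory is only read if such an entry points at it. OSSEC's regex dialect is not PCRE (no ?, no character classes, a plain . is a literal dot and \. means any character), so the patterns below are written in that dialect.

```xml
<!-- 1. Decoder: put in a decoder file that analysisd loads, e.g. /var/ossec/etc/local_decoder.xml
        (assumption: that file is listed as a <decoder> entry in the <rules> block of ossec.conf). -->
<decoder name="nextcloud-json">
  <!-- every entry of this log starts with the reqId key; ^ anchors at the start of the message -->
  <prematch>^{"reqId":"</prematch>
</decoder>

<decoder name="nextcloud-json-remoteaddr">
  <parent>nextcloud-json</parent>
  <!-- capture the dotted IPv4 value of remoteAddr; '.' is a literal dot in OSSEC regex syntax.
       An IPv6 client gives a remoteAddr this pattern does not match, so no srcip is set for it. -->
  <regex offset="after_parent">"remoteAddr":"(\d+.\d+.\d+.\d+)"</regex>
  <!-- the single capture group is assigned to the srcip field -->
  <order>srcip</order>
</decoder>

<!-- 2. Rules: put in /var/ossec/rules/local_rules.xml (ids 100000 to 119999 are reserved for local rules) -->
<group name="nextcloud,">
  <rule id="100200" level="0">
    <!-- decoded_as refers to the parent decoder name -->
    <decoded_as>nextcloud-json</decoded_as>
    <description>Nextcloud JSON log entry.</description>
  </rule>

  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <!-- match is a plain substring test against the whole log line -->
    <match>Trusted domain error</match>
    <description>Nextcloud: request with an untrusted Host header.</description>
  </rule>

  <rule id="100202" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100201</if_matched_sid>
    <!-- correlate on the srcip the decoder extracted (threshold is an assumed value) -->
    <same_source_ip />
    <description>Nextcloud: repeated trusted-domain errors from the same source IP.</description>
  </rule>
</group>

<!-- 3. Active response: put inside <ossec_config> in /var/ossec/etc/ossec.conf.
        firewall-drop is a command defined in the stock ossec.conf and expects a srcip. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100202</rules_id>
  <timeout>600</timeout>
</active-response>
```

Before restarting, paste the JSON line into /var/ossec/bin/ossec-logtest: its output should name the decoder, show srcip 194.99.106.230, and report rule 100201. Rule 100202 only fires once the same source IP has produced six such alerts within 120 seconds, and only then does the firewall-drop response run, so a single stray request does not lead to a block.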
 Post subject: Re: How to extract IP from Log
Posted: Mon Jul 15, 2019 3:15 am
New Forum User

Joined: Mon Jul 01, 2019 5:42 am
Posts: 3
Location: Austria
Hi support

Thanks for your help. In my default ossec-server installation the "decoders.d" folder is missing. How do I tell ossec to use decoders from this folder?

regards

almi support


 Post subject: Re: How to extract IP from Log
Posted: Thu Jul 18, 2019 1:29 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4085
Location: Chantilly, VA
What version of OSSEC are you using?

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: How to extract IP from Log
Posted: Mon Jul 22, 2019 4:58 am
New Forum User

Joined: Mon Jul 01, 2019 5:42 am
Posts: 3
Location: Austria
OSSEC HIDS v3.3.0 - OSSEC Foundation


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group