Add cpanel decoders and rules. #1036
base: master
Conversation
etc/decoder.xml
- 10.1.5.19 - paul [11/18/2016:09:35:43 -0000] "GET" FAILED LOGIN cpdavd: Could not fetch system home directory for paul | ||
--> | ||
|
||
<decoder name="cpanel-access-failed"> |
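Review bot: `<decoder name="cpanel-access-failed">` opens a decoder whose only visible context is the sample line `10.1.5.19 - paul [11/18/2016:09:35:43 -0000] "GET" FAILED LOGIN ...`; its prematch should anchor on the literal `FAILED LOGIN` that follows the quoted method and accept either sign in the zone offset after the timestamp (`-0000` here, but `+` offsets occur too), otherwise lines with the other sign are left for whichever earlier decoder has a looser bracketed-timestamp prematch.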
It looks like this decoder is causing the failures, but I'm not sure why yet.
The log message associated with this didn't seem to match a decoder (at least on my setup), so using this decoder things seem to work so far:
```xml
<decoder name="cpanel-access-failed">
  <!-- parent/after_parent variant kept for reference; it did not match on my setup
  <parent>web-accesslog</parent>
  <prematch offset="after_parent">^FAILED LOGIN</prematch>-->
  <!-- srcip, "-", user, bracketed timestamp with either zone sign, quoted method, literal FAILED LOGIN -->
  <prematch>^\S+ \S+ \S+ [\d\d/\d\d/\d\d\d\d:\d\d:\d\d:\d\d \S*\d+] "\S+" FAILED LOGIN</prematch>
  <regex>^(\S+) \S+ (\S+)</regex>
  <order>srcip,user</order>
</decoder>
```
I have tested your proposed decoder and I am confirming it is working as expected and CI tests are passing. I have added the fix to the pull request. Please merge.
I think the postgresql_log log decoder should be fixed to avoid clashes with and duplication of the cpanel decoders and rules like I proposed.
What's wrong with the postgresql_log decoder exactly?
The problem with the postgresql_log decoder is that it will decode messages like '[2017-02-03 01:21:31 -0500]' and not like '[2017-02-03 01:21:31 +0500]' (note the '+' sign). So to handle both cases I had to duplicate all rules and decoders for cpanel. One way to avoid this is to fix the postgresql_log decoder to be more specific, so it doesn't clash with the cpanel decoders at all, but I don't have much knowledge of their log format, so I can't propose how to do it.
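To make the clash described above concrete, here is an added Python example (not OSSEC's code) that mimics decoder selection: a constructed, sign-specific bracketed-timestamp decoder stands in for postgresql_log, and the cpanel-access-failed decoder proposed earlier in this thread is translated into Python `re` syntax. The stand-in decoder, the translation and the sample lines are all assumptions, not the project's real decoders or logs.

```python
import re

# Added example (not OSSEC's code). OSSEC's own os_regex syntax differs from
# Python's; the patterns here are Python re translations of the patterns in
# this thread, and the first decoder is a constructed stand-in, not the real
# postgresql_log decoder.
DECODERS = [
    {   # constructed: broad bracketed timestamp that only accepts a '-' offset
        "name": "bracketed-ts-minus-only",
        "prematch": re.compile(r"^\[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d -\d{4}\]"),
        "regex": None, "order": [],
    },
    {   # translation of the cpanel-access-failed decoder proposed above
        "name": "cpanel-access-failed",
        "prematch": re.compile(r'^\S+ \S+ \S+ \[\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d'
                               r' \S*\d+\] "\S+" FAILED LOGIN'),
        "regex": re.compile(r"^(\S+) \S+ (\S+)"),
        "order": ["srcip", "user"],
    },
]

def decode(line):
    """Mimic decoder selection: the first decoder whose prematch hits claims
    the line; its regex groups are mapped onto the <order> field names.
    Returns (decoder_name, fields), or (None, {}) if nothing matches."""
    for d in DECODERS:
        if not d["prematch"].search(line):
            continue
        fields = {}
        if d["regex"] is not None:
            m = d["regex"].search(line)
            if m:
                fields = dict(zip(d["order"], m.groups()))
        return d["name"], fields
    return None, {}

# Constructed sample lines: the access-log line from the diff above, with a
# '-' and a '+' zone offset, and a bracketed-timestamp line in both variants.
FAILED_MINUS = ('10.1.5.19 - paul [11/18/2016:09:35:43 -0000] "GET" FAILED LOGIN '
                'cpdavd: Could not fetch system home directory for paul')
FAILED_PLUS = FAILED_MINUS.replace("-0000", "+0500")
SESSION_MINUS = "[2017-02-03 01:21:31 -0500] constructed cpanel session event"
SESSION_PLUS = SESSION_MINUS.replace("-0500", "+0500")

if __name__ == "__main__":
    for line in (FAILED_MINUS, FAILED_PLUS, SESSION_MINUS, SESSION_PLUS):
        print(decode(line))
```

The `-0500` line is claimed by the broad stand-in while the `+0500` line falls through to nothing, which is the duplication problem the comment describes; the proposed cpanel prematch itself accepts both signs.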
etc/decoder.xml
@@ -2943,6 +2942,68 @@ Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2 | |||
<prematch offset="after_parent">^SMTP call from </prematch> | |||
<regex offset="after_prematch">[(\S+)]:\d+ dropped: too many syntax or protocol errors</regex> | |||
<order>srcip</order> | |||
|
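Review bot: the exim decoder that ends with `<order>srcip</order>` in this hunk has no closing `</decoder>` before the new cpanel content begins; add `</decoder>` directly after the `<order>srcip</order>` line so etc/decoder.xml stays well-formed and the following decoders are not parsed as children of the exim one.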
You lost the </decoder> from the exim decoder here.
Oops, fixed.
We should also capture these as tests in ossec-testing so we don't end up with collisions on other rules. As I recall, cpanel environments frequently use the Windows timestamp format, for example; I know that would overlap with the windows decoder.
This fix should detect successful logins from cpanel session_log instead of login_log and thus work on older versions of cpanel. In addition, the logout decoders and rules are made more specific since there are other 'PURGE' events in cpanel session_log with a different format and semantics than logout events.