Extract dstuser nginx decoders #151

Status: Open. Wants to merge 3 commits into master.

Conversation

SitoRBJ (Contributor) commented Jun 28, 2018

Hello team,

Based on #141, we have added two twin decoders in order to get the "dstuser" field when the event contains the user.

The new decoders:

<!-- First twin: matches the literal ' user "' after the parent decoder's match and captures the username -->
<decoder name="nginx-errorlog-user-ip">
  <parent>nginx-errorlog</parent>
  <prematch offset="after_parent"> user "\.+"</prematch>
  <regex offset="after_parent"> user "(\.+)"</regex>
  <order>dstuser</order>
</decoder>

<!-- Second twin: same name and parent; its regex starts where the first twin's regex match ended -->
<decoder name="nginx-errorlog-user-ip">
  <parent>nginx-errorlog</parent>
  <regex offset="after_regex">client: (\S+),</regex>
  <order>srcip</order>
</decoder>

Logtest output without user:

2009/09/15 20:55:40 [error] 63858#0: *3663 open() "/srv/www/ossec.net/robots.txt" failed (2: No such file or directory), client: 1.2.3.4, server: ossec.net, request: "GET /robots.txt HTTP/1.1", host: "www.ossec.net"

**Phase 1: Completed pre-decoding.
       full event: '2009/09/15 20:55:40 [error] 63858#0: *3663 open() "/srv/www/ossec.net/robots.txt" failed (2: No such file or directory), client: 1.2.3.4, server: ossec.net, request: "GET /robots.txt HTTP/1.1", host: "www.ossec.net"'
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: '2009/09/15 20:55:40 [error] 63858#0: *3663 open() "/srv/www/ossec.net/robots.txt" failed (2: No such file or directory), client: 1.2.3.4, server: ossec.net, request: "GET /robots.txt HTTP/1.1", host: "www.ossec.net"'

**Phase 2: Completed decoding.
       decoder: 'nginx-errorlog'
       srcip: '1.2.3.4'

**Phase 3: Completed filtering (rules).
       Rule id: '31310'
       Level: '0'
       Description: 'Nginx: Server returned 404 (reported in the access.log).'

2009/09/15 19:51:07 [error] 37992#0: accept() failed (53: Software caused connection abort)
**Phase 1: Completed pre-decoding.
       full event: '2009/09/15 19:51:07 [error] 37992#0: accept() failed (53: Software caused connection abort)'
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: '2009/09/15 19:51:07 [error] 37992#0: accept() failed (53: Software caused connection abort)'

**Phase 2: Completed decoding.
       decoder: 'nginx-errorlog'

**Phase 3: Completed filtering (rules).
       Rule id: '31311'
       Level: '0'
       Description: 'Nginx: Incomplete client request.'

Logtest output with user:

2018/05/26 06:46:11 [error] 31963#31963: *28769 user "user1" was not found in "/etc/nginx/conf.d/users.htpasswd", client: 1.2.3.4, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
**Phase 1: Completed pre-decoding.
       full event: '2018/05/26 06:46:11 [error] 31963#31963: *28769 user "user1" was not found in "/etc/nginx/conf.d/users.htpasswd", client: 1.2.3.4, server: example.com, request: "GET / HTTP/1.1", host: "example.com"'
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: '2018/05/26 06:46:11 [error] 31963#31963: *28769 user "user1" was not found in "/etc/nginx/conf.d/users.htpasswd", client: 1.2.3.4, server: example.com, request: "GET / HTTP/1.1", host: "example.com"'

**Phase 2: Completed decoding.
       decoder: 'nginx-errorlog'
       dstuser: 'user1'
       srcip: '1.2.3.4'

**Phase 3: Completed filtering (rules).
       Rule id: '31315'
       Level: '5'
       Description: 'Nginx: Web authentication failed.'
**Alert to be generated.

2018/05/27 10:22:20 [error] 31972#31972: *52363 user "test user": password mismatch, client: 1.2.3.4, server: example.com, request: "GET / HTTP/2.0", host: "example.com"
**Phase 1: Completed pre-decoding.
       full event: '2018/05/27 10:22:20 [error] 31972#31972: *52363 user "test user": password mismatch, client: 1.2.3.4, server: example.com, request: "GET / HTTP/2.0", host: "example.com"'
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: '2018/05/27 10:22:20 [error] 31972#31972: *52363 user "test user": password mismatch, client: 1.2.3.4, server: example.com, request: "GET / HTTP/2.0", host: "example.com"'

**Phase 2: Completed decoding.
       decoder: 'nginx-errorlog'
       dstuser: 'test user'
       srcip: '1.2.3.4'

**Phase 3: Completed filtering (rules).
       Rule id: '31315'
       Level: '5'
       Description: 'Nginx: Web authentication failed.'
**Alert to be generated.

Kind regards,

Alfonso Ruiz-Bravo
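
A runnable model of the decoder chain described above, added here as an example and not code from the PR or from the Wazuh ruleset: it translates the two twin decoders into Python regexes, runs them over the four log lines from the description plus one constructed line, and shows what offset="after_regex" buys. The parent prematch and the client-IP fallback used when no user is present are assumptions modelled on the logtest output (srcip is decoded for the userless 404 line), not copies of the ruleset's own decoders. OSSEC's `\.+` is rendered as `[^"]+` because the output above shows the capture ending at the first closing quote ("test user" is kept whole).

```python
import re
from typing import Optional

# Sample input: the four lines from the PR description, plus one constructed
# line whose username carries a fake "client:" field (not from the page).
SAMPLE_LINES = [
    '2009/09/15 20:55:40 [error] 63858#0: *3663 open() "/srv/www/ossec.net/robots.txt" failed (2: No such file or directory), client: 1.2.3.4, server: ossec.net, request: "GET /robots.txt HTTP/1.1", host: "www.ossec.net"',
    '2009/09/15 19:51:07 [error] 37992#0: accept() failed (53: Software caused connection abort)',
    '2018/05/26 06:46:11 [error] 31963#31963: *28769 user "user1" was not found in "/etc/nginx/conf.d/users.htpasswd", client: 1.2.3.4, server: example.com, request: "GET / HTTP/1.1", host: "example.com"',
    '2018/05/27 10:22:20 [error] 31972#31972: *52363 user "test user": password mismatch, client: 1.2.3.4, server: example.com, request: "GET / HTTP/2.0", host: "example.com"',
]
SPOOF_LINE = (  # constructed: attacker-chosen username that mimics the client field
    '2018/05/27 10:23:00 [error] 31972#31972: *52364 user "client: 6.6.6.6, x": password mismatch, '
    'client: 1.2.3.4, server: example.com, request: "GET / HTTP/2.0", host: "example.com"'
)

# Assumed parent prematch (the real nginx-errorlog prematch is not shown on the
# page): date, time, [level], pid#tid and the trailing ": ".
PARENT_PREMATCH = re.compile(r'^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[\w+\] \d+#\d+: ')

# First twin, OSSEC  user "(\.+)"  -> stop at the first closing quote.
USER_RE = re.compile(r' user "([^"]+)"')
# Second twin, OSSEC  client: (\S+),  searched only after USER_RE's match.
CLIENT_RE = re.compile(r'client: (\S+),')


def decode(line: str) -> Optional[dict]:
    """Model of parent + twin decoders for one nginx error-log line.

    Returns None when the parent prematch fails, otherwise a dict holding the
    decoder name and the fields that were extracted.
    """
    m = PARENT_PREMATCH.match(line)
    if not m:
        return None
    fields = {"decoder": "nginx-errorlog"}
    rest = line[m.end():]            # offset="after_parent"

    um = USER_RE.search(rest)
    if um:
        fields["dstuser"] = um.group(1)
        after_user = rest[um.end():]  # offset="after_regex": skip the username
        cm = CLIENT_RE.search(after_user)
        if cm:
            fields["srcip"] = cm.group(1)
        return fields

    # No user on the line: assumed plain client-IP decoder searched after the
    # parent match, mirroring the page's output for the userless 404 line.
    cm = CLIENT_RE.search(rest)
    if cm:
        fields["srcip"] = cm.group(1)
    return fields


def srcip_ignoring_offset(line: str) -> Optional[str]:
    """What a client-IP regex would return if it were searched from the parent
    match without the after_regex offset: the first 'client:' wins."""
    m = PARENT_PREMATCH.match(line)
    if not m:
        return None
    cm = CLIENT_RE.search(line[m.end():])
    return cm.group(1) if cm else None


def decode_all(lines=SAMPLE_LINES):
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for out in decode_all():
        print(out)
    print("spoof line, twin decoders:", decode(SPOOF_LINE))
    print("spoof line, no offset:   ", srcip_ignoring_offset(SPOOF_LINE))
```

The constructed SPOOF_LINE is the reason the second twin uses offset="after_regex": the username comes from the client's Basic auth header, so anything the client-IP regex could match inside it is attacker-controlled. Searching only after the captured username yields the real 1.2.3.4, while a regex run from the start of the message would pick up 6.6.6.6. The same quote-delimited capture also means a username containing a double quote is truncated at that quote in this model; dstuser should be treated as untrusted input in rules and dashboards either way.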

iasdeoupxe and others added 3 commits May 27, 2018 10:57
Extract the dstuser for nginx basic auth
We have added two twin decoders in order to get the "dstuser" field when the event contains the user.
iasdeoupxe (Contributor) commented Jun 28, 2018

Hey, nice and thanks for the heads-up for my suggestion. Will try to test this in a few days.

@SitoRBJ SitoRBJ changed the base branch from master to 3.7 September 12, 2018 09:39
iasdeoupxe (Contributor) commented
Completely forgot to add my feedback here 🙁 . I haven't found any issues during my short tests.

@SitoRBJ @migruiz4 @jesuslinares Anything required to push / get this forward, as it seems it's been stuck for more than a year?

@vikman90 vikman90 changed the base branch from 3.7 to develop July 31, 2020 12:13
@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:21