
Fix IIS logs in OSSEC Decoder

kr1spy84


There is a bug with how decoder.xml decodes iis-default
messages (IIS 7.5 used as an example).  The code below is the decoder in
question:

[screenshot: the iis-default decoder from decoder.xml]

I am using the test string:

2018-01-05 21:31:58 10.99.2.2 GET /dashboard/Dashboard_files/stylesheet.css - 443 test 10.99.1.23 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 15


When I run it through ossec-logtest, I get the following information:

[screenshot: ossec-logtest output]

The decoder incorrectly identifies the user as the srcip.

If I change the decoder.xml from

<regex offset="after_prematch">(\S+ \S*) \.* (\S+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>

to

<regex offset="after_prematch">(\S+ \S*) \S* \S* (\S+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>


I get the correct output:

[screenshot: ossec-logtest output after the change]



This should probably be fixed in the base decoder.xml file, or there needs to be a way of providing a local_decoder.xml file that overrides this rule.
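An added check, written for this page and not taken from the post or from OSSEC: it splits an IIS W3C log line positionally into its named fields and compares that ground truth with what the two after_prematch regexes above extract, so the misalignment (username landing in srcip) can be shown on any sample line rather than eyeballed in ossec-logtest. Assumptions: the 14-field default W3C layout that the test line uses (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), sc-status, sc-substatus, sc-win32-status, time-taken); the OSSEC regexes are translated to Python `re` syntax (OSSEC's `\.` is "any character"), and since OSSEC's matcher is not PCRE the lazy `.*?` in the original is a deliberate approximation chosen to reproduce the behaviour the post's logtest output shows; the second sample line is constructed.

```python
"""Added example: check the iis-default decoder's field alignment against a
positional parse of the W3C log line. Not code from the post or from OSSEC."""
import re

# Assumed 14-field default W3C layout that the test line in the post uses.
W3C_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
              "sc-win32-status time-taken").split()

SAMPLE_LINES = [
    # the test line from the post
    "2018-01-05 21:31:58 10.99.2.2 GET /dashboard/Dashboard_files/stylesheet.css - 443 test 10.99.1.23 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 15",
    # constructed: anonymous user ("-"), a query string and a non-200 status
    "2018-01-05 21:32:10 10.99.2.2 GET /api/items id=42 80 - 203.0.113.7 curl/7.58.0 404 0 2 3",
]

# The iis-default prematch consumes date, time, s-ip and cs-method.
PREMATCH = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ \S+ ")

# The two after_prematch regexes from the post, translated to Python syntax.
# OSSEC's matcher is not PCRE; the lazy '.*?' in ORIGINAL is an assumption
# made so that the translation reproduces the logtest output in the post
# (username captured as srcip).
ORIGINAL = re.compile(r"^(\S+ \S*) .*? (\S+) \S*.* (\d\d\d) \S+ \S+ \S+$")
FIXED = re.compile(r"^(\S+ \S*) \S* \S* (\S+) \S*.* (\d\d\d) \S+ \S+ \S+$")
ORDER = ("url", "srcip", "id")  # the decoder's <order>


def parse_w3c(line):
    """Positional ground truth: map the 14 whitespace-separated fields to names."""
    fields = line.split(" ")
    if len(fields) != len(W3C_FIELDS):
        raise ValueError(f"expected {len(W3C_FIELDS)} fields, got {len(fields)}")
    return dict(zip(W3C_FIELDS, fields))


def decode(line, after_prematch):
    """Emulate the decoder: apply the prematch, then the regex on the remainder."""
    pre = PREMATCH.match(line)
    if not pre:
        return None
    m = after_prematch.match(line[pre.end():])
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def check_decoder(after_prematch, line):
    """Return {field: (expected, got)} for every decoded field that disagrees
    with the positional parse; an empty dict means the decoder is aligned."""
    truth = parse_w3c(line)
    expected = {
        "url": truth["cs-uri-stem"] + " " + truth["cs-uri-query"],
        "srcip": truth["c-ip"],
        "id": truth["sc-status"],
    }
    got = decode(line, after_prematch)
    if got is None:
        return {"match": "decoder did not match"}
    return {k: (expected[k], got[k]) for k in ORDER if expected[k] != got[k]}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print("original:", check_decoder(ORIGINAL, sample))
        print("fixed:   ", check_decoder(FIXED, sample))
```

The point the comparison makes is structural rather than about one line: between the URL and c-ip there are always exactly two fields (s-port and cs-username), so matching them as `\S* \S*` pins srcip to the right column, whereas `\.*` leaves the engine free to stop at the first token that happens to fit, which for any authenticated request is the username. The OSSEC regex translation is an approximation; the positional parse is the part to trust, and the same check can be rerun against ossec-logtest output for the real engine.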
