For the following logs:
May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root
May 7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root
the following rules give the same output:
<!-- local_rules.xml: OSSEC loads rules only inside a <group> root element -->
<group name="local,syslog,">
  <!-- Catch and treat su events logged by PAM on CentOS/RHEL.
       Rule 5500 is the stock pam group parent (decoded_as pam); everything
       below hangs off it via if_sid, so any pam-decoded line reaches it. -->
  <rule id="100002" level="0" noalert="1">
    <if_sid>5500</if_sid>
  </rule>
  <rule id="100003" level="9">
    <if_sid>100002</if_sid>
    <match>authentication fail</match>
    <description>SU session to root attempted.</description>
    <group>authentication_failure,</group>
  </rule>
  <rule id="100004" level="9">
    <if_sid>100002</if_sid>
    <match>session opened</match>
    <description>SU session to root opened.</description>
    <group>authentication_success,</group>
  </rule>
  <rule id="100005" level="9">
    <if_sid>100002</if_sid>
    <match>session closed</match>
    <description>SU session to root closed.</description>
    <group>authentication_success,</group>
  </rule>
  <!-- Second approach: key on the program name instead of the decoder -->
  <rule id="100006" level="0" noalert="1">
    <program_name>su(pam_unix)</program_name>
    <match>authentication</match>
    <description>su collection</description>
  </rule>
  <!-- May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root -->
  <rule id="100007" level="10">
    <if_sid>100006</if_sid>
    <match>failure</match>
    <description>blahblah</description>
  </rule>
</group>
# /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
2010/05/11 19:30:41 ossec-testrule: INFO: Started (pid: 28267).
ossec-testrule: Type one log per line.

May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root

**Phase 1: Completed pre-decoding.
       full event: 'May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root'
       hostname: 'Server'
       program_name: 'su(pam_unix)'
       log: 'authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root'

**Phase 2: Completed decoding.
       decoder: 'pam'

**Phase 3: Completed filtering (rules).
       Rule id: '100003'
       Level: '9'
       Description: 'SU session to root attempted.'
**Alert to be generated.

May 7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root

**Phase 1: Completed pre-decoding.
       full event: 'May 7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root'
       hostname: 'server'
       program_name: 'su'
       log: 'pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root'

**Phase 2: Completed decoding.
       decoder: 'pam'

**Phase 3: Completed filtering (rules).
       Rule id: '100003'
       Level: '9'
       Description: 'SU session to root attempted.'
**Alert to be generated.
On Tue, May 11, 2010 at 2:53 PM, Nicholas Ritter <[email protected]> wrote:
> The matching does not seem to work regardless of what I put in it.
>
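As an added example (not part of the original post and not OSSEC's own code), the Python below models the three ossec-logtest phases shown above over constructed copies of the two events plus a constructed "session opened" line. It splits the syslog header the way phase 1 does (hostname, program_name with an optional [pid], log body), selects the pam decoder when "pam_unix" appears in the program name or at the start of the log body, and walks the rule tree from rule 5500 (OSSEC's pam group parent) through the local rules from the post. The rule engine is a simplified model: `match` is a substring test, `program_name` an exact string compare, and children are tried in file order with the first hit descending; the real engine's rule ordering and pattern syntax differ, so treat the result as an illustration of why both lines land on 100003, not as a reimplementation.

```python
import re

# Constructed copies of the two events from the post, plus a constructed
# "session opened" line in the same format (not captured from a real host).
SAMPLE_LOGS = [
    "May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; "
    "logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root",
    "May 7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; "
    "logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root",
    "May 7 09:55:10 Server su(pam_unix)[17700]: session opened for user root "
    "by username(uid=500)",
]

# Syslog header: timestamp, hostname, program name, optional [pid], ': ', body.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(event):
    """Phase 1 (model): split the syslog header into the fields logtest prints."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        raise ValueError(f"not a syslog line: {event!r}")
    return {"full_event": event, "hostname": m["hostname"],
            "program_name": m["program_name"], "log": m["log"]}


def decode(fields):
    """Phase 2 (model): the pam decoder keys on 'pam_unix' either in the
    program name (su(pam_unix)) or at the start of the log body (pam_unix(su-l:auth))."""
    if "pam_unix" in fields["program_name"] or fields["log"].startswith("pam_unix"):
        return "pam"
    return None


# Rule set: 5500 is the stock pam group parent; the rest are the post's local
# rules expressed as dicts (ids, levels, conditions and descriptions as posted).
RULES = [
    {"id": 5500, "level": 0, "decoded_as": "pam"},
    {"id": 100002, "level": 0, "if_sid": 5500},
    {"id": 100003, "level": 9, "if_sid": 100002, "match": "authentication fail",
     "description": "SU session to root attempted."},
    {"id": 100004, "level": 9, "if_sid": 100002, "match": "session opened",
     "description": "SU session to root opened."},
    {"id": 100005, "level": 9, "if_sid": 100002, "match": "session closed",
     "description": "SU session to root closed."},
    {"id": 100006, "level": 0, "program_name": "su(pam_unix)",
     "match": "authentication", "description": "su collection"},
    {"id": 100007, "level": 10, "if_sid": 100006, "match": "failure",
     "description": "blahblah"},
]


def rule_matches(rule, fields, decoder):
    """Model of the per-rule conditions: exact program_name, substring match."""
    if "decoded_as" in rule and rule["decoded_as"] != decoder:
        return False
    if "program_name" in rule and rule["program_name"] != fields["program_name"]:
        return False
    if "match" in rule and rule["match"] not in fields["log"]:
        return False
    return True


def evaluate(fields, decoder, parent=None):
    """Phase 3 (model): depth-first walk; the deepest matching rule is reported.
    Simplification: siblings are tried in file order and the first hit descends."""
    for rule in RULES:
        if rule.get("if_sid") != parent or not rule_matches(rule, fields, decoder):
            continue
        child = evaluate(fields, decoder, parent=rule["id"])
        return child if child else rule
    return None


def run(event):
    """Run all three phases and return what logtest would report."""
    fields = predecode(event)
    decoder = decode(fields)
    rule = evaluate(fields, decoder)
    if rule is None:
        return {"decoder": decoder, "rule_id": None, "level": 0, "alert": False}
    return {"decoder": decoder, "rule_id": rule["id"], "level": rule["level"],
            "description": rule.get("description", ""), "alert": rule["level"] > 0}


if __name__ == "__main__":
    for event in SAMPLE_LOGS:
        f = predecode(event)
        print(f"program_name={f['program_name']!r} log={f['log'][:40]!r}...")
        print("  ->", run(event))
```

Both posted events reach 100003 through 5500 -> 100002 because the pam decoder fires first and that subtree is walked before the program_name rule; the second event has program_name `su`, so 100006 would not apply to it even if it were reached. The constructed third line shows the same tree selecting 100004.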