[ossec-list] Re: Logtest behave different then analysisd with compiled rules

Tue, 06 Jul 2010 08:04:55 -0700 

Dears,
I have still not solved my problem.

I need to monitor audits of only a set of users. I build a compiled
rule to check if the dstuser of
These are the facts: I

- create a logman.c file (that's reported on bottom)
- registered the rule with register_rule.sh script
- used the install.sh script to compile and install a new ossec
istance.
- i modified the msauth xml file with <compiled_rule>logman</
compiled_rule>
- i create and 777ed /var/ossec/adslist file with usernames i need to
monitor.

Testing it with ossec-logtest work's like a charme but the same log
(captured from windows agent debug log) never match.


What's wrong in my procedure?


===  log test  ===

WinEvtLog: Security: AUDIT_SUCCESS(528): Security: stefano.pedretti:
AOVV: PROTOCOLLO: Successful Logon:     User Name: stefano.pedretti
        Domain:         AOVV            Logon ID:       (0x0,0xBC31F0D)         
Logon Type: 10
Logon Process: User32           Authentication Package: Negotiate
Workstation Name: PROTOCOLLO            Logon GUID: {0e5df325-5cbf-
aa8c-81c3-0e4778ca5241}         Caller User Name: PROTOCOLLO$           Caller
Domain: AOVV            Caller Logon ID: (0x0,0x3E7)            Caller Process 
ID:
3204            Transited Services: -           Source Network Address:
11.128.128.1            Source Port: 36567


**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon:           User Name:
stefano.pedretti        Domain:         AOVV            Logon ID:       
(0x0,0xBC31F0D)
Logon Type: 10          Logon Process: User32           Authentication Package:
Negotiate       Workstation Name: PROTOCOLLO            Logon GUID:
{0e4df325-5cbf-aa8c-81c3-0e4778ca5241}          Caller User Name: PROTOCOLLO
$       Caller Domain: AOVV     Caller Logon ID: (0x0,0x3E7)            Caller
Process ID: 3204        Transited Services: -           Source Network Address:
10.128.128.1    Source Port: 36567    '
       hostname: 'nordcom'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon:           User Name:
stefano.pedretti    Domain:     AOVV            Logon ID:       (0x0,0xBC31F0D)
Logon Type: 10          Logon Process: User32           Authentication Package:
Negotiate       Workstation Name: PROTOCOLLO            Logon GUID:
{0e4df325-5cbf-aa8c-81c3-0e4778ca5241}          Caller User Name: PROTOCOLLO
$       Caller Domain: AOVV     Caller Logon ID: (0x0,0x3E7)            Caller
Process ID: 3204        Transited Services: -           Source Network Address:
10.128.128.1            Source Port: 36567    '

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '528'
       extra_data: 'Security'
       dstuser: 'stefano.pedretti'
       system_name: 'PROTOCOLLO'

**Phase 3: Completed filtering (rules).
       Rule id: '18107'
       Level: '3'
       Description: 'Windows Logon Success.'
**Alert to be generated.

=== logman.c ===

/*
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation.

Stefano Pedretti - NordCom S.p.A Italy
Compiled rule logman for userlist matching.
Put in a ossec readable file /var/ossec/adslist
the user list in lower case.

Changelog
        rev 1.2 Comments
        rev 1.1 Review and semplification
        rev 1.0 Initial code implementation

        <compiled_rule>logman</compiled_rule>

*/

#include "shared.h"
#include "eventinfo.h"
#include "config.h"
#include <stdio.h>

void *logman(Eventinfo *lf)
{
    static const char filename[] = "/var/ossec/adslist";
    char *user = NULL;
    char line[256];
    int i = 0;


    //printf("Inizio custom rule logman.\n");

    if(!lf->dstuser)
    {
        // Cosa fare nel caso in cui il campo dstuser non รจ previsto dal
decoder?
        //printf("Campo dstuser nullo.\n");

        //Accettare
       // return(lf);

        //Rifiutare
       return(NULL);
    }


    user = lf->dstuser;

    //printf("Utente: %s\n",user);

    Eventinfo *lfr = NULL;

   if(strlen(user) > 0){
      FILE *file = fopen ( filename, "r" );

      if ( file != NULL ){

          while (fgets(line, 256, file) != NULL){

            line[strlen(line)-1] = 0;

      //      printf("-%s-,-%s-\n",lf->dstuser,line);
      //      printf("-%d-,-%d-\n",strlen(lf->dstuser), strlen(line));

          if (strlen(user) == (strlen(line))){

            for (i=0; i < strlen(line) ; i++)
              line[i] = tolower(line[i]);
              if (strcmp(user,line) == 0){
                lfr=lf;
                break;
              }
           }
         }
         fclose ( file );
      }
      else
      {
         perror ( filename );
      }
    }
    return(lfr);
}


=====EOF=================

Thank you!




On 25 Giu, 15:10, Stefano Pedretti <[email protected]> wrote:
> Thank you for your reply,
>
> On 15 Giu, 14:31, Daniel Cid <[email protected]> wrote:
>  --- cut --

Reply via email to