Hi Stefano,

Did you restart OSSEC after making all those changes? The steps you
took look correct
to me, so if it is working inside logtest it should work as well
inside analysisd.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On Tue, Jul 6, 2010 at 10:51 AM, Stefano Pedretti
<[email protected]> wrote:
> Dears,
> I have still not solved my problem.
>
> I need to monitor audits of only a set of users. I built a compiled
> rule to check if the dstuser of
> These are the facts: I
>
> - created a logman.c file (reported at the bottom)
> - registered the rule with the register_rule.sh script
> - used the install.sh script to compile and install a new ossec
> instance.
> - modified the msauth xml file with <compiled_rule>logman</
> compiled_rule>
> - created and 777ed the /var/ossec/adslist file with the usernames I
> need to monitor.
>
> Testing it with ossec-logtest works like a charm, but the same log
> (captured from the windows agent debug log) never matches.
>
>
> What's wrong with my procedure?
>
>
> ===  log test  ===
>
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: stefano.pedretti:
> AOVV: PROTOCOLLO: Successful Logon:     User Name: stefano.pedretti
>        Domain:         AOVV            Logon ID:       (0x0,0xBC31F0D)        
>  Logon Type: 10
> Logon Process: User32           Authentication Package: Negotiate
> Workstation Name: PROTOCOLLO            Logon GUID: {0e5df325-5cbf-
> aa8c-81c3-0e4778ca5241}         Caller User Name: PROTOCOLLO$           Caller
> Domain: AOVV            Caller Logon ID: (0x0,0x3E7)            Caller 
> Process ID:
> 3204            Transited Services: -           Source Network Address:
> 11.128.128.1            Source Port: 36567
>
>
> **Phase 1: Completed pre-decoding.
>       full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
> stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon:           User Name:
> stefano.pedretti        Domain:         AOVV            Logon ID:       
> (0x0,0xBC31F0D)
> Logon Type: 10          Logon Process: User32           Authentication 
> Package:
> Negotiate       Workstation Name: PROTOCOLLO            Logon GUID:
> {0e4df325-5cbf-aa8c-81c3-0e4778ca5241}          Caller User Name: PROTOCOLLO
> $       Caller Domain: AOVV     Caller Logon ID: (0x0,0x3E7)            Caller
> Process ID: 3204        Transited Services: -           Source Network 
> Address:
> 10.128.128.1    Source Port: 36567    '
>       hostname: 'nordcom'
>       program_name: '(null)'
>       log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
> stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon:           User Name:
> stefano.pedretti    Domain:     AOVV            Logon ID:       
> (0x0,0xBC31F0D)
> Logon Type: 10          Logon Process: User32           Authentication 
> Package:
> Negotiate       Workstation Name: PROTOCOLLO            Logon GUID:
> {0e4df325-5cbf-aa8c-81c3-0e4778ca5241}          Caller User Name: PROTOCOLLO
> $       Caller Domain: AOVV     Caller Logon ID: (0x0,0x3E7)            Caller
> Process ID: 3204        Transited Services: -           Source Network 
> Address:
> 10.128.128.1            Source Port: 36567    '
>
> **Phase 2: Completed decoding.
>       decoder: 'windows'
>       status: 'AUDIT_SUCCESS'
>       id: '528'
>       extra_data: 'Security'
>       dstuser: 'stefano.pedretti'
>       system_name: 'PROTOCOLLO'
>
> **Phase 3: Completed filtering (rules).
>       Rule id: '18107'
>       Level: '3'
>       Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> === logman.c ===
>
> /*
>  * This program is a free software; you can redistribute it
>  * and/or modify it under the terms of the GNU General Public
>  * License (version 2) as published by the FSF - Free Software
>  * Foundation.
>  *
>  * Stefano Pedretti - NordCom S.p.A Italy
>  * Compiled rule logman for userlist matching.
>  * Put the user list, in lower case and one name per line, in an
>  * ossec-readable file /var/ossec/adslist.
>  *
>  * Changelog
>  *        rev 1.2 Comments
>  *        rev 1.1 Review and simplification
>  *        rev 1.0 Initial code implementation
>  *
>  *        <compiled_rule>logman</compiled_rule>
>  */
>
> #include "shared.h"
> #include "eventinfo.h"
> #include "config.h"
> #include <stdio.h>
> #include <string.h>
> #include <ctype.h>
>
> void *logman(Eventinfo *lf)
> {
>    static const char filename[] = "/var/ossec/adslist";
>    char *user = NULL;
>    char line[256];
>    size_t i = 0;
>    size_t len = 0;
>    Eventinfo *lfr = NULL;
>    FILE *file = NULL;
>
>    /* The decoder did not provide the dstuser field: reject the
>     * event. Return lf here instead to accept such events. */
>    if(!lf->dstuser)
>    {
>        return(NULL);
>    }
>
>    user = lf->dstuser;
>
>    if(strlen(user) == 0)
>    {
>        return(NULL);
>    }
>
>    file = fopen(filename, "r");
>    if(file == NULL)
>    {
>        /* perror() writes to stderr, which is lost when analysisd runs
>         * as a daemon; merror() records the failure in ossec.log. */
>        merror("logman: unable to open %s", filename);
>        return(NULL);
>    }
>
>    while(fgets(line, sizeof(line), file) != NULL)
>    {
>        /* Strip the trailing newline and any CR left by a list edited
>         * on Windows. The earlier line[strlen(line)-1] = 0 wrote
>         * before the buffer on an empty line and chopped a real
>         * character off a last line that had no newline. */
>        len = strlen(line);
>        while(len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
>        {
>            line[--len] = '\0';
>        }
>
>        /* Skip blank lines and entries whose length cannot match. */
>        if(len == 0 || len != strlen(user))
>        {
>            continue;
>        }
>
>        /* The list is expected in lower case; normalise it anyway. */
>        for(i = 0; i < len; i++)
>        {
>            line[i] = tolower((unsigned char)line[i]);
>        }
>
>        if(strcmp(user, line) == 0)
>        {
>            lfr = lf;
>            break;
>        }
>    }
>
>    fclose(file);
>    return(lfr);
> }
>
>
> =====EOF=================
>
> Thank you!
>
>
>
>
> On 25 Giu, 15:10, Stefano Pedretti <[email protected]> wrote:
>> Thank you for your reply,
>>
>> On 15 Giu, 14:31, Daniel Cid <[email protected]> wrote:
>>  --- cut --
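The list lookup at the heart of a compiled rule like logman is easy to get subtly wrong, so here is an added, stand-alone version of it (example code, not part of this thread and not OSSEC's own code) that handles the edge cases a user list on disk tends to have: CRLF line endings from a Windows editor, blank lines, a last line without a newline, and an entry longer than the read buffer. It goes one step beyond logman by comparing case-insensitively on both sides, so a mixed-case dstuser from a Windows event still matches a lower-case list. The list format (one name per line), the function names and the sample list are assumptions constructed for the example. One caveat worth checking in a real deployment: analysisd runs chrooted into the OSSEC install directory, so the path handed to fopen() is resolved inside that chroot, which is why the path is a parameter here rather than a constant.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen() */
/* Added example (not from the thread or from OSSEC): user-list lookup
 * for a compiled rule, with the usual on-disk edge cases handled.
 * Function names, list format and the sample list are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LIST_LINE_MAX 256

/* Constructed sample list: CRLF endings, a blank line, mixed case and
 * no trailing newline on the last entry. */
static const char SAMPLE_LIST[] =
    "stefano.pedretti\r\n"
    "\r\n"
    "Backup.Operator\r\n"
    "auditor";

/* Strip trailing '\n' and '\r' in place; return the remaining length. */
static size_t chomp(char *line)
{
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        line[--len] = '\0';
    return len;
}

/* Case-insensitive equality of two ASCII user names. */
static int user_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Scan an open list for user. Returns 1 on a match, 0 otherwise. */
int user_in_list(const char *user, FILE *fp)
{
    char line[LIST_LINE_MAX];

    if (user == NULL || user[0] == '\0' || fp == NULL)
        return 0;

    while (fgets(line, sizeof line, fp) != NULL) {
        /* No newline and not at EOF: the entry overflowed the buffer.
         * Drain the rest of that line instead of matching a prefix. */
        if (strchr(line, '\n') == NULL && !feof(fp)) {
            int c;
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
            continue;
        }
        if (chomp(line) == 0)
            continue;                 /* blank line */
        if (user_equal(user, line))
            return 1;
    }
    return 0;
}

/* Path-based wrapper. Inside analysisd the path is resolved in the
 * process chroot (the OSSEC install directory). Returns -1 when the
 * file cannot be opened, otherwise the user_in_list() result. */
int user_in_list_file(const char *user, const char *path)
{
    FILE *fp = fopen(path, "r");
    int found;
    if (fp == NULL)
        return -1;
    found = user_in_list(user, fp);
    fclose(fp);
    return found;
}

/* Run the lookup against the constructed list held in memory. */
int check_sample(const char *user)
{
    FILE *fp = fmemopen((void *)SAMPLE_LIST, sizeof SAMPLE_LIST - 1, "r");
    int found;
    if (fp == NULL)
        return -1;
    found = user_in_list(user, fp);
    fclose(fp);
    return found;
}

int main(void)
{
    const char *probes[] = { "stefano.pedretti", "Stefano.Pedretti",
                             "auditor", "backup.operator", "nobody", "" };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-18s -> %d\n", probes[i], check_sample(probes[i]));
    return 0;
}
```

A compiled rule would call user_in_list_file() with lf->dstuser and return lf on 1 and NULL otherwise; a -1 result is the case to log, since a silently unreadable list makes the rule reject every event.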
