Nice suggestion and observation, Dan, but I believe Windows usernames sometimes do use spaces, so I don't see it working consistently. Spaces are valid in Windows usernames.
On Thu, 2011-03-24 at 16:16 -0400, dan (ddp) wrote:
> Oh, and would using "\S+" for the username be easier? Are spaces valid
> characters in Windows usernames?
>
> 2011/3/24 Jorge Armando Medina <[email protected]>:
> > Hi there,
> >
> > I'm working on a project where I need to send alerts when somebody
> > deletes a file from a Samba share. Samba includes the module full_audit
> > which records something like this:
> >
> > Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt
> > Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
> >
> > The important information is the username (first field), client IP
> > address (second field) and the operation (third).
> >
> > So I created a decoder like this:
> >
> > <!-- Samba Audit decoder.
> >   - Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt
> >   - Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
> > -->
> > <decoder name="smbd_audit">
> >   <program_name>smbd_audit</program_name>
> >   <regex>^(\w+\p*\w*)\|(\d+.\d+.\d+.\d+)\|\S+</regex>
> >   <order>user, srcip</order>
> > </decoder>
> >
> > I used (\w+\p*\w*) to match usernames with a single word like jperez and
> > those which use a "." like jorge.perez, and next the IP address.
> >
> > I effectively decode the information like this:
> >
> > # bin/ossec-logtest
> > 2011/03/23 17:54:05 ossec-testrule: INFO: Reading local decoder file.
> > 2011/03/23 17:54:05 ossec-testrule: INFO: Started (pid: 27198).
> > ossec-testrule: Type one log per line.
> >
> > Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt'
> >        hostname: 'fs1'
> >        program_name: 'smbd_audit'
> >        log: 'jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'smbd_audit'
> >        dstuser: 'jorge.perez'
> >        srcip: '192.168.221.50'
> >
> > Then I created a rule so I detect the "unlink" operation and send an alert:
> >
> > <rule id="2513" level="10">
> >   <decoded_as>smbd_audit</decoded_as>
> >   <match>unlink</match>
> >   <description>Samba audit, file deleted.</description>
> > </rule>
> >
> > I restarted OSSEC and now I get alerts like this:
> >
> > OSSEC HIDS Notification.
> > 2011 Mar 24 10:45:47
> >
> > Received From: (fs1.example.com) 192.168.221.10->/var/log/messages
> > Rule: 2513 fired (level 10) -> "Samba audit, file deleted."
> > Portion of the log(s):
> >
> > Mar 24 10:45:46 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|BASESX/filetest.exe
> >
> > I hope you can give comments about this, probably someone wants to
> > improve it so we detect new files.
> >
> >
> > By the way, I had to escape the "|" character so I can't use it as the
> > separator, probably it is a good idea to add the | character to the list
> > in the regex documentation at
> > http://www.ossec.net/wiki/Know_How:Regex_Readme
> >
> > Best regards.
> >
> > --
> > Jorge Armando Medina
> > Computación Gráfica de México
> > Web: http://www.e-compugraf.com
> > Tel: 55 51 40 72, Ext: 124
> > Email: [email protected]
> > GPG Key: 1024D/28E40632 2007-07-26
> > GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
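The exchange above turns on how the username field of the smbd_audit line is matched. The following is an added example, not code from the thread or from OSSEC: a small Python decoder that contrasts a "\S+"-style username match (which cannot match a username containing a space) with splitting the payload on the "|" separator that full_audit itself uses, and then applies the thread's "alert on unlink" logic to the decoded fields. The sample log lines are constructed for the example; the third one, with the username "john smith", is an assumed case added to show the failure mode Windows usernames with spaces would cause.

```python
import ipaddress
import re

# Constructed sample lines in the smbd_audit format shown in the thread.
# The "john smith" entry is an assumed case (not from the original mail)
# that stands in for a Windows username containing a space.
SAMPLE_LOGS = [
    "Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt",
    "Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt",
    "Mar 23 13:44:19 fs1 smbd_audit: john smith|192.168.221.51|unlink|ok|dir1/report.doc",
    "Mar 23 13:44:20 fs1 smbd_audit: jperez|192.168.221.50|open|ok|dir1/ss.txt",
]

# Syslog prefix plus program name; everything after "smbd_audit: " is the
# pipe-delimited payload that the OSSEC decoder sees as "log".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) smbd_audit: (?P<log>.*)$"
)

# Python-syntax equivalent of the "\S+" username suggestion from the thread:
# the username may not contain whitespace, so "john smith" never matches.
NO_SPACE_USER_RE = re.compile(
    r"^(?P<user>\S+)\|(?P<srcip>\d+\.\d+\.\d+\.\d+)\|(?P<op>\S+)"
)


def decode_with_regex(line):
    """Decode with the \\S+ username pattern; returns None when it fails."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = NO_SPACE_USER_RE.match(m.group("log"))
    if not f:
        return None
    return {"user": f.group("user"), "srcip": f.group("srcip"), "op": f.group("op")}


def decode_by_split(line):
    """Split the payload on '|', the separator full_audit writes, so usernames
    with spaces or dots survive intact. Fields are user|srcip|op|result|args;
    the remaining text is kept whole as the operation's argument(s)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    parts = m.group("log").split("|", 4)
    if len(parts) < 4:
        return None
    user, srcip, op, result = parts[0], parts[1], parts[2], parts[3]
    args = parts[4] if len(parts) > 4 else ""
    try:
        ipaddress.ip_address(srcip)  # reject lines whose second field is not an IP
    except ValueError:
        return None
    return {
        "host": m.group("host"),
        "user": user,
        "srcip": srcip,
        "op": op,
        "result": result,
        "args": args,
    }


def unlink_alerts(lines):
    """Mirror rule 2513 from the thread, but compare the operation field
    exactly instead of substring-matching 'unlink' anywhere in the line."""
    alerts = []
    for line in lines:
        ev = decode_by_split(line)
        if ev and ev["op"] == "unlink" and ev["result"] == "ok":
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("regex :", decode_with_regex(line))
        print("split :", decode_by_split(line))
    for ev in unlink_alerts(SAMPLE_LOGS):
        print("ALERT: %s deleted %s from %s" % (ev["user"], ev["args"], ev["srcip"]))
```

Two design points worth noting. First, because the username sits before the first "|", splitting on the separator avoids having to guess the set of characters a username may contain, which is exactly the problem "\w+\p*\w*" and "\S+" run into. Second, the posted rule uses `<match>unlink</match>`, which is a substring match over the whole log line, so a file whose path happens to contain "unlink" would trigger it on an open or read; comparing the decoded operation field exactly, as `unlink_alerts` does, keeps the alert to actual deletions.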
