On 03/24/2011 04:02 PM, Satish Patel wrote:
> Epic! Bro.
>
> What configuration you did for samba to generate audit log? We have
> older version of samba :(
I use this basic config:

    [data]
    comment = Datos
    path = /home/samba/data
    valid users = %U
    read only = No
    create mask = 0660
    directory mask = 0770
    browseable = Yes
    ; here starts the audit module setup:
    vfs objects = full_audit
    full_audit:prefix = %u|%I
    full_audit:failure = none
    full_audit:success = open write unlink close
    #full_audit:facility = LOCAL5
    #full_audit:priority = NOTICE

NOTE that by default samba will use local5.notice so you need to be sure to have a selector in your syslog.

>
> --
> Sent from my iPhone
>
> On Mar 24, 2011, at 4:10 PM, "dan (ddp)" <[email protected]> wrote:
>
>> Awesome work! Should the "unlink" be decoded as an "action" or
>> something similar?
>> dan
>>
>> 2011/3/24 Jorge Armando Medina <[email protected]>:
>>> Hi there,
>>>
>>> I'm working on a project where I need to send alerts when somebody
>>> deletes a file from a samba share. Samba includes the module full_audit
>>> which records something like this:
>>>
>>> Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt
>>> Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
>>>
>>> The important information is the username (first field), client IP
>>> address (second field) and the operation (third).
>>>
>>> So I created a decoder like this:
>>>
>>> <!-- Samba Audit decoder.
>>> - Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt
>>> - Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
>>> -->
>>> <decoder name="smbd_audit">
>>>   <program_name>smbd_audit</program_name>
>>>   <regex>^(\w+\p*\w*)\|(\d+\.\d+\.\d+\.\d+)\|\S+</regex>
>>>   <order>user, srcip</order>
>>> </decoder>
>>>
>>> I used (\w+\p*\w*) to match usernames with a single word like jperez and
>>> those that use a "." like jorge.perez, and next the IP address.
>>>
>>> I effectively decode the information like this:
>>>
>>> # bin/ossec-logtest
>>> 2011/03/23 17:54:05 ossec-testrule: INFO: Reading local decoder file.
>>> 2011/03/23 17:54:05 ossec-testrule: INFO: Started (pid: 27198).
>>> ossec-testrule: Type one log per line.
>>>
>>> Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt'
>>>        hostname: 'fs1'
>>>        program_name: 'smbd_audit'
>>>        log: 'jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'smbd_audit'
>>>        dstuser: 'jorge.perez'
>>>        srcip: '192.168.221.50'
>>>
>>> Then I created a rule so I detect the "unlink" operation and send an
>>> alert:
>>>
>>> <rule id="2513" level="10">
>>>   <decoded_as>smbd_audit</decoded_as>
>>>   <match>unlink</match>
>>>   <description>Samba audit, file deleted.</description>
>>> </rule>
>>>
>>> I restarted ossec and now I get alerts like this:
>>>
>>> OSSEC HIDS Notification.
>>> 2011 Mar 24 10:45:47
>>>
>>> Received From: (fs1.example.com) 192.168.221.10->/var/log/messages
>>> Rule: 2513 fired (level 10) -> "Samba audit, file deleted."
>>> Portion of the log(s):
>>>
>>> Mar 24 10:45:46 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|BASESX/filetest.exe
>>>
>>> I hope you can give comments about this, probably someone wants to
>>> improve it so we detect new files.
>>>
>>> By the way, I had to escape the "|" character so I can't use it as
>>> the separator; probably it is a good idea to add the | character to
>>> the list in the regex documentation at
>>> http://www.ossec.net/wiki/Know_How:Regex_Readme
>>>
>>> Best regards.
>>>
>>> --
>>> Jorge Armando Medina
>>> Computación Gráfica de México
>>> Web: http://www.e-compugraf.com
>>> Tel: 55 51 40 72, Ext: 124
>>> Email: [email protected]
>>> GPG Key: 1024D/28E40632 2007-07-26
>>> GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
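An added example, not from the thread or from OSSEC, that does in plain Python what the decoder and rule above do: it pre-decodes the syslog line, splits the smbd_audit record on "|" into user, source IP, operation, result and path, and fires on a successful unlink. Unlike the <match>unlink</match> rule it checks the operation field only, so a file whose name merely contains "unlink" does not trigger it. The sample lines are constructed from the formats shown in the thread.

```python
import re

# Constructed sample syslog lines in the smbd_audit format shown above,
# plus one unrelated line and one false-positive candidate for <match>unlink</match>.
SAMPLE_LINES = [
    "Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt",
    "Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|open|ok|dir1/ss.txt",
    "Mar 24 10:45:46 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|BASESX/filetest.exe",
    "Mar 24 10:45:47 fs1 smbd_audit: jperez|192.168.221.50|open|ok|docs/unlink-howto.txt",
    "Mar 24 10:45:48 fs1 sshd[123]: Accepted publickey for root",
]

# Phase 1 (pre-decoding): timestamp, hostname, program name (optional [pid]), log body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)
# Phase 2 (decoding): the full_audit record as written by prefix %u|%I plus op|result|path.
# Usernames may contain dots (jorge.perez); the path is everything after the last separator.
AUDIT_RE = re.compile(
    r"^(?P<user>[\w.]+)\|(?P<srcip>\d+\.\d+\.\d+\.\d+)\|(?P<op>\w+)\|(?P<result>\w+)\|(?P<path>.*)$"
)


def decode(line):
    """Return the decoded smbd_audit fields, or None if the line is not one."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "smbd_audit":
        return None
    a = AUDIT_RE.match(m.group("log"))
    if not a:
        return None
    event = a.groupdict()
    event["hostname"] = m.group("host")
    return event


def rule_2513(event):
    """Equivalent of the thread's rule, restricted to the operation field."""
    return event["op"] == "unlink" and event["result"] == "ok"


def alerts(lines):
    """Decode each line and collect the events on which the rule fires."""
    return [ev for ev in map(decode, lines) if ev and rule_2513(ev)]


if __name__ == "__main__":
    for ev in alerts(SAMPLE_LINES):
        print(f"{ev['hostname']}: {ev['user']} from {ev['srcip']} deleted {ev['path']}")
```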
