BTW: the UID/SUID might be useful items to extrapolate, along with the program name and or files being touched. That's just off the top of my head - haven't really looked too much further in.
The other log I set this up for was the auditd logs. I Googled around and found someone who had already done this, however it only seems to work with PAM enabled: http://blog.securestate.com/post/2010/09/03/Getting-OSSEC-To-Parse-Auditd.aspx

I think I may have modified it to match similarly to Snoopy though - just looking for the "auditd" program name and then doing a basic keyword match on anything else.

On Fri, Jun 24, 2011 at 8:39 AM, Jeremy Lee <[email protected]> wrote:
> Thanks for the heads-up on local_decoder.xml - I had no idea that existed
> until reading your response!
>
>
> On Fri, Jun 24, 2011 at 5:39 AM, Michael Starks <[email protected]> wrote:
>
>> On 06/23/2011 10:25 PM, Jeremy Lee wrote:
>>
>>> Actually, I'm a bit embarrassed, but all I did was add this to
>>> decoder.xml
>>>
>>> <decoder name="snoopy-logger">
>>>   <program_name>^snoopy</program_name>
>>> </decoder>
>>>
>>>
>>> Then in local_rules I added the following:
>>>
>>> <rule id="100040" level="0">
>>>   <decoded_as>snoopy-logger</decoded_as>
>>>   <description>Ignore Snoopy logger events</description>
>>> </rule>
>>>
>>> <rule id="100041" level="15">
>>>   <if_sid>100040</if_sid>
>>>   <match>whatever</match>
>>>   <description>file access (snoopy)</description>
>>> </rule>
>>>
>>
>> No need to be embarrassed. Snoopy logs look pretty simple. I'll see if
>> there is any need to extend it to match on more info.
>>
>> Also, you may want to create and put this in local_decoder.xml; otherwise,
>> your decoder will be lost when you upgrade.
>>
>
>
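The thread suggests pulling the UID, the program name and the files touched out of Snoopy lines instead of only matching the `snoopy` program name and a keyword. The Python below is an added example (not code from the list posters or from OSSEC) that does exactly that on a few constructed syslog lines: it gates on the program name like the `snoopy-logger` decoder, splits the bracketed `uid:/sid:/tty:/cwd:/filename:` fields, and then assigns a level in the spirit of rules 100040/100041, with a list of watched paths standing in for the placeholder keyword `whatever`. The Snoopy field layout shown is assumed from the Snoopy Logger 1.x default format and differs between Snoopy versions; the hostnames, PIDs and commands are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines. The bracketed field list is the assumed
# Snoopy Logger 1.x default format; newer Snoopy releases use other layouts.
SAMPLE_LINES = [
    "Jun 24 08:39:01 web01 snoopy[4127]: [uid:1000 sid:3980 tty:/dev/pts/0 cwd:/home/jlee filename:/bin/ls]: ls -la",
    "Jun 24 08:39:05 web01 snoopy[4131]: [uid:1000 sid:3980 tty:/dev/pts/0 cwd:/home/jlee filename:/bin/cat]: cat /etc/shadow",
    "Jun 24 08:39:09 web01 snoopy[4140]: [uid:0 sid:3980 tty:/dev/pts/0 cwd:/root filename:/usr/bin/vi]: vi /etc/sudoers",
    "Jun 24 08:40:00 web01 sshd[4150]: Accepted publickey for jlee from 10.0.0.5 port 51234 ssh2",
]

# Generic BSD syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
# Snoopy message body: "[key:value key:value ...]: command line"
SNOOPY_RE = re.compile(r"^\[(?P<fields>[^\]]*)\]:\s*(?P<cmd>.*)$")

# Paths whose appearance on a command line should raise the level; these
# replace the placeholder <match>whatever</match> from the thread.
WATCHED_PATHS = ("/etc/shadow", "/etc/sudoers")


@dataclass
class SnoopyEvent:
    host: str
    pid: Optional[int]
    uid: int
    sid: Optional[int]
    tty: Optional[str]
    cwd: Optional[str]
    filename: Optional[str]
    command: str


def parse_snoopy(line: str) -> Optional[SnoopyEvent]:
    """Decode one syslog line; return None unless it is a Snoopy record.

    This mirrors the <program_name>^snoopy</program_name> decoder: anything
    not logged by a program whose name starts with "snoopy" is skipped.
    Limitation: a cwd containing spaces would be split on the whitespace,
    because the format does not quote values.
    """
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("snoopy"):
        return None
    body = SNOOPY_RE.match(m.group("msg"))
    if not body:
        return None
    fields = {}
    for token in body.group("fields").split():
        key, sep, value = token.partition(":")  # first ':' only; tty holds '/dev/pts/0'
        if sep:
            fields[key] = value
    if not fields.get("uid", "").isdigit():
        return None
    sid = fields.get("sid", "")
    return SnoopyEvent(
        host=m.group("host"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        uid=int(fields["uid"]),
        sid=int(sid) if sid.isdigit() else None,
        tty=fields.get("tty"),
        cwd=fields.get("cwd"),
        filename=fields.get("filename"),
        command=body.group("cmd"),
    )


def classify(event: SnoopyEvent, watched=WATCHED_PATHS) -> int:
    """Alert level in the spirit of rules 100040/100041.

    0  = plain Snoopy event, ignored (rule 100040)
    15 = the command line mentions a watched file (rule 100041)
    """
    if any(path in event.command for path in watched):
        return 15
    return 0


def run(lines: List[str]) -> List[Tuple[int, Optional[str], int]]:
    """Decode every line and return (uid, filename, level) for Snoopy events."""
    results = []
    for line in lines:
        event = parse_snoopy(line)
        if event is not None:
            results.append((event.uid, event.filename, classify(event)))
    return results


if __name__ == "__main__":
    for uid, filename, level in run(SAMPLE_LINES):
        print(f"uid={uid} filename={filename} level={level}")
```

Once the fields are separated this way, rules can key on the UID or the executed path rather than on a bare keyword; in OSSEC the equivalent is a `<regex>`/`<order>` pair in local_decoder.xml (kept out of decoder.xml, as Michael notes, so upgrades do not overwrite it), with the exact regex depending on which Snoopy version's format the host emits.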
