Good morning Jorge, the idea is simply great, we were looking for exactly 
that at our company.
I wanted to see whether you could give me a hand: the program works and 
filters correctly up to phase 3:

**Phase 1: Completed pre-decoding.
       full event: 'Dec 13 08:10:36 manuel smbd[8667]: 
manuel|192.168.107.20|unlink|ok|dir1/ss.txt'
       hostname: 'manuel'
       program_name: 'smbd'
       log: 'raul|192.168.107.20|unlink|ok|dir1/ss.txt'

**Phase 2: Completed decoding.
       decoder: 'smbd'
       dstuser: 'manuel'
       srcip: '192.168.107.20'

**Phase 3: Completed filtering (rules).
       Rule id: '2513'
       Level: '10'
       Description: 'Archivo eliminado - Samba audit'
**Alert to be generated.

Now I would like to know where that alert is recorded and whether it is 
possible to view it through the *ossec-wui* web interface.

Thanks in advance.




On Thursday, March 24, 2011 at 13:51:57 UTC-5, Jorge Armando Medina 
wrote:
>
> Hi there,
>
>
> I'm working on a project where I need to send alerts when somebody
> deletes a file from a samba share, Samba includes the module full_audit
> which records something like this:
>
> Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt
> Mar 23 13:44:18 fs1 smbd_audit:
> jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
>
> The important information is the username (first field), client IP
> address (second field) and the operation (third).
>
> So I created a decoder like this:
>
> <!-- Samba Audit decoder.
>   - Mar 23 13:44:18 fs1 smbd_audit:
> jperez|192.168.221.50|unlink|ok|dir1/ss.txt
>   - Mar 23 13:44:18 fs1 smbd_audit:
> jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
>   -->
> <decoder name="smbd_audit">
>   <program_name>smbd_audit</program_name>
>   <regex>^(\w+\p*\w*)\|(\d+.\d+.\d+.\d+)\|\S+</regex>
>   <order>user, srcip</order>
> </decoder>
>
> I used (\w+\p*\w*) to match usernames with a single word like jperez and
> those that use a "." like jorge.perez, and next the IP address.
>
> I effectively decode the information like this:
>
> # bin/ossec-logtest
> 2011/03/23 17:54:05 ossec-testrule: INFO: Reading local decoder file.
> 2011/03/23 17:54:05 ossec-testrule: INFO: Started (pid: 27198).
> ossec-testrule: Type one log per line.
>
> Mar 23 13:44:18 fs1 smbd_audit:
> jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 23 13:44:18 fs1 smbd_audit:
> jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt'
>        hostname: 'fs1'
>        program_name: 'smbd_audit'
>        log: 'jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt'
>
> **Phase 2: Completed decoding.
>        decoder: 'smbd_audit'
>        dstuser: 'jorge.perez'
>        srcip: '192.168.221.50'
>
> Then I created a rule so I detect the "unlink" operation and send an alert:
>
>   <rule id="2513" level="10">
>    <decoded_as>smbd_audit</decoded_as>
>    <match>unlink</match>
>    <description>Samba audit, file deleted.</description>
>   </rule>
>
> I restarted ossec and now I get alerts like this:
>
> OSSEC HIDS Notification.
> 2011 Mar 24 10:45:47
>
> Received From: (fs1.example.com) 192.168.221.10->/var/log/messages
> Rule: 2513 fired (level 10) -> "Samba audit, file deleted."
> Portion of the log(s):
>
> Mar 24 10:45:46 fs1 smbd_audit: 
> jorge.perez|192.168.221.50|unlink|ok|BASESX/filetest.exe
>
> I hope you can give comments about this, probably someone wants to 
> improve it so we detect new files.
>
>
> By the way, I had to escape the "|" character so I can't use it as the 
> separator, probably it is a good
> idea to add the | character to the list in the regex documentation at 
> http://www.ossec.net/wiki/Know_How:Regex_Readme
>
> Best regards.
>
> -- 
> Jorge Armando Medina
> Computación Gráfica de México
> Web: http://www.e-compugraf.com
> Tel: 55 51 40 72, Ext: 124
> Email: [email protected]
> GPG Key: 1024D/28E40632 2007-07-26
> GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632
>
>
>

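The two posts above describe an OSSEC pre-decoder/decoder/rule pipeline for Samba full_audit lines. The following Python script is an added example, not code from either poster or from OSSEC itself: it emulates the three phases for constructed log lines (modelled on the formats quoted in the thread) so the decoder regex and rule 2513 can be checked offline. The Python regexes are my translation of the OSSEC syntax (OSSEC's `\p` is rendered as an optional dot-joined username, and the dots in the IP are escaped because `.` is a wildcard in both dialects); the `strict` option is an assumption of mine that matches on the operation field instead of OSSEC's substring `<match>`, to show why a path containing the word "unlink" would otherwise also fire the rule.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the smbd_audit format in the thread
# (the original 'smbd_audit' program name and the reply's 'smbd[pid]' variant).
SAMPLE_LOGS = [
    "Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt",
    "Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt",
    "Dec 13 08:10:36 manuel smbd[8667]: manuel|192.168.107.20|open|ok|dir1/ss.txt",
    # Constructed false-positive candidate: operation is 'open', but the path contains 'unlink'.
    "Dec 13 08:10:37 manuel smbd[8667]: manuel|192.168.107.20|open|ok|notes/unlink.log",
    # Constructed unrelated line: never reaches the smbd_audit decoder.
    "Mar 23 13:44:20 fs1 sshd[1234]: Accepted password for jperez from 192.168.221.50",
]

# Phase 1 (pre-decoding): syslog header -> hostname, program_name (optional [pid]) and the log body.
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Phase 2 (decoding): Python equivalent of the thread's OSSEC regex
#   ^(\w+\p*\w*)\|(\d+.\d+.\d+.\d+)\|\S+
# Fields are pipe-separated: user|srcip|operation|result|path.
SMBD_AUDIT_RE = re.compile(
    r"^(?P<user>\w+(?:\.\w+)*)\|(?P<srcip>\d+\.\d+\.\d+\.\d+)\|(?P<operation>[^|]+)\|"
)


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    user: str
    srcip: str
    log: str


def predecode(line):
    """Phase 1: split the syslog header off the event, or return None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(event):
    """Phase 2: emulate <decoder name="smbd_audit">; OSSEC stores <order>user</order> as dstuser."""
    if event is None or event["program_name"] not in ("smbd_audit", "smbd"):
        return None
    m = SMBD_AUDIT_RE.match(event["log"])
    if not m:
        return None
    return {"decoder": "smbd_audit", "dstuser": m["user"], "srcip": m["srcip"],
            "operation": m["operation"], "log": event["log"]}


def apply_rule(decoded, strict=False):
    """Phase 3: emulate rule 2513 (<decoded_as>smbd_audit</decoded_as> + <match>unlink</match>).

    OSSEC's <match> is a substring search over the log, so any line containing 'unlink'
    fires. strict=True (my assumption, not OSSEC behaviour) compares the operation field only.
    """
    if decoded is None or decoded["decoder"] != "smbd_audit":
        return None
    hit = decoded["operation"] == "unlink" if strict else "unlink" in decoded["log"]
    if not hit:
        return None
    return Alert(2513, 10, "Samba audit, file deleted.",
                 decoded["dstuser"], decoded["srcip"], decoded["log"])


def process(lines, strict=False):
    """Run all three phases over a list of raw lines and return the alerts that fired."""
    return [a for a in (apply_rule(decode(predecode(l)), strict) for l in lines) if a]


if __name__ == "__main__":
    for alert in process(SAMPLE_LOGS):
        print(f"Rule {alert.rule_id} fired (level {alert.level}) -> "
              f"{alert.description!r}: user={alert.user} srcip={alert.srcip}")
```

Run without arguments it prints three alerts for the constructed input, the third being the `open` of `notes/unlink.log`; with `process(SAMPLE_LOGS, strict=True)` only the two genuine `unlink` operations remain, which is the behaviour a per-field check (for example a decoder that also captures the operation and a rule keyed on it) would give.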