On Mon, Dec 16, 2013 at 12:52 PM, Leonel Algaré <[email protected]> wrote:
> Hi guys,
>
>
> Can someone tell me how I can create rules based on the auditd decoders that
> I have written?
>
> My decoders:
>
> <decoder name="auditd">
>         <prematch>^type=</prematch>
> </decoder>
>
> <decoder name="auditd-syscall">
>         <parent>auditd</parent>
>         <prematch offset="after_parent">^SYSCALL </prematch>
>         <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+arch=\w+\s+syscall=\d+\s+success=(\S+)\s+exit=\S+\s+a0=\w+\s+a1=\w+\s+a2=\w+\s+a3=\w+\s+items=\d+\s+ppid=\d+\s+pid=\d+\s+auid=\d+\s+uid=\d+\s+gid=\d+\s+euid=\d+\s+suid=\d+\s+fsuid=\d+\s+egid=\d+\s+sgid=\d+\s+fsgid=\d+\s+tty=\S+\s+ses=\d+\s+comm="\S+"\s+exe="(\S+)"\s+key="(\w+)"</regex>
>         <order>system_name,id,status,action,extra_data</order>
> </decoder>
>
>
> <decoder name="auditd-cwd">
>         <parent>auditd</parent>
>         <prematch offset="after_parent">^CWD </prematch>
>         <regex offset="after_parent">^(CWD) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+cwd="(\.+)"</regex>
>         <order>system_name,id,extra_data</order>
> </decoder>
>
> <decoder name="auditd-path">
>         <parent>auditd</parent>
>         <prematch offset="after_parent">^PATH </prematch>
>         <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+item=\d+\s+name="(\.+)"\s+inode=\d+\s+dev=\S+\s+mode=\d+\s+ouid=\d+\s+ogid=\d+\s+rdev=\S+</regex>
>         <order>action,id,extra_data</order>
> </decoder>
>
>
>
> The multi-log feature in ossec 2.7 for auditd doesn't work?
> I'm having problems correlating rules.
>
> Sorry for my bad English.
>


You need to get log samples, and write rules based on those logs. Use
ossec-logtest to help determine what is going on and for testing.

> Regards,
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

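As an added example (not from this thread, and not OSSEC's own rules), here is a local_rules.xml fragment that keys on the fields the decoders above populate (status, extra_data, action and id). The rule ids, the watched key name "passwd_changes" and the frequency/timeframe values are assumptions.

```xml
<group name="local,auditd,">

  <!-- Base rule: every line handled by the "auditd" decoder (the parent of
       auditd-syscall, auditd-cwd and auditd-path). Level 0 keeps it silent. -->
  <rule id="100100" level="0">
    <decoded_as>auditd</decoded_as>
    <description>auditd record.</description>
  </rule>

  <!-- auditd-syscall stores the success=yes|no value in "status". -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <status>^no$</status>
    <description>auditd: system call failed.</description>
  </rule>

  <!-- auditd-syscall stores the key="..." value in "extra_data"; the key name
       "passwd_changes" is a constructed example (-k passwd_changes in audit.rules). -->
  <rule id="100102" level="7">
    <if_sid>100100</if_sid>
    <extra_data>^passwd_changes$</extra_data>
    <description>auditd: system call tagged with a watched key.</description>
  </rule>

  <!-- auditd-path stores "PATH" in "action" and the audit serial in "id".
       same_id ties this PATH record to an earlier 100102 match carrying the
       same serial. frequency/timeframe are assumed values: OSSEC needs more
       prior matches than the literal frequency, so tune with ossec-logtest. -->
  <rule id="100103" level="8" frequency="2" timeframe="10">
    <if_matched_sid>100102</if_matched_sid>
    <same_id />
    <action>PATH</action>
    <description>auditd: PATH record for a watched system call.</description>
  </rule>

</group>
```

Paste a captured SYSCALL line and its matching PATH line into ossec-logtest to confirm which decoder and rule each one hits before relying on the correlation.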