On Mon, Dec 16, 2013 at 1:50 PM, Leonel Algaré <[email protected]> wrote:
> Hi dan,
>
> The decoders seem to work.
>
> ossec-logtest example:
>
> type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/proof/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00
>
> **Phase 1: Completed pre-decoding.
> full event: 'type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/proof/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00'
> hostname: 'server'
> program_name: '(null)'
> log: 'type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/prueba/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00'
>
> **Phase 2: Completed decoding.
> decoder: 'auditd'
> action: 'PATH'
> id: '9245'
> extra_data: '/home/proof/proof/'
>
> **Rule debugging:
> Trying rule: 1 - Generic template for all syslog rules.
> *Rule 1 matched.
> *Trying child rules.
> Trying rule: 5500 - Grouping of the pam_unix rules.
> Trying rule: 5700 - SSHD messages grouped.
> Trying rule: 5600 - Grouping for the telnetd rules
> Trying rule: 2100 - NFS rules grouped.
> Trying rule: 2507 - OpenLDAP group.
> Trying rule: 2550 - rshd messages grouped.
> Trying rule: 2701 - Ignoring procmail messages.
> Trying rule: 2800 - Pre-match rule for smartd.
> Trying rule: 5100 - Pre-match rule for kernel messages
> Trying rule: 5200 - Ignoring hpiod for producing useless logs.
> Trying rule: 100302 - Reglas pertenecientes a VTS 1
> Trying rule: 100303 - Reglas pertenecientes a VTS 2
> Trying rule: 100311 - Evento que agrupa los logs provenientes de el demonio AUDITD
> *Rule 100311 matched.
> *Trying child rules.
> Trying rule: 100312 - Regla creacion de usuario prueba auditd
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100311'
> Level: '0'
> Description: 'Evento que agrupa los logs provenientes de el demonio AUDITD'
>
>
> I have an example rule like this:
>
> <rule id="100311" level="5">
> <decoded_as>auditd</decoded_as>
> <description>AUDITD RULES</description>
> </rule>
>
> In ossec.conf I have this:
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/audit/audit.log</location>
> </localfile>
>
> In the alerts.log file:
>
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>
> Only that. Why is my example rule not firing?
>
Because your other 100311 is firing:
**Phase 3: Completed filtering (rules).
Rule id: '100311'
Level: '0'
Description: 'Evento que agrupa los logs provenientes de el demonio AUDITD'
>
> On Monday, December 16, 2013 15:25:26 UTC-3, dan (ddpbsd) wrote:
>>
>> On Mon, Dec 16, 2013 at 12:52 PM, Leonel Algaré <[email protected]>
>> wrote:
>> > Hi guys,
>> >
>> >
>> > Can someone tell me how I can create rules based on the auditd decoders
>> > that I wrote?
>> >
>> > My decoders:
>> >
>> > <!-- parent decoder: every audit record starts with "type=" -->
>> > <decoder name="auditd">
>> >   <prematch>^type=</prematch>
>> > </decoder>
>> >
>> > <!-- child decoders match the text after the parent prematch (offset="after_parent") -->
>> > <decoder name="auditd-syscall">
>> >   <parent>auditd</parent>
>> >   <prematch offset="after_parent">^SYSCALL </prematch>
>> >   <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+arch=\w+\s+syscall=\d+\s+success=(\S+)\s+exit=\S+\s+a0=\w+\s+a1=\w+\s+a2=\w+\s+a3=\w+\s+items=\d+\s+ppid=\d+\s+pid=\d+\s+auid=\d+\s+uid=\d+\s+gid=\d+\s+euid=\d+\s+suid=\d+\s+fsuid=\d+\s+egid=\d+\s+sgid=\d+\s+fsgid=\d+\s+tty=\S+\s+ses=\d+\s+comm="\S+"\s+exe="(\S+)"\s+key="(\w+)"</regex>
>> >   <order>system_name,id,status,action,extra_data</order>
>> > </decoder>
>> >
>> > <decoder name="auditd-cwd">
>> >   <parent>auditd</parent>
>> >   <prematch offset="after_parent">^CWD </prematch>
>> >   <regex offset="after_parent">^(CWD) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+cwd="(\.+)"</regex>
>> >   <order>system_name,id,extra_data</order>
>> > </decoder>
>> >
>> > <decoder name="auditd-path">
>> >   <parent>auditd</parent>
>> >   <prematch offset="after_parent">^PATH </prematch>
>> >   <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+item=\d+\s+name="(\.+)"\s+inode=\d+\s+dev=\S+\s+mode=\d+\s+ouid=\d+\s+ogid=\d+\s+rdev=\S+</regex>
>> >   <order>action,id,extra_data</order>
>> > </decoder>
>> >
>> >
>> >
>> > Does the multi-log feature in ossec 2.7 for auditd not work?
>> > I'm having problems correlating rules.
>> >
>> > Sorry for my bad English.
>> >
>>
>>
>> You need to get log samples, and write rules based on those logs. Use
>> ossec-logtest to help determine what is going on and for testing.
>>
>> > Regards,
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>
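Added example, not from this thread or the OSSEC project: a local_rules.xml fragment that applies dan's answer (the level-0 grouping rule is the one matching id 100311, so the level-5 copy never fires) and alerts from child rules on the fields Leonel's auditd decoders extract. It assumes those decoders are installed and uses a constructed audit key name "user_mgmt" as a placeholder.

```xml
<!-- Added example (not from the thread). Assumes the auditd, auditd-syscall
     and auditd-path decoders posted above are loaded. -->
<group name="auditd,">

  <!-- Rule ids must be unique. ossec-logtest reported
       "Rule id: '100311'  Level: '0'", so the level-0 copy of 100311 is the
       one matching and the level-5 copy is shadowed. Keep exactly one
       grouping rule, at level 0 (it never reaches alerts.log; the default
       log_alert_level is 1). -->
  <rule id="100311" level="0">
    <decoded_as>auditd</decoded_as>
    <description>Grouping of auditd events</description>
  </rule>

  <!-- Alert from a CHILD rule chained with if_sid. The auditd-path decoder
       fills action=PATH and extra_data=name, so match on those fields.
       Level 5 is above log_alert_level and therefore lands in alerts.log. -->
  <rule id="100320" level="5">
    <if_sid>100311</if_sid>
    <action>PATH</action>
    <extra_data>^/home/</extra_data>
    <description>auditd PATH record: file under /home touched</description>
  </rule>

  <!-- SYSCALL child: the auditd-syscall decoder puts success= into status
       and the audit key into extra_data. "user_mgmt" is a constructed
       placeholder key name; replace it with the key used in audit.rules. -->
  <rule id="100321" level="7">
    <if_sid>100311</if_sid>
    <status>yes</status>
    <extra_data>user_mgmt</extra_data>
    <description>auditd SYSCALL record: successful call tagged user_mgmt</description>
  </rule>

</group>
```

Feed the PATH line from the thread to ossec-logtest after loading this file; Phase 3 should now report rule 100320 at level 5 instead of 100311 at level 0.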