On Mon, Dec 16, 2013 at 1:50 PM, Leonel Algaré <[email protected]> wrote:
> Hi dan,
>
> Decoders seems to work,
>
> ossec-logtest example:
>
> type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/proof/"
> inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00
>
> **Phase 1: Completed pre-decoding.
>        full event: 'type=PATH msg=audit(1387218689.294:9245): item=0
> name="/home/proof/proof/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0
> rdev=00:00'
>        hostname: 'server'
>        program_name: '(null)'
>        log: 'type=PATH msg=audit(1387218689.294:9245): item=0
> name="/home/proof/prueba/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0
> rdev=00:00'
>
> **Phase 2: Completed decoding.
>        decoder: 'auditd'
>        action: 'PATH'
>        id: '9245'
>        extra_data: '/home/proof/proof/'
>
> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     Trying rule: 5500 - Grouping of the pam_unix rules.
>     Trying rule: 5700 - SSHD messages grouped.
>     Trying rule: 5600 - Grouping for the telnetd rules
>     Trying rule: 2100 - NFS rules grouped.
>     Trying rule: 2507 - OpenLDAP group.
>     Trying rule: 2550 - rshd messages grouped.
>     Trying rule: 2701 - Ignoring procmail messages.
>     Trying rule: 2800 - Pre-match rule for smartd.
>     Trying rule: 5100 - Pre-match rule for kernel messages
>     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>     Trying rule: 100302 - Reglas pertenecientes a VTS 1
>     Trying rule: 100303 - Reglas pertenecientes a VTS 2
>     Trying rule: 100311 - Evento que agrupa los logs provenientes de el
> demonio AUDITD
>        *Rule 100311 matched.
>        *Trying child rules.
>     Trying rule: 100312 - Regla creacion de usuario prueba auditd
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100311'
>        Level: '0'
>        Description: 'Evento que agrupa los logs provenientes de el demonio
> AUDITD'
>
>
> I have an example rule like that:
>
> <rule id="100311" level="5">
>         <decoded_as>auditd</decoded_as>
>         <description>AUDITD RULES</description>
> </rule>
>
> in ossec.conf i have that:
>
>  <localfile>
>      <log_format>syslog</log_format>
>      <location>/var/log/audit/audit.log</location>
>  </localfile>
>
> in alerts.log file:
>
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>
> Only that, why my example rule is not firing?
>

Because your other 100311 is firing:

**Phase 3: Completed filtering (rules).
       Rule id: '100311'
       Level: '0'
       Description: 'Evento que agrupa los logs provenientes de el
demonio AUDITD'



>
> El lunes, 16 de diciembre de 2013 15:25:26 UTC-3, dan (ddpbsd) escribió:
>>
>> On Mon, Dec 16, 2013 at 12:52 PM, Leonel Algaré <[email protected]>
>> wrote:
>> > Hi guys,
>> >
>> >
>> > Can someone tell me how i can create rules based in the auditd decoders
>> > that
>> > i had wrote?
>> >
>> > My decoders:
>> >
>> > <decoder name="auditd">
>> >         <prematch>^type=</prematch>
>> > </decoder>
>> >
>> > <decoder name="auditd-syscall">
>> >         <parent>auditd</parent>
>> >         <prematch offset="after_parent">^SYSCALL </prematch>
>> >         <regex offset="after_parent">^(SYSCALL)
>> >
>> > msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+arch=\w+\s+syscall=\d+\s+success=(\S+)\s+exit=\S+\s+a0=\w+\s+a1=\w+\s+a2=\w+\s+a3=\w+\s+items=\d+\s+ppid=\d+\s+pid=\d+\s+auid=\d+\s+uid=\d+\s+gid=\d+\s+euid=\d+\s+suid=\d+\s+fsuid=\d+\s+egid=\d+\s+sgid=\d+\s+fsgid=\d+\s+tty=\S+\s+ses=\d+\s+comm="\S+"\s+exe="(\S+)"\s+key="(\w+)"</regex>
>> >         <order>system_name,id,status,action,extra_data</order>
>> > </decoder>
>> >
>> >
>> > <decoder name="auditd-cwd">
>> >         <parent>auditd</parent>
>> >         <prematch offset="after_parent">^CWD </prematch>
>> >         <regex offset="after_parent">^(CWD)
>> > msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+cwd="(\.+)"</regex>
>> >         <order>system_name,id,extra_data</order>
>> > </decoder>
>> >
>> > <decoder name="auditd-path">
>> >         <parent>auditd</parent>
>> >         <prematch offset="after_parent">^PATH </prematch>
>> >         <regex offset="after_parent">^(PATH)
>> >
>> > msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+item=\d+\s+name="(\.+)"\s+inode=\d+\s+dev=\S+\s+mode=\d+\s+ouid=\d+\s+ogid=\d+\s+rdev=\S+</regex>
>> >         <order>action,id,extra_data</order>
>> > </decoder>
>> >
>> >
>> >
>> > The multi-log feature in ossec 2.7 for auditd dont work?
>> > Im having problems to correlate rules.
>> >
>> > Sorry for my bad english.
>> >
>>
>>
>> You need to get log samples, and write rules based on those logs. Use
>> ossec-logtest to help determine what is going on and for testing.
>>
>> > Regards,
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to