Excuse me, but to do this I need to set the "frequency" and "timeframe" attributes, so in this case, what are these values?
On Sunday, 21 August 2011 00:30:32 UTC-3, Michael Starks wrote:
>
> On 08/17/2011 01:14 PM, jplee3 wrote:
> > Hey all,
> >
> > I was wondering if anyone working with the audit logs has come up with
> > a way to correlate actions/events to usernames.
> >
> > This is an example of an event I'd be interested in correlating to a
> > user:
> >
> > ----
> > type=PATH msg=audit(08/17/2011 10:06:46.243:548) : flags=follow,open inode=213007 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
> > type=PATH msg=audit(08/17/2011 10:06:46.243:548) : name=/bin/cat flags=follow,open inode=1163295 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
> > type=CWD msg=audit(08/17/2011 10:06:46.243:548) : cwd=/etc
> > type=EXECVE msg=audit(08/17/2011 10:06:46.243:548) : argv[0]="less" argv[1]="passwd"
> > type=SYSCALL msg=audit(08/17/2011 10:06:46.243:548) : arch=i386 syscall=execve success=yes exit=0 a0=8b53850 a1=8b66e50 a2=8b54a80 a3=8b66e50 items=2 pid=13051 auid=jplee3 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=cat exe=/bin/cat
>
> I am going to answer somewhat generally so this is applicable to more
> situations. When you want to correlate logs from multiple sources or
> events, of course you need a common denominator.
>
> In this case, the ID is what ties these events together. So what you
> need to do is write your child rules based on the ID (same_id), then add
> another qualifier. So the password rule might be first, then you can
> write the child rule to match on something unique like exe=, along with
> same_id, then the alert should fire. Unfortunately, it will not give you
> both lines--just the one that finally alerted.
>
> There are some other ways to do it, but perhaps this is all you need.
>
> --

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
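The composite-rule approach Michael describes, written out as an added example (an editor's illustration, not code from the thread or from the OSSEC project): a decoder that exposes the audit serial (the "548" in `audit(...:548)`) as the `id` field and `auid=` as the user, then a parent rule for the "passwd" record and a child rule tied to it with `same_id` and an `exe=` qualifier. The decoder names, rule ids, regexes, and the `frequency`/`timeframe` values are assumptions chosen for illustration; the regexes in particular should be checked with `ossec-logtest` against real audit records before the rules are deployed.

```xml
<!-- Added example; assumed decoder names, rule ids and values, not from the thread. -->

<!-- local_decoder.xml -->

<!-- SYSCALL records carry auid= and exe=. Listed first because its prematch is
     narrower than the generic audit decoder below. -->
<decoder name="audit-syscall">
  <prematch>^type=SYSCALL msg=audit\(</prematch>
  <!-- Capture the serial after the last ':' inside audit(...) as "id",
       and the login uid (auid=) as "user". -->
  <regex offset="after_prematch">:(\d+)\) : \.+ auid=(\S+) </regex>
  <order>id, user</order>
</decoder>

<!-- Every other record type (PATH, CWD, EXECVE, ...) only contributes the serial,
     which is what <same_id /> compares. -->
<decoder name="audit">
  <prematch>^type=\w+ msg=audit\(</prematch>
  <regex offset="after_prematch">:(\d+)\) : </regex>
  <order>id</order>
</decoder>

<!-- local_rules.xml -->
<group name="audit,">

  <!-- Parent ("the password rule"): a record whose argument list names "passwd".
       Kept at a non-zero level so the match is recorded for the child rule. -->
  <rule id="100100" level="3">
    <decoded_as>audit</decoded_as>
    <match>="passwd"</match>
    <description>Audit: a command was executed with "passwd" as an argument.</description>
  </rule>

  <!-- Child: a later record with the same audit serial (same_id) that carries the
       executable name. Composite rules take frequency and timeframe attributes
       (how many prior parent matches within how many seconds); "2 within 60 s"
       is an illustrative choice, not a value from the thread. The SYSCALL record
       is the one with auid=, so this alert is the one that shows the user name. -->
  <rule id="100101" level="7" frequency="2" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_id />
    <decoded_as>audit-syscall</decoded_as>
    <match>exe=/bin/cat</match>
    <description>Audit: /bin/cat run on passwd, user correlated by audit id.</description>
  </rule>

</group>
```

With the sample records above fed through `ossec-logtest` in order, the EXECVE line matches rule 100100 and the SYSCALL line, sharing serial 548 and containing `exe=/bin/cat`, fires rule 100101 with `jplee3` decoded as the user. As Michael notes, only that final record appears in the alert; the parent record is not attached to it.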
