On Mon, Feb 3, 2014 at 11:25 AM, dan (ddp) <[email protected]> wrote:
> On Mon, Feb 3, 2014 at 10:58 AM, Sean Jackson <[email protected]> wrote:
>> Hope everyone had a good weekend.
>>
>> I'm wondering if ossec is actually parsing the regex now.  Here's what I
>> have in decoder.xml:
>>
>>
>> <decoder name="bash">
>>     <prematch>^bash</prematch>
>>   </decoder>
>>
>>   <decoder name="bash-command">
>>     <parent>bash</parent>
>>     <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$</regex>
>>     <order>user, extra_data, action</order>
>>   </decoder>
>>
>> Here are the logs I'm running through logtest (just found out I don't need
>> to restart ossec-control to do that, just save decoder.xml):
>>
>> Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
>>
>> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
>>
>> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
>>
>> Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>>
>> And then this is what I see in ossec-logtest:
>>
>> Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>>        hostname: 'clu'
>>        program_name: '(null)'
>>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'bash'
>>
>> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>>        hostname: 'clu'
>>        program_name: '(null)'
>>        log: 'bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'bash'
>>
>> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts'
>>        hostname: 'clu'
>>        program_name: '(null)'
>>        log: 'bash update-users[12773] : cat known_hosts'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'bash'
>>
>> Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>>        hostname: 'clu'
>>        program_name: '(null)'
>>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'bash'
>>
>> Am I correct that the regex isn't being parsed at all?
>>
>
> Probably not. It's probably being parsed, just not matching for some reason.
>

What follows will be the log samples I used, the output of
ossec-logtest, and then the decoders in local_decoder.xml:

# cat /tmp/logsamples
Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop

# cat /tmp/logsamples | /var/ossec/ossec-hybrid/bin/ossec-logtest 2>&1 | more
2014/02/03 11:39:32 ossec-testrule: INFO: Reading local decoder file.
2014/02/03 11:39:32 ossec-testrule: INFO: Started (pid: 14749).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: 'Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
       hostname: 'clu'
       program_name: '(null)'
       log: 'bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'

**Phase 2: Completed decoding.
       decoder: 'bash'
       srcuser: 'sjackson'
       extra_data: '10.207.50.143 40313 10.207.53.15'
       extra_data: 'vim /etc/sysconfig/iptables-config'


**Phase 1: Completed pre-decoding.
       full event: 'Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
       hostname: 'clu'
       program_name: '(null)'
       log: 'bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'

**Phase 2: Completed decoding.
       decoder: 'bash'
       srcuser: 'root'
       extra_data: '64.55.86.101 15374 10.7.20.28'
       extra_data: 'ssh aws-control1'


**Phase 1: Completed pre-decoding.
       full event: 'Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts'
       hostname: 'clu'
       program_name: '(null)'
       log: 'bash update-users[12773] : cat known_hosts'

**Phase 2: Completed decoding.
       decoder: 'bash'


**Phase 1: Completed pre-decoding.
       full event: 'Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
       hostname: 'clu'
       program_name: '(null)'
       log: 'bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'

**Phase 2: Completed decoding.
       decoder: 'bash'
       srcuser: 'jtanner'
       extra_data: '10.207.50.143 40313 10.207.53.15'
       extra_data: 'service iptables stop'


<decoder name="bash">
  <prematch>^bash </prematch>
</decoder>

<decoder name="bash2">
  <parent>bash</parent>
  <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$</regex>
  <order>srcuser,extra_data, extra_data</order>
</decoder>


>
>> --Sean
>>
>> On Tuesday, January 28, 2014 1:57:21 PM UTC-7, Sean Jackson wrote:
>>>
>>> Hello all,
>>>
>>> I'm tracking bash commands through syslogging and the logs look like this:
>>>
>>> Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION INFO]: [THE BASH COMMAND]
>>>
>>> The command to save these logs is:
>>> PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'
>>>
>>> The logs are saved thusly (hostnames and IPs edited):
>>> Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
>>> Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
>>> Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com
>>>
>>> Here's what I'm doing right now, and my mind is telling me that I'm going
>>> down the wrong path.
>>>
>>>   <decoder name="bash">
>>>     <program_name>^bash</program_name>
>>>   </decoder>
>>>
>>>   <decoder name="bash-activity">
>>>     <parent>bash</parent>
>>>     <regex>???</regex>
>>>   </decoder>
>>>
>>> Can anyone help me figure out how to get OSSEC watching these logs so I
>>> can then create alerts if I see certain commands executed?  I want to know
>>> the time, the host, the user, the ssh connection info, and then the command.
>>>
>>>
>>> Thank you in advance (and likely afterwards)!
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.

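An added example, not code from the thread or from OSSEC: a Python version of the extraction the `bash2` decoder above performs, run over the same four sample lines. It goes one step further than the decoder by treating the four `$SSH_CONNECTION` fields as optional, so the `update-users` line (a non-SSH session, where `$SSH_CONNECTION` expands to nothing and only " : " follows the pid) is decoded too instead of falling through to the bare `bash` parent; the watch list in `is_watched` is a constructed illustration of the alerting Sean asked for, built only from the two firewall-related commands in the thread.

```python
import re
from typing import Optional

# Sample lines copied from the thread's /tmp/logsamples; the third comes from a
# non-SSH session, so $SSH_CONNECTION expanded to nothing and only " : " follows the pid.
SAMPLE_LOGS = """\
Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
"""

# syslog header, then the logger tag "bash $USER[$$] $SSH_CONNECTION" and the command.
# The four SSH_CONNECTION fields form one optional group so both line shapes match.
BASH_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) bash "
    r"(?P<user>\S+)\[(?P<pid>\d+)\] "
    r"(?:(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+))?"
    r" ?: (?P<command>.+)$"
)


def parse_bash_log(line: str) -> Optional[dict]:
    """Return the decoded fields for one line, or None if it is not a bash audit line."""
    m = BASH_LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["via_ssh"] = rec["src_ip"] is not None  # False for the update-users style line
    if rec["via_ssh"]:
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
    return rec


def is_watched(command: str) -> bool:
    """Constructed watch list: the two commands in the thread that touch the host firewall."""
    return command.startswith("service iptables stop") or "/etc/sysconfig/iptables-config" in command


def find_alerts(text: str) -> list:
    """Decode every line and return (user, src_ip, command) for the watched ones."""
    alerts = []
    for line in text.splitlines():
        rec = parse_bash_log(line)
        if rec is not None and is_watched(rec["command"]):
            alerts.append((rec["user"], rec["src_ip"], rec["command"]))
    return alerts
```

In OSSEC itself the same coverage needs a second child decoder of `bash` whose regex has no connection fields, since `bash2` as written requires them.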