On Thursday, February 20, 2014 2:02:59 PM UTC-5, dan (ddpbsd) wrote:

> OSSEC has its own regex syntax. It's not very deep, but there is some 
> documentation on the site. 
>

OK.
 

> > * reference usb device 
> > Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier (non-unique): 
> > 574343344530333937339999 0x1058 0x1230 0x1050, 2 
> > 
> > <decoder name="kernel"> 
> >   <program_name>^kernel</program_name> 
> > </decoder> 
> > 
>
> Just use the iptables decoder. It already matches. 
>
>
OK. But I would think that, for the future, kernel (be it Linux, Darwin, BSD or 
whatever) would be more appropriate. Tagging a rule with iptables on something 
other than Linux can be confusing at first. 

> 
> > In all those cases, I didn't manage to get ossec-logtest to match and don't 
> > understand why. Any help? 
> > 
>
> Without seeing the ossec-logtest output I can't be of much help (and 
> of course I can't run it right now). 
>
>
Here we are, for the first and second examples:
>>>
/opt/local/var/ossec/bin/ossec-logtest -v 2>&1
2014/02/20 15:19:23 ossec-testrule: INFO: Reading decoder file 
/opt/local/var/ossec/etc/decoder.xml.
2014/02/20 15:19:23 ossec-testrule: INFO: Reading decoder file 
/opt/local/var/ossec/etc/decoder_local_mac.xml.
2014/02/20 15:19:23 ossec-testrule: INFO: Started (pid: 68920).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Feb 15 20:21:34 HOST kernel[0]: USBMSC Identifier 
(non-unique): 574343344530333937333935 0x1058 0x1230 0x1050, 2'
       hostname: 'HOST'
       program_name: 'kernel'
       log: 'USBMSC Identifier (non-unique): 574343344530333937333935 
0x1058 0x1230 0x1050, 2'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
       *Rule 5100 matched.
       *Trying child rules.
    Trying rule: 5101 - Informative message from the kernel.
    Trying rule: 5102 - Informative message from the kernel
    Trying rule: 5105 - Invalid request to /dev/fd0 (bug on the kernel).
    Trying rule: 5106 - NFS incompability between Linux and Solaris.
    Trying rule: 5107 - NFS incompability between Linux and Solaris.
    Trying rule: 5111 - Kernel device error.
    Trying rule: 5112 - Kernel usbhid probe error (ignored).
    Trying rule: 2935 - Grouping for the mptscrih rules.
    Trying rule: 2936 - Grouping for the mptbase rules.
    Trying rule: 5108 - System running out of memory. Availability of the 
system is in risk.
    Trying rule: 5103 - Error message from the kernel. Ping of death attack.
    Trying rule: 5104 - Interface entered in promiscuous(sniffing) mode.
    Trying rule: 5113 - System is shutting down.
    Trying rule: 5130 - Monitor ADSL line is down.
    Trying rule: 5109 - Kernel Input/Output error
    Trying rule: 5110 - IRC misconfiguration
    Trying rule: 5131 - Monitor ADSL line is up.
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5400 - Initial group for sudo messages
    Trying rule: 9100 - PPTPD messages grouped
    Trying rule: 9200 - Squid syslog messages grouped
    Trying rule: 2900 - Dpkg (Debian Package) log.
    Trying rule: 2930 - Yum logs.
    Trying rule: 2931 - Yum logs.
    Trying rule: 7200 - Grouping of the arpwatch rules.
    Trying rule: 7300 - Grouping of Symantec AV rules.
    Trying rule: 7400 - Grouping of Symantec Web Security rules.
    Trying rule: 4300 - Grouping of PIX rules
    Trying rule: 12100 - Grouping of the named rules
    Trying rule: 13100 - Grouping for the smbd rules.
    Trying rule: 13106 - (null)
    Trying rule: 11400 - Grouping for the vsftpd rules.
    Trying rule: 11300 - Grouping for the pure-ftpd rules.
    Trying rule: 11310 - Rule grouping for pure ftpd transfers.
    Trying rule: 11200 - Grouping for the proftpd rules.
    Trying rule: 11500 - Grouping for the Microsoft ftp rules.
    Trying rule: 11100 - Grouping for the ftpd rules.
    Trying rule: 9300 - Grouping for the Horde imp rules.
    Trying rule: 9400 - Roundcube messages groupe.d
    Trying rule: 9500 - Wordpress messages grouped.
    Trying rule: 9600 - cimserver messages grouped.
    Trying rule: 9900 - Grouping for the vpopmail rules.
    Trying rule: 9800 - Grouping for the vm-pop3d rules.
    Trying rule: 3900 - Grouping for the courier rules.
    Trying rule: 30100 - Apache messages grouped.
    Trying rule: 31300 - Nginx messages grouped.
    Trying rule: 31404 - PHP Warning message.
    Trying rule: 31405 - PHP Fatal error.
    Trying rule: 31406 - PHP Parse error.
    Trying rule: 50100 - MySQL messages grouped.
    Trying rule: 50500 - PostgreSQL messages grouped.
    Trying rule: 4700 - Grouping of Cisco IOS rules.
    Trying rule: 4500 - Grouping for the Netscreen Firewall rules
    Trying rule: 4800 - SonicWall messages grouped.
    Trying rule: 3300 - Grouping of the postfix reject rules.
    Trying rule: 3320 - Grouping of the postfix rules.
    Trying rule: 3390 - Grouping of the clamsmtpd rules.
    Trying rule: 3100 - Grouping of the sendmail rules.
    Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
    Trying rule: 3600 - Grouping of the imapd rules.
    Trying rule: 3700 - Grouping of mailscanner rules.
    Trying rule: 9700 - Dovecot Messages Grouped.
    Trying rule: 3800 - Grouping of Exchange rules.
    Trying rule: 14100 - Grouping of racoon rules.
    Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
    Trying rule: 3500 - Grouping for the spamd rules
    Trying rule: 7600 - Grouping of Trend OSCE rules.
    Trying rule: 31200 - Grouping of Zeus rules.
    Trying rule: 6100 - Solaris BSM Auditing messages grouped.
    Trying rule: 19100 - VMWare messages grouped.
    Trying rule: 19101 - VMWare ESX syslog messages grouped.
    Trying rule: 6300 - Grouping for the MS-DHCP rules.
    Trying rule: 6350 - Grouping for the MS-DHCP rules.
    Trying rule: 6200 - Asterisk messages grouped.
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 102001 - (null)
    Trying rule: 102002 - (null)
    Trying rule: 102003 - (null)
    Trying rule: 102004 - (null)
    Trying rule: 110000 - USB device app group.
    Trying rule: 120000 - Google Chrome log noise
    Trying rule: 120001 - Google Chrome log noise
    Trying rule: 40102 - Buffer overflow attack on rpc.statd
    Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
    Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
    Trying rule: 1003 - Non standard syslog message (size too large).
    Trying rule: 40104 - Possible buffer overflow attempt.
    Trying rule: 40105 - "Null" user changed some information.
    Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
    Trying rule: 40109 - Stack overflow attempt or program exiting with 
SEGV (Solaris).
    Trying rule: 2301 - Excessive number connections to a service.
    Trying rule: 2502 - User missed the password more than one time
    Trying rule: 2504 - Illegal root login. 
    Trying rule: 7101 - Problems with the tripwire checking
    Trying rule: 5901 - New group added to the system
    Trying rule: 5902 - New user added to the system
    Trying rule: 5904 - Information from the user was changed
    Trying rule: 12110 - Serial number from master is lower than stored.
    Trying rule: 12111 - Unable to perform zone transfer.
    Trying rule: 18128 - Group account added/changed/deleted.
    Trying rule: 1007 - File system full.
    Trying rule: 30200 - Modsecurity alert.
    Trying rule: 5604 - Reverse lookup error (bad hostname config).
    Trying rule: 1004 - Syslogd exiting (logging stopped).
    Trying rule: 1005 - Syslogd restarted.
    Trying rule: 1006 - Syslogd restarted.
    Trying rule: 1008 - Process exiting (killed).
    Trying rule: 2501 - User authentication failure.
    Trying rule: 2503 - Connection blocked by Tcp Wrappers.
    Trying rule: 14101 - VPN authentication failed.
    Trying rule: 5553 - PAM misconfiguration.
    Trying rule: 5554 - PAM misconfiguration.
    Trying rule: 2103 - Unable to mount the NFS directory.
    Trying rule: 12112 - Zone transfer error.
    Trying rule: 5555 - User changed password.
    Trying rule: 2505 - Physical root login.
    Trying rule: 2506 - Pop3 Authentication passed.
    Trying rule: 13112 - Segfault in gvfs-smb.
    Trying rule: 1001 - File missing. Root access unrestricted.
    Trying rule: 1002 - Unknown problem somewhere in the system.
    Trying rule: 5903 - Group (or user) deleted from the system


**Phase 1: Completed pre-decoding.
       full event: 'Feb 20 11:20:36 HOST Google Chrome Helper[59050]: 
Process unable to create connection because the sandbox denied the right to 
lookup com.apple.coreservices.launchservicesd and so this process cannot 
talk to launchservicesd.'
       hostname: 'HOST'
       program_name: '(null)'
       log: 'Google Chrome Helper[59050]: Process unable to create 
connection because the sandbox denied the right to lookup 
com.apple.coreservices.launchservicesd and so this process cannot talk to 
launchservicesd.'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5400 - Initial group for sudo messages
    Trying rule: 9100 - PPTPD messages grouped
    Trying rule: 9200 - Squid syslog messages grouped
    Trying rule: 2900 - Dpkg (Debian Package) log.
    Trying rule: 2930 - Yum logs.
    Trying rule: 2931 - Yum logs.
    Trying rule: 7200 - Grouping of the arpwatch rules.
    Trying rule: 7300 - Grouping of Symantec AV rules.
    Trying rule: 7400 - Grouping of Symantec Web Security rules.
    Trying rule: 4300 - Grouping of PIX rules
    Trying rule: 12100 - Grouping of the named rules
    Trying rule: 13100 - Grouping for the smbd rules.
    Trying rule: 13106 - (null)
    Trying rule: 11400 - Grouping for the vsftpd rules.
    Trying rule: 11300 - Grouping for the pure-ftpd rules.
    Trying rule: 11310 - Rule grouping for pure ftpd transfers.
    Trying rule: 11200 - Grouping for the proftpd rules.
    Trying rule: 11500 - Grouping for the Microsoft ftp rules.
    Trying rule: 11100 - Grouping for the ftpd rules.
    Trying rule: 9300 - Grouping for the Horde imp rules.
    Trying rule: 9400 - Roundcube messages groupe.d
    Trying rule: 9500 - Wordpress messages grouped.
    Trying rule: 9600 - cimserver messages grouped.
    Trying rule: 9900 - Grouping for the vpopmail rules.
    Trying rule: 9800 - Grouping for the vm-pop3d rules.
    Trying rule: 3900 - Grouping for the courier rules.
    Trying rule: 30100 - Apache messages grouped.
    Trying rule: 31300 - Nginx messages grouped.
    Trying rule: 31404 - PHP Warning message.
    Trying rule: 31405 - PHP Fatal error.
    Trying rule: 31406 - PHP Parse error.
    Trying rule: 50100 - MySQL messages grouped.
    Trying rule: 50500 - PostgreSQL messages grouped.
    Trying rule: 4700 - Grouping of Cisco IOS rules.
    Trying rule: 4500 - Grouping for the Netscreen Firewall rules
    Trying rule: 4800 - SonicWall messages grouped.
    Trying rule: 3300 - Grouping of the postfix reject rules.
    Trying rule: 3320 - Grouping of the postfix rules.
    Trying rule: 3390 - Grouping of the clamsmtpd rules.
    Trying rule: 3100 - Grouping of the sendmail rules.
    Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
    Trying rule: 3600 - Grouping of the imapd rules.
    Trying rule: 3700 - Grouping of mailscanner rules.
    Trying rule: 9700 - Dovecot Messages Grouped.
    Trying rule: 3800 - Grouping of Exchange rules.
    Trying rule: 14100 - Grouping of racoon rules.
    Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
    Trying rule: 3500 - Grouping for the spamd rules
    Trying rule: 7600 - Grouping of Trend OSCE rules.
    Trying rule: 31200 - Grouping of Zeus rules.
    Trying rule: 6100 - Solaris BSM Auditing messages grouped.
    Trying rule: 19100 - VMWare messages grouped.
    Trying rule: 19101 - VMWare ESX syslog messages grouped.
    Trying rule: 6300 - Grouping for the MS-DHCP rules.
    Trying rule: 6350 - Grouping for the MS-DHCP rules.
    Trying rule: 6200 - Asterisk messages grouped.
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 102001 - (null)
    Trying rule: 102002 - (null)
    Trying rule: 102003 - (null)
    Trying rule: 102004 - (null)
    Trying rule: 110000 - USB device app group.
    Trying rule: 120000 - Google Chrome log noise
    Trying rule: 120001 - Google Chrome log noise
    Trying rule: 40102 - Buffer overflow attack on rpc.statd
    Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
    Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
    Trying rule: 1003 - Non standard syslog message (size too large).
    Trying rule: 40104 - Possible buffer overflow attempt.
    Trying rule: 40105 - "Null" user changed some information.
    Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
    Trying rule: 40109 - Stack overflow attempt or program exiting with 
SEGV (Solaris).
    Trying rule: 2301 - Excessive number connections to a service.
    Trying rule: 2502 - User missed the password more than one time
    Trying rule: 2504 - Illegal root login. 
    Trying rule: 7101 - Problems with the tripwire checking
    Trying rule: 5901 - New group added to the system
    Trying rule: 5902 - New user added to the system
    Trying rule: 5904 - Information from the user was changed
    Trying rule: 12110 - Serial number from master is lower than stored.
    Trying rule: 12111 - Unable to perform zone transfer.
    Trying rule: 18128 - Group account added/changed/deleted.
    Trying rule: 1007 - File system full.
    Trying rule: 30200 - Modsecurity alert.
    Trying rule: 5604 - Reverse lookup error (bad hostname config).
    Trying rule: 1004 - Syslogd exiting (logging stopped).
    Trying rule: 1005 - Syslogd restarted.
    Trying rule: 1006 - Syslogd restarted.
    Trying rule: 1008 - Process exiting (killed).
    Trying rule: 2501 - User authentication failure.
    Trying rule: 2503 - Connection blocked by Tcp Wrappers.
    Trying rule: 14101 - VPN authentication failed.
    Trying rule: 5553 - PAM misconfiguration.
    Trying rule: 5554 - PAM misconfiguration.
    Trying rule: 2103 - Unable to mount the NFS directory.
    Trying rule: 12112 - Zone transfer error.
    Trying rule: 5555 - User changed password.
    Trying rule: 2505 - Physical root login.
    Trying rule: 2506 - Pop3 Authentication passed.
    Trying rule: 13112 - Segfault in gvfs-smb.
    Trying rule: 1001 - File missing. Root access unrestricted.
    Trying rule: 1002 - Unknown problem somewhere in the system.
       *Rule 1002 matched.
       *Trying child rules.
    Trying rule: 1009 - Ignoring known false positives on rule 1002..

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
<<<

There is no decoder matching, as described in the doc: 
http://www.ossec.net/doc/manual/rules-decoders/create-custom.html
so obviously the rules don't match either.
Looking at other syslog_rules, I'm adding '<if_sid>5100</if_sid>' to mine, 
but it doesn't change a thing. Also, maybe it is better to use <match> instead of 
<regex> if we don't extract data? But in this case, how do we escape the 
PID in case of a non-recognized program_name (space), just a '[*]'?

> I tried googling to find more information on macos, but was unable to 
> do so. Is it a Linux distro? Do you have a link? 
>

Macos = Mac OS = OS X = Mac = Darwin = Apple = http://www.apple.com/osx/
 
Thanks.
Cheers,

Julien

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
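The ossec-logtest trace above already shows what is wrong with both lines, so here is an added example of a decoder and rule pair that handles them. It is not code from this thread or from the OSSEC project; the decoder names chrome-helper and usbmsc, the reuse of rule ids 110000 and 120000, the levels and the group names are assumptions, so adjust them to your own local ranges.

Two things stand out in the trace. First, for the Chrome line the pre-decoder reports program_name '(null)' and leaves the whole "Google Chrome Helper[59050]: ..." text in the log field, because the syslog pre-decoder gives up on a program name as soon as it meets a space before '[' or ':'. A decoder or rule keyed on <program_name> can therefore never match that line; it has to be matched on the log field, with <prematch> in a decoder or <match> in a rule. In OSSEC's own regex dialect '[' and ']' are plain literal characters and '+' and '*' are modifiers of the character before them, so '[*]' would mean "zero or more '[' followed by ']'"; the PID is matched by '[\d+]', with nothing to escape. Since nothing matched earlier, the line fell through to the generic rule 1002, which is where the level 2 alert comes from. Second, for the kernel line rule 5100 matches, but rule 110000 is tried at the top level, outside the "*Trying child rules" block of 5100, so as loaded it is not a child of 5100.

```xml
<!-- Added example, not from the thread or from OSSEC. Decoder names,
     rule ids 110000/120000, levels and group names are assumptions. -->

<!-- ===== decoder_local_mac.xml (this install already reads it) ===== -->

<!-- "Google Chrome Helper[59050]: ..." keeps its spaces in the log field
     because pre-decoding found a space before '[' and set no program_name.
     Match the log field with <prematch> instead of <program_name>.
     In OSSEC regex '[' and ']' are literal and \d+ matches the PID. -->
<decoder name="chrome-helper">
  <prematch>^Google Chrome Helper[\d+]: </prematch>
</decoder>

<!-- Child of the stock iptables decoder (program_name ^kernel), which the
     USBMSC line already decodes with. Only needed to pull the serial and the
     vendor/product ids out as fields; a plain <match> in the rule would do
     otherwise. \p matches the parentheses, \w+ the hex tokens. -->
<decoder name="usbmsc">
  <parent>iptables</parent>
  <prematch>^USBMSC Identifier</prematch>
  <regex>^USBMSC Identifier \pnon-unique\p: (\w+) (\w+ \w+ \w+)</regex>
  <order>id, extra_data</order>
</decoder>

<!-- ===== a rules file listed under <rules><include> in ossec.conf ===== -->
<group name="local,syslog,">

  <!-- The trace shows 5100 matching the USBMSC line and 110000 tried at the
       top level, i.e. not under 5100. Hang it under 5100 and match the log
       text; <match> is enough because the rule extracts nothing itself. -->
  <rule id="110000" level="5">
    <if_sid>5100</if_sid>
    <match>USBMSC Identifier</match>
    <description>USB mass storage device attached (OS X kernel).</description>
    <group>usb,</group>
  </rule>

  <!-- Level-0 rules are tried ahead of the alerting rules (in the trace,
       120000 is tried long before 1002), so a level-0 rule tied to the
       chrome-helper decoder swallows the sandbox noise before 1002 sees it. -->
  <rule id="120000" level="0">
    <decoded_as>chrome-helper</decoded_as>
    <match>sandbox denied the right to lookup</match>
    <description>Google Chrome Helper sandbox noise (ignored).</description>
  </rule>

</group>
```

To check it, rerun /opt/local/var/ossec/bin/ossec-logtest and paste the two lines again: the kernel line should now show a Phase 2 decoding step with id and extra_data fields and a Phase 3 hit on rule 110000, and the Chrome line should decode as chrome-helper and end on rule 120000 at level 0 with no alert. If you do not want a decoder at all for the Chrome line, a rule with <match>^Google Chrome Helper[</match> works on its own, since <match> is applied to the log field and its sregex syntax treats everything except ^, $ and | as literal text. Keep in mind that <match> has no character classes, so anything needing \d, \w or field extraction belongs in <regex>.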