The rule IDs that we use have to be unique. The range of rule IDs for the 
syslog type is from 1000 to 1999. In the OSSEC installation path, in the 
/var/ossec/rules folder, we have various rules made available by the OSSEC 
distribution by default. There is one for syslog rules. We need to make 
sure that the new rules that we add do not conflict with existing rule IDs. 
That is the reason for choosing those rule IDs. It is quite possible to 
come up with different ones in the same range that are not already used.
The range of rule IDs has been documented in many places in the '01000' kind 
of format and I just used it. It is perfectly fine to use '1000' instead.

Some log samples follow:
Dec 18 18:02:50 my-host-name krb5kdc[29191](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: CLIENT_NOT_FOUND: hdfs/[email protected] for krbtgt/[email protected], Client not found in Kerberos database

Dec 18 18:03:07 my-host-name krb5kdc[29191](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1418905987, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]

Again, these are just samples of how to match something in the log with the 
decoder and the rule that we write with a match pattern. It is purely up to 
you what to match and capture from the log as an alert in OSSEC.

Sethukumar




On Friday, 12 December 2014 18:16:07 UTC+5:30, dan (ddpbsd) wrote:
>
> On Fri, Dec 12, 2014 at 7:15 AM, Sethukumar Ramachandran 
> <[email protected]> wrote: 
> > There could be lots of things that are spit out in Kerberos logs which might be of 
> > interest from an OSSEC perspective, say to create an alert or capture some 
> > information for audit purposes. One can use some words or phrases or regular 
> > expressions for the match. 
> > 
> > On Wednesday, 10 December 2014 18:05:45 UTC+5:30, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Dec 10, 2014 at 7:13 AM, Sethukumar Ramachandran 
> >> <[email protected]> wrote: 
> >> > 
> >> > 
> >> > On Saturday, 1 March 2014 21:54:23 UTC+5:30, Michiel van Es wrote: 
> >> >> 
> >> >> Hi, 
> >> >> 
> >> >> Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and if so 
> >> >> is willing to share its decoder and local_rules.xml config? (I am not 
> >> >> trying to reinvent the wheel here and Google has nothing on it except Vic 
> >> >> Hargrave's blog, but I cannot post on it because of technical issues at this 
> >> >> blog). 
> >> >> 
> >> >> Regards, 
> >> >> 
> >> >> Michiel 
> >> > 
> >> > 
> >> > Hi Michiel, 
> >> > 
> >> > I was trying to do the same and found this query and finally had to do it 
> >> > myself. For the benefit of anybody who is going 
> >> > through this mail group, I'm posting the solution that I had working for me. 
> >> > I have the following in my /var/ossec/etc/ossec.conf file: 
> >> >    <localfile> 
> >> >         <log_format>syslog</log_format> 
> >> >         <location>/var/log/krb5/kdc.log</location> 
> >> >    </localfile> 
> >> > 
> >> >    <localfile> 
> >> >         <log_format>syslog</log_format> 
> >> >         <location>/var/log/kadmin.log</location> 
> >> >    </localfile> 
> >> > 
> >> > 
> >> > Then in /var/ossec/etc/decoder.xml I have added the following: 
> >> > 
> >> >    <decoder name="krb5"> 
> >> >        <prematch>^krb5kdc</prematch> 
> >> >    </decoder> 
> >> > 
> >> > Then I created a new rule file in /var/ossec/rules/kerberos_rules.xml 
> >> > with 
> >> > some rules as below: 
> >> > 
> >> > 
> >> >    <group name="syslog,krb5,"> 
> >> >       <rule id="01900" level="0" noalert="1"> 
> >> >          <decoded_as>krb5</decoded_as> 
> >> >          <description>Grouping of kerberos rules.</description> 
> >> >       </rule> 
> >> > 
> >> >       <rule id="01901" level="8"> 
> >> >          <if_sid>01900</if_sid> 
> >> >          <match>ISSUE:</match> 
> >> >          <description>Successful Kerberos authentication.</description> 
> >> >          <group>authentication_success,</group> 
> >> >       </rule> 
> >> > 
> >> >       <rule id="01902" level="8"> 
> >> >           <if_sid>01900</if_sid> 
> >> >           <match>UNKNOWN_SERVER:</match> 
> >> >           <description>Server not found in Kerberos database</description> 
> >> >           <group>Kerberos ticket request failed</group> 
> >> >       </rule> 
> >> >     </group> 
> >> > 
> >> > The rule IDs that we assign to these rules need to be within the range 
> >> > being allocated for the syslog type, which is 01000 to 01999. 
> >> 
> >> Why? 
> >> 
>
> I actually was curious why you had to use those IDs. And actually why 
> you started them with a 0. 
> Still hoping for log samples. :) 
>
> >> > The match criteria is as per requirement and one has to choose it. 
> >> > 
> >> > That's it! 
> >> > 
> >> 
> >> If you have some sample logs you can provide, we can add these to the 
> >> install. 
> >> 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> >> > Groups 
> >> > "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send 
> >> > an 
> >> > email to [email protected]. 
> >> > For more options, visit https://groups.google.com/d/optout. 
> > 
>


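As an added example (neither OSSEC's code nor the poster's), the following Python models the path the thread sets up: the syslog pre-decoder, the krb5 decoder's `^krb5kdc` prematch, and rules 1900-1902 with `if_sid` chaining, run over constructed lines modelled on the samples above (host and principal names are placeholders, and the third line is an UNKNOWN_SERVER case built to the same format). It also contains the rule-ID conflict check the reply describes, treating `01900` and `1900` as the same number. The `KRB5_RE` field regex, the function names and the sample rule-file snippets are my own assumptions, not part of the thread's decoder or rules.

```python
"""Toy model of the OSSEC path set up in the thread: syslog pre-decoding, the
krb5 decoder's prematch, then rules 1900-1902 with if_sid chaining.
Added example, not OSSEC code: the real engine has many more decoders and
rule options and loads its rules from XML, which this does not reproduce."""
import re

# Constructed sample lines modelled on the krb5kdc entries quoted in the thread.
# Host and principal names are placeholders.
SAMPLE_LOGS = [
    "Dec 18 18:02:50 my-host-name krb5kdc[29191](info): AS_REQ (4 etypes {18 17 16 23}) "
    "127.0.0.1: CLIENT_NOT_FOUND: hdfs/host1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
    "Client not found in Kerberos database",
    "Dec 18 18:03:07 my-host-name krb5kdc[29191](info): AS_REQ (4 etypes {18 17 16 23}) "
    "127.0.0.1: ISSUE: authtime 1418905987, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Dec 18 18:04:11 my-host-name krb5kdc[29191](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "127.0.0.1: UNKNOWN_SERVER: authtime 1418905987, alice@EXAMPLE.COM for "
    "host/nosuch.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "Dec 18 18:05:00 my-host-name sshd[1234]: Accepted publickey for root from 10.0.0.5",
]

# Syslog pre-decoding: timestamp, hostname, and everything after them.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# The thread's decoder, <prematch>^krb5kdc</prematch>, applied to 'rest'.
DECODERS = [("krb5", re.compile(r"^krb5kdc"))]
# Field extraction for KDC request lines: my own regex, not part of the thread's decoder.
KRB5_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<srcip>[\d.]+): (?P<status>[A-Z_]+):"
    r".*?(?P<client>\S+@\S+) for (?P<server>[^,\s]+)"
)
# The thread's kerberos_rules.xml as data; 1900 is the level-0 grouping rule.
RULES = [
    {"id": 1900, "level": 0, "if_sid": None, "decoded_as": "krb5",
     "description": "Grouping of Kerberos rules."},
    {"id": 1901, "level": 8, "if_sid": 1900, "match": "ISSUE:",
     "description": "Successful Kerberos authentication."},
    {"id": 1902, "level": 8, "if_sid": 1900, "match": "UNKNOWN_SERVER:",
     "description": "Server not found in Kerberos database"},
]


def predecode(line):
    """Split off the syslog header, pick a decoder by prematch, extract fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["decoder"] = next((n for n, rx in DECODERS if rx.search(ev["rest"])), None)
    f = KRB5_RE.search(ev["rest"]) if ev["decoder"] == "krb5" else None
    ev["fields"] = f.groupdict() if f else {}
    return ev


def evaluate(ev, rules=RULES):
    """Walk the rule tree as OSSEC does: a child (if_sid) is only tried after its
    parent matched, siblings are tried in file order, and the deepest match wins."""
    matched, parent = None, None
    while True:
        nxt = next((r for r in rules if r["if_sid"] == parent
                    and ev["decoder"] == r.get("decoded_as", ev["decoder"])
                    and r.get("match", "") in ev["rest"]), None)
        if nxt is None:
            return matched
        matched, parent = nxt, nxt["id"]


def process(line):
    """Matched rule with an 'alert' flag (level > 0), or None if nothing matched."""
    ev = predecode(line)
    r = evaluate(ev) if ev else None
    if r is None:
        return None
    return {"rule": r["id"], "level": r["level"], "alert": r["level"] > 0,
            "description": r["description"], "fields": ev["fields"]}


# Rule-id hygiene: ids must be unique across every rule file OSSEC loads.
RULE_ID_RE = re.compile(r'<rule\s+id="(\d+)"')


def rule_ids(xml_text):
    """Ids in one rule file; int() makes "01900" and "1900" the same id."""
    return [int(i) for i in RULE_ID_RE.findall(xml_text)]


def id_conflicts(existing_files, new_file):
    """(ids the new file reuses from existing files, ids duplicated within it)."""
    taken = {i for text in existing_files for i in rule_ids(text)}
    new = rule_ids(new_file)
    return sorted(taken & set(new)), sorted({i for i in new if new.count(i) > 1})


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(process(line))
    # Constructed stand-in for a shipped rule file and a new file that reuses one id.
    shipped = '<group name="syslog,"><rule id="1002" level="2"></rule></group>'
    mine = '<group name="syslog,krb5,"><rule id="01900" level="0"></rule>' \
           '<rule id="1002" level="8"></rule></group>'
    print(id_conflicts([shipped], mine))  # ([1002], [])
```

Run with python3 and it prints one result per line. Note what the thread's rules do with the CLIENT_NOT_FOUND sample: it only reaches the level-0 grouping rule 1900, so it raises no alert; a further child rule keyed on `CLIENT_NOT_FOUND:` would be needed to alert on it. Before trusting a decoder in production, feed a sample line to /var/ossec/bin/ossec-logtest: if the pre-decoder splits `krb5kdc` off as the program name, `<prematch>` never sees it, and a `<program_name>krb5kdc</program_name>` element in the decoder is the reliable hook.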