1. The choice of IDs boils down to 2 things. First, it is of the syslog category,
and the range of rule IDs for this is 1000 to 1999.
2. Starting with a '0' was just a copy-paste from various places where
similar rule IDs were mentioned. It is perfectly OK to leave those.
3. Some log samples below, which are just for illustration:
Dec 02 18:36:47 my-host-name krb5kdc[28005](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.4.77: ISSUE: authtime 1417525607, etypes {rep=18 tkt=18 ses=18}, nn/[email protected] for krbtgt/[email protected]
Dec 03 12:48:32 my-host-name krb5kdc[28005](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.4.145: CLIENT_NOT_FOUND: [email protected] for krbtgt/[email protected], Client not found in Kerberos database
On Friday, 12 December 2014 18:16:07 UTC+5:30, dan (ddpbsd) wrote:
>
> On Fri, Dec 12, 2014 at 7:15 AM, Sethukumar Ramachandran
> <[email protected]> wrote:
> > There could be a lot of things spat out in Kerberos logs which might be
> > of interest from an OSSEC perspective, say to create an alert or capture some
> > information for audit purposes. One can use some words, phrases or regular
> > expressions for the match.
> >
> > On Wednesday, 10 December 2014 18:05:45 UTC+5:30, dan (ddpbsd) wrote:
> >>
> >> On Wed, Dec 10, 2014 at 7:13 AM, Sethukumar Ramachandran
> >> <[email protected]> wrote:
> >> >
> >> >
> >> > On Saturday, 1 March 2014 21:54:23 UTC+5:30, Michiel van Es wrote:
> >> >>
> >> >> Hi,
> >> >>
> >> >> Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and if so
> >> >> is willing to share its decoder and local_rules.xml config? (I am not
> >> >> trying to reinvent the wheel here and Google has nothing on it except Vic
> >> >> Hargrave's blog but I can not post on it because of technical issues at
> >> >> this blog).
> >> >>
> >> >> Regards,
> >> >>
> >> >> Michiel
> >> >
> >> >
> >> > Hi Michiel,
> >> >
> >> > I was trying to do the same and found this query and finally had to do
> >> > it myself. For the benefit of anybody who is going through this mail
> >> > group, I'm posting the solution that I had working for me.
> >> > I have the following in my /var/ossec/etc/ossec.conf file:
> >> > <localfile>
> >> > <log_format>syslog</log_format>
> >> > <location>/var/log/krb5/kdc.log</location>
> >> > </localfile>
> >> >
> >> > <localfile>
> >> > <log_format>syslog</log_format>
> >> > <location>/var/log/kadmin.log</location>
> >> > </localfile>
> >> >
> >> >
> >> > Then in /var/ossec/etc/decoder.xml I have added the following:
> >> >
> >> > <decoder name="krb5">
> >> > <prematch>^krb5kdc</prematch>
> >> > </decoder>
> >> >
> >> > Then I created a new rule file in /var/ossec/rules/kerberos_rules.xml
> >> > with some rules as below:
> >> >
> >> >
> >> > <group name="syslog,krb5,">
> >> > <rule id="01900" level="0" noalert="1">
> >> > <decoded_as>krb5</decoded_as>
> >> > <description>Grouping of kerberos rules.</description>
> >> > </rule>
> >> >
> >> > <rule id="01901" level="8">
> >> > <if_sid>01900</if_sid>
> >> > <match>ISSUE:</match>
> >> > <description>Successful Kerberos authentication.</description>
> >> > <group>authentication_success,</group>
> >> > </rule>
> >> >
> >> > <rule id="01902" level="8">
> >> > <if_sid>01900</if_sid>
> >> > <match>UNKNOWN_SERVER:</match>
> >> > <description>Server not found in Kerberos database</description>
> >> > <group>Kerberos ticket request failed</group>
> >> > </rule>
> >> > </group>
> >> >
> >> > The rule ID that we assign to these rules needs to be within the range
> >> > being allocated for the syslog type, which is 01000 to 01999.
> >>
> >> Why?
> >>
>
> I actually was curious why you had to use those IDs. And actually why
> you started them with a 0.
> Still hoping for log samples. :)
>
> >> > The match criteria is as per requirement and one has to choose it.
> >> >
> >> > That's it!
> >> >
> >>
> >> If you have some sample logs you can provide, we can add these to the
> >> install.
> >>
> >
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
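To make the decoder/rule chain discussed in this thread concrete, here is an added Python emulation (not OSSEC code, and not from any poster) that pre-decodes the krb5kdc syslog lines, applies a `^krb5kdc` prematch, walks a rule table shaped like the quoted kerberos_rules.xml, and checks the syslog ID range. The log lines and principals are constructed, and rule 01903 for CLIENT_NOT_FOUND is an assumed addition to cover the second sample.

```python
import re

# Constructed krb5kdc lines modelled on the thread's samples; principals are placeholders.
SAMPLE_LOGS = [
    "Dec 02 18:36:47 my-host-name krb5kdc[28005](info): AS_REQ (6 etypes {18 17 16 23 1 3}) "
    "192.0.4.77: ISSUE: authtime 1417525607, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Dec 03 12:48:32 my-host-name krb5kdc[28005](info): AS_REQ (4 etypes {18 17 16 23}) "
    "192.0.4.145: CLIENT_NOT_FOUND: nobody@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
    "Client not found in Kerberos database",
    "Dec 03 12:50:01 my-host-name sshd[4242]: Accepted publickey for alice from 192.0.4.9",
]

# Syslog pre-decode: timestamp, host, program name, optional [pid] and (level), then message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\s\[(:]+)"
    r"(?:\[(?P<pid>\d+)\])?(?:\((?P<lvl>\w+)\))?: (?P<msg>.*)$"
)
# KDC message body: request type, etype list, client IP, status keyword, remainder.
KDC_RE = re.compile(
    r"^(?P<req>\w+) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<srcip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)

# Rule table in the shape of the quoted kerberos_rules.xml: (id, level, if_sid, match, groups).
# 01903 is an assumed addition for the CLIENT_NOT_FOUND sample, not a rule from the thread.
RULES = [
    ("01900", 0, None,    None,                "krb5,"),
    ("01901", 8, "01900", "ISSUE:",            "authentication_success,"),
    ("01902", 8, "01900", "UNKNOWN_SERVER:",   "authentication_failed,"),
    ("01903", 5, "01900", "CLIENT_NOT_FOUND:", "authentication_failed,"),
]

def in_syslog_range(rule_id):
    """Syslog rule IDs must fall in 1000-1999; a leading zero is cosmetic (int('01900') == 1900)."""
    return 1000 <= int(rule_id) <= 1999

def decode(line):
    """Emulate the 'krb5' decoder: prematch ^krb5kdc on the program name, then split the message."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("krb5kdc"):
        return None
    fields = m.groupdict()
    k = KDC_RE.match(fields["msg"])
    if k:
        fields.update(k.groupdict())  # adds req, etypes, srcip, status, rest
    return fields

def evaluate(line):
    """Return (rule_id, level, fields) for the most specific rule that fires, or None."""
    fields = decode(line)
    if fields is None:
        return None
    fired = []  # parent rule 01900 fires on decoded_as; children need if_sid + match
    for rid, level, parent, needle, _groups in RULES:
        if parent is None or (parent in [f[0] for f in fired] and needle in fields["msg"]):
            fired.append((rid, level))
    rid, level = fired[-1]
    return rid, level, fields
```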