On Thu, Dec 18, 2014 at 5:07 AM, Sethukumar Ramachandran
<[email protected]> wrote:
>
> 1. The choice of IDs boils down to two things. First, it is of the syslog
> category, and the range of rule IDs for this is 1000 to 1999.
Be careful with this: any time there is a new version of OSSEC, your
rules could get overwritten and those IDs taken. That's why there is a
range for custom rules that does not conflict with the IDs reserved by
the project.
Also, if you're adding your rules to syslog_rules.xml or the like, be
careful about upgrades. These files will also be overwritten by newer
versions.
> 2. Starting with a '0' was just a copy-paste from various places where
> similar rule IDs are mentioned. It is perfectly OK to leave those.
> 3. Some log samples below, just for illustration:
>
> Dec 02 18:36:47 my-host-name krb5kdc[28005](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.4.77: ISSUE: authtime 1417525607, etypes {rep=18 tkt=18 ses=18}, nn/[email protected] for krbtgt/[email protected]
>
> Dec 03 12:48:32 my-host-name krb5kdc[28005](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.4.145: CLIENT_NOT_FOUND: [email protected] for krbtgt/[email protected], Client not found in Kerberos database
>
>
>
>
> On Friday, 12 December 2014 18:16:07 UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Fri, Dec 12, 2014 at 7:15 AM, Sethukumar Ramachandran
>> <[email protected]> wrote:
>> > There could be a lot of things spat out in Kerberos logs which might be
>> > of interest from an OSSEC perspective, say to create an alert or capture
>> > some information for audit purposes. One can use some words, phrases or
>> > regular expressions for the match.
>> >
>> > On Wednesday, 10 December 2014 18:05:45 UTC+5:30, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Dec 10, 2014 at 7:13 AM, Sethukumar Ramachandran
>> >> <[email protected]> wrote:
>> >> >
>> >> >
>> >> > On Saturday, 1 March 2014 21:54:23 UTC+5:30, Michiel van Es wrote:
>> >> >>
>> >> >> Hi,
>> >> >>
>> >> >> Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and, if
>> >> >> so, is willing to share its decoder and local_rules.xml config? (I am
>> >> >> not trying to reinvent the wheel here, and Google has nothing on it
>> >> >> except Vic Hargrave's blog, but I cannot post on it because of
>> >> >> technical issues at this blog.)
>> >> >>
>> >> >> Regards,
>> >> >>
>> >> >> Michiel
>> >> >
>> >> >
>> >> > Hi Michiel,
>> >> >
>> >> > I was trying to do the same and found this query and finally had to
>> >> > do it myself. For the benefit of anybody who is going through this
>> >> > mail group, I'm posting the solution that I had working for me.
>> >> > I have the following in my /var/ossec/etc/ossec.conf file:
>> >> > <localfile>
>> >> >   <log_format>syslog</log_format>
>> >> >   <location>/var/log/krb5/kdc.log</location>
>> >> > </localfile>
>> >> >
>> >> > <localfile>
>> >> >   <log_format>syslog</log_format>
>> >> >   <location>/var/log/kadmin.log</location>
>> >> > </localfile>
>> >> >
>> >> >
>> >> > Then in /var/ossec/etc/decoder.xml I have added the following:
>> >> >
>> >> > <decoder name="krb5">
>> >> >   <prematch>^krb5kdc</prematch>
>> >> > </decoder>
>> >> >
>> >> > Then I created a new rule file, /var/ossec/rules/kerberos_rules.xml,
>> >> > with some rules as below:
>> >> >
>> >> >
>> >> > <group name="syslog,krb5,">
>> >> >   <rule id="01900" level="0" noalert="1">
>> >> >     <decoded_as>krb5</decoded_as>
>> >> >     <description>Grouping of Kerberos rules.</description>
>> >> >   </rule>
>> >> >
>> >> >   <rule id="01901" level="8">
>> >> >     <if_sid>01900</if_sid>
>> >> >     <match>ISSUE:</match>
>> >> >     <description>Successful Kerberos authentication.</description>
>> >> >     <group>authentication_success,</group>
>> >> >   </rule>
>> >> >
>> >> >   <rule id="01902" level="8">
>> >> >     <if_sid>01900</if_sid>
>> >> >     <match>UNKNOWN_SERVER:</match>
>> >> >     <description>Server not found in Kerberos database</description>
>> >> >     <group>Kerberos ticket request failed</group>
>> >> >   </rule>
>> >> > </group>
>> >> >
>> >> > The rule IDs that we assign to these rules need to be within the range
>> >> > allocated for the syslog type, which is 01000 to 01999.
>> >>
>> >> Why?
>> >>
>>
>> I actually was curious why you had to use those IDs, and actually why
>> you started them with a 0.
>> Still hoping for log samples. :)
>>
>> >> > The match criteria are as per requirement, and one has to choose them.
>> >> >
>> >> > That's it!
>> >> >
>> >>
>> >> If you have some sample logs you can provide, we can add these to the
>> >> install.
>> >>
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
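Two points in the thread are worth seeing in running code together: the poster's decoder-plus-rule-file layout, and dan's warning that rule IDs inside the project-reserved ranges (and rules written into the shipped rule files) get clobbered on upgrade. The Python below is an added example, not code from the thread or from the OSSEC project. It models the decoder and the rule set in plain Python, runs them over constructed log lines shaped like the two samples quoted above, and keeps every rule ID in the 100000 and up range that OSSEC reserves for user rules (the range local_rules.xml uses). The host names, addresses, principals, rule levels, group names and the extra PREAUTH_FAILED status are this example's assumptions, not values from the thread.

```python
"""Model of an OSSEC decoder + rule set for MIT krb5kdc logs (added example,
not code from the ossec-list thread or from OSSEC itself)."""
import re
from collections import Counter

# Assumed shape of a KDC request record, copied from the samples in the thread:
#   <Mon dd HH:MM:SS> <host> krb5kdc[<pid>](info): <AS_REQ|TGS_REQ>
#   (<n> etypes {...}) <srcip>: <STATUS>: ..., <client> for <service>[, <reason>]
KDC_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<sev>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<srcip>[0-9A-Fa-f.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client> for <service>" ends the free-text part, optionally followed by
# ", <human-readable reason>".
PRINCIPALS = re.compile(
    r"(?P<client>\S+) for (?P<service>[^,\s]+)(?:, (?P<reason>.*))?$"
)

# Rule table standing in for local_rules.xml.  IDs are in the 100000+ range
# OSSEC reserves for user rules, so an upgrade that rewrites the shipped rule
# files cannot collide with them.  Levels, the extra statuses and the group
# names are this example's choices (assumptions), not values from the thread.
RULES = [
    {"id": 100900, "level": 0, "status": None,
     "description": "Grouping of Kerberos KDC events.", "groups": ("krb5",)},
    {"id": 100901, "level": 3, "status": "ISSUE",
     "description": "Kerberos ticket issued.", "groups": ("krb5", "authentication_success")},
    {"id": 100902, "level": 5, "status": "UNKNOWN_SERVER",
     "description": "Server not found in Kerberos database.", "groups": ("krb5", "authentication_failed")},
    {"id": 100903, "level": 5, "status": "CLIENT_NOT_FOUND",
     "description": "Client not found in Kerberos database.", "groups": ("krb5", "authentication_failed", "invalid_login")},
    {"id": 100904, "level": 5, "status": "PREAUTH_FAILED",
     "description": "Kerberos pre-authentication failed.", "groups": ("krb5", "authentication_failed")},
]


def decode(line):
    """Decoder model: return the fields OSSEC would expose (srcip, user, ...)
    or None when the line is not a KDC request record."""
    m = KDC_LINE.match(line)
    if m is None:
        return None
    ev = {k: m.group(k) for k in ("ts", "host", "req", "srcip", "status")}
    p = PRINCIPALS.search(m.group("rest"))
    ev["user"] = p.group("client") if p else None
    ev["service"] = p.group("service") if p else None
    ev["reason"] = p.group("reason") if p else None
    return ev


def match_rule(ev):
    """Rule model: the first entry is the level-0 parent every KDC event hits;
    the others are its <if_sid> children, keyed on the status word."""
    parent, *children = RULES
    for rule in children:
        if rule["status"] == ev["status"]:
            return rule
    return parent


def analyse(lines, min_level=1):
    """Run lines through decode + rules and return the alerts that would fire
    (the level-0 grouping rule stays silent, as noalert="1" makes it in OSSEC)."""
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        rule = match_rule(ev)
        if rule["level"] >= min_level:
            alerts.append({"id": rule["id"], "level": rule["level"],
                           "description": rule["description"],
                           "srcip": ev["srcip"], "user": ev["user"],
                           "status": ev["status"]})
    return alerts


def failed_sources(lines, threshold=3):
    """Composite-rule model: source addresses with at least `threshold` failed
    requests, the job <frequency> plus <same_source_ip> does in OSSEC."""
    hits = Counter(ev["srcip"] for ev in map(decode, lines)
                   if ev and "authentication_failed" in match_rule(ev)["groups"])
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed log lines shaped like the thread's samples (host, addresses and
# principals are made up; 192.0.2.0/24 is documentation address space).
SAMPLE_LOG = [
    "Dec 02 18:36:47 kdc1 krb5kdc[28005](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.2.77: ISSUE: authtime 1417525607, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Dec 03 12:48:32 kdc1 krb5kdc[28005](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.145: CLIENT_NOT_FOUND: ghost@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database",
    "Dec 03 12:48:33 kdc1 krb5kdc[28005](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.145: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed",
    "Dec 03 12:48:34 kdc1 krb5kdc[28005](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.145: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed",
    "Dec 03 12:50:01 kdc1 krb5kdc[28005](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.2.77: UNKNOWN_SERVER: authtime 1417525607, alice@EXAMPLE.COM for host/nowhere.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "Dec 03 12:51:00 kdc1 krb5kdc[28005](info): closing down fd 12",  # not a request: must not decode
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"Rule {a['id']} (level {a['level']}) {a['srcip']} {a['user']}: {a['description']}")
    print("repeat offenders:", failed_sources(SAMPLE_LOG))
```

In OSSEC proper the same logic is a `<decoder>` with a `<regex>`/`<order>` pair exposing srcip and user, child rules with `<if_sid>`, and a composite rule with `<frequency>` and `<same_source_ip>` for the repeated-failure count. Keep them in local_decoder.xml and local_rules.xml rather than in the shipped files, and push candidate lines through /var/ossec/bin/ossec-logtest to confirm that srcip and user actually decode before relying on the alert; a successful-authentication rule at level 8, as in the quoted rule file, also alerts on every login, which is why the example gives ISSUE a low level and the failures a higher one.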