Thanks Dan for reminding me of the potential danger! I'll refactor to use the custom ranges for my needs.

Sethukumar

On Thursday, 18 December 2014 18:20:44 UTC+5:30, dan (ddpbsd) wrote:
> On Thu, Dec 18, 2014 at 5:07 AM, Sethukumar Ramachandran <[email protected]> wrote:
> >
> > 1. The choice of IDs boils down to 2 things. First it is of syslog category and the range for rule ID for this is 1000 to 1999.
>
> Be careful with this, anytime there is a new version of OSSEC your rules could get overwritten and those IDs taken. That's why there is a range for custom rules that does not conflict with the IDs reserved by the project.
> Also, if you're adding your rules to syslog_rules.xml or the like be careful about upgrades. These files will also be overwritten by newer versions.
>
> > 2. Starting with a '0' was just a copy paste from various places where similar rule IDs are mentioned. It is perfectly OK to leave those.
> > 3. Some log samples below, which are just for illustration:
> >
> > Dec 02 18:36:47 my-host-name krb5kdc[28005](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.4.77: ISSUE: authtime 1417525607, etypes {rep=18 tkt=18 ses=18}, nn/[email protected] for krbtgt/[email protected]
> >
> > Dec 03 12:48:32 my-host-name krb5kdc[28005](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.4.145: CLIENT_NOT_FOUND: [email protected] for krbtgt/[email protected], Client not found in Kerberos database
> >
> > On Friday, 12 December 2014 18:16:07 UTC+5:30, dan (ddpbsd) wrote:
> > > On Fri, Dec 12, 2014 at 7:15 AM, Sethukumar Ramachandran <[email protected]> wrote:
> > > > There could be a lot of things that are spit out in Kerberos logs which might be of interest from an OSSEC perspective, say to create an alert or capture some information for audit purposes. One can use some words or phrases or regular expressions for match.
> > > >
> > > > On Wednesday, 10 December 2014 18:05:45 UTC+5:30, dan (ddpbsd) wrote:
> > > > > On Wed, Dec 10, 2014 at 7:13 AM, Sethukumar Ramachandran <[email protected]> wrote:
> > > > > >
> > > > > > On Saturday, 1 March 2014 21:54:23 UTC+5:30, Michiel van Es wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and if so is willing to share its decoder and local_rules.xml config? (I am not trying to reinvent the wheel here and Google has nothing on it except Vic Hargrave's blog, but I can not post on it because of technical issues at this blog).
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Michiel
> > > > > >
> > > > > > Hi Michiel,
> > > > > >
> > > > > > I was trying to do the same and found this query and finally had to do it myself. For the benefit of anybody who is going through this mail group, I'm posting the solution that I had working for me.
> > > > > >
> > > > > > I have the following in my /var/ossec/etc/ossec.conf file:
> > > > > >
> > > > > > <localfile>
> > > > > >   <log_format>syslog</log_format>
> > > > > >   <location>/var/log/krb5/kdc.log</location>
> > > > > > </localfile>
> > > > > >
> > > > > > <localfile>
> > > > > >   <log_format>syslog</log_format>
> > > > > >   <location>/var/log/kadmin.log</location>
> > > > > > </localfile>
> > > > > >
> > > > > > Then in /var/ossec/etc/decoder.xml I have added the following:
> > > > > >
> > > > > > <decoder name="krb5">
> > > > > >   <prematch>^krb5kdc</prematch>
> > > > > > </decoder>
> > > > > >
> > > > > > Then I created a new rule file in /var/ossec/rules/kerberos_rules.xml with some rules as below:
> > > > > >
> > > > > > <group name="syslog,krb5,">
> > > > > >   <rule id="01900" level="0" noalert="1">
> > > > > >     <decoded_as>krb5</decoded_as>
> > > > > >     <description>Grouping of kerberos rules.</description>
> > > > > >   </rule>
> > > > > >
> > > > > >   <rule id="01901" level="8">
> > > > > >     <if_sid>01900</if_sid>
> > > > > >     <match>ISSUE:</match>
> > > > > >     <description>Successful Kerberos authentication.</description>
> > > > > >     <group>authentication_success,</group>
> > > > > >   </rule>
> > > > > >
> > > > > >   <rule id="01902" level="8">
> > > > > >     <if_sid>01900</if_sid>
> > > > > >     <match>UNKNOWN_SERVER:</match>
> > > > > >     <description>Server not found in Kerberos database</description>
> > > > > >     <group>Kerberos ticket request failed</group>
> > > > > >   </rule>
> > > > > > </group>
> > > > > >
> > > > > > The rule ID that we assign to these rules needs to be within the range being allocated for the syslog type, which is 01000 to 01999.
> > > > >
> > > > > Why?
> > > > >
> > >
> > > I actually was curious why you had to use those IDs. And actually why you started them with a 0.
> > > Still hoping for log samples. :)
> > >
> > > > > > The match criteria is as per requirement and one has to choose it.
> > > > > >
> > > > > > That's it!
> > > > > >
> > > > >
> > > > > If you have some sample logs you can provide, we can add these to the install.
> > > > >
> > > > > > --
> > > > > > ---
> > > > > > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > > > > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > > > > For more options, visit https://groups.google.com/d/optout.
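Putting Dan's advice into practice, here is how I would lay out the same decoder and rules (an added example written for this thread, not the config Sethukumar posted): the rule IDs move into the user-defined range that OSSEC reserves from 100000 upwards, the files go into local_decoder.xml / local_rules.xml, which upgrades leave alone, and a child decoder pulls the client IP out of the krb5kdc lines quoted above so that a frequency rule can correlate failures by source. The regex is written in OSSEC's own pattern dialect and assumes the two sample line formats in the thread; the IDs, levels, thresholds and the `krb5-request` name are my choices.

```xml
<!-- local_decoder.xml: the parent decoder is the one from the thread; the
     child extracts request type, client IP and result from the samples.
     OSSEC regex: \. is "any character", \d a digit, \w letters/digits/_,
     literal parentheses are escaped, captures map onto <order> in turn. -->
<decoder name="krb5">
  <prematch>^krb5kdc</prematch>
</decoder>

<decoder name="krb5-request">
  <parent>krb5</parent>
  <regex offset="after_parent">\(\w+\): (\w+) \(\d+ etypes {\.+}\) (\d+.\d+.\d+.\d+): (\w+): </regex>
  <order>action, srcip, status</order>
</decoder>

<!-- local_rules.xml: same logic as the thread's kerberos_rules.xml, renumbered
     into the user-defined range so a new OSSEC release cannot take the IDs. -->
<group name="syslog,krb5,">
  <rule id="100100" level="0" noalert="1">
    <decoded_as>krb5</decoded_as>
    <description>Grouping of Kerberos KDC rules.</description>
  </rule>

  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>: ISSUE: </match>
    <description>Kerberos ticket issued.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <match>: CLIENT_NOT_FOUND: |: UNKNOWN_SERVER: </match>
    <description>Kerberos request for a principal not in the KDC database.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: same_source_ip relies on the srcip the child decoder set. -->
  <rule id="100103" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100102</if_matched_sid>
    <same_source_ip />
    <description>Repeated Kerberos requests for unknown principals from the same client.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Both sample lines from the thread can be checked against this with /var/ossec/bin/ossec-logtest, which prints the decoded srcip/status fields and the rule that fired.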
