Hi Risto,
seems I got this to be working and receive one correlate message with whole
info i needed. Thanks a lot for your help.
*Raw log:*
type=SYSCALL msg=audit(1479718141.164:570635): arch=c000003e syscall=59
success=yes exit=0 a0=c9b1a0 a1=c9b880 a2=c9b270 a3=7ffdbf1ac860 items=3
ppid=26962 pid=26963 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 ses=72 comm="lesspipe.sh" exe="/usr/bin/bash"
key=(null)
type=EXECVE msg=audit(1479718141.164:570635): argc=3 a0="/bin/sh"
a1="/usr/bin/lesspipe.sh" a2="sec.log"
type=CWD msg=audit(1479718141.164:570635): cwd="/var/log"
type=PATH msg=audit(1479718141.164:570635): item=0
name="/usr/bin/lesspipe.sh" inode=25322516 dev=ca:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1479718141.164:570635): item=1 name="/bin/sh"
inode=25168137 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
objtype=NORMAL
type=PATH msg=audit(1479718141.164:570635): item=2
name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
*Correlated log:*
*type=SYSCALL msg=audit(Mon Nov 21 08:49:01 2016:570635): arch=x86_64
syscall=execve success=yes ppid="less" pid="26963" auid="<username>"
uid="root" gid="root" euid="root" suid="root" fsuid=0 egid="root"
sgid="root" fsgid=0 tty=pts0 comm="lesspipe.sh" exe="/usr/bin/bash"
key=(null) cwd="/var/log" obj_name="/usr/bin/lesspipe.sh"
full_command="/bin/sh /usr/bin/lesspipe.sh sec.log"*
My whole SEC correlation rule:
# ---- Rule 1
# This rule for SYSCALL hash generating
# Next, we want to load the hashes at start, restart, soft restart (so that
we can modify the file and send SEC an SIGHUP)
type=Single
desc=Load hashes for SYSCALLs at STARTUP
ptype=RegExp
continue=TakeNext
pattern=SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART
context=SEC_INTERNAL_EVENT
action=lcall %syscalls -> ( sub { %SyscallHashes = (); @syscalls =
split(/\n/,`/bin/ausyscall --dump`); shift @syscalls; \
foreach (@syscalls) { my ($key, $val) = split(/\s+/, $_);
$SyscallHashes{"$key"} = $val; }; return %SyscallHashes; } )
# # ---- Rule 2
# # This rule for User hash generating
# # Next, we want to load the hashes at start, restart, soft restart
type=Single
desc=Load hashes for UIDS at STARTUP
ptype=RegExp
continue=TakeNext
pattern=SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART
context=SEC_INTERNAL_EVENT
action=lcall %uids -> ( sub { %UsersHashes = (); open(PASSWD_FILE,
"</etc/passwd"); \
while (<PASSWD_FILE>) { my @user = split /:/; $UsersHashes{"$user[2]"} =
$user[0]; }; return %UsersHashes; } )
# # ---- Rule 3
# # This rule for Group hash generating
# # Next, we want to load the hashes at start, restart, soft restart
type=Single
desc=Load hashes for GIDS at STARTUP
ptype=RegExp
continue=TakeNext
pattern=SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART
context=SEC_INTERNAL_EVENT
action=lcall %guids -> ( sub { %GroupHashes = (); open(GROUP_FILE,
"</etc/group"); \
while (<GROUP_FILE>) { my @group = split /:/; $GroupHashes{"$group[2]"} =
$group[0]; }; return %GroupHashes; } )
# ---- Rule 4
# type=SYSCALL msg=audit(1479282146.936:22853): arch=c000003e syscall=59
success=yes exit=0 a0=71e670 a1=721da0 a2=726530 a3=7ffe9b6741c0 items=2
ppid=16512 pid=16575 auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0
egid=1003 sgid=1003 fsgid=1003 tty=pts3 ses=16 comm="sudo"
exe="/usr/bin/sudo" key=(null)
# type=BPRM_FCAPS msg=audit(1479282146.936:22853): fver=0
fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000
old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000001fffffffff
new_pi=0000000000000000 new_pe=0000001fffffffff
# type=EXECVE msg=audit(1479282146.936:22853): argc=2 a0="sudo" a1="-s"
# type=CWD msg=audit(1479282146.936:22853): cwd="/home/nikolay.srebniuk"
# type=PATH msg=audit(1479282146.936:22853): item=0 name="/usr/bin/sudo"
inode=25166426 dev=ca:01 mode=0104111 ouid=0 ogid=0 rdev=00:00
objtype=NORMAL
# type=PATH msg=audit(1479282146.936:22853): item=1
name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=Single
ptype=RegExp2
pattern=^(type=SYSCALL msg=audit\(([\d:.]+)\):.*)\ntype=CWD
msg=audit\(\2\):\s+(.*)
desc=generate a synthetic event for normalized auditd message
action=event CORRelated $1 $3 execve="none"
type=Single
ptype=RegExp3
pattern=^(type=SYSCALL msg=audit\(([\d:.]+)\):.*)\ntype=EXECVE
msg=audit\(\2\):\s+argc=\d+\s+(.*)\ntype=CWD msg=audit\(\2\):\s+(.*)
desc=join two last lines if input buffer if their IDs are identical
action=event CORRelated $1 $4 execve="$3"
# Correlate messages type=PATH with fields item=(1|0);
objtype=(CREATE|NORMAL|UNKNOWN)
type=Pair
ptype=RegExp
pattern=^CORRelated type=SYSCALL msg=audit\((\d+\.\d+):(\d+)\): arch=(\w+)
syscall=(\d+) success=(\w+).+?ppid=(.+?) pid=(.+?) auid=(\d+) uid=(\d+)
gid=(\d+) euid=(\d+) suid=(\d+) fsuid=(\d+) egid=(\d+) sgid=(\d+)
fsgid=(\d+) tty=(\w+) ses=\d+ comm="(.+?)" exe="(.+?)" key=\((.+?)\)
cwd="(.+?)" execve="(.*)"
varmap= time=1; event_id=2; arch=3; syscall=4; success=5; ppid=6; pid=7;
auid=8; uid=9; gid=10; euid=11; suid=12; fsuid=13; egid=14; sgid=15;
fsgid=16; tty=17; comm=18; exe=19; key=20; cwd=21; execve=22
desc=wait for PATH event for $+{time} $+{event_id}
action=event $+{time} $+{event_id} $+{execve}
ptype2=RegExp
pattern2=^type=PATH msg=audit\($+{time}:$+{event_id}\): (?:item=1
name="(?<obj_name>.+?)".*objtype=CREATE|item=0 name="(?<obj_name>.+?)".*
objtype=NORMAL)
desc2=PATH event seen %1:%2
action2=lcall %cur_scall %4 -> ( sub { if($SyscallHashes{$_[0]}){return
$SyscallHashes{$_[0]};} return $_[0];} ); \
lcall %cur_time %1 -> ( sub { my $human_time = scalar localtime($_[0]);
return $human_time; } ); \
lcall %cur_arch %3 -> ( sub { if($_[0]='c000003e'){return 'x86_64';}
return 'x86';} ); \
lcall %cur_scall %4 -> ( sub { if($SyscallHashes{$_[0]}){return
$SyscallHashes{$_[0]};} return $_[0];} ); \
lcall %cur_ppid %6 -> ( sub { my $id = qx(ps -p $_[0] -o comm=); chomp
$id; if ($id){return $id}; return $_[0];} ); \
lcall %cur_auid %8 -> ( sub { if($UsersHashes{$_[0]}){return
$UsersHashes{$_[0]};} return $_[0];} ); \
lcall %cur_uid %9 -> ( sub { if($UsersHashes{$_[0]}){return
$UsersHashes{$_[0]};} return $_[0];} ); \
lcall %cur_euid %11 -> ( sub { if($UsersHashes{$_[0]}){return
$UsersHashes{$_[0]};} return $_[0];} ); \
lcall %cur_suid %12 -> ( sub { if($UsersHashes{$_[0]}){return
$UsersHashes{$_[0]};} return $_[0];} ); \
lcall %cur_gid %10 -> ( sub { if($GroupHashes{$_[0]}){return
$GroupHashes{$_[0]};} return $_[0];} ); \
lcall %cur_egid %14 -> ( sub { if($GroupHashes{$_[0]}){return
$GroupHashes{$_[0]};} return $_[0];} ); \
lcall %cur_sgid %15 -> ( sub { if($GroupHashes{$_[0]}){return
$GroupHashes{$_[0]};} return $_[0];} ); \
lcall %cur_exec %22 -> ( sub { print("execve", $_[0], "\n"); if($_[0] ne
'none'){ my @args = split(/ /, $_[0]); \
foreach my $arg (@args){ ($arg) = ($arg =~ /a[0-9]+="?(.*?)"?$/);if ($arg
=~ m/[A-Z0-9]+/) \
{ $arg = pack("H*", $arg);};}; my $comm = join " ", @args; return $comm; };
\
return 'no_command';};); \
tcpsock 127.0.0.1:1515 type=SYSCALL msg=audit(%cur_time:%2): arch=%cur_arch
syscall=%cur_scall success=%5 ppid="%cur_ppid" pid="%7" auid="%cur_auid"
uid="%cur_uid" gid="%cur_gid" euid="%cur_euid" suid="%cur_suid" fsuid=%13
egid="%cur_egid" sgid="%cur_sgid" fsgid=%16 tty=%17 comm="%18" exe="%19"
key=(%20) cwd="%21" obj_name="$+{obj_name}" full_command="%cur_exec"%.cr%.nl
window=10
Regards,
Nikolay
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
