What are you trying to do with your local_rules exactly?

dan
On Wed, Jun 10, 2009 at 8:04 PM, tm<[email protected]> wrote:
>
> Hello,
>
> We are currently running an OSSEC pilot. We are receiving events from
> a Red Hat Enterprise 5.x host on our OSSEC server like this:
>
> 2009 Jun 10 12:29:34 (host.b.c.d) w.x.y.z->/var/log/secure Jun 10 12:29:32 host su: pam_unix(su-l:session): session opened for user testuser by testuser(uid=45634)
>
> However, because of the way the decoders are written in decoders.xml,
> this is decoded as a PAM event rather than an SU event:
>
>   <decoder name="pam">
>     <program_name>(pam_unix)$</program_name>
>   </decoder>
>
>   <decoder name="pam">
>     <program_name></program_name>
>     <prematch>^pam_unix|^\(pam_unix\)</prematch>
>   </decoder>
>
> So, pam_rules.xml fires off an alert rather than syslog_rules.xml:
>
>   <group name="pam,syslog,">
>     <rule id="5500" level="0" noalert="1">
>       <decoded_as>pam</decoded_as>
>       <description>Grouping of the pam_unix rules.</description>
>     </rule>
>
>     <rule id="5501" level="3">
>       <if_sid>5500</if_sid>
>       <match>session opened for user </match>
>       <description>Login session opened.</description>
>       <group>authentication_success,</group>
>     </rule>
>
> Resulting in this alert:
>
> ** Alert 1244662174.3005033: - pam,syslog,authentication_success,
> 2009 Jun 10 12:29:34 (host.b.c.d) w.x.y.z->/var/log/secure
> Rule: 5501 (level 3) -> 'Login session opened.'
> Src IP: (none)
> User: (none)
> Jun 10 12:29:32 host su: pam_unix(su-l:session): session opened for user testuser by testuser(uid=45634)
>
> I'd prefer to overwrite rules 5301-5305 in local_rules.xml to handle
> the regular expression but they depend on 5300 which depends on the
> event being decoded by su rather than pam.
>
> Any suggestions as to how to handle this situation?
>
> Thanks,
> Trevor McLeod
>
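One way to tell the su case apart without overriding 5300-5305, as an added example that is not from this thread: chain a local rule under 5501 that only fires when the program name is su, and a second rule under it that raises the level when the session is opened for root. This assumes standard OSSEC local_rules.xml syntax; the rule ids 100100 and 100101 are chosen here from the local-rule range and are not from the thread.

```xml
<group name="local,syslog,pam,">
  <!-- Only the pam_unix session-open events that su itself logged reach
       this rule; other pam_unix session-open events still stop at 5501. -->
  <rule id="100100" level="3">
    <if_sid>5501</if_sid>
    <program_name>^su$</program_name>
    <regex>session opened for user \S+ by \S+\(uid=\d+\)$</regex>
    <description>su: PAM session opened (reclassified from the generic pam rule).</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Escalate when the target account of the su is root. -->
  <rule id="100101" level="6">
    <if_sid>100100</if_sid>
    <match>session opened for user root </match>
    <description>su: PAM session opened for root.</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

Feeding the sample line from the original message through ossec-logtest shows which rule the chain now ends on.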
