Where do I get the ossec-logtest application and how is it used? It isn't in the src directory when I download OSSEC from the website.
As I noted in my second mail, I wrote a decoder like this:

  <decoder name="su-pam">
    <program_name>^su$</program_name>
    <prematch>^\(pam_unix\)</prematch>
  </decoder>

I discovered much the same as you: the decoder has to be placed ahead of the pam decoders in order for it to be used. The implication is that when an event arrives, the first applicable decoder found in decoder.xml is the one that fires, and no other root decoders (i.e. decoders that don't have a <parent></parent> section) are checked after that.

My su section of the decoder.xml file looks like this:

  <decoder name="su">
    <program_name>^su$</program_name>
  </decoder>

  <decoder name="su-detail">
    <parent>su</parent>
    <prematch>^'su </prematch>
    <regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
    <order>dstuser, srcuser</order>
    <fts>name, srcuser, location</fts>
  </decoder>

  <!-- customization SU 1 -->
  <!-- Used for decoding su events in the SuSE environment -->
  <!-- Note that this decoder must come before su-detail2 because su-detail2 has no -->
  <!-- program_name or prematch element. This means that su-detail2 is not conditional. -->
  <!-- It will be executed if no decoder before it is executed. -->
  <decoder name="su-detail3">
    <parent>su</parent>
    <prematch>\(to </prematch>
    <regex offset="after_prematch">^(\S+)\) (\S+) on \S+$</regex>
    <order>dstuser, srcuser</order>
    <fts>name, srcuser, location</fts>
  </decoder>
  <!-- end: customization SU 1 -->

  <!-- customization SU 2 -->
  <!-- Used for decoding su events in the RHE environment -->
  <!-- Note that this decoder must come before su-detail2 because su-detail2 has no -->
  <!-- program_name or prematch element. This means that su-detail2 is not conditional. -->
  <!-- It will be executed if no decoder before it is executed. -->
  <decoder name="su-detail4">
    <parent>su-pam</parent>
    <regex>session opened for user (\S+) by (\S+)\(</regex>
    <order>dstuser, srcuser</order>
    <fts>name, srcuser, location</fts>
  </decoder>
  <!-- end: customization SU 2 -->

  <decoder name="su-detail2">
    <parent>su</parent>
    <regex>^BAD SU (\S+) to (\S+) on|</regex>
    <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
    <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
    <order>srcuser, dstuser</order>
    <fts>name, srcuser, location</fts>
  </decoder>

  <decoder name="su">
    <prematch>^SU \S+ \S+ </prematch>
    <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
    <order>srcuser, dstuser</order>
    <fts>name, srcuser, location</fts>
  </decoder>

What's curious about this is that it generates a 5304 alert (which is what I wanted) even though 5304 depends on 5300, which specifies <decoded_as>su</decoded_as>. Since the decoder name is "su-pam" I don't know why 5300 fires. Any ideas?

On Jun 12, 5:19 am, ddp wrote:
> I just tried your decoder with the rule in your original email, and no matter
> where I put it, the pam event fires.
>
> If you put the following above the pam rules you get the desired result:
>
>   <decoder name="su">
>     <program_name>^su$</program_name>
>   </decoder>
>
> The ossec-logtest application can help you debug issues like this in the
> future. It's what I used to play around with this one.
>
> dan
>
> On Thu, Jun 11, 2009 at 4:04 PM, tm wrote:
> > The problem is that RHE 5 only registers a single su/pam event upon
> > execution of a su command, and that event is being decoded by the PAM
> > decoder.
> >
> > Our environment includes RHE, SuSE and Mac hosts. When I was testing
> > ssh in that environment, the result was either just an ssh event or
> > both an ssh event and a pam event, depending upon the OS. Thus, OSSEC
> > always generated at least an ssh alert.
> >
> > However, with su in the RHE 5 environment, there isn't an su event and
> > a pam event, but a combined event which is being decoded by the PAM
> > decoder. Our other hosts, SuSE and Mac, generate an su event which is
> > decoded by the SU decoder. We override rules 5301, 5303 and 5304 in
> > local_rules.xml to email the su alert. We don't want to email the 5501
> > and 5503 (PAM) rules because we'll get not only alerts triggered by su
> > but alerts triggered by other processes such as ssh.
> >
> > Finally, it would be preferable, for the sake of consistency, for all
> > su attempts to generate su alerts. Right now, an su attempt in the
> > RHE environment generates a pam alert.
> >
> > So, could I add another su decoder in decoder.xml like this:
> >
> >   <decoder name="su">
> >     <program_name>^su$</program_name>
> >   </decoder>
> >
> >   <decoder name="su">
> >     <program_name>^su$</program_name>
> >     <prematch>^\(pam_unix\)</prematch>
> >   </decoder>
> >
> > where the first decoder is the one that comes with OSSEC and the
> > second one is mine?
> >
> > However, would it ever be triggered, given that the decoder:
> >
> >   <decoder name="pam">
> >     <program_name></program_name>
> >     <prematch>^pam_unix|^\(pam_unix\)</prematch>
> >   </decoder>
> >
> > which comes with OSSEC precedes my proposed new su decoder?
> >
> > When OSSEC receives a new event, does it decode it in the order of
> > decoders in the decoder.xml file? If that's the case, could I move my
> > new decoder ahead of the PAM decoders in the decoder.xml file?
> >
> > Trevor
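The ordering rule both posters ran into (the first root decoder whose program_name and prematch match claims the event, and later root decoders are never consulted) is easy to see in a small model. The Python below is an added example, not OSSEC's code and not posted by anyone in this thread: it parses decoder.xml-style fragments modelled on the decoders quoted above, applies a deliberately simplified version of OSSEC's selection logic, and decodes three constructed events with the su-pam decoder placed before and after the stock pam decoder. The decoder semantics, the handling of OSSEC's regex dialect, and the sample events (assumed to be already pre-decoded into program name and message, since OSSEC's syslog pre-decoding is out of scope here) are all assumptions made for illustration.

```python
"""Simplified model of OSSEC decoder selection (added example, not OSSEC's code).
Root decoders (no <parent>) are tried in file order; the first whose <program_name>
and <prematch> both match wins and later roots are skipped; its children are then
tried in order. Events are assumed already split into (program name, message)."""
import re
import xml.etree.ElementTree as ET

# Constructed decoder.xml fragments modelled on the decoders quoted in the thread.
PAM_DECODER = r"""
<decoder name="pam">
  <program_name></program_name>
  <prematch>^pam_unix|^\(pam_unix\)</prematch>
</decoder>
"""
SU_PAM_DECODER = r"""
<decoder name="su-pam">
  <program_name>^su$</program_name>
  <prematch>^\(pam_unix\)</prematch>
</decoder>
<decoder name="su-detail4">
  <parent>su-pam</parent>
  <regex>session opened for user (\S+) by (\S+)\(</regex>
  <order>dstuser, srcuser</order>
</decoder>
"""
SU_DECODER = r"""
<decoder name="su">
  <program_name>^su$</program_name>
</decoder>
<decoder name="su-detail3">
  <parent>su</parent>
  <prematch>\(to </prematch>
  <regex offset="after_prematch">^(\S+)\) (\S+) on \S+$</regex>
  <order>dstuser, srcuser</order>
</decoder>
"""

# Constructed pre-decoded events (program name, message); not real log captures.
RHEL_SU_EVENT = ("su", "(pam_unix) session opened for user root by trevor(uid=500)")
SUSE_SU_EVENT = ("su", "(to root) trevor on /dev/pts/1")
SSHD_PAM_EVENT = ("sshd", "(pam_unix) session opened for user trevor by (uid=0)")


def _to_py(pattern):
    r"""Map the OSSEC regex subset used here onto Python syntax: \S \s \w \d ^ $ | \( \)
    already agree; OSSEC's \p (punctuation) has no Python escape, so it becomes a class."""
    return pattern.replace(r"\p", r"[^\w\s]")


def load_decoders(xml_text):
    """Parse decoder.xml-style text (which has no single document root) in file order."""
    root = ET.fromstring("<decoders>%s</decoders>" % xml_text)
    decoders = []
    for d in root.iter("decoder"):
        regex = d.find("regex")
        decoders.append({
            "name": d.get("name"),
            "parent": (d.findtext("parent") or "").strip() or None,
            "program_name": d.findtext("program_name"),  # None if absent, "" if empty
            "prematch": d.findtext("prematch"),
            "regex": regex.text if regex is not None else None,
            "after_prematch": regex is not None and regex.get("offset") == "after_prematch",
            "order": [f.strip() for f in (d.findtext("order") or "").split(",") if f.strip()],
        })
    return decoders


def _root_matches(dec, program_name, log):
    """Root decoder matches if program_name (when non-empty) and prematch (when present) match."""
    if dec["program_name"] and not re.search(_to_py(dec["program_name"]), program_name):
        return False
    return dec["prematch"] is None or re.search(_to_py(dec["prematch"]), log) is not None


def decode(decoders, program_name, log):
    """Return (decoder name, extracted fields) for one pre-decoded event."""
    for root in (d for d in decoders if d["parent"] is None):
        if not _root_matches(root, program_name, log):
            continue
        # First matching root wins; later roots are never consulted, whatever they contain.
        for child in (d for d in decoders if d["parent"] == root["name"]):
            start = 0
            if child["prematch"] is not None:
                m = re.search(_to_py(child["prematch"]), log)
                if not m:
                    continue
                start = m.end()
            m = re.search(_to_py(child["regex"]), log[start:] if child["after_prematch"] else log)
            if m:
                return child["name"], dict(zip(child["order"], m.groups()))
        return root["name"], {}
    return None, {}


def decode_with_order(su_pam_first, program_name, log):
    """Decode one event with the su-pam decoder placed before or after the pam decoder."""
    parts = [SU_PAM_DECODER, PAM_DECODER] if su_pam_first else [PAM_DECODER, SU_PAM_DECODER]
    return decode(load_decoders("".join(parts) + SU_DECODER), program_name, log)


if __name__ == "__main__":
    print(decode_with_order(False, *RHEL_SU_EVENT), decode_with_order(True, *RHEL_SU_EVENT))
```

With su-pam after pam, the RHE-style event lands on the pam decoder and nothing is extracted; with su-pam first, su-detail4 fires and yields dstuser/srcuser, while the sshd PAM event still goes to the pam decoder because the ^su$ program_name check rejects it. The SuSE-style event reaches su-detail3 either way, which also exercises the after_prematch offset. For the real engine, ossec-logtest prints the same kind of decoder/field trace.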
