The ossec-logtest application is in the source tarball, just not built by default (hopefully that will change for server installs in the future). Check Daniel Cid's blog entry at http://www.ossec.net/dcid/?p=136
I'm not sure why the rule would be firing in that case; I haven't run into that type of problem yet.

On Fri, Jun 12, 2009 at 2:53 PM, tm <[email protected]> wrote:
>
> Where do I get the ossec-logtest application and how is it used? It
> isn't in the src directory when I download OSSEC from the website.
>
> As I noted in my second mail, I wrote a decoder like this:
>
> <decoder name="su-pam">
>   <program_name>^su$</program_name>
>   <prematch>^\(pam_unix\)</prematch>
> </decoder>
>
> I discovered much the same as you: the decoder has to be placed ahead
> of the pam decoders in order for it to be used. The implication is
> that when an event arrives, the first applicable decoder found in
> decoder.xml is the one that fires, and no other root decoders (i.e.
> decoders that don't have a <parent></parent> section) are checked
> after that.
>
> My su section of the decoder.xml file looks like this:
>
> <decoder name="su">
>   <program_name>^su$</program_name>
> </decoder>
>
> <decoder name="su-detail">
>   <parent>su</parent>
>   <prematch>^'su </prematch>
>   <regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
>   <order>dstuser, srcuser</order>
>   <fts>name, srcuser, location</fts>
> </decoder>
>
> <!-- customization SU 1 -->
> <!-- Used for decoding su events in the SuSE environment -->
> <!-- Note that this decoder must come before su-detail2 because su-detail2 has no -->
> <!-- program_name or prematch element. This means that su-detail2 is not conditional. -->
> <!-- It will be executed if no decoder before it is executed. -->
>
> <decoder name="su-detail3">
>   <parent>su</parent>
>   <prematch>\(to </prematch>
>   <regex offset="after_prematch">^(\S+)\) (\S+) on \S+$</regex>
>   <order>dstuser, srcuser</order>
>   <fts>name, srcuser, location</fts>
> </decoder>
> <!-- end: customization SU 1 -->
>
> <!-- customization SU 2 -->
> <!-- Used for decoding su events in the RHE environment -->
> <!-- Note that this decoder must come before su-detail2 because su-detail2 has no -->
> <!-- program_name or prematch element. This means that su-detail2 is not conditional. -->
> <!-- It will be executed if no decoder before it is executed. -->
>
> <decoder name="su-detail4">
>   <parent>su-pam</parent>
>   <regex>session opened for user (\S+) by (\S+)\(</regex>
>   <order>dstuser, srcuser</order>
>   <fts>name, srcuser, location</fts>
> </decoder>
> <!-- end: customization SU 2 -->
>
> <decoder name="su-detail2">
>   <parent>su</parent>
>   <regex>^BAD SU (\S+) to (\S+) on|</regex>
>   <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
>   <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
>   <order>srcuser, dstuser</order>
>   <fts>name, srcuser, location</fts>
> </decoder>
>
> <decoder name="su">
>   <prematch>^SU \S+ \S+ </prematch>
>   <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
>   <order>srcuser, dstuser</order>
>   <fts>name, srcuser, location</fts>
> </decoder>
>
> What's curious about this is that it generates a 5304 alert (which is
> what I wanted) even though 5304 depends on 5300, which specifies
> <decoded_as>su</decoded_as>. Since the decoder name is "su-pam" I
> don't know why 5300 fires.
>
> Any ideas?
>
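The ordering rule tm describes above (the first root decoder whose program_name and prematch match wins, only that root's children are tried, and a child without a prematch is not gated) can be checked without a running OSSEC. The following is an added example, not code from the thread or from OSSEC: a simplified Python model of that matching order, loaded with the su decoders quoted in the message and run over constructed sample events. The "pam" decoder here is an assumed stand-in for the stock pam decoder (assumed to gate on the same `(pam_unix)` prefix), the sample log lines are constructed, and OSSEC's `\p` is spelled `[^\w\s]` because the regexes are evaluated with Python's `re`.

```python
"""Simplified model of OSSEC decoder ordering (added example, not OSSEC code).

Root decoders (no <parent>) are tried in file order; the first whose
program_name and prematch both match wins.  Only that root's children are
then tried, again in file order, and the first child whose prematch and
regex match supplies the extracted fields.  A child with no prematch is
tried unconditionally, which is why su-detail2 has to come last.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Decoder:
    name: str
    parent: Optional[str] = None
    program_name: Optional[str] = None   # regex on the syslog program name
    prematch: Optional[str] = None       # regex that gates the decoder
    regex: Optional[str] = None          # regex whose groups become fields
    order: List[str] = field(default_factory=list)
    after_prematch: bool = False         # <regex offset="after_prematch">


def _extract(d: Decoder, program: str, msg: str) -> Optional[Dict[str, str]]:
    """Apply d to one event; return its fields, or None if d does not apply."""
    if d.program_name is not None and not re.search(d.program_name, program):
        return None
    pre = None
    if d.prematch is not None:
        pre = re.search(d.prematch, msg)
        if pre is None:
            return None
    if d.regex is None:
        return {}
    target = msg[pre.end():] if (d.after_prematch and pre is not None) else msg
    m = re.search(d.regex, target)
    if m is None:
        return None
    # With alternation, groups of the branches that did not match are None.
    return dict(zip(d.order, [g for g in m.groups() if g is not None]))


def decode(decoders: List[Decoder], program: str, msg: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (decoder name, fields) for one event, or (None, {}) if nothing applies."""
    for root in (d for d in decoders if d.parent is None):
        fields = _extract(root, program, msg)
        if fields is None:
            continue                      # root did not apply; try the next one
        for child in (d for d in decoders if d.parent == root.name):
            cf = _extract(child, program, msg)
            if cf is not None:
                return child.name, cf     # first matching child ends decoding
        return root.name, fields          # no child matched: root decoder only
    return None, {}


# The su decoders quoted in the message, transcribed into Python regex syntax.
SU = [
    Decoder("su", program_name=r"^su$"),
    Decoder("su-detail", parent="su", prematch=r"^'su ",
            regex=r"^'su (\S+)' \S+ for (\S+) on \S+$", order=["dstuser", "srcuser"]),
    Decoder("su-detail3", parent="su", prematch=r"\(to ", after_prematch=True,
            regex=r"^(\S+)\) (\S+) on \S+$", order=["dstuser", "srcuser"]),
    Decoder("su-detail2", parent="su",   # no prematch: tried unconditionally
            regex=r"^BAD SU (\S+) to (\S+) on|^failed: \S+ changing from (\S+) to (\S+)"
                  r"|^\S \S+ (\S+)[^\w\s](\S+)$|^(\S+) to (\S+) on ",
            order=["srcuser", "dstuser"]),
]
SU_PAM = Decoder("su-pam", program_name=r"^su$", prematch=r"^\(pam_unix\)")
SU_DETAIL4 = Decoder("su-detail4", parent="su-pam",
                     regex=r"session opened for user (\S+) by (\S+)\(", order=["dstuser", "srcuser"])
# Assumed stand-in for the stock pam decoder: gates on the same prefix as su-pam.
PAM = Decoder("pam", prematch=r"^\(pam_unix\)")

# Three decoder.xml orderings: su-pam ahead of pam (what tm found necessary),
# pam ahead of su-pam, and the plain su decoder ahead of su-pam.
SU_PAM_FIRST = [SU_PAM, SU_DETAIL4, PAM] + SU
PAM_FIRST = [PAM, SU_PAM, SU_DETAIL4] + SU
SU_FIRST = SU + [SU_PAM, SU_DETAIL4]

# Constructed sample events as (program_name, message); not real log data.
EVENTS = [
    ("su", "'su root' succeeded for tm on /dev/pts/1"),
    ("su", "(to root) tm on /dev/pts/1"),
    ("su", "BAD SU tm to root on /dev/pts/1"),
    ("su", "(pam_unix) session opened for user root by tm(uid=500)"),
]


def decode_all(decoders: List[Decoder]) -> List[Tuple[Optional[str], Dict[str, str]]]:
    return [decode(decoders, prog, msg) for prog, msg in EVENTS]


if __name__ == "__main__":
    for label, cfg in (("su-pam first", SU_PAM_FIRST), ("pam first", PAM_FIRST), ("su first", SU_FIRST)):
        print(label)
        for (prog, msg), result in zip(EVENTS, decode_all(cfg)):
            print(f"  {msg!r:60} -> {result}")
```

With su-pam ahead of pam, the `(pam_unix)` line reaches su-detail4 and yields dstuser/srcuser; with pam first it is swallowed by pam with no fields, and with the program_name-only su decoder first it is claimed by su and none of su's children match it. The other three lines decode identically in every ordering, which is the point of the comment on su-detail2: its placement only matters relative to siblings that could also match.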
