Thanks for the help. I'll look for the ossec-logtest application. Cheers! Trevor
On Jun 12, 12:30 pm, ddp <[email protected]> wrote:
> The ossec-logtest application is in the source tarball, just not built
> by default (hopefully that will change for server installs in the future).
> Check Daniel Cid's blog entry at http://www.ossec.net/dcid/?p=136
>
> I'm not sure why the rule would be firing in that case, haven't run
> into that type of problem yet.
>
> On Fri, Jun 12, 2009 at 2:53 PM, tm <[email protected]> wrote:
> > Where do I get the ossec-logtest application and how is it used? It
> > isn't in the src directory when I download OSSEC from the website.
> >
> > As I noted in my second mail, I wrote a decoder like this:
> >
> > <decoder name="su-pam">
> >   <program_name>^su$</program_name>
> >   <prematch>^\(pam_unix\)</prematch>
> > </decoder>
> >
> > I discovered much the same as you: the decoder has to be placed ahead
> > of the pam decoders in order for it to be used. The implication is
> > that when an event arrives, the first applicable decoder found in
> > decoder.xml is the one that fires and no other root decoders (i.e.
> > decoders that don't have a <parent></parent> section) are checked
> > after that.
> >
> > My su section of the decoder.xml file looks like this:
> >
> > <decoder name="su">
> >   <program_name>^su$</program_name>
> > </decoder>
> >
> > <decoder name="su-detail">
> >   <parent>su</parent>
> >   <prematch>^'su </prematch>
> >   <regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
> >   <order>dstuser, srcuser</order>
> >   <fts>name, srcuser, location</fts>
> > </decoder>
> >
> > <!-- customization SU 1 -->
> > <!-- Used for decoding su events in the SuSE environment -->
> > <!-- Note that this decoder must come before su-detail2 because su-detail2 has no -->
> > <!-- program_name or prematch element. This means that su-detail2 is not conditional. -->
> > <!-- It will be executed if no decoder before it is executed. -->
> > <decoder name="su-detail3">
> >   <parent>su</parent>
> >   <prematch>\(to </prematch>
> >   <regex offset="after_prematch">^(\S+)\) (\S+) on \S+$</regex>
> >   <order>dstuser, srcuser</order>
> >   <fts>name, srcuser, location</fts>
> > </decoder>
> > <!-- end: customization SU 1 -->
> >
> > <!-- customization SU 2 -->
> > <!-- Used for decoding su events in the RHE environment -->
> > <!-- Note that this decoder must come before su-detail2 because su-detail2 has no -->
> > <!-- program_name or prematch element. This means that su-detail2 is not conditional. -->
> > <!-- It will be executed if no decoder before it is executed. -->
> > <decoder name="su-detail4">
> >   <parent>su-pam</parent>
> >   <regex>session opened for user (\S+) by (\S+)\(</regex>
> >   <order>dstuser, srcuser</order>
> >   <fts>name, srcuser, location</fts>
> > </decoder>
> > <!-- end: customization SU 2 -->
> >
> > <decoder name="su-detail2">
> >   <parent>su</parent>
> >   <regex>^BAD SU (\S+) to (\S+) on|</regex>
> >   <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
> >   <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
> >   <order>srcuser, dstuser</order>
> >   <fts>name, srcuser, location</fts>
> > </decoder>
> >
> > <decoder name="su">
> >   <prematch>^SU \S+ \S+ </prematch>
> >   <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
> >   <order>srcuser, dstuser</order>
> >   <fts>name, srcuser, location</fts>
> > </decoder>
> >
> > What's curious about this is that it generates a 5304 alert (which is
> > what I wanted) even though 5304 depends on 5300 which specifies
> > <decoded_as>su</decoded_as>. Since the decoder name is "su-pam" I
> > don't know why 5300 fires.
> >
> > Any ideas?
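The ordering behaviour tm describes above (first matching root decoder wins, then that root's children are tried in file order) can be exercised without an OSSEC install using a small model of it. The following Python is an added example written for this thread, not code from OSSEC or from anyone in the discussion. It is a simplified model, not a reproduction of ossec-analysisd's real decoding loop: the decoder list mirrors the first six decoders quoted above with their patterns translated from OSSEC's regex dialect into Python `re` (the `\p` alternative of su-detail2 is left out), the `pam` decoder is a constructed stand-in for a stock PAM decoder placed ahead of su-pam, and the log lines are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Decoder:
    """One <decoder> entry; patterns are Python re translations of the OSSEC ones."""
    name: str
    parent: Optional[str] = None
    program_name: Optional[str] = None
    prematch: Optional[str] = None
    regex: Optional[str] = None
    offset_after_prematch: bool = False   # models regex offset="after_prematch"
    order: tuple = ()                     # models <order>

# Decoder list in file order, following the thread's decoder.xml excerpt.
SU_DECODERS = [
    Decoder("su-pam", program_name=r"^su$", prematch=r"^\(pam_unix\)"),
    Decoder("su", program_name=r"^su$"),
    Decoder("su-detail", parent="su", prematch=r"^'su ",
            regex=r"^'su (\S+)' \S+ for (\S+) on \S+$", order=("dstuser", "srcuser")),
    Decoder("su-detail3", parent="su", prematch=r"\(to ",
            regex=r"^(\S+)\) (\S+) on \S+$", offset_after_prematch=True,
            order=("dstuser", "srcuser")),
    Decoder("su-detail4", parent="su-pam",
            regex=r"session opened for user (\S+) by (\S+)\(", order=("dstuser", "srcuser")),
    Decoder("su-detail2", parent="su",
            regex=r"^BAD SU (\S+) to (\S+) on|^failed: \S+ changing from (\S+) to (\S+)|^(\S+) to (\S+) on ",
            order=("srcuser", "dstuser")),
]

# Constructed stand-in for a stock PAM root decoder (not OSSEC's real one).
GENERIC_PAM = Decoder("pam", prematch=r"^\(pam_unix\)")

# Constructed sample messages (the program name is passed separately, as syslog would).
SAMPLE_PAM = "(pam_unix) session opened for user root by trevor(uid=1000)"
SAMPLE_SUSE = "(to root) trevor on /dev/pts/0"
SAMPLE_BAD = "BAD SU trevor to root on /dev/pts/1"

def _prematch(dec, message):
    """Return (matched, text): text is what the regex will see, i.e. the
    remainder after the prematch when offset="after_prematch" is modelled."""
    if dec.prematch is None:
        return True, message
    m = re.search(dec.prematch, message)
    if not m:
        return False, message
    return True, (message[m.end():] if dec.offset_after_prematch else message)

def decode(program_name, message, decoders):
    """Simplified model of the behaviour described in the thread: the first root
    decoder (no parent) whose program_name and prematch both match wins and no
    later root decoder is consulted; then its children are tried in file order
    and the first whose prematch and regex match fills the fields."""
    root = None
    for dec in decoders:
        if dec.parent is not None:
            continue
        if dec.program_name and not re.search(dec.program_name, program_name):
            continue
        if _prematch(dec, message)[0]:
            root = dec
            break
    if root is None:
        return None
    result = {"decoded_as": root.name, "decoder": root.name, "fields": {}}
    for child in decoders:
        if child.parent != root.name or child.regex is None:
            continue
        ok, text = _prematch(child, message)
        if not ok:
            continue
        m = re.search(child.regex, text)
        if not m:
            continue   # model choice: a child whose regex fails does not stop the search
        values = [g for g in m.groups() if g is not None]   # alternation leaves unused groups None
        result["decoder"] = child.name
        result["fields"] = dict(zip(child.order, values))
        break
    return result

def ordering_demo(message):
    """Show tm's point: with a PAM root decoder ahead of su-pam in the file,
    the PAM decoder claims the event and su-pam is never reached."""
    return (decode("su", message, SU_DECODERS)["decoded_as"],
            decode("su", message, [GENERIC_PAM] + SU_DECODERS)["decoded_as"])

if __name__ == "__main__":
    for msg in (SAMPLE_PAM, SAMPLE_SUSE, SAMPLE_BAD):
        print(msg, "->", decode("su", msg, SU_DECODERS))
    print("su-pam first vs pam first:", ordering_demo(SAMPLE_PAM))
```

Running it decodes the PAM line through su-pam/su-detail4 and the SuSE and "BAD SU" lines through su/su-detail3 and su/su-detail2, while `ordering_demo` shows the same PAM line being claimed by the constructed `pam` decoder as soon as it sits earlier in the list. The real tool for this is ossec-logtest, which reports the decoder and extracted fields for a pasted log line; the model here only makes the file-order rule visible.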
