[ossec-list] Re: Logtest behave different then analysisd with compiled rules

Mon, 12 Jul 2010 06:13:21 -0700 

Nobody can help me?



On 6 Lug, 15:51, Stefano Pedretti <stefano.pedre...@gmail.com> wrote:
> Dears,
> I have still not solved my problem.
>
> I need to monitor audits of only a set of users. I build a compiled
> rule to check if the dstuser of
> These are the facts: I
>
> - create a logman.c file (that's reported on bottom)
> - registered the rule with register_rule.sh script
> - used the install.sh script to compile and install a new ossec
> istance.
> - i modified the msauth xml file with <compiled_rule>logman</
> compiled_rule>
> - i create and 777ed /var/ossec/adslist file with usernames i need to
> monitor.
>
> Testing it with ossec-logtest work's like a charme but the same log
> (captured from windows agent debug log) never match.
>
> What's wrong in my procedure?
>
> ===  log test  ===
>
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: stefano.pedretti:
> AOVV: PROTOCOLLO: Successful Logon:     User Name: stefano.pedretti
>         Domain:         AOVV            Logon ID:       (0x0,0xBC31F0D)       
>   Logon Type: 10
> Logon Process: User32           Authentication Package: Negotiate
> Workstation Name: PROTOCOLLO            Logon GUID: {0e5df325-5cbf-
> aa8c-81c3-0e4778ca5241}         Caller User Name: PROTOCOLLO$           Caller
> Domain: AOVV            Caller Logon ID: (0x0,0x3E7)            Caller 
> Process ID:
> 3204            Transited Services: -           Source Network Address:
> 11.128.128.1            Source Port: 36567
>
> **Phase 1: Completed pre-decoding.
>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
> stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon:           User Name:
> stefano.pedretti        Domain:         AOVV            Logon ID:       
> (0x0,0xBC31F0D)
> Logon Type: 10          Logon Process: User32           Authentication 
> Package:
> Negotiate       Workstation Name: PROTOCOLLO            Logon GUID:
> {0e4df325-5cbf-aa8c-81c3-0e4778ca5241}          Caller User Name: PROTOCOLLO
> $       Caller Domain: AOVV     Caller Logon ID: (0x0,0x3E7)            Caller
> Process ID: 3204        Transited Services: -           Source Network 
> Address:
> 10.128.128.1    Source Port: 36567    '
>        hostname: 'nordcom'
>        program_name: '(null)'
>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
> stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon:           User Name:
> stefano.pedretti    Domain:     AOVV            Logon ID:       
> (0x0,0xBC31F0D)
> Logon Type: 10          Logon Process: User32           Authentication 
> Package:
> Negotiate       Workstation Name: PROTOCOLLO            Logon GUID:
> {0e4df325-5cbf-aa8c-81c3-0e4778ca5241}          Caller User Name: PROTOCOLLO
> $       Caller Domain: AOVV     Caller Logon ID: (0x0,0x3E7)            Caller
> Process ID: 3204        Transited Services: -           Source Network 
> Address:
> 10.128.128.1            Source Port: 36567    '
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '528'
>        extra_data: 'Security'
>        dstuser: 'stefano.pedretti'
>        system_name: 'PROTOCOLLO'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18107'
>        Level: '3'
>        Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> === logman.c ===
>
> /*
>  * This program is a free software; you can redistribute it
>  * and/or modify it under the terms of the GNU General Public
>  * License (version 2) as published by the FSF - Free Software
>  * Foundation.
>
> Stefano Pedretti - NordCom S.p.A Italy
> Compiled rule logman for userlist matching.
> Put in a ossec readable file /var/ossec/adslist
> the user list in lower case.
>
> Changelog
>         rev 1.2 Comments
>         rev 1.1 Review and semplification
>         rev 1.0 Initial code implementation
>
>         <compiled_rule>logman</compiled_rule>
>
> */
>
> #include "shared.h"
> #include "eventinfo.h"
> #include "config.h"
> #include <stdio.h>
>
> void *logman(Eventinfo *lf)
> {
>     static const char filename[] = "/var/ossec/adslist";
>     char *user = NULL;
>     char line[256];
>     int i = 0;
>
>     //printf("Inizio custom rule logman.\n");
>
>     if(!lf->dstuser)
>     {
>         // Cosa fare nel caso in cui il campo dstuser non è previsto dal
> decoder?
>         //printf("Campo dstuser nullo.\n");
>
>         //Accettare
>        // return(lf);
>
>         //Rifiutare
>        return(NULL);
>     }
>
>     user = lf->dstuser;
>
>     //printf("Utente: %s\n",user);
>
>     Eventinfo *lfr = NULL;
>
>    if(strlen(user) > 0){
>       FILE *file = fopen ( filename, "r" );
>
>       if ( file != NULL ){
>
>           while (fgets(line, 256, file) != NULL){
>
>             line[strlen(line)-1] = 0;
>
>       //      printf("-%s-,-%s-\n",lf->dstuser,line);
>       //      printf("-%d-,-%d-\n",strlen(lf->dstuser), strlen(line));
>
>           if (strlen(user) == (strlen(line))){
>
>             for (i=0; i < strlen(line) ; i++)
>               line[i] = tolower(line[i]);
>               if (strcmp(user,line) == 0){
>                 lfr=lf;
>                 break;
>               }
>            }
>          }
>          fclose ( file );
>       }
>       else
>       {
>          perror ( filename );
>       }
>     }
>     return(lfr);
>
> }
>
> =====EOF=================
>
> Thank you!
>
> On 25 Giu, 15:10, Stefano Pedretti <stefano.pedre...@gmail.com> wrote:
>
>
>
> > Thank you for your reply,
>
> > On 15 Giu, 14:31, Daniel Cid <daniel....@gmail.com> wrote:
> >  --- cut --

Reply via email to