Nobody can help me?
On 6 Jul, 15:51, Stefano Pedretti <stefano.pedre...@gmail.com> wrote:
> Dears,
> I have still not solved my problem.
>
> I need to monitor audits of only a set of users. I build a compiled
> rule to check if the dstuser of
> These are the facts: I
>
> - create a logman.c file (that's reported on bottom)
> - registered the rule with register_rule.sh script
> - used the install.sh script to compile and install a new ossec
>   instance.
> - I modified the msauth xml file with <compiled_rule>logman</compiled_rule>
> - I created and 777ed the /var/ossec/adslist file with the usernames I need to
>   monitor.
>
> Testing it with ossec-logtest works like a charm, but the same log
> (captured from the windows agent debug log) never matches.
>
> What's wrong in my procedure?
>
> === log test ===
>
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: stefano.pedretti:
> AOVV: PROTOCOLLO: Successful Logon: User Name: stefano.pedretti
> Domain: AOVV Logon ID: (0x0,0xBC31F0D) Logon Type: 10
> Logon Process: User32 Authentication Package: Negotiate
> Workstation Name: PROTOCOLLO Logon GUID: {0e5df325-5cbf-aa8c-81c3-0e4778ca5241}
> Caller User Name: PROTOCOLLO$ Caller Domain: AOVV Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 3204 Transited Services: - Source Network Address:
> 11.128.128.1 Source Port: 36567
>
> **Phase 1: Completed pre-decoding.
>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
>        stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon: User Name:
>        stefano.pedretti Domain: AOVV Logon ID: (0x0,0xBC31F0D)
>        Logon Type: 10 Logon Process: User32 Authentication Package:
>        Negotiate Workstation Name: PROTOCOLLO Logon GUID:
>        {0e4df325-5cbf-aa8c-81c3-0e4778ca5241} Caller User Name: PROTOCOLLO$
>        Caller Domain: AOVV Caller Logon ID: (0x0,0x3E7) Caller
>        Process ID: 3204 Transited Services: - Source Network Address:
>        10.128.128.1 Source Port: 36567 '
>        hostname: 'nordcom'
>        program_name: '(null)'
>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
>        stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon: User Name:
>        stefano.pedretti Domain: AOVV Logon ID: (0x0,0xBC31F0D)
>        Logon Type: 10 Logon Process: User32 Authentication Package:
>        Negotiate Workstation Name: PROTOCOLLO Logon GUID:
>        {0e4df325-5cbf-aa8c-81c3-0e4778ca5241} Caller User Name: PROTOCOLLO$
>        Caller Domain: AOVV Caller Logon ID: (0x0,0x3E7) Caller
>        Process ID: 3204 Transited Services: - Source Network Address:
>        10.128.128.1 Source Port: 36567 '
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '528'
>        extra_data: 'Security'
>        dstuser: 'stefano.pedretti'
>        system_name: 'PROTOCOLLO'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18107'
>        Level: '3'
>        Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> === logman.c ===
>
> /*
>  * This program is a free software; you can redistribute it
>  * and/or modify it under the terms of the GNU General Public
>  * License (version 2) as published by the FSF - Free Software
>  * Foundation.
>  *
>  * Stefano Pedretti - NordCom S.p.A Italy
>  * Compiled rule logman for userlist matching.
>  * Put in a ossec readable file /var/ossec/adslist
>  * the user list in lower case.
>  *
>  * Changelog
>  * rev 1.2 Comments
>  * rev 1.1 Review and simplification
>  * rev 1.0 Initial code implementation
>  *
>  * <compiled_rule>logman</compiled_rule>
>  */
>
> #include "shared.h"
> #include "eventinfo.h"
> #include "config.h"
> #include <stdio.h>
> #include <string.h>
> #include <strings.h>
>
> void *logman(Eventinfo *lf)
> {
>     static const char filename[] = "/var/ossec/adslist";
>     char *user = NULL;
>     char line[256];
>     Eventinfo *lfr = NULL;
>     FILE *file = NULL;
>
>     //printf("Starting custom rule logman.\n");
>
>     if(!lf->dstuser)
>     {
>         // What to do when the decoder does not provide the dstuser field?
>         //printf("dstuser field is null.\n");
>
>         //Accept
>         // return(lf);
>
>         //Reject
>         return(NULL);
>     }
>
>     user = lf->dstuser;
>
>     //printf("User: %s\n",user);
>
>     if(strlen(user) > 0){
>         file = fopen(filename, "r");
>
>         if(file != NULL){
>
>             while(fgets(line, sizeof(line), file) != NULL){
>
>                 /* Strip the trailing newline, and a CR if the list was
>                  * edited on Windows. Blindly zeroing the last character
>                  * would write before the buffer on an empty line and eat
>                  * the last character of a final line without a newline. */
>                 line[strcspn(line, "\r\n")] = 0;
>
>                 // printf("-%s-,-%s-\n",lf->dstuser,line);
>                 // printf("-%d-,-%d-\n",strlen(lf->dstuser), strlen(line));
>
>                 /* Compare ignoring case: dstuser carries whatever case the
>                  * Windows event had, while the list is kept in lower case.
>                  * An empty list line can never match a non-empty user. */
>                 if(strlen(line) > 0 && strcasecmp(user, line) == 0){
>                     lfr = lf;
>                     break;
>                 }
>             }
>             fclose(file);
>         }
>         else
>         {
>             perror(filename);
>         }
>     }
>     return(lfr);
> }
>
> =====EOF=================
>
> Thank you!
>
> On 25 Jun, 15:10, Stefano Pedretti <stefano.pedre...@gmail.com> wrote:
>
> > Thank you for your reply,
>
> > On 15 Jun, 14:31, Daniel Cid <daniel....@gmail.com> wrote:
> > --- cut --
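The matching logic of a compiled rule like logman, pulled out into a form that can be unit-tested outside ossec-analysisd, as an added example that is not part of the original post or of OSSEC. The `Eventinfo` stub, `user_in_list` and `logman_check` are assumptions standing in for OSSEC's own definitions; the list is read through `fmemopen()` so the CRLF, trailing-blank and case edge cases can be exercised without a file under /var/ossec.

```c
#define _GNU_SOURCE                /* fmemopen() is POSIX.1-2008 (glibc) */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for OSSEC's Eventinfo: only the field the rule reads. */
typedef struct { char *dstuser; } Eventinfo;

/* Return 1 if `user` is listed in `fp` (one name per line), else 0. Tolerates
 * CRLF endings, trailing blanks and case differences; empty lines never match. */
int user_in_list(const char *user, FILE *fp)
{
    char line[256];
    size_t len;

    if (user == NULL || user[0] == '\0' || fp == NULL)
        return 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';        /* drop LF and a stray CR */
        len = strlen(line);
        while (len > 0 && (line[len - 1] == ' ' || line[len - 1] == '\t'))
            line[--len] = '\0';                    /* drop trailing blanks */
        if (len > 0 && strcasecmp(user, line) == 0)
            return 1;
    }
    return 0;
}

/* Same contract as a compiled rule: the event on a match, NULL otherwise. The
 * list comes from memory so the logic runs anywhere; a real rule would fopen()
 * the list file, and analysisd runs chrooted into the OSSEC directory, so the
 * path it opens is resolved inside that chroot. */
void *logman_check(Eventinfo *lf, const char *list, size_t list_len)
{
    FILE *fp;
    void *result = NULL;

    if (lf == NULL || lf->dstuser == NULL)
        return NULL;                 /* decoder gave no dstuser: reject */
    fp = fmemopen((void *)list, list_len, "r");
    if (fp == NULL)
        return NULL;
    if (user_in_list(lf->dstuser, fp))
        result = lf;
    fclose(fp);
    return result;
}

/* Constructed sample list: a CRLF entry, one with a trailing blank, an empty line. */
static const char sample_list[] = "stefano.pedretti\r\nadmin.backup \n\n";
```

With the constructed list, an event whose dstuser is "Stefano.Pedretti" matches despite the case and the CR, while an unlisted or empty user returns NULL.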