On 03/24/2011 02:16 PM, dan (ddp) wrote:
> Oh, and would using "\S+" for the username be easier? Are spaces valid
> characters in Windows usernames?

That was the first thing I tried. I'm not good with regex; let me check if I can use it.

I think that, at least in Active Directory, it is not allowed to create usernames with spaces; I'm not sure about Windows in stand-alone mode.

> 2011/3/24 Jorge Armando Medina <jmed...@e-compugraf.com>:
>> Hi there,
>>
>> I'm working on a project where I need to send alerts when somebody
>> deletes a file from a Samba share. Samba includes the module full_audit,
>> which records something like this:
>>
>> Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt
>> Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
>>
>> The important information is the username (first field), client IP
>> address (second field) and the operation (third).
>>
>> So I created a decoder like this:
>>
>> <!-- Samba Audit decoder.
>>   - Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt
>>   - Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
>> -->
>> <decoder name="smbd_audit">
>>   <program_name>smbd_audit</program_name>
>>   <regex>^(\w+\p*\w*)\|(\d+.\d+.\d+.\d+)\|\S+</regex>
>>   <order>user, srcip</order>
>> </decoder>
>>
>> I used (\w+\p*\w*) to match usernames with a single word like jperez and
>> those that use a "." like jorge.perez, and next the IP address.
>>
>> I effectively decode the information like this:
>>
>> # bin/ossec-logtest
>> 2011/03/23 17:54:05 ossec-testrule: INFO: Reading local decoder file.
>> 2011/03/23 17:54:05 ossec-testrule: INFO: Started (pid: 27198).
>> ossec-testrule: Type one log per line.
>>
>> Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt'
>>        hostname: 'fs1'
>>        program_name: 'smbd_audit'
>>        log: 'jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'smbd_audit'
>>        dstuser: 'jorge.perez'
>>        srcip: '192.168.221.50'
>>
>> Then I created a rule so I detect the "unlink" operation and send an alert:
>>
>> <rule id="2513" level="10">
>>   <decoded_as>smbd_audit</decoded_as>
>>   <match>unlink</match>
>>   <description>Samba audit, file deleted.</description>
>> </rule>
>>
>> I restarted OSSEC and now I get alerts like this:
>>
>> OSSEC HIDS Notification.
>> 2011 Mar 24 10:45:47
>>
>> Received From: (fs1.example.com) 192.168.221.10->/var/log/messages
>> Rule: 2513 fired (level 10) -> "Samba audit, file deleted."
>> Portion of the log(s):
>>
>> Mar 24 10:45:46 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|BASESX/filetest.exe
>>
>> I hope you can give comments about this; probably someone wants to improve it
>> so we detect new files.
>>
>> By the way, I had to escape the "|" character so I can't use it as the
>> separator; probably it is a good idea to add the | character to the list
>> in the regex documentation at
>> http://www.ossec.net/wiki/Know_How:Regex_Readme
>>
>> Best regards.
>>
>> --
>> Jorge Armando Medina
>> Computación Gráfica de México
>> Web: http://www.e-compugraf.com
>> Tel: 55 51 40 72, Ext: 124
>> Email: jmed...@e-compugraf.com
>> GPG Key: 1024D/28E40632 2007-07-26
>> GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632

--
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmed...@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
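Added example, not code from the thread and not part of OSSEC: a small Python model of the pre-decoder / decoder / rule pipeline the message walks through, run over constructed smbd_audit lines. It assumes Samba's default full_audit:prefix of "%u|%I", so each record is username|client IP|operation|result|path (rename carries two paths). Two choices differ from the posted decoder and rule and are this example's own: the decoder splits on the "|" separator instead of matching a username character class, so usernames with dots or spaces decode the same way (the point dan raised), and the rule tests the decoded operation and result fields rather than the substring "unlink", so a failed unlink or a path containing that word does not fire it. The sample lines, the "maria lopez" and "not-an-ip" records and the sshd line are constructed to exercise those cases.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log (not taken from the original post). The smbd_audit
# lines assume Samba's default full_audit:prefix of "%u|%I", so each record is
# username|client IP|operation|result|path; rename logs two paths. The
# "maria lopez", "fail", "not-an-ip" and sshd lines exercise the edge cases.
SAMPLE_LOG = """\
Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt
Mar 23 13:44:18 fs1 smbd_audit: jorge.perez|192.168.221.50|unlink|ok|dir1/ss.txt
Mar 23 13:44:19 fs1 smbd_audit: jorge.perez|192.168.221.50|open|ok|dir1/ss.txt
Mar 23 13:44:20 fs1 smbd_audit: maria lopez|192.168.221.51|unlink|fail (Permission denied)|dir1/keep.txt
Mar 23 13:44:21 fs1 smbd_audit: jperez|192.168.221.50|rename|ok|dir1/a.txt|dir1/b.txt
Mar 23 13:44:22 fs1 smbd_audit: jperez|not-an-ip|unlink|ok|dir1/c.txt
Mar 23 13:44:23 fs1 sshd[123]: Accepted publickey for root from 192.168.221.9
"""

# Phase 1: the syslog pre-decoder (timestamp, hostname, program_name, log).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)


@dataclass
class Event:
    timestamp: str
    hostname: str
    program_name: str
    log: str
    decoder: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)


def predecode(line: str) -> Optional[Event]:
    """Phase 1: split a syslog line into its header and message."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return Event(m["ts"], m["host"], m["prog"], m["log"])


def decode_smbd_audit(event: Event) -> bool:
    """Phase 2: decode a full_audit record. Splitting on the '|' separator
    rather than matching a username character class means the username may
    contain dots, spaces or anything else except '|'."""
    if event.program_name != "smbd_audit":
        return False
    parts = event.log.split("|")
    if len(parts) < 5:
        return False
    user, srcip, op, result = parts[:4]
    try:
        ipaddress.ip_address(srcip)  # reject records whose second field is not an address
    except ValueError:
        return False
    event.decoder = "smbd_audit"
    # rename and similar operations carry two paths; keep them all.
    event.fields.update(user=user, srcip=srcip, op=op, result=result,
                        path="|".join(parts[4:]))
    return True


def rule_2513(event: Event) -> Optional[dict]:
    """Fire only when the decoded operation is unlink and Samba reported success.
    Testing the decoded fields instead of the substring "unlink" avoids firing
    on a failed unlink or on a path that happens to contain the word."""
    f = event.fields
    if event.decoder == "smbd_audit" and f.get("op") == "unlink" and f.get("result") == "ok":
        return {"rule": 2513, "level": 10, "description": "Samba audit, file deleted.",
                "user": f["user"], "srcip": f["srcip"], "path": f["path"]}
    return None


def process(text: str) -> List[dict]:
    """Run every line through pre-decoder, decoder and rule; return the alerts."""
    alerts = []
    for line in text.splitlines():
        event = predecode(line)
        if event is None or not decode_smbd_audit(event):
            continue
        alert = rule_2513(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in process(SAMPLE_LOG):
        print(f"Rule {a['rule']} fired (level {a['level']}) -> {a['description']} "
              f"user={a['user']} srcip={a['srcip']} path={a['path']}")
```

Run over the sample, only the two successful unlink records produce alerts; the failed unlink by "maria lopez" still decodes (with the space-containing username intact) but does not fire, the rename keeps both paths, and the record with a malformed second field is dropped at decode time. The same field checks can be expressed in an OSSEC rule with `<field>`/`<regex>` conditions instead of `<match>`, but the pipeline logic above is independent of the OSSEC syntax.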