And here's the pull request: https://github.com/ossec/ossec-hids/pull/1440
On Fri, Jun 22, 2018 at 11:37 AM, dan (ddp) <[email protected]> wrote:
> On Fri, Jun 22, 2018 at 11:22 AM, dan (ddp) <[email protected]> wrote:
>> On Thu, Jun 21, 2018 at 3:28 PM, Mark M <[email protected]> wrote:
>>>
>>> I don't see anything in my rsyslog.conf that should affect local log format?
>>> Why might the decoder be failing?
>>>
>>> Jun 21 12:27:37 dactyl unix_chkpwd[4723]: password check failed for user (root)
>>> Jun 21 12:27:37 dactyl su: pam_unix(su-l:auth): authentication failure; logname=mmoorcro uid=853945932 euid=0 tty=pts/1 ruser=mmoorcro rhost= user=root
>>> Jun 21 12:27:37 dactyl su: pam_succeed_if(su-l:auth): requirement "uid >= 1000" not met by user "root"
>>>
>>
>> I don't think it's anything you changed. Log messages change over time
>> and sometimes by distro/OS.
>> The log messages you're getting don't quite fit what we had seen previously.
>>
>
> To follow up on this, here is how the 3 log messages in your message
> are decoded:
>
> ix# /var/ossec/bin/ossec-logtest -q
> 2018/06/22 11:23:46 ossec-testrule: INFO: Reading the lists file: 'rules/lists/ossec.block'
> 2018/06/22 11:23:46 ossec-testrule: INFO: Started (pid: 86160).
> ossec-testrule: Type one log per line.
>
> Jun 21 12:27:37 dactyl unix_chkpwd[4723]: password check failed for user (root)
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jun 21 12:27:37 dactyl unix_chkpwd[4723]: password check failed for user (root)'
>        hostname: 'dactyl'
>        program_name: 'unix_chkpwd'
>        log: 'password check failed for user (root)'
>
> **Phase 2: Completed decoding.
>        decoder: 'unix_chkpwd'
>        srcuser: 'root'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5557'
>        Level: '5'
>        Description: 'Password check failed.'
> **Alert to be generated.
>
>
> Jun 21 12:27:37 dactyl su: pam_unix(su-l:auth): authentication failure; logname=mmoorcro uid=853945932 euid=0 tty=pts/1 ruser=mmoorcro rhost= user=root
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jun 21 12:27:37 dactyl su: pam_unix(su-l:auth): authentication failure; logname=mmoorcro uid=853945932 euid=0 tty=pts/1 ruser=mmoorcro rhost= user=root'
>        hostname: 'dactyl'
>        program_name: 'su'
>        log: 'pam_unix(su-l:auth): authentication failure; logname=mmoorcro uid=853945932 euid=0 tty=pts/1 ruser=mmoorcro rhost= user=root'
>
> **Phase 2: Completed decoding.
>        decoder: 'pam'
>        dstuser: 'mmoorcro'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5503'
>        Level: '5'
>        Description: 'User login failed.'
> **Alert to be generated.
>
>
> Jun 21 12:27:37 dactyl su: pam_succeed_if(su-l:auth): requirement "uid >= 1000" not met by user "root"
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jun 21 12:27:37 dactyl su: pam_succeed_if(su-l:auth): requirement "uid >= 1000" not met by user "root"'
>        hostname: 'dactyl'
>        program_name: 'su'
>        log: 'pam_succeed_if(su-l:auth): requirement "uid >= 1000" not met by user "root"'
>
> **Phase 2: Completed decoding.
>        decoder: 'su'
>
> This last one doesn't produce a rule. I'm not sure a rule is necessary
> for it (but feel free to change my mind). The others decode just fine.
>
> Changing the "su" decoder's regex a little gives us better results for
> your original message:
>
> Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0'
>        hostname: 'dactyl'
>        program_name: 'su'
>        log: 'FAILED SU (to root) mmoorcro on pts/0'
>
> **Phase 2: Completed decoding.
>        decoder: 'su'
>        srcuser: 'root'
>        dstuser: 'mmoorcro'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5301'
>        Level: '5'
>        Description: 'User missed the password to change UID (user id).'
> **Alert to be generated.
>
> 5302 still failed though. I'm not sure if the "<user>root</user>"
> check in 5302 will check both src and dst user (which seems to be
> backwards anyway).
>
> So what happens if I flip the users around in the log message? Let's find out.
>
> Jun 20 17:19:59 dactyl su: FAILED SU (to mmoorcro) root on pts/0
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jun 20 17:19:59 dactyl su: FAILED SU (to mmoorcro) root on pts/0'
>        hostname: 'dactyl'
>        program_name: 'su'
>        log: 'FAILED SU (to mmoorcro) root on pts/0'
>
> **Phase 2: Completed decoding.
>        decoder: 'su'
>        srcuser: 'mmoorcro'
>        dstuser: 'root'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5302'
>        Level: '9'
>        Description: 'User missed the password to change UID to root.'
> **Alert to be generated.
>
> 5302 is properly triggered this time.
>
> So adding the following decoder between "su" and "su-detail2":
>
> <decoder name="su-failed">
>   <parent>su</parent>
>   <prematch>^FAILED SU </prematch>
>   <regex offset="after_prematch">^\(to (\S+) (\S+) on</regex>
>   <order>dstuser, srcuser</order>
> </decoder>
>
> Gives us these results:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0'
>        hostname: 'dactyl'
>        program_name: 'su'
>        log: 'FAILED SU (to root) mmoorcro on pts/0'
>
> **Phase 2: Completed decoding.
>        decoder: 'su'
>        dstuser: 'root)'
>        srcuser: 'mmoorcro'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5302'
>        Level: '9'
>        Description: 'User missed the password to change UID to root.'
> **Alert to be generated.
>
> So now I have to make sure we have tests for previous su log messages,
> and add yours to the tests to make sure they all still work.
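The "su-failed" decoder from the thread, and the stray ')' it leaves in dstuser, replayed outside OSSEC as an added example (this is not OSSEC's decoder engine and not code from the pull request). Python's re stands in for OSSEC's regex syntax; PREDECODE, decode() and rule_5302_fires() are constructed here, and SU_FAILED_FIXED is an assumed correction, not necessarily what the PR did.

```python
import re

# Constructed sample lines modelled on the thread's messages (not a real capture).
SAMPLE_LOGS = [
    "Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0",
    "Jun 20 17:19:59 dactyl su: FAILED SU (to mmoorcro) root on pts/0",
]

# Phase 1 stand-in: split a BSD-syslog line into hostname, program_name and log.
PREDECODE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Phase 2 stand-ins for the "su-failed" child decoder's <regex>.
# The thread's version: \S+ is greedy over any non-whitespace, so the ')' that
# closes "(to root)" is swallowed into dstuser, which is why it shows 'root)'.
SU_FAILED_GREEDY = re.compile(r"^\(to (\S+) (\S+) on")
# Assumed correction (not taken from the PR): match the ')' explicitly so that
# dstuser is the bare user name.
SU_FAILED_FIXED = re.compile(r"^\(to ([^)\s]+)\) (\S+) on")


def decode(line, su_failed=SU_FAILED_FIXED):
    """Return the decoded fields for one FAILED SU line, or None otherwise."""
    pre = PREDECODE.match(line)
    if not pre or pre.group("program_name") != "su":
        return None
    log = pre.group("log")
    prematch = "FAILED SU "                      # <prematch>^FAILED SU </prematch>
    if not log.startswith(prematch):
        return None
    m = su_failed.match(log[len(prematch):])     # offset="after_prematch"
    if not m:
        return None
    # <order>dstuser, srcuser</order>
    return {"hostname": pre.group("hostname"), "decoder": "su",
            "dstuser": m.group(1), "srcuser": m.group(2)}


def rule_5302_fires(fields):
    """Stand-in for rule 5302's <user>root</user>, modelled as an unanchored
    substring match (an assumption about OSSEC's matcher) so that, as in the
    thread, 'root)' still fires it. An exact comparison on the field would not."""
    return fields is not None and "root" in fields["dstuser"]
```

Running decode(SAMPLE_LOGS[0], SU_FAILED_GREEDY) reproduces the thread's dstuser 'root)', while the default (fixed) pattern yields 'root' with srcuser 'mmoorcro'.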
