Tim, the negative lookahead is working, but the Pair rule needs some improvements. First of all, the 'desc' field of the rule contains no $1 variable, which means that the rule correlates all audit messages with one operation only. Secondly, the 'pattern2' field contains no reference to a relevant log entry id ($1, that is).
As a result, the following line, which contains no uid=12653 and has the id 15584:

type=SYSCALL msg=audit(1213918944.731:15584): arch=40000003 syscall=5 success=yes exit=3 a0=984abd8 a1=8000 a2=0 a3=8000 items=1 pid=29557 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pwreset_backend" exe="/bin/bash"

starts a correlation operation, and this line with the id 15585:

type=FS_WATCH msg=audit(1213918944.731:15585): watch_inode=3347157 watch="backend.sh" filterkey=backend-script perm=4 perm_mask=4

matches the second regular expression of the operation. Since the id 15585 is also associated with a log message containing uid=12653, the match produces an unwanted effect.

I revised your rule -- try whether the following scheme works for you:

type=pair
ptype=regexp
pattern=audit\(\d+\.\d+\:(\d+)\).*success\=yes\s.*\suid\=(?!12653)
desc=Successful command execution for $1
action=none
ptype2=regexp
pattern2=msg\=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=backend\-script
desc2=$0
action2=shellcmd /sbin/ausearch -a $1
window=2

Here both the 'desc' and 'pattern2' fields have a reference to the $1 variable.

hth,
risto

> From: Tim Rupp <[EMAIL PROTECTED]>
> Subject: [Simple-evcorr-users] negative lookahead
> To: [email protected]
> Date: Thursday, June 19, 2008, 4:51 PM
>
> Hi list,
>
> I'm trying to use a negative lookahead in my pattern for a particular
> event in my audit log and it doesn't appear to be working. I was
> wondering if negative lookaheads work to begin with, and if they do, I
> was hoping someone could spot my mistake.
>
> I am using a pair type. Basically I want to find patterns that match
> everything in that pattern except for that number in the negative
> lookahead, and then, match that filterkey=backend-script line
>
> type=pair
> ptype=regexp
> pattern=audit\(\d+\.\d+\:(\d+)\).*success\=yes\s[0-9a-zA-Z= ]+\suid\=(?!12653)
> desc="Successful command execution"
> action=none
> ptype2=regexp
> pattern2=^.*audit\(\d+\.\d+\:(\d+)\)\:.*filterkey\=backend\-script
> desc2=$0
> action2=shellcmd /sbin/ausearch -a $1
> window=2
>
> And a sample of logs
>
> type=SYSCALL msg=audit(1213918944.731:15585): arch=40000003 syscall=5 success=yes exit=3 a0=984abd8 a1=8000 a2=0 a3=8000 items=1 pid=29557 auid=4294967295 uid=12653 gid=12653 euid=12653 suid=12653 fsuid=12653 egid=12653 sgid=12653 fsgid=12653 comm="pwreset_backend" exe="/bin/bash"
>
> type=FS_WATCH msg=audit(1213918944.731:15585): watch_inode=3347157 watch="backend.sh" filterkey=backend-script perm=4 perm_mask=4
>
> type=FS_INODE msg=audit(1213918944.731:15585): inode=3347157 inode_uid=1733 inode_gid=100 inode_dev=03:02 inode_rdev=00:00
>
> So for instance, I don't want to match that first line, because it has
> uid=12653. But I would want to match that line if it had any other
> number in place of that 12653, so this should match
>
> type=SYSCALL msg=audit(1213918944.731:15585): arch=40000003 syscall=5 success=yes exit=3 a0=984abd8 a1=8000 a2=0 a3=8000 items=1 pid=29557 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pwreset_backend" exe="/bin/bash"
>
> However my pair is matching the 12653 line. Any ideas?
>
> Thanks in advance,
> Tim
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
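To make the mis-correlation concrete, below is an added Python simulation of the two rules over the audit lines from the thread. It is not SEC's own code and not code from either poster; it mimics only the Pair-rule behaviour the reply relies on (a running operation is keyed by the expanded 'desc', $N from 'pattern' is substituted into 'desc' and 'pattern2' when the operation starts, and action2's $1 is pattern2's own first capture group), with event ordering and window expiry simplified. The log lines are constructed: the 15584/15585 records follow the thread, and a root run with id 15590 is added as an event that should be correlated.

```python
"""Simulate SEC Pair-rule correlation over Linux audit records (added example)."""
import re

# The 'pattern' field shared by both rules: the negative lookahead rejects uid=12653.
PATTERN = re.compile(r'audit\(\d+\.\d+\:(\d+)\).*success\=yes\s.*\suid\=(?!12653)')
# Epoch seconds and event id from "msg=audit(SECS.MS:ID)", used for the window.
TS_RE = re.compile(r'msg=audit\((\d+)\.\d+:(\d+)\)')

# Tim's rule: neither desc nor pattern2 references $1.
ORIGINAL_RULE = {
    "desc": "Successful command execution",
    "pattern2": r'^.*audit\(\d+\.\d+\:(\d+)\)\:.*filterkey\=backend\-script',
    "window": 2,
}
# Risto's revision: desc and pattern2 are tied to the event id captured by pattern.
REVISED_RULE = {
    "desc": "Successful command execution for $1",
    "pattern2": r'msg\=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=backend\-script',
    "window": 2,
}

# Constructed audit lines modelled on the thread (ids 15584/15585) plus a
# constructed root run with id 15590 that should trigger ausearch.
LOGS = [
    'type=SYSCALL msg=audit(1213918944.731:15584): arch=40000003 syscall=5 success=yes exit=3 '
    'a0=984abd8 a1=8000 a2=0 a3=8000 items=1 pid=29557 auid=4294967295 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pwreset_backend" exe="/bin/bash"',
    'type=SYSCALL msg=audit(1213918944.731:15585): arch=40000003 syscall=5 success=yes exit=3 '
    'a0=984abd8 a1=8000 a2=0 a3=8000 items=1 pid=29557 auid=4294967295 uid=12653 gid=12653 '
    'euid=12653 suid=12653 fsuid=12653 egid=12653 sgid=12653 fsgid=12653 '
    'comm="pwreset_backend" exe="/bin/bash"',
    'type=FS_WATCH msg=audit(1213918944.731:15585): watch_inode=3347157 watch="backend.sh" '
    'filterkey=backend-script perm=4 perm_mask=4',
    'type=FS_INODE msg=audit(1213918944.731:15585): inode=3347157 inode_uid=1733 '
    'inode_gid=100 inode_dev=03:02 inode_rdev=00:00',
    'type=SYSCALL msg=audit(1213918945.002:15590): arch=40000003 syscall=5 success=yes exit=3 '
    'a0=984abd8 a1=8000 a2=0 a3=8000 items=1 pid=29601 auid=4294967295 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pwreset_backend" exe="/bin/bash"',
    'type=FS_WATCH msg=audit(1213918945.002:15590): watch_inode=3347157 watch="backend.sh" '
    'filterkey=backend-script perm=4 perm_mask=4',
]


def expand(template, groups):
    """Replace $0..$N in a desc/pattern2 template with values from a pattern match."""
    return re.sub(r'\$(\d+)', lambda m: groups[int(m.group(1))], template)


def correlate(rule, lines):
    """Return the event ids that action2 ('ausearch -a $1') would receive."""
    ops = {}      # expanded desc -> (compiled pattern2, start time)
    fired = []
    for line in lines:
        ts = TS_RE.search(line)
        now = int(ts.group(1)) if ts else 0
        # Drop operations whose window has elapsed (simplified expiry).
        ops = {d: v for d, v in ops.items() if now - v[1] <= rule["window"]}
        # pattern2 is tried against every running operation first.
        hit = None
        for desc, (p2, _) in ops.items():
            m2 = p2.search(line)
            if m2:
                fired.append(m2.group(1))   # $1 in action2 = pattern2's own group 1
                hit = desc
                break
        if hit is not None:
            del ops[hit]
            continue
        # Otherwise see whether this line starts a new operation.
        m = PATTERN.search(line)
        if m:
            groups = (m.group(0),) + m.groups()
            desc = expand(rule["desc"], groups)
            if desc not in ops:   # Pair: a further match for a running desc is ignored
                ops[desc] = (re.compile(expand(rule["pattern2"], groups)), now)
    return fired


if __name__ == "__main__":
    print("original rule runs ausearch -a for:", correlate(ORIGINAL_RULE, LOGS))
    print("revised rule runs ausearch -a for: ", correlate(REVISED_RULE, LOGS))
```

With the original rule the root SYSCALL 15584 opens the single operation, the uid=12653 SYSCALL is correctly rejected by the lookahead, but the FS_WATCH for 15585 still closes that operation and ausearch is run for 15585 (the 12653 event). With the revised rule pattern2 is compiled with the literal id 15584, so the 15585 FS_WATCH is ignored and only the constructed 15590 pair fires.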
