Hi Everybody,

I'm on my second day of struggling to get this rule working, but with no results.

What I want to achieve:
1. I have 3 auditd log messages: SYSCALL, CWD, PATH
2. I want to correlate these messages by the fields time_id and event_id
3. Generate one correlation rule with:
    a) all fields from the SYSCALL message
    b) one field (cwd) from the CWD message
    c) one field (name) from the PATH message

ISSUE:
1. Only fields from the SYSCALL message are inserted into the CORRELATED event.
2. Fields from CWD and PATH are empty.

Question:
How can I get this to work? Your help would be kindly appreciated.

*Rule:*
type=EventGroup3
ptype=RegExp
pattern=type=CWD msg=audit\((\d+\.\d+):(\d+)\):\s+cwd="(.+?)"
varmap=vcwd; time=1; event_id=2; cwd=3
ptype2=RegExp
pattern2=type=PATH msg=audit\((\d+\.\d+):(\d+)\): item=\d+ name="(.+?)" (inode=|objtype=).*
varmap2= time=1; event_id=2; obj_name=3
ptype3=RegExp
pattern3=type=SYSCALL msg=audit\((\d+\.\d+):(\d+)\): arch=(.+?) syscall=(\d+) success=(.+?).+?ppid=(\d+) pid=(\d+) auid=(\d+) uid=(\d+) gid=(\d+) euid=(\d+) suid=(\d+) fsuid=(\d+) egid=(\d+) sgid=(\d+) fsgid=(\d+) tty=(.+?) ses=\d+ comm="(.+?)" exe="(.+?)" key=\(.+?\)
varmap3= time=1; event_id=2; arch=3; syscall=4; success=5; ppid=6; pid=7; auid=8; uid=9; gid=10; euid=11; suid=12; fsuid=13; egid=14; sgid=15; fsgid=16; tty=17; comm=18; exe=19; key=20
desc=Rules matched $+{time}_$+{event_id}
action=create FINAL_MATCH_$+{time}_$+{event_id}; event type=SYSCALL msg=audit($+{time}:$+{event_id}): arch=$+{arch} syscall=$+{syscall} success=$+{success} ppid=$+{ppid} pid=$+{pid} auid=$+{auid} uid=$+{uid} gid=$+{gid} euid=$+{euid} suid=$+{suid} fsuid=$+{fsuid} egid=$+{egid} sgid=$+{sgid} fsgid=$+{fsgid} tty=$+{tty} comm=$+{comm} exe=$+{exe} key=$+{key} cwd=$:{vcwd:cwd} obj_name=$+{obj_name}
init=create $+{time}_$+{event_id} 20
slide=delete $+{time}_$+{event_id}; reset 0
end=delete $+{time}_$+{event_id}
window=20

*SEC service configuration:*
[Service]
Type=forking
PIDFile=/run/sec.pid
ExecStart=/usr/bin/sec --detach --pid=/run/sec.pid --conf=/etc/sec/auditd-sec.conf --input=/var/log/audit/audit.log --log=/var/log/sec.log --intevents --syslog=20 --debug=6 --dump=/tmp/sec_dump --bufsize=100

*Raw log input:*
type=SYSCALL msg=audit(1479282206.600:23242): arch=c000003e syscall=2 success=yes exit=3 a0=7ffede744e2a a1=0 a2=0 a3=7ffede743d80 items=1 ppid=16533 pid=16670 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=10 comm="tail" exe="/usr/bin/tail" key=(null)
type=CWD msg=audit(1479282206.600:23242):  cwd="/home/user"
type=PATH msg=audit(1479282206.600:23242): item=0 name="/var/log/sec" inode=16837888 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL


-- 
Best regards,
Nikolay
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
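The merging the post asks for, shown as a stand-alone example rather than as a fix to the SEC rule above (added here; not code from the post or from SEC): audit records are grouped by their audit id, the `time:serial` pair inside `msg=audit(...)`, which is what ties a SYSCALL record to its CWD and PATH records. The group is emitted once all required record types have arrived, and a group that never completes stays pending so it can be inspected or expired. The sample input is the three records from the post, joined back onto one line each; the field selection (all SYSCALL fields, `cwd` from CWD, `name` from PATH renamed to `obj_name`) mirrors the rule's `action`. Function names and the `WANTED` table are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: the three audit records quoted in the post, one per line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479282206.600:23242): arch=c000003e syscall=2 success=yes exit=3 a0=7ffede744e2a a1=0 a2=0 a3=7ffede743d80 items=1 ppid=16533 pid=16670 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=10 comm="tail" exe="/usr/bin/tail" key=(null)
type=CWD msg=audit(1479282206.600:23242):  cwd="/home/user"
type=PATH msg=audit(1479282206.600:23242): item=0 name="/var/log/sec" inode=16837888 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
"""

# Record header: type and the audit id (time.serial) that links related records.
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value tokens; a value is either double-quoted or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Which fields each record type contributes to the merged event
# (None = every field of that record).
WANTED = {
    'SYSCALL': None,
    'CWD': ('cwd',),
    'PATH': ('name',),
}


def parse_record(line):
    """Split one audit record into (type, time, serial, {field: value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, time, serial, body = m.groups()
    fields = {}
    for k, v in KV_RE.findall(body):
        if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
            v = v[1:-1]          # strip quoting around paths and command names
        fields[k] = v
    return rtype, time, serial, fields


def correlate(lines, required=('SYSCALL', 'CWD', 'PATH')):
    """Group records by audit id; return (completed merged events, pending groups)."""
    groups = OrderedDict()       # audit id -> (set of seen types, merged fields)
    merged_events = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, time, serial, fields = rec
        if rtype not in WANTED:
            continue
        audit_id = f'{time}:{serial}'
        seen, merged = groups.setdefault(
            audit_id, (set(), {'time': time, 'event_id': serial}))
        keep = WANTED[rtype]
        for k, v in fields.items():
            if keep is None or k in keep:
                # PATH's 'name' becomes obj_name; the first PATH item wins,
                # so a later item=1 record does not overwrite it.
                out = 'obj_name' if (rtype, k) == ('PATH', 'name') else k
                merged.setdefault(out, v)
        seen.add(rtype)
        if seen.issuperset(required):
            merged_events.append(merged)
            del groups[audit_id]
    return merged_events, groups


def render(merged):
    """Serialise a merged event in the same shape as the rule's synthetic event."""
    head = f"type=SYSCALL msg=audit({merged['time']}:{merged['event_id']}):"
    rest = ' '.join(f'{k}={v}' for k, v in merged.items()
                    if k not in ('time', 'event_id'))
    return f'{head} {rest}'


if __name__ == '__main__':
    events, pending = correlate(SAMPLE_LOG.splitlines())
    for ev in events:
        print(render(ev))
    for audit_id in pending:
        print(f'incomplete group: {audit_id}')
```

Running it prints one merged line carrying every SYSCALL field plus `cwd=/home/user` and `obj_name=/var/log/sec`. Feeding only the SYSCALL record leaves the group in `pending`, which is where a timeout (the rule's `window=20`) would expire it.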