Hi Risto,
thank you for your previous help, and my apologies for disturbing you.
I had thought I understood how to build a new correlation for EXECVE
messages, but I have run into the next problem.
I'm receiving these messages in this order: SYSCALL, EXECVE, CWD and PATH.
Depending on the activity, these messages can arrive in the following tuples:
1. SYSCALL, *EXECVE*, CWD and PATH.
For example:
type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59
success=yes exit=0 a0=1d69a20 a1=1d69eb0 a2=1d71f00 a3=7fffe789d4a0 items=2
ppid=25160 pid=25161 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=12 comm="file" exe="/usr/bin/file" key=(null)
type=*EXECVE* msg=audit(1479314721.962:46624): *argc=3 a0="file" a1="-b"
a2="audit/audit.log"*
type=CWD msg=audit(1479314721.962:46624): cwd="/var/log"
type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file"
inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
objtype=NORMAL
type=PATH msg=audit(1479314721.962:46624): item=1
name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
From the message type=EXECVE I need to extract the field *argc* and all fields which
start with *a*.
The field argc indicates how many arguments are described next.
The fields a[0-9]{1,} have the arguments quoted in "".
2. SYSCALL, CWD and PATH (PATH with field item=1 is preferred).
For example:
type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2
success=yes exit=4 a0=1e804e0 a1=200c2 a2=180 a3=3 items=2 ppid=16576
pid=25277 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts3 ses=16 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1479314815.075:46733): cwd="/etc/default"
type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/"
inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=PATH msg=audit(1479314815.075:46733): item=1
name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600
ouid=0 ogid=0 rdev=00:00 objtype=CREATE
So I can't find a way to make my config work for this. The way I think of
resolving this task is:
1. Wait for 2 messages: SYSCALL and EXECVE. If they match, then produce a new
event SYSCALL + EXECVE. If not, then produce only SYSCALL.
2. Correlate (SYSCALL+EXECVE or single SYSCALL) with the CWD event and
produce an event.
3. Correlate (SYSCALL+EXECVE+CWD | SYSCALL+CWD) with the PATH event and
send it to the socket.
I have tried these rule types: PAIR, SINGLE, but no luck.
P.S. My previous EventGroup works well but causes some CPU load. That's why I
want to compare the workload for Pair rule types without Contexts and with
minimal varmaps.
Wbr,
Nikolay
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
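The three-step join described in the mail (SYSCALL, optional EXECVE, CWD, then the PATH records), written out as a small Python reference correlator. This is an added example, not code from SEC or from the mail's author; it is meant as a check of what the correlated event should contain before expressing the same logic in SEC rules. It assumes the records of one system call share the msg=audit(ts:serial) id and that the items= field of SYSCALL gives the number of PATH records, which is what both record tuples above show; newer auditd versions also end each event with an EOE record, which this example does not rely on. The sample log is constructed from the two tuples quoted in the mail.

```python
import re

# Constructed sample input, modelled on the two record tuples quoted in the mail.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59 success=yes exit=0 a0=1d69a20 a1=1d69eb0 a2=1d71f00 a3=7fffe789d4a0 items=2 ppid=25160 pid=25161 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12 comm="file" exe="/usr/bin/file" key=(null)
type=EXECVE msg=audit(1479314721.962:46624): argc=3 a0="file" a1="-b" a2="audit/audit.log"
type=CWD msg=audit(1479314721.962:46624): cwd="/var/log"
type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file" inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1479314721.962:46624): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2 success=yes exit=4 a0=1e804e0 a1=200c2 a2=180 a3=3 items=2 ppid=16576 pid=25277 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=16 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1479314815.075:46733): cwd="/etc/default"
type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/" inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=PATH msg=audit(1479314815.075:46733): item=1 name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ID_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
SYSCALL_KEYS = ("syscall", "success", "exit", "pid", "ppid", "auid", "uid", "comm", "exe", "key")


def parse_record(line):
    """Split one record into key=value fields; 'id' is the (ts, serial) pair from
    msg=audit(ts:serial) that every record of one system call shares."""
    fields = dict(KV_RE.findall(line))
    match = ID_RE.search(fields.get("msg", ""))
    if "type" not in fields or match is None:
        return None
    fields["id"] = (match.group(1), int(match.group(2)))
    return fields


def unquote(value):
    """Strings are double-quoted; auditd emits an unquoted hex string instead
    when the value contains spaces or non-printable bytes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def execve_args(rec):
    """Rebuild argv from an EXECVE record: argc says how many a<N> fields follow."""
    argv = []
    for i in range(int(rec.get("argc", 0))):
        if f"a{i}" not in rec:
            break  # truncated record: keep the arguments that did arrive
        argv.append(unquote(rec[f"a{i}"]))
    return argv


class AuditCorrelator:
    """Joins SYSCALL, optional EXECVE, CWD and PATH records by id and emits one
    event once items= (from SYSCALL) PATH records are in; EXECVE and CWD
    precede the PATH records, so they have arrived by then."""

    def __init__(self):
        self.pending = {}

    def feed(self, line):
        rec = parse_record(line)
        if rec is None:
            return None
        ev = self.pending.setdefault(rec["id"], {"paths": {}})
        if rec["type"] == "SYSCALL":
            ev.update({k: rec.get(k) for k in SYSCALL_KEYS})
            ev["items"] = int(rec.get("items", 0))
        elif rec["type"] == "EXECVE":
            ev["argv"] = execve_args(rec)
        elif rec["type"] == "CWD":
            ev["cwd"] = unquote(rec["cwd"])
        elif rec["type"] == "PATH":
            ev["paths"][int(rec["item"])] = rec
        if "items" in ev and len(ev["paths"]) >= ev["items"]:
            return self._emit(rec["id"], self.pending.pop(rec["id"]))
        return None

    def flush(self):
        """Emit whatever never completed (lost records); call this on a timer."""
        out = [self._emit(ev_id, ev) for ev_id, ev in self.pending.items()]
        self.pending.clear()
        return out

    @staticmethod
    def _emit(ev_id, ev):
        # The highest PATH item (item=1 in the mail's examples) names the object
        # the call acted on; item=0 is the parent directory or the binary.
        path = ev["paths"][max(ev["paths"])] if ev["paths"] else {}
        out = {k: ev.get(k) for k in SYSCALL_KEYS}
        out.update(id="%s:%d" % ev_id, comm=unquote(out["comm"] or ""),
                   exe=unquote(out["exe"] or ""), cwd=ev.get("cwd"),
                   argv=ev.get("argv"),  # None when no EXECVE record came
                   path=unquote(path["name"]) if path else None,
                   objtype=path.get("objtype"))
        return out


def correlate(lines):
    """Feed every line through one correlator and return the emitted events."""
    corr = AuditCorrelator()
    events = [ev for ev in map(corr.feed, lines) if ev is not None]
    return events + corr.flush()
```

Running `correlate(SAMPLE_LOG.splitlines())` yields two events: the first carries `argv` rebuilt from argc and the a0..a2 fields plus cwd and the item=1 PATH name, the second has `argv` set to None because no EXECVE record exists for the open() call, which is exactly the SYSCALL-only branch of step 1 in the mail. Keying completion on items= rather than on a fixed pair of record types is what lets the same rule handle both tuples without a context per event.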