..forgot to mention that the ruleset example from my previous e-mail assumes the use of --intcontexts command line option ('cevent' action needs this).

regards,
risto
2016-11-19 1:24 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
> hi Nikolay,
>
> hopefully my e-mail is not too confusing, but I've played a little bit
> with linux auditd logs today and checked their format. At least on my
> laptop, it appears that the messages are always consecutive. In other
> words, the messages with the same timestamp and eventID (the value
> that is present in the msg=audit(...) field) are not interleaved with
> messages that have different timestamps and eventIDs. I'm not sure you
> have the same situation, but if your auditd logs share the same
> property I have observed, I would not write event correlation rules
> for joining lines together, but would do it with multiline patterns.
>
> One possible strategy is the following: 1) normalize multiline auditd
> messages into single-line messages, so that for each (timestamp,
> eventID) tuple there is only one line, 2) write the rest of your rules
> for the single line format
>
> Let me illustrate this strategy with the following simple rules:
>
> # normalize multiline auditd events
> # join two last lines in the input buffer if their timestamps and event ID's are identical
> # (note that this rule will keep joining lines in sec input buffer until a line appears
> # that has different timestamp and/or event ID)
> # Please note that the backreference construct \2 refers to data previously matched
> # by ([\d:.]+)
>
> type=Single
> ptype=RegExp2
> pattern=^(type=\w+ msg=audit\(([\d:.]+)\):.*)\n(type=\w+ msg=audit\(\2\).*)
> context=!AUDIT
> desc=join two last lines in input buffer if their ID's are identical
> action=rewrite 2 $1 $3
>
> # normalize multiline auditd events
> # after we have seen a line that has different timestamp and/or event ID,
> # generate a synthetic event from all lines that have been joined previously
>
> type=Single
> ptype=RegExp2
> pattern=^(type=\w+ msg=audit\([\d:.]+\):.+)\n
> context=!AUDIT
> desc=generate a synthetic event for normalized auditd message
> action=cevent AUDIT 0 $1
>
> # a simplistic example rule for processing normalized auditd events
>
> type=Single
> ptype=RegExp
> pattern=^type=SYSCALL .* syscall=(?<syscall>\d+) .* type=CWD .* cwd="(?<cwd>.+?)" type=PATH .* name="(?<name>.+?)" (?:inode|objtype)=
> context=AUDIT
> desc=process the normalized audit event
> action=write test.log $+{syscall} $+{cwd} $+{name}
>
>
> Apart from the above strategy, you could just write a couple of RegExp4
> and RegExp5 rules for handling all combinations of event sequences,
> provided that the number of such combinations is reasonable. Please
> make sure you are using backreferences to match the repeated
> occurrence of the same timestamp and event ID, in order to match
> multiple lines that indeed belong together. If you are worried about
> performance, I would suggest to benchmark both approaches against your
> input data (let sec run for a while and check its CPU consumption with
> the SIGUSR1 signal).
>
> Last note -- if messages that represent the same auditd event are
> *not* consecutive and other lines can randomly appear in between these
> messages, the above techniques will not work, and augmenting my
> previous suggestion with one PairWithWindow rule might be a better
> option.
>
> kind regards,
> risto
>
> 2016-11-18 22:53 GMT+02:00 Nikolay Srebniuk <nikolay.srebn...@tonicforhealth.com>:
>> Hi Risto,
>>
>> thank you for previous help and my apologies for disturbing you.
>>
>> I had thought I understood how to build a new correlation for EXECVE messages.
>> But I have faced the next problem again.
>>
>> I'm receiving these messages in order: SYSCALL, EXECVE, CWD and PATH.
>>
>> Depending on activity these messages can arrive in such tuples:
>>
>> 1. SYSCALL, EXECVE, CWD and PATH.
>>
>> For example:
>>
>> type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59 success=yes exit=0 a0=1d69a20 a1=1d69eb0 a2=1d71f00 a3=7fffe789d4a0 items=2 ppid=25160 pid=25161 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12 comm="file" exe="/usr/bin/file" key=(null)
>> type=EXECVE msg=audit(1479314721.962:46624): argc=3 a0="file" a1="-b" a2="audit/audit.log"
>> type=CWD msg=audit(1479314721.962:46624): cwd="/var/log"
>> type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file" inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
>> type=PATH msg=audit(1479314721.962:46624): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
>>
>> From message type=EXECVE I need to extract field argc and all fields which start with a.
>> Field argc indicates how many arguments are described next.
>> Fields a[0-9]{1,} have arguments quoted in "".
>>
>> 2. SYSCALL, CWD and PATH (PATH with field item=1 is preferred).
>>
>> For example:
>>
>> type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2 success=yes exit=4 a0=1e804e0 a1=200c2 a2=180 a3=3 items=2 ppid=16576 pid=25277 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=16 comm="vi" exe="/usr/bin/vi" key=(null)
>> type=CWD msg=audit(1479314815.075:46733): cwd="/etc/default"
>> type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/" inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
>> type=PATH msg=audit(1479314815.075:46733): item=1 name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
>>
>> So I can't find a way to make my config work in this way. The way I think
>> to resolve this task:
>>
>> 1. Wait for 2 messages: SYSCALL and EXECVE. If it matches then produce a new
>> event SYSCALL + EXECVE. If not then it produces only SYSCALL
>>
>> 2. Correlate ( SYSCALL+EXECVE or single SYSCALL ) with CWD event and produce
>> event
>>
>> 3. Correlate ( SYSCALL+EXECVE + CWD | SYSCALL + CWD) with PATH event and
>> send to socket.
>>
>>
>> I have tried these rule types: PAIR, SINGLE, but no luck
>>
>> P.S. My previous EventGroup works well but makes some CPU load. That's why I
>> want to compare workload for Pair rule types without Contexts and with
>> minimum varmaps
>>
>> Wbr,
>> Nikolay
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
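The two-step strategy from the thread (join consecutive auditd records that share the same timestamp and event ID into one line, then extract fields from the single-line form) as an added, stand-alone Python example. This is not SEC's code and not Risto's or Nikolay's; it re-implements the effect of the RegExp2 `rewrite` + `cevent` rules in plain Python so the normalization can be checked against sample data before writing SEC rules. It makes the same assumption the rules do, namely that records of one event are consecutive in the log, and it handles both tuple shapes Nikolay listed (with and without an EXECVE record). The function names (`normalize`, `parse_fields`, `parse_event`, `summarize`) and the `SAMPLE_LOG` constant are this example's own; the sample lines are the two event sequences quoted in the thread.

```python
import re

# One auditd record per line: type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value fields>
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either "quoted" or bare tokens (e.g. key=(null), a0=1d69a20)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample input: the two event sequences quoted in the thread above
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59 success=yes exit=0 a0=1d69a20 a1=1d69eb0 a2=1d71f00 a3=7fffe789d4a0 items=2 ppid=25160 pid=25161 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12 comm="file" exe="/usr/bin/file" key=(null)
type=EXECVE msg=audit(1479314721.962:46624): argc=3 a0="file" a1="-b" a2="audit/audit.log"
type=CWD msg=audit(1479314721.962:46624): cwd="/var/log"
type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file" inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1479314721.962:46624): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2 success=yes exit=4 a0=1e804e0 a1=200c2 a2=180 a3=3 items=2 ppid=16576 pid=25277 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=16 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1479314815.075:46733): cwd="/etc/default"
type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/" inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=PATH msg=audit(1479314815.075:46733): item=1 name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
"""


def normalize(lines):
    """Step 1: join consecutive records sharing (timestamp, serial) into one line.

    This mirrors the RegExp2 'rewrite' rule (keep joining while the ID repeats) and
    the 'cevent' rule (emit the joined line once a record with another ID arrives).
    Assumption, as in the thread: records of one event are never interleaved.
    """
    events, current_key, current = [], None, []
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record; ignored
        key = (m.group('ts'), m.group('serial'))
        if key != current_key and current:
            events.append(' '.join(current))
            current = []
        current_key = key
        current.append(line.strip())
    if current:  # flush the last event at end of input
        events.append(' '.join(current))
    return events


def parse_fields(body):
    """Turn 'k=v k2="quoted v"' into a dict; bare values keep their raw text."""
    fields = {}
    for name, raw, quoted in FIELD_RE.findall(body):
        fields[name] = quoted if raw.startswith('"') else raw
    return fields


def parse_event(event):
    """Step 2: pull syscall, cwd, EXECVE argv and the PATH entries out of one normalized line.

    'argv' stays None when the event carried no EXECVE record (Nikolay's second tuple).
    'path'/'objtype' come from the highest item= PATH entry (item=1 in the examples).
    Real auditd hex-encodes EXECVE arguments containing spaces; this example does not decode those.
    """
    out = {'event_id': None, 'syscall': None, 'exe': None, 'success': None,
           'cwd': None, 'argv': None, 'paths': [], 'path': None, 'objtype': None}
    for record in re.split(r' (?=type=\w+ msg=audit\()', event):
        m = HEADER_RE.match(record)
        if not m:
            continue
        out['event_id'] = '%s:%s' % (m.group('ts'), m.group('serial'))
        f = parse_fields(m.group('body'))
        rtype = m.group('type')
        if rtype == 'SYSCALL':
            out['syscall'], out['exe'], out['success'] = f.get('syscall'), f.get('exe'), f.get('success')
        elif rtype == 'EXECVE':
            argc = int(f.get('argc', 0))  # argc says how many a<N> fields follow
            out['argv'] = [f.get('a%d' % i) for i in range(argc)]
        elif rtype == 'CWD':
            out['cwd'] = f.get('cwd')
        elif rtype == 'PATH':
            out['paths'].append({'item': int(f.get('item', 0)),
                                 'name': f.get('name'), 'objtype': f.get('objtype')})
    if out['paths']:
        last = max(out['paths'], key=lambda p: p['item'])
        out['path'], out['objtype'] = last['name'], last['objtype']
    return out


def summarize(text):
    """Run both steps over raw log text and return one dict per auditd event."""
    return [parse_event(e) for e in normalize(text.splitlines())]


if __name__ == '__main__':
    for ev in summarize(SAMPLE_LOG):
        print(ev['event_id'], 'syscall=%s' % ev['syscall'], 'cwd=%s' % ev['cwd'],
              'path=%s' % ev['path'], 'argv=%r' % ev['argv'])
```

If the consecutive-records assumption does not hold on a given host (Risto's last note), `normalize` would have to key a dictionary on `(timestamp, serial)` and flush entries after a timeout instead of flushing on the first ID change, which is the role the PairWithWindow rule plays on the SEC side.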