Hi Risto, thanks for the great ideas. I'll work with different scenarios and will give feedback with my working examples.
Regards,
Nikolay

On Sat, Nov 19, 2016 at 1:34 AM, Risto Vaarandi <[email protected]> wrote:
> ..forgot to mention that the ruleset example from my previous e-mail
> assumes the use of the --intcontexts command line option ('cevent' action
> needs this).
>
> regards,
> risto
>
> 2016-11-19 1:24 GMT+02:00 Risto Vaarandi <[email protected]>:
> > hi Nikolay,
> >
> > hopefully my e-mail is not too confusing, but I've played a little bit
> > with linux auditd logs today and checked their format. At least on my
> > laptop, it appears that the messages are always consecutive. In other
> > words, the messages with the same timestamp and eventID (the value
> > that is present in the msg=audit(...) field) are not interleaved with
> > messages that have different timestamps and eventIDs. I'm not sure you
> > have the same situation, but if your auditd logs share the same
> > property I have observed, I would not write event correlation rules
> > for joining lines together, but would do it with multiline patterns.
> >
> > One possible strategy is the following: 1) normalize multiline auditd
> > messages into single-line messages, so that for each (timestamp,
> > eventID) tuple there is only one line, 2) write the rest of your rules
> > for the single line format
> >
> > Let me illustrate this strategy with the following simple rules:
> >
> > # normalize multiline auditd events
> > # join two last lines in the input buffer if their timestamps and
> > # event ID's are identical
> > # (note that this rule will keep joining lines in sec input buffer
> > # until a line appears that has different timestamp and/or event ID)
> > # Please note that the backreference construct \2 refers to data
> > # previously matched by ([\d:.]+)
> >
> > type=Single
> > ptype=RegExp2
> > pattern=^(type=\w+ msg=audit\(([\d:.]+)\):.*)\n(type=\w+ msg=audit\(\2\).*)
> > context=!AUDIT
> > desc=join two last lines in input buffer if their ID's are identical
> > action=rewrite 2 $1 $3
> >
> > # normalize multiline auditd events
> > # after we have seen a line that has different timestamp and/or event ID,
> > # generate a synthetic event from all lines that have been joined previously
> >
> > type=Single
> > ptype=RegExp2
> > pattern=^(type=\w+ msg=audit\([\d:.]+\):.+)\n
> > context=!AUDIT
> > desc=generate a synthetic event for normalized auditd message
> > action=cevent AUDIT 0 $1
> >
> > # a simplistic example rule for processing normalized auditd events
> >
> > type=Single
> > ptype=RegExp
> > pattern=^type=SYSCALL .* syscall=(?<syscall>\d+) .* type=CWD .* cwd="(?<cwd>.+?)" type=PATH .* name="(?<name>.+?)" (?:inode|objtype)=
> > context=AUDIT
> > desc=process the normalized audit event
> > action=write test.log $+{syscall} $+{cwd} $+{name}
> >
> >
> > Apart from the above strategy, you could just write a couple of Regexp4
> > and RegExp5 rules for handling all combinations of event sequences,
> > provided that the number of such combinations is reasonable. Please
> > make sure you are using backreferences to match the repeated
> > occurrence of the same timestamp and event ID, in order to match
> > multiple lines that indeed belong together. If you are worried about
> > performance, I would suggest to benchmark both approaches against your
> > input data (let sec run for a while and check its CPU consumption with
> > the SIGUSR1 signal).
> >
> > Last note -- if messages that represent the same auditd event are
> > *not* consecutive and other lines can randomly appear in between these
> > messages, the above techniques will not work, and augmenting my
> > previous suggestion with one PairWithWindow rule might be a better
> > option.
> >
> > kind regards,
> > risto
> >
> > 2016-11-18 22:53 GMT+02:00 Nikolay Srebniuk <[email protected]>:
> >> Hi Risto,
> >>
> >> thank you for previous help and my apologies for disturbing you.
> >>
> >> I had thought I understood how to build new correlation for EXECVE messages.
> >> But now I have run into the next problem.
> >>
> >> I'm receiving these messages in order: SYSCALL, EXECVE, CWD and PATH.
> >>
> >> Depending on activity, these messages can arrive in such tuples:
> >>
> >> 1. SYSCALL, EXECVE, CWD and PATH.
> >>
> >> For example:
> >>
> >> type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59 success=yes exit=0 a0=1d69a20 a1=1d69eb0 a2=1d71f00 a3=7fffe789d4a0 items=2 ppid=25160 pid=25161 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12 comm="file" exe="/usr/bin/file" key=(null)
> >> type=EXECVE msg=audit(1479314721.962:46624): argc=3 a0="file" a1="-b" a2="audit/audit.log"
> >> type=CWD msg=audit(1479314721.962:46624): cwd="/var/log"
> >> type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file" inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
> >> type=PATH msg=audit(1479314721.962:46624): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
> >>
> >> From message type=EXECVE I need to extract field argc and all fields which
> >> start with a.
> >> Field argc indicates how many arguments are described next.
> >> Field a[0-9]{1,} has arguments quoted in "".
> >>
> >> 2. SYSCALL, CWD and PATH (PATH with field item=1 is preferred).
> >>
> >> For example:
> >>
> >> type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2 success=yes exit=4 a0=1e804e0 a1=200c2 a2=180 a3=3 items=2 ppid=16576 pid=25277 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=16 comm="vi" exe="/usr/bin/vi" key=(null)
> >> type=CWD msg=audit(1479314815.075:46733): cwd="/etc/default"
> >> type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/" inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
> >> type=PATH msg=audit(1479314815.075:46733): item=1 name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
> >>
> >> So I can't find a way to make my config work in this way. The way I think
> >> to resolve this task:
> >>
> >> 1. Wait for 2 messages: SYSCALL and EXECVE. If it matches then produce a new
> >> event SYSCALL + EXECVE. If not then it produces only SYSCALL
> >>
> >> 2. Correlate ( SYSCALL+EXECVE or single SYSCALL ) with CWD event and produce
> >> event
> >>
> >> 3. Correlate ( SYSCALL+EXECVE + CWD | SYSCALL + CWD) with PATH event and
> >> send to socket.
> >>
> >>
> >> I have tried these rule types: PAIR, SINGLE, but no luck
> >>
> >> P.S. My previous EventGroup works well but makes some CPU load. That's why I
> >> want to compare workload for Pair rule types without Contexts and with
> >> minimum varmaps
> >>
> >> Wbr,
> >> Nikolay
> >>
> >> ------------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Simple-evcorr-users mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >>
>
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
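The normalization strategy from the thread (join consecutive auditd records that share the msg=audit(timestamp:serial) key, then work on the single-line event) written out in Python, as an added example that is not part of the thread and not SEC's own code. It makes the same assumption Risto states: records belonging to one event are consecutive, so a change of key flushes the event, which is what the rewrite/cevent rule pair does with SEC's input buffer. The sample log is constructed from the two event shapes Nikolay posted (an execve with an EXECVE record, an open without one), and the field names below (`ts`, `id`, `argv`, `path`) are this example's choices. It also checks EXECVE argc against the a<N> fields Nikolay wants to extract, and decodes the unquoted hex form auditd uses for arguments containing spaces or non-printable bytes, which the thread's samples do not show.

```python
import re

# Constructed sample auditd records, modelled on the two event shapes in the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=25160 pid=25161 auid=1003 uid=0 comm="file" exe="/usr/bin/file" key=(null)
type=EXECVE msg=audit(1479314721.962:46624): argc=3 a0="file" a1="-b" a2="audit/audit.log"
type=CWD msg=audit(1479314721.962:46624): cwd="/var/log"
type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file" inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1479314721.962:46624): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2 success=yes exit=4 items=2 ppid=16576 pid=25277 auid=1003 uid=0 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1479314815.075:46733): cwd="/etc/default"
type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/" inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=PATH msg=audit(1479314815.075:46733): item=1 name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
"""

# Every auditd record starts with its type and the (timestamp:serial) event key.
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): ?(?P<body>.*)$')
# key=value pairs; values are either double-quoted or a run of non-blanks (e.g. key=(null)).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# EXECVE arguments: a<N>="quoted" or a<N>=HEX (auditd hex-encodes args with spaces/non-printables).
ARG_RE = re.compile(r'\ba(\d+)=(?:"((?:[^"\\]|\\.)*)"|([0-9A-Fa-f]+))')


def normalize(lines):
    """Group consecutive records sharing (timestamp, id) into one event.

    Mirrors the SEC rewrite/cevent pair: keep appending while the key repeats and
    emit the joined event when a record with a different key (or end of input)
    arrives. Assumes one event's records are never interleaved with another's.
    Returns a list of (key, [ {type, body}, ... ]).
    """
    events, current_key, buf = [], None, []
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue                      # not an audit record (blank line etc.)
        key = (m['ts'], m['id'])
        if key != current_key and buf:    # key changed: flush the finished event
            events.append((current_key, buf))
            buf = []
        current_key = key
        buf.append({'type': m['type'], 'body': m['body']})
    if buf:
        events.append((current_key, buf))
    return events


def parse_body(body):
    """Turn 'k=v k="v v"' into a dict, stripping surrounding quotes."""
    return {k: (v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v)
            for k, v in KV_RE.findall(body)}


def execve_args(body):
    """Return argv from an EXECVE record body, validating it against argc.

    Raises if an a<N> index exceeds argc or an argument is missing, which is what
    happens when auditd splits a long argument list over several EXECVE records.
    """
    m = re.search(r'\bargc=(\d+)', body)
    if not m:
        raise ValueError('EXECVE record without argc')
    argc = int(m.group(1))
    argv = [None] * argc
    for n, quoted, hexed in ARG_RE.findall(body):
        i = int(n)
        if i >= argc:
            raise ValueError(f'a{i} exceeds argc={argc}')
        argv[i] = quoted if hexed == '' else bytes.fromhex(hexed).decode('utf-8', 'replace')
    if any(a is None for a in argv):
        raise ValueError('EXECVE record is missing arguments')
    return argv


def summarize(key, records):
    """Flatten one normalized event into the fields the thread wants to forward.

    PATH item=1 (the file created/opened) is preferred over item=0 (its parent),
    matching Nikolay's preference; argv is None when there is no EXECVE record.
    """
    by_type, paths = {}, {}
    for r in records:
        fields = parse_body(r['body'])
        if r['type'] == 'PATH':
            paths[int(fields.get('item', 0))] = fields.get('name')
        else:
            by_type.setdefault(r['type'], fields)
    sc = by_type.get('SYSCALL', {})
    execve = next((r['body'] for r in records if r['type'] == 'EXECVE'), None)
    return {
        'ts': key[0], 'id': key[1],
        'syscall': sc.get('syscall'), 'exe': sc.get('exe'), 'pid': sc.get('pid'),
        'cwd': by_type.get('CWD', {}).get('cwd'),
        'argv': execve_args(execve) if execve else None,
        'path': paths.get(1, paths.get(0)),
    }


def process(text):
    """Normalize a chunk of audit.log text and summarize every event in it."""
    return [summarize(k, recs) for k, recs in normalize(text.splitlines())]


if __name__ == '__main__':
    for ev in process(SAMPLE_LOG):
        print(ev)
```

The single `current_key` buffer is exactly the consecutive-records assumption; if records of different events can interleave (Risto's last note), replace it with a dict keyed on `(ts, id)` and flush entries on a timeout, the role the PairWithWindow rule would play on the SEC side.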
