[ossec-dev] src/dst user patch
- To: ossec-dev@xxxxxxxxxxxxxxxx
- Subject: [ossec-dev] src/dst user patch
- From: Sebastien Tricaud <sebastien.tricaud@xxxxxxxxx>
- Date: Thu, 02 Aug 2007 16:28:28 +0200
- Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:user-agent:mime-version:to:subject:content-type:from; b=qbAMJThrK9e3+46+wS24lytpWfPK9FCinzVtTjB5FGS+t91J1ZYy6TcmhzwYVtMosfWP/42mnWSGbicbqh9aARkOgMs+d9w71bBbatAf2bqWs27sAIDMJweMrt+2379Uk5qJMHRw3hWtmnzqGpnsButS23SeleS6tuFyzmcL8+w=
Hello people,
the following patch makes things clear towards datastructure and
improves usability.
Previously, when defining/receiving rulesets, you'd never know whether
user meant source user or target user.
Even though it is almost always a target user, things were not clear enough.
For example, when doing:
toady@achilles% su root
Password:
su: Authentication failure
Sorry.
The following email will be now sent:
OSSEC HIDS Notification.
2007 Aug 02 16:18:52
Received From: achilles->/var/log/auth.log
Rule: 5302 fired (level 9) -> "User missed the password to change UID to
root."
Portion of the log(s):
Source User: toady
Target User: root
Aug 2 16:18:51 achilles su[29634]: - pts/3 str:root
--END OF NOTIFICATION
As you can see, the source user here is toady, who is performing a su
into root.
In this patch, rulesets are updated, xml parser and analysis as well.
Feel free to provide any comments,
Thanks,
Sebastien.
diff -Nrudb ossec-snapshot.origin/etc/decoder.xml ossec-snapshot/etc/decoder.xml
--- ossec-snapshot.origin/etc/decoder.xml 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/etc/decoder.xml 2007-08-02 15:37:08.000000000 +0200
@@ -8,8 +8,8 @@
<!--
- Allowed fields:
- location - where the log came from (only on FTS)
- - user - extract the user name
- - dstuser - the destination username (from su)
+ - srcuser - the source username (from su)
+ - dstuser - the destination username
- srcip - source ip
- dstip - dst ip
- srcport - source port
@@ -56,14 +56,14 @@
<parent>pam</parent>
<prematch>rhost=\S+\s+user=\S+</prematch>
<regex>rhost=(\S+)\s+user=(\S+)</regex>
- <order>srcip, user</order>
+ <order>srcip, dstuser</order>
</decoder>
<decoder name="pam-user">
<parent>pam</parent>
<prematch>session opened </prematch>
<regex offset="after_prematch">^for user (\S+) </regex>
- <order>user</order>
+ <order>dstuser</order>
</decoder>
<decoder name="pam-host">
@@ -109,23 +109,23 @@
<parent>sshd</parent>
<prematch>^Accepted</prematch>
<regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
- <order>user, srcip</order>
- <fts>name, user, location</fts>
+ <order>dstuser, srcip</order>
+ <fts>name, dstuser, location</fts>
</decoder>
<decoder name="ssh-denied">
<parent>sshd</parent>
<prematch>^User \S+ from </prematch>
<regex offset="after_parent">^User (\S+) from (\S+) </regex>
- <order>user, srcip</order>
+ <order>dstuser, srcip</order>
</decoder>
<decoder name="sshd-success-solaris">
<parent>sshd</parent>
<prematch>^User </prematch>
<regex offset="after_prematch">^(\S+), comming from (\S+), auth</regex>
- <order>user, srcip</order>
- <fts>name, user, location</fts>
+ <order>dstuser, srcip</order>
+ <fts>name, dstuser, location</fts>
</decoder>
<decoder name="ssh-invfailed">
@@ -139,14 +139,14 @@
<parent>sshd</parent>
<prematch>^Failed \S+ </prematch>
<regex offset="after_prematch">^for (\S+) from (\S+) port \d+ \w+$</regex>
- <order>user, srcip</order>
+ <order>dstuser, srcip</order>
</decoder>
<decoder name="ssh-error">
<parent>sshd</parent>
<prematch>^error: PAM: Authentication </prematch>
<regex offset="after_prematch">^failure for (\S+) from (\S+)$</regex>
- <order>user, srcip</order>
+ <order>dstuser, srcip</order>
</decoder>
<decoder name="ssh-reverse-mapping">
@@ -212,7 +212,7 @@
<parent>smbd</parent>
<prematch>User name:</prematch>
<regex offset="after_prematch">^ (\S+).</regex>
- <order>user</order>
+ <order>dstuser</order>
</decoder>
<decoder name="smbd-ip">
@@ -234,8 +234,8 @@
<decoder name="sudo">
<program_name>^sudo</program_name>
<regex>^\s+(\S+)\s:</regex>
- <order>user</order>
- <fts>name,user,location</fts>
+ <order>dstuser</order>
+ <fts>name,dstuser,location</fts>
<ftscomment>First time user executed the sudo command</ftscomment>
</decoder>
@@ -258,15 +258,15 @@
<regex>^BAD SU (\S+) to (\S+) on|</regex>
<regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
<regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
- <order>user, dstuser</order>
- <fts>name, user, location</fts>
+ <order>srcuser, dstuser</order>
+ <fts>name, dstuser, location</fts>
</decoder>
<decoder name="su">
<prematch>^SU \S+ \S+ </prematch>
<regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
- <order>user, dstuser</order>
- <fts>name, user, location</fts>
+ <order>srcuser, dstuser</order>
+ <fts>name, dstuser, location</fts>
</decoder>
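Review bot: Switching the `<fts>` key of the two su decoders from `user` to `dstuser` changes what "first time seen" means: the old key was per invoking account (first time toady ran su on this host), the new one is per target account, so once anyone has switched to root on a host a later first su by a different account raises no FTS alert. If the per-invoker behaviour is wanted, keep the source account in the key, `<fts>name, srcuser, location</fts>` (the decoder parser in this patch accepts `srcuser` in fts), or include both: `<fts>name, srcuser, dstuser, location</fts>`.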
@@ -289,8 +289,8 @@
<prematch>: Login successful</prematch>
<regex>^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+): </regex>
<regex>Login successful</regex>
- <order>srcip, user</order>
- <fts>name, user, srcip, location</fts>
+ <order>srcip, dstuser</order>
+ <fts>name, dstuser, srcip, location</fts>
</decoder>
<decoder name="proftpd-ip">
@@ -319,14 +319,14 @@
<parent>pure-ftpd</parent>
<prematch>^\S+ [INFO] \S+ is now logged in</prematch>
<regex>^\(?@(\S+)\) [INFO] (\S+) is now logged in</regex>
- <order>srcip, user</order>
- <fts>name, user, srcip, location</fts>
+ <order>srcip, dstuser</order>
+ <fts>name, dstuser, srcip, location</fts>
</decoder>
<decoder name="pure-ftpd-generic">
<parent>pure-ftpd</parent>
<regex>^\((\S+)@(\S+)\) [</regex>
- <order>user,srcip</order>
+ <order>dstuser,srcip</order>
</decoder>
@@ -401,7 +401,7 @@
<decoder name="imapd">
<program_name>^imapd</program_name>
<regex offset="after_prematch">user=(\S+) \.+ [(\d+.\d+.\d+.\d+)]$</regex>
- <order>user,srcip</order>
+ <order>dstuser,srcip</order>
</decoder>
@@ -420,14 +420,14 @@
<parent>vpopmail</parent>
<prematch>^vchkpw-pop3: password fail</prematch>
<regex offset="after_prematch">^ (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex>
- <order>user, srcip</order>
+ <order>dstuser, srcip</order>
</decoder>
<decoder name="vpopmail-notfound">
<parent>vpopmail</parent>
<prematch>^vchkpw-pop3: vpopmail user not </prematch>
<regex offset="after_prematch">^found (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex>
- <order>user, srcip</order>
+ <order>dstuser, srcip</order>
</decoder>
@@ -447,7 +447,7 @@
<parent>courier</parent>
<prematch>^LOGIN, </prematch>
<regex offset="after_prematch">^user=(\S+), ip=[(\S+\d)]$</regex>
- <order>user, srcip</order>
+ <order>dstuser, srcip</order>
</decoder>
<decoder name="courier-generic">
@@ -1023,14 +1023,14 @@
<parent>horde_imp</parent>
<prematch offset="after_parent">^Login success </prematch>
<regex offset="after_prematch">^for (\S+) [(\d+.\d+.\d+.\d+)] </regex>
- <order>user, srcip</order>
+ <order>dstuser, srcip</order>
</decoder>
<decoder name="horde_imp_failed">
<parent>horde_imp</parent>
<prematch offset="after_parent">^FAILED LOGIN</prematch>
<regex offset="after_prematch">^ (\d+.\d+.\d+.\d+) to \S+ as (\S+) </regex>
- <order>srcip, user</order>
+ <order>srcip, dstuser</order>
</decoder>
@@ -1164,7 +1164,7 @@
<prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ MSFTPSVC</prematch>
<regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\S+) \S+ \S+ \S+ </regex>
<regex>\d+ [\d+](\S+) \S+ \S+ (\d+) </regex>
- <order>srcip,user,action,id</order>
+ <order>srcip,dstuser,action,id</order>
</decoder>
@@ -1251,8 +1251,8 @@
<prematch>^WinEvtLog: </prematch>
<regex offset="after_prematch">^\w+: (\w+)\((\d+)\): (\.+): </regex>
<regex>(\.+): \.+: (\S+): </regex>
- <order>status, id, extra_data, user, system_name</order>
- <fts>name, location, user, system_name</fts>
+ <order>status, id, extra_data, dstuser, system_name</order>
+ <fts>name, location, dstuser, system_name</fts>
</decoder>
@@ -1301,8 +1301,8 @@
<prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\w \w\w\w \d\d \d\d</prematch>
<regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
<regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
- <order>id, extra_data, user, status, system_name</order>
- <fts>name, id, location, user, system_name</fts>
+ <order>id, extra_data, dstuser, status, system_name</order>
+ <fts>name, id, location, dstuser, system_name</fts>
</decoder>
diff -Nrudb ossec-snapshot.origin/etc/rules/attack_rules.xml ossec-snapshot/etc/rules/attack_rules.xml
--- ossec-snapshot.origin/etc/rules/attack_rules.xml 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/etc/rules/attack_rules.xml 2007-08-02 16:04:14.000000000 +0200
@@ -21,7 +21,7 @@
<group name="syslog,attacks,">
<rule id="40101" level="12">
<if_group>authentication_success</if_group>
- <user>$SYS_USERS</user>
+ <dstuser>$SYS_USERS</dstuser>
<description>System user sucessfully logged to the system.</description>
<group>invalid_login,</group>
</rule>
diff -Nrudb ossec-snapshot.origin/etc/rules/local_rules.xml ossec-snapshot/etc/rules/local_rules.xml
--- ossec-snapshot.origin/etc/rules/local_rules.xml 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/etc/rules/local_rules.xml 2007-08-02 16:05:03.000000000 +0200
@@ -35,7 +35,7 @@
<!--
<rule id="100020" level="0">
<if_sid>5711</if_sid>
- <user>XYZABC</user>
+ <dstuser>XYZABC</dstuser>
<description>Example of rule that will ignore sshd </description>
<description>failed logins for user XYZABC.</description>
</rule>
diff -Nrudb ossec-snapshot.origin/etc/rules/msauth_rules.xml ossec-snapshot/etc/rules/msauth_rules.xml
--- ossec-snapshot.origin/etc/rules/msauth_rules.xml 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/etc/rules/msauth_rules.xml 2007-08-02 16:04:27.000000000 +0200
@@ -163,7 +163,7 @@
<rule id="18121" level="0">
<if_sid>18119</if_sid>
<id>^528</id>
- <user>^LOCAL SERVICE|^NETWORK SERVICE</user>
+ <dstuser>^LOCAL SERVICE|^NETWORK SERVICE</dstuser>
<match>Logon Type: 5 Logon Process: Advapi</match>
<description>Windows Logon Success (ignored).</description>
</rule>
diff -Nrudb ossec-snapshot.origin/etc/rules/symantec-ws_rules.xml ossec-snapshot/etc/rules/symantec-ws_rules.xml
--- ossec-snapshot.origin/etc/rules/symantec-ws_rules.xml 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/etc/rules/symantec-ws_rules.xml 2007-08-02 16:04:41.000000000 +0200
@@ -42,7 +42,7 @@
<rule id="7420" level="3">
<if_sid>7415</if_sid>
- <user>virtadmin</user>
+ <dstuser>virtadmin</dstuser>
<description>Admin Login success to the web proxy.</description>
<group>authentication_success,</group>
</rule>
diff -Nrudb ossec-snapshot.origin/etc/rules/syslog_rules.xml ossec-snapshot/etc/rules/syslog_rules.xml
--- ossec-snapshot.origin/etc/rules/syslog_rules.xml 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/etc/rules/syslog_rules.xml 2007-08-02 16:03:50.000000000 +0200
@@ -316,7 +316,7 @@
<rule id="5302" level="9">
<if_sid>5301</if_sid>
- <user>^root</user>
+ <dstuser>^root</dstuser>
<description>User missed the password to change UID to root.</description>
<group>authentication_failed,</group>
</rule>
diff -Nrudb ossec-snapshot.origin/src/analysisd/alerts/exec.c ossec-snapshot/src/analysisd/alerts/exec.c
--- ossec-snapshot.origin/src/analysisd/alerts/exec.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/alerts/exec.c 2007-08-02 15:48:14.000000000 +0200
@@ -31,7 +31,7 @@
{
char exec_msg[OS_SIZE_1024 +1];
char *ip;
- char *user;
+ char *dstuser;
/* Cleaning the IP */
@@ -81,13 +81,13 @@
/* Getting username */
- if(lf->user && (ar->ar_cmd->expect & USERNAME))
+ if(lf->dstuser && (ar->ar_cmd->expect & USERNAME))
{
- user = lf->user;
+ dstuser = lf->dstuser;
}
else
{
- user = "-";
+ dstuser = "-";
}
@@ -105,7 +105,7 @@
snprintf(exec_msg, OS_SIZE_1024,
"%s %s %s %d.%ld %d %s",
ar->name,
- user,
+ dstuser,
ip,
lf->time,
ftell(_aflog),
@@ -131,7 +131,7 @@
(ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
ar->agent_id != NULL? ar->agent_id: "(null)",
ar->name,
- user,
+ dstuser,
ip,
lf->time,
ftell(_aflog),
diff -Nrudb ossec-snapshot.origin/src/analysisd/alerts/log.c ossec-snapshot/src/analysisd/alerts/log.c
--- ossec-snapshot.origin/src/analysisd/alerts/log.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/alerts/log.c 2007-08-02 15:49:30.000000000 +0200
@@ -56,7 +56,7 @@
fprintf(_aflog,
"** Alert %d.%ld:%s - %s\n"
"%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
- "Src IP: %s\nUser: %s\n%.1256s\n",
+ "Src IP: %s\nSource User: %s\nTarget User: %s\n%.1256s\n",
lf->time,
ftell(_aflog),
lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
@@ -72,7 +72,8 @@
lf->generated_rule->level,
lf->generated_rule->comment,
lf->srcip == NULL?"(none)":lf->srcip,
- lf->user == NULL?"(none)":lf->user,
+ lf->srcuser == NULL?"(none)":lf->srcuser,
+ lf->dstuser == NULL?"(none)":lf->dstuser,
lf->full_log);
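Review bot: The alerts.log record written here changes from one `User: %s` line to `Source User:` and `Target User:` lines, which is an on-disk format consumed outside this file; any reader that keys on the `User:` label (mail/syslog forwarding or external parsers, which I cannot see from this hunk) will stop finding the username. This deserves an explicit mention in the patch description and a check of every alerts.log consumer in the tree before merging. The enclosing function starts outside the hunk.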
diff -Nrudb ossec-snapshot.origin/src/analysisd/analysisd.c ossec-snapshot/src/analysisd/analysisd.c
--- ossec-snapshot.origin/src/analysisd/analysisd.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/analysisd.c 2007-08-02 16:01:06.000000000 +0200
@@ -852,11 +852,11 @@
do_ar = 1;
if((*rule_ar)->ar_cmd->expect & USERNAME)
{
- if(!lf->user ||
- !OS_PRegex(lf->user,"^[a-zA-Z._0-9@?-]*$"))
+ if(!lf->srcuser ||
+ !OS_PRegex(lf->srcuser,"^[a-zA-Z._0-9@?-]*$"))
{
- if(lf->user)
- merror(CRAFTED_USER, ARGV0, lf->user);
+ if(lf->srcuser)
+ merror(CRAFTED_USER, ARGV0, lf->srcuser);
do_ar = 0;
}
}
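Review bot: The crafted-username guard now validates `lf->srcuser`, but the value that is actually interpolated into the active-response command line is `lf->dstuser` (exec.c in this same patch: `dstuser = lf->dstuser;`), so the string handed to the AR script is no longer checked against `^[a-zA-Z._0-9@?-]*$`. Since almost every decoder touched by this patch sets only `dstuser`, `!lf->srcuser` is also true for ordinary ssh/ftp/pam events and `do_ar` is cleared, which presumably disables user-based active response for them altogether. The check should follow the field exec.c sends: `if(!lf->dstuser || !OS_PRegex(lf->dstuser,"^[a-zA-Z._0-9@?-]*$"))` with `merror(CRAFTED_USER, ARGV0, lf->dstuser);`, and srcuser should get the same treatment if it is ever forwarded. The enclosing function starts and ends outside the hunk.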
@@ -951,7 +951,7 @@
* regex,
* url,
* id,
- * user,
+ * srcuser,
* maxsize,
* protocol,
* srcip,
@@ -1120,21 +1120,31 @@
if(currently_rule->alert_opts & DO_EXTRAINFO)
{
- /* Checking if exist any user to match */
- if(currently_rule->user)
+ /* Checking if exist any srcuser to match */
+ if(currently_rule->srcuser)
{
- if(lf->dstuser)
+ if(lf->srcuser)
{
- if(!OSMatch_Execute(lf->dstuser,
- strlen(lf->dstuser),
- currently_rule->user))
+ if(!OSMatch_Execute(lf->srcuser,
+ strlen(lf->srcuser),
+ currently_rule->srcuser))
return(NULL);
}
- else if(lf->user)
+ else
{
- if(!OSMatch_Execute(lf->user,
- strlen(lf->user),
- currently_rule->user))
+ /* no user set */
+ return(NULL);
+ }
+ }
+
+ /* Checking if exist any dstuser to match */
+ if(currently_rule->dstuser)
+ {
+ if(lf->dstuser)
+ {
+ if(!OSMatch_Execute(lf->dstuser,
+ strlen(lf->dstuser),
+ currently_rule->dstuser))
return(NULL);
}
else
diff -Nrudb ossec-snapshot.origin/src/analysisd/decoders/decoder.c ossec-snapshot/src/analysisd/decoders/decoder.c
--- ossec-snapshot.origin/src/analysisd/decoders/decoder.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/decoders/decoder.c 2007-08-02 15:38:52.000000000 +0200
@@ -268,9 +268,9 @@
lf->dstuser = field;
return(NULL);
}
-void *User_FP(Eventinfo *lf, char *field)
+void *SrcUser_FP(Eventinfo *lf, char *field)
{
- lf->user = field;
+ lf->srcuser = field;
return(NULL);
}
void *SrcIP_FP(Eventinfo *lf, char *field)
diff -Nrudb ossec-snapshot.origin/src/analysisd/decoders/decode-xml.c ossec-snapshot/src/analysisd/decoders/decode-xml.c
--- ossec-snapshot.origin/src/analysisd/decoders/decode-xml.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/decoders/decode-xml.c 2007-08-02 15:40:26.000000000 +0200
@@ -535,9 +535,9 @@
{
pi->order[order_int] = (void *)DstUser_FP;
}
- else if(strstr(*norder, "user") != NULL)
+ else if(strstr(*norder, "srcuser") != NULL)
{
- pi->order[order_int] = (void *)User_FP;
+ pi->order[order_int] = (void *)SrcUser_FP;
}
else if(strstr(*norder, "srcip") != NULL)
{
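Review bot: With the `user` keyword dropped from the `<order>` chain, a site-local decoder that still says `<order>user, srcip</order>` reaches whatever the tail of this else-if chain does, which is not visible here; at minimum the behaviour should be a loud error, and a deprecation alias is friendlier. A short branch after the `srcuser` case, `else if(strstr(*norder, "user") != NULL) { merror("%s: 'user' is deprecated, use 'dstuser'", ARGV0); pi->order[order_int] = (void *)DstUser_FP; }`, keeps existing decoders loading with the semantics the old rule matcher gave them (dstuser first). Note that `strstr` is a substring test, so the new `srcuser` case is only safe because `dstuser` is already checked above it. The enclosing function starts and ends outside the hunk.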
@@ -625,9 +625,9 @@
{
pi->fts|=FTS_DSTUSER;
}
- else if(strstr(*norder, "user") != NULL)
+ else if(strstr(*norder, "srcuser") != NULL)
{
- pi->fts|=FTS_USER;
+ pi->fts|=FTS_SRCUSER;
}
else if(strstr(*norder, "srcip") != NULL)
{
diff -Nrudb ossec-snapshot.origin/src/analysisd/decoders/plugins/symantecws_decoder.c ossec-snapshot/src/analysisd/decoders/plugins/symantecws_decoder.c
--- ossec-snapshot.origin/src/analysisd/decoders/plugins/symantecws_decoder.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/decoders/plugins/symantecws_decoder.c 2007-08-02 15:51:28.000000000 +0200
@@ -72,9 +72,9 @@
}
buf_str[count] = '\0';
- if(!lf->user)
+ if(!lf->dstuser)
{
- os_strdup(buf_str, lf->user);
+ os_strdup(buf_str, lf->dstuser);
}
}
diff -Nrudb ossec-snapshot.origin/src/analysisd/eventinfo.c ossec-snapshot/src/analysisd/eventinfo.c
--- ossec-snapshot.origin/src/analysisd/eventinfo.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/eventinfo.c 2007-08-02 15:50:33.000000000 +0200
@@ -121,10 +121,10 @@
/* Checking for repetitions on user error */
if(currently_rule->context_opts & SAME_USER)
{
- if((!lf->user)||(!my_lf->user))
+ if((!lf->dstuser)||(!my_lf->dstuser))
continue;
- if(strcmp(lf->user,my_lf->user) != 0)
+ if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
continue;
}
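Review bot: `SAME_USER` correlation now compares `dstuser`, which for the su decoders is the target account rather than the account attempting the switch; a frequency rule that previously grouped repeated su failures by the user making them will now group every user failing to become root into one counter. That may be acceptable, but it is a silent change in what `<same_user/>` means for su events and is not mentioned in the patch description. Either document it, or compare `srcuser` when both events carry one and fall back to `dstuser` otherwise. The enclosing function starts and ends outside the hunk.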
@@ -280,10 +280,10 @@
/* Checking for repetitions on user error */
if(currently_rule->context_opts & SAME_USER)
{
- if((!lf->user)||(!my_lf->user))
+ if((!lf->dstuser)||(!my_lf->dstuser))
continue;
- if(strcmp(lf->user,my_lf->user) != 0)
+ if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
continue;
}
@@ -410,10 +410,10 @@
/* Checking for repetitions on user error */
if(currently_rule->context_opts & SAME_USER)
{
- if((!lf->user)||(!my_lf->user))
+ if((!lf->dstuser)||(!my_lf->dstuser))
continue;
- if(strcmp(lf->user,my_lf->user) != 0)
+ if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
continue;
}
@@ -497,7 +497,7 @@
lf->dstport = NULL;
lf->protocol = NULL;
lf->action = NULL;
- lf->user = NULL;
+ lf->srcuser = NULL;
lf->dstuser = NULL;
lf->id = NULL;
lf->status = NULL;
@@ -547,8 +547,8 @@
free(lf->protocol);
if(lf->action)
free(lf->action);
- if(lf->user)
- free(lf->user);
+ if(lf->srcuser)
+ free(lf->srcuser);
if(lf->status)
free(lf->status);
if(lf->dstuser)
diff -Nrudb ossec-snapshot.origin/src/analysisd/eventinfo.h ossec-snapshot/src/analysisd/eventinfo.h
--- ossec-snapshot.origin/src/analysisd/eventinfo.h 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/eventinfo.h 2007-08-02 15:41:09.000000000 +0200
@@ -37,7 +37,7 @@
char *dstport;
char *protocol;
char *action;
- char *user;
+ char *srcuser;
char *dstuser;
char *id;
char *status;
@@ -96,7 +96,7 @@
/* FTS allowed values */
#define FTS_NAME 001000
-#define FTS_USER 002000
+#define FTS_SRCUSER 002000
#define FTS_DSTUSER 004000
#define FTS_SRCIP 000100
#define FTS_DSTIP 000200
@@ -130,8 +130,8 @@
/* Pointers to the event decoders */
+void *SrcUser_FP(Eventinfo *lf, char *field);
void *DstUser_FP(Eventinfo *lf, char *field);
-void *User_FP(Eventinfo *lf, char *field);
void *SrcIP_FP(Eventinfo *lf, char *field);
void *DstIP_FP(Eventinfo *lf, char *field);
void *SrcPort_FP(Eventinfo *lf, char *field);
diff -Nrudb ossec-snapshot.origin/src/analysisd/fts.c ossec-snapshot/src/analysisd/fts.c
--- ossec-snapshot.origin/src/analysisd/fts.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/fts.c 2007-08-02 15:59:19.000000000 +0200
@@ -141,11 +141,12 @@
fseek(fp_ignore, 0, SEEK_END);
/* Assigning the values to the FTS */
- fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
+ fprintf(fp_ignore, "%s %s %s %s %s %s %s %s %s\n",
(lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))?
lf->decoder_info->name:"",
(lf->id && (lf->generated_rule->ignore & FTS_ID))?lf->id:"",
- (lf->user && (lf->generated_rule->ignore & FTS_USER))?lf->user:"",
+ (lf->srcuser && (lf->generated_rule->ignore & FTS_SRCUSER))?lf->srcuser:"",
+ (lf->dstuser && (lf->generated_rule->ignore & FTS_DSTUSER))?lf->dstuser:"",
(lf->srcip && (lf->generated_rule->ignore & FTS_SRCIP))?
lf->srcip:"",
(lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))?
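Review bot: The ignore-list line written to `fp_ignore` grows from eight to nine space-separated fields with the new `dstuser` column, so entries written by a previous build have one field fewer; if the lookup that reads this file compares whole lines (the reader is outside this hunk, so I cannot confirm), existing ignore entries stop matching after an upgrade. Worth a note in the patch description and, if the reader is line-based, either a one-off migration or tolerating both widths. The enclosing function starts and ends outside the hunk.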
@@ -175,12 +176,14 @@
/* Assigning the values to the FTS */
- snprintf(_line,OS_FLSIZE, "%s %s %s %s %s %s %s %s\n",
+ snprintf(_line,OS_FLSIZE, "%s %s %s %s %s %s %s %s %s\n",
(lf->decoder_info->name && (lf->generated_rule->ckignore & FTS_NAME))?
lf->decoder_info->name:"",
(lf->id && (lf->generated_rule->ckignore & FTS_ID))?lf->id:"",
- (lf->user && (lf->generated_rule->ckignore & FTS_USER))?
- lf->user:"",
+ (lf->srcuser && (lf->generated_rule->ckignore & FTS_SRCUSER))?
+ lf->srcuser:"",
+ (lf->dstuser && (lf->generated_rule->ckignore & FTS_DSTUSER))?
+ lf->dstuser:"",
(lf->srcip && (lf->generated_rule->ckignore & FTS_SRCIP))?
lf->srcip:"",
(lf->dstip && (lf->generated_rule->ckignore & FTS_DSTIP))?
@@ -231,7 +234,7 @@
snprintf(_line, OS_FLSIZE, "%s %s %s %s %s %s %s %s %s",
lf->decoder_info->name,
(lf->id && (lf->decoder_info->fts & FTS_ID))?lf->id:"",
- (lf->user && (lf->decoder_info->fts & FTS_USER))?lf->user:"",
+ (lf->srcuser && (lf->decoder_info->fts & FTS_SRCUSER))?lf->srcuser:"",
(lf->dstuser && (lf->decoder_info->fts & FTS_DSTUSER))?lf->dstuser:"",
(lf->srcip && (lf->decoder_info->fts & FTS_SRCIP))?lf->srcip:"",
(lf->dstip && (lf->decoder_info->fts & FTS_DSTIP))?lf->dstip:"",
diff -Nrudb ossec-snapshot.origin/src/analysisd/rules.c ossec-snapshot/src/analysisd/rules.c
--- ossec-snapshot.origin/src/analysisd/rules.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/rules.c 2007-08-02 15:58:16.000000000 +0200
@@ -81,7 +81,8 @@
char *xml_srcport = "srcport";
char *xml_dstip = "dstip";
char *xml_dstport = "dstport";
- char *xml_user = "user";
+ char *xml_srcuser = "srcuser";
+ char *xml_dstuser = "dstuser";
char *xml_url = "url";
char *xml_id = "id";
char *xml_data = "extra_data";
@@ -327,7 +328,8 @@
char *url = NULL;
char *if_matched_regex = NULL;
char *if_matched_group = NULL;
- char *user = NULL;
+ char *srcuser = NULL;
+ char *dstuser = NULL;
char *id = NULL;
char *srcport = NULL;
char *dstport = NULL;
@@ -497,10 +499,19 @@
if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
config_ruleinfo->alert_opts |= DO_PACKETINFO;
}
- else if(strcasecmp(rule_opt[k]->element,xml_user)==0)
+ else if(strcasecmp(rule_opt[k]->element,xml_srcuser)==0)
{
- user =
- loadmemory(user,
+ srcuser =
+ loadmemory(srcuser,
+ rule_opt[k]->content);
+
+ if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
+ config_ruleinfo->alert_opts |= DO_EXTRAINFO;
+ }
+ else if(strcasecmp(rule_opt[k]->element,xml_dstuser)==0)
+ {
+ dstuser =
+ loadmemory(dstuser,
rule_opt[k]->content);
if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
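Review bot: The rule parser no longer knows the `<user>` element (`xml_user` is removed above), and this hunk adds no deprecated alias, so any local_rules.xml in the field that still uses `<user>` hits the chain's fallthrough, which is outside the hunk and presumably rejects the rule. Keeping a compatibility branch, `else if(strcasecmp(rule_opt[k]->element,"user")==0) { merror("%s: <user> is deprecated, use <dstuser>", ARGV0); dstuser = loadmemory(dstuser, rule_opt[k]->content); ... }` with the same `DO_EXTRAINFO` setting, preserves the old matcher's dstuser-first semantics for existing rules. The enclosing function starts and ends outside the hunk.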
@@ -791,9 +802,9 @@
else if(strcasecmp(rule_opt[k]->element,
xml_ignore) == 0)
{
- if(strstr(rule_opt[k]->content, "user") != NULL)
+ if(strstr(rule_opt[k]->content, "srcuser") != NULL)
{
- config_ruleinfo->ignore|=FTS_USER;
+ config_ruleinfo->ignore|=FTS_SRCUSER;
}
if(strstr(rule_opt[k]->content, "srcip") != NULL)
{
@@ -831,9 +842,9 @@
else if(strcasecmp(rule_opt[k]->element,
xml_check_if_ignored) == 0)
{
- if(strstr(rule_opt[k]->content, "user") != NULL)
+ if(strstr(rule_opt[k]->content, "srcuser") != NULL)
{
- config_ruleinfo->ckignore|=FTS_USER;
+ config_ruleinfo->ckignore|=FTS_SRCUSER;
}
if(strstr(rule_opt[k]->content, "srcip") != NULL)
{
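Review bot: `<ignore>` and `<check_if_ignored>` learn `srcuser` here, but no branch in this hunk sets `FTS_DSTUSER` for `dstuser`, while fts.c in this patch now emits a dstuser column gated on `ignore & FTS_DSTUSER` / `ckignore & FTS_DSTUSER`; unless such a branch exists further down (outside the hunk), that column can never be populated from a rule. Adding `if(strstr(rule_opt[k]->content, "dstuser") != NULL) { config_ruleinfo->ignore|=FTS_DSTUSER; }` (and the `ckignore` twin) next to the srcuser cases closes the gap. The enclosing function starts and ends outside the hunk.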
@@ -1041,18 +1052,32 @@
program_name = NULL;
}
- /* Adding in user */
- if(user)
+ /* Adding in srcuser */
+ if(srcuser)
{
- os_calloc(1, sizeof(OSMatch), config_ruleinfo->user);
- if(!OSMatch_Compile(user, config_ruleinfo->user, 0))
+ os_calloc(1, sizeof(OSMatch), config_ruleinfo->srcuser);
+ if(!OSMatch_Compile(srcuser, config_ruleinfo->srcuser, 0))
{
- merror(REGEX_COMPILE, ARGV0, user,
- config_ruleinfo->user->error);
+ merror(REGEX_COMPILE, ARGV0, srcuser,
+ config_ruleinfo->srcuser->error);
return(-1);
}
- free(user);
- user = NULL;
+ free(srcuser);
+ srcuser = NULL;
+ }
+
+ /* Adding in dstuser */
+ if(dstuser)
+ {
+ os_calloc(1, sizeof(OSMatch), config_ruleinfo->dstuser);
+ if(!OSMatch_Compile(dstuser, config_ruleinfo->dstuser, 0))
+ {
+ merror(REGEX_COMPILE, ARGV0, dstuser,
+ config_ruleinfo->dstuser->error);
+ return(-1);
+ }
+ free(dstuser);
+ dstuser = NULL;
}
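Review bot: The `srcuser` and `dstuser` compile blocks added here are line-for-line copies (calloc, `OSMatch_Compile`, `merror`, free, NULL), and each still leaves the freshly allocated `OSMatch` behind on the `return(-1)` path, as the original `user` block did. A small static helper keeps the error path in one place and makes the next such field a one-liner; the call sites become `if(srcuser && compile_user_match(&srcuser, &config_ruleinfo->srcuser) < 0) return(-1);` and the same for dstuser. The enclosing function starts and ends outside the hunk.
```c
/* Compile one <srcuser>/<dstuser> pattern into *out; consumes *pattern on success. */
static int compile_user_match(char **pattern, OSMatch **out)
{
    os_calloc(1, sizeof(OSMatch), *out);
    if(!OSMatch_Compile(*pattern, *out, 0))
    {
        merror(REGEX_COMPILE, ARGV0, *pattern, (*out)->error);
        return(-1);
    }
    free(*pattern);
    *pattern = NULL;
    return(0);
}

/* … unchanged: program_name handling above … */
if(srcuser && compile_user_match(&srcuser, &config_ruleinfo->srcuser) < 0)
    return(-1);
if(dstuser && compile_user_match(&dstuser, &config_ruleinfo->dstuser) < 0)
    return(-1);
/* … unchanged: url handling below … */
```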
/* Adding in url */
@@ -1361,7 +1386,8 @@
ruleinfo_pt->if_matched_group = NULL;
ruleinfo_pt->if_matched_sid = 0;
- ruleinfo_pt->user = NULL;
+ ruleinfo_pt->srcuser = NULL;
+ ruleinfo_pt->dstuser = NULL;
ruleinfo_pt->srcip = NULL;
ruleinfo_pt->srcport = NULL;
ruleinfo_pt->dstip = NULL;
diff -Nrudb ossec-snapshot.origin/src/analysisd/rules.h ossec-snapshot/src/analysisd/rules.h
--- ossec-snapshot.origin/src/analysisd/rules.h 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/rules.h 2007-08-02 15:43:59.000000000 +0200
@@ -108,7 +108,8 @@
os_ip **dstip;
OSMatch *srcport;
OSMatch *dstport;
- OSMatch *user;
+ OSMatch *srcuser;
+ OSMatch *dstuser;
OSMatch *url;
OSMatch *id;
OSMatch *status;
diff -Nrudb ossec-snapshot.origin/src/analysisd/rules_list.c ossec-snapshot/src/analysisd/rules_list.c
--- ossec-snapshot.origin/src/analysisd/rules_list.c 2007-08-02 15:18:39.000000000 +0200
+++ ossec-snapshot/src/analysisd/rules_list.c 2007-08-02 15:58:57.000000000 +0200
@@ -354,7 +354,8 @@
r_node->ruleinfo->dstip = newrule->dstip;
r_node->ruleinfo->srcport = newrule->srcport;
r_node->ruleinfo->dstport = newrule->dstport;
- r_node->ruleinfo->user = newrule->user;
+ r_node->ruleinfo->srcuser = newrule->srcuser;
+ r_node->ruleinfo->dstuser = newrule->dstuser;
r_node->ruleinfo->url = newrule->url;
r_node->ruleinfo->id = newrule->id;
r_node->ruleinfo->status = newrule->status;