
[ossec-dev] src / dst patch



Hello people,

Just as stated in my last email [1], I updated the patch against CVS head.

For a quick summary: user and dstuser were ambiguous. user was always
the destination user, unless we had a source user, such as with su,
where the source user would be in user and the destination user in dstuser.

Rulesets are updated along with the patch.

Please now consider the following:
* You don't always need to fill srcuser and/or dstuser
* If you have both pieces of information, then think "Where does this event come
from?" to discover the source user and "Who is the target?" to
discover the destination user
* If you don't know, then just fill dstuser


Thanks, patch attached,
Sebastien.


[1]
http://groups.google.com/group/ossec-dev/browse_thread/thread/b28ffd95f758fa5d/a71f3206d4eb1b01
? bin
? ossec-src_dst.0.patch
? src/Config.OS
? src/addagent/manage_agents
? src/analysisd/ossec-analysisd
? src/client-agent/ossec-agentd
? src/headers/zconf.h
? src/headers/zlib.h
? src/logcollector/ossec-logcollector
? src/monitord/ossec-monitord
? src/os_dbd/ossec-dbd
? src/os_execd/ossec-execd
? src/os_maild/ossec-maild
? src/remoted/ossec-remoted
? src/syscheckd/ossec-syscheckd
? src/util/clear_stats
? src/util/list_agents
? src/util/syscheck_update
Index: etc/decoder.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/decoder.xml,v
retrieving revision 1.122
diff -r1.122 decoder.xml
11,12c11,12
<    - user     - extract the user name
<    - dstuser  - the destination username (from su)
---
>    - srcuser  - extract the source username
>    - dstuser  - extract the destination username
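Review bot: the header comment at 11-12 now only says which field holds which name; the convention from the cover mail belongs here as well, since this file is what decoder authors read: dstuser is the account the event targets and is the one to fill when in doubt, and srcuser is set only when the event carries a distinct originating account (su).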
59c59
<   <order>srcip, user</order>
---
>   <order>srcip, dstuser</order>
66c66
<   <order>user</order>
---
>   <order>dstuser</order>
114,115c114,115
<   <order>user, srcip</order>
<   <fts>name, user, location</fts>
---
>   <order>dstuser, srcip</order>
>   <fts>name, dstuser, location</fts>
122c122
<   <order>user, srcip</order>
---
>   <order>dstuser, srcip</order>
129,130c129,130
<   <order>user, srcip</order>
<   <fts>name, user, location</fts>
---
>   <order>dstuser, srcip</order>
>   <fts>name, dstuser, location</fts>
144c144
<   <order>user, srcip</order>
---
>   <order>dstuser, srcip</order>
151c151
<   <order>user, srcip</order>
---
>   <order>dstuser, srcip</order>
219c219
<   <order>user</order>
---
>   <order>dstuser</order>
241,242c241,242
<   <order>user</order>
<   <fts>name,user,location</fts>
---
>   <order>dstuser</order>
>   <fts>name,dstuser,location</fts>
265,266c265,266
<   <order>user, dstuser</order>
<   <fts>name, user, location</fts>
---
>   <order>srcuser, dstuser</order>
>   <fts>name, dstuser, location</fts>
272,273c272,273
<   <order>user, dstuser</order>
<   <fts>name, user, location</fts>
---
>   <order>srcuser, dstuser</order>
>   <fts>name, dstuser, location</fts>
296,297c296,297
<   <order>srcip, user</order>
<   <fts>name, user, srcip, location</fts>
---
>   <order>srcip, dstuser</order>
>   <fts>name, dstuser, srcip, location</fts>
326,327c326,327
<   <order>srcip, user</order>
<   <fts>name, user, srcip, location</fts>
---
>   <order>srcip, dstuser</order>
>   <fts>name, dstuser, srcip, location</fts>
333c333
<   <order>user,srcip</order>
---
>   <order>dstuser,srcip</order>
421c421
<   <order>user,srcip</order>
---
>   <order>dstuser,srcip</order>
441c441
<   <order>user, srcip</order>
---
>   <order>dstuser, srcip</order>
448c448
<   <order>user, srcip</order>
---
>   <order>dstuser, srcip</order>
468c468
<   <order>user, srcip</order>
---
>   <order>dstuser, srcip</order>
1046c1046
<   <order>user, srcip</order>
---
>   <order>dstuser, srcip</order>
1053c1053
<   <order>srcip, user</order> 
---
>   <order>srcip, dstuser</order> 
1187c1187
<   <order>srcip,user,action,id</order>
---
>   <order>srcip,dstuser,action,id</order>
1274,1275c1274,1275
<   <order>status, id, extra_data, user, system_name</order>
<   <fts>name, location, user, system_name</fts>
---
>   <order>status, id, extra_data, dstuser, system_name</order>
>   <fts>name, location, dstuser, system_name</fts>
1324,1325c1324,1325
<   <order>id, extra_data, user, status, system_name</order>
<   <fts>name, id, location, user, system_name</fts>
---
>   <order>id, extra_data, dstuser, status, system_name</order>
>   <fts>name, id, location, dstuser, system_name</fts>
Index: etc/rules/attack_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/attack_rules.xml,v
retrieving revision 1.14
diff -r1.14 attack_rules.xml
24c24
<     <user>$SYS_USERS</user>
---
>     <dstuser>$SYS_USERS</dstuser>
Index: etc/rules/local_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/local_rules.xml,v
retrieving revision 1.4
diff -r1.4 local_rules.xml
38c38
<     <user>XYZABC</user>
---
>     <dstuser>XYZABC</dstuser>
Index: etc/rules/msauth_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/msauth_rules.xml,v
retrieving revision 1.25
diff -r1.25 msauth_rules.xml
166c166
<     <user>^LOCAL SERVICE|^NETWORK SERVICE</user>
---
>     <dstuser>^LOCAL SERVICE|^NETWORK SERVICE</dstuser>
Index: etc/rules/symantec-ws_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/symantec-ws_rules.xml,v
retrieving revision 1.1
diff -r1.1 symantec-ws_rules.xml
45c45
<     <user>virtadmin</user>
---
>     <dstuser>virtadmin</dstuser>
Index: etc/rules/syslog_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/syslog_rules.xml,v
retrieving revision 1.71
diff -r1.71 syslog_rules.xml
320c320
<     <user>^root</user>
---
>     <dstuser>^root</dstuser>
Index: src/LOCATION
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/LOCATION,v
retrieving revision 1.2
diff -r1.2 LOCATION
1c1
< DIR="/var/ossec"
---
> DIR="/opt/ossec"
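Review bot: the DIR="/opt/ossec" change in src/LOCATION is a local install-path setting unrelated to the srcuser/dstuser split and must be dropped from the patch; as submitted it would change the default installation directory for everyone who applies it.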
Index: src/analysisd/analysisd.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/analysisd.c,v
retrieving revision 1.120
diff -r1.120 analysisd.c
856,857c856,857
<                             if(!lf->user || 
<                                 !OS_PRegex(lf->user,"^[a-zA-Z._0-9@?-]*$"))
---
>                             if(!lf->srcuser || 
>                                 !OS_PRegex(lf->srcuser,"^[a-zA-Z._0-9@?-]*$"))
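Review bot: the sanity check at 856-857 now inspects lf->srcuser, but the field alerts/exec.c substitutes into the active-response command (hunks 84c84 and 86c86 below) is lf->dstuser, so the user string that reaches the external script is no longer the one tested against ^[a-zA-Z._0-9@?-]*$. Run the check on lf->dstuser (or on both fields), e.g. `if(!lf->dstuser || !OS_PRegex(lf->dstuser,"^[a-zA-Z._0-9@?-]*$"))`, and make the merror at 859-860 print the same field.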
859,860c859,860
<                                 if(lf->user)
<                                     merror(CRAFTED_USER, ARGV0, lf->user);
---
>                                 if(lf->srcuser)
>                                     merror(CRAFTED_USER, ARGV0, lf->srcuser);
955c955
<      * user,
---
>      * srcuser,
1124,1125c1124,1125
<         /* Checking if exist any user to match */
<         if(currently_rule->user)
---
>         /* Checking if exist any srcuser to match */
>         if(currently_rule->srcuser)
1127c1127
<             if(lf->dstuser)
---
>             if(lf->srcuser)
1129,1138c1129,1131
<                 if(!OSMatch_Execute(lf->dstuser,
<                             strlen(lf->dstuser),
<                             currently_rule->user))
<                     return(NULL);
<             }
<             else if(lf->user)
<             {
<                 if(!OSMatch_Execute(lf->user,
<                             strlen(lf->user),
<                             currently_rule->user))
---
>                 if(!OSMatch_Execute(lf->srcuser,
>                             strlen(lf->srcuser),
>                             currently_rule->srcuser))
1147a1141,1157
> 
>         /* Checking if exist any dstuser to match */
>         if(currently_rule->dstuser)
> 	{
> 		if(lf->dstuser)
> 		{
> 			if(!OSMatch_Execute(lf->dstuser,
> 			            strlen(lf->dstuser),
> 			            currently_rule->dstuser))
> 				return(NULL);
> 		}
> 		else
> 		{
> 			/* no user set */
> 			return(NULL);
> 		}
> 	}
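Review bot: the added dstuser block is indented with tabs while the surrounding analysisd.c code uses spaces; reindent to match. There is also a behaviour change worth stating in the commit text: the old <user> check (1129-1138) fell back to lf->user when lf->dstuser was unset, whereas a <dstuser> rule now returns NULL outright in that case, so a site-local decoder that fills only srcuser (or still uses the old user field) stops matching rules such as syslog_rules.xml 320 without any error.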
Index: src/analysisd/eventinfo.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/eventinfo.c,v
retrieving revision 1.38
diff -r1.38 eventinfo.c
124c124
<                 if((!lf->user)||(!my_lf->user))
---
>                 if((!lf->dstuser)||(!my_lf->dstuser))
127c127
<                 if(strcmp(lf->user,my_lf->user) != 0)
---
>                 if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
283c283
<                 if((!lf->user)||(!my_lf->user))
---
>                 if((!lf->dstuser)||(!my_lf->dstuser))
286c286
<                 if(strcmp(lf->user,my_lf->user) != 0)
---
>                 if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
413c413
<             if((!lf->user)||(!my_lf->user))
---
>             if((!lf->dstuser)||(!my_lf->dstuser))
416c416
<             if(strcmp(lf->user,my_lf->user) != 0)
---
>             if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
500c500
<     lf->user = NULL;
---
>     lf->srcuser = NULL;
550,553c550,551
<     if(lf->user)
<         free(lf->user);
<     if(lf->status)
<         free(lf->status);
---
>     if(lf->srcuser)
>         free(lf->srcuser);
555a554,555
>     if(lf->status)
>         free(lf->status);
Index: src/analysisd/eventinfo.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/eventinfo.h,v
retrieving revision 1.31
diff -r1.31 eventinfo.h
40c40
<     char *user;
---
>     char *srcuser;
99c99
< #define FTS_USER        002000
---
> #define FTS_SRCUSER     002000
134c134
< void *User_FP(Eventinfo *lf, char *field);
---
> void *SrcUser_FP(Eventinfo *lf, char *field);
Index: src/analysisd/fts.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/fts.c,v
retrieving revision 1.30
diff -r1.30 fts.c
144c144
<     fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
---
>     fprintf(fp_ignore, "%s %s %s %s %s %s %s %s %s\n",
148c148,149
<             (lf->user && (lf->generated_rule->ignore & FTS_USER))?lf->user:"",
---
>             (lf->srcuser && (lf->generated_rule->ignore & FTS_SRCUSER))?lf->srcuser:"",
>             (lf->dstuser && (lf->generated_rule->ignore & FTS_DSTUSER))?lf->dstuser:"", 
178c179
<     snprintf(_line,OS_FLSIZE, "%s %s %s %s %s %s %s %s\n",
---
>     snprintf(_line,OS_FLSIZE, "%s %s %s %s %s %s %s %s %s\n",
182,183c183,186
<             (lf->user && (lf->generated_rule->ckignore & FTS_USER))?
<                             lf->user:"",
---
>             (lf->srcuser && (lf->generated_rule->ckignore & FTS_SRCUSER))?
>                             lf->srcuser:"",
>             (lf->dstuser && (lf->generated_rule->ckignore & FTS_DSTUSER))?
>                             lf->dstuser:"",
234c237
<             (lf->user && (lf->decoder_info->fts & FTS_USER))?lf->user:"",
---
>             (lf->srcuser && (lf->decoder_info->fts & FTS_SRCUSER))?lf->srcuser:"",
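Review bot: the fts line at 234 only renames the user term, while the ignore lines at 144 and 178 gain a dstuser term and a ninth %s. If the fts line does not already carry a dstuser term, a decoder whose <fts> lists dstuser (most of the decoder.xml changes above) contributes nothing to first-time-seen tracking; confirm FTS_DSTUSER is emitted there as well, with a matching %s in the format string.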
Index: src/analysisd/rules.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/rules.c,v
retrieving revision 1.68
diff -r1.68 rules.c
84c84,85
<     char *xml_user = "user";
---
>     char *xml_srcuser = "srcuser";
>     char *xml_dstuser = "dstuser";
330c331,332
<                 char *user = NULL;
---
>                 char *srcuser = NULL;
>                 char *dstuser = NULL;
500c502
<                     else if(strcasecmp(rule_opt[k]->element,xml_user)==0)
---
>                     else if(strcasecmp(rule_opt[k]->element,xml_srcuser)==0)
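Review bot: with xml_user removed, a <user> element in a rule file no longer reaches this branch, and only the shipped rule files are converted in this patch; site-local local_rules.xml copies are not. Keep `user` as a deprecated alias for `dstuser` that logs a warning, e.g. `else if(strcasecmp(rule_opt[k]->element,xml_dstuser)==0 || strcasecmp(rule_opt[k]->element,"user")==0)`, so existing installations do not silently lose matches.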
502,503c504,514
<                         user =
<                             loadmemory(user,
---
>                         srcuser =
>                             loadmemory(srcuser,
>                                     rule_opt[k]->content);
> 
>                         if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
>                             config_ruleinfo->alert_opts |= DO_EXTRAINFO;
>                     }
>                     else if(strcasecmp(rule_opt[k]->element,xml_dstuser)==0)
>                     {
>                         dstuser =
>                             loadmemory(dstuser,
794c805,809
<                         if(strstr(rule_opt[k]->content, "user") != NULL)
---
>                         if(strstr(rule_opt[k]->content, "srcuser") != NULL)
>                         {
>                             config_ruleinfo->ignore|=FTS_SRCUSER;
>                         }
>                         if(strstr(rule_opt[k]->content, "dstuser") != NULL)
796c811
<                             config_ruleinfo->ignore|=FTS_USER;
---
>                             config_ruleinfo->ignore|=FTS_DSTUSER;
834c849
<                         if(strstr(rule_opt[k]->content, "user") != NULL)
---
>                         if(strstr(rule_opt[k]->content, "srcuser") != NULL)
836c851,855
<                             config_ruleinfo->ckignore|=FTS_USER;
---
>                             config_ruleinfo->ckignore|=FTS_SRCUSER;
>                         }
>                         if(strstr(rule_opt[k]->content, "dstuser") != NULL)
>                         {
>                             config_ruleinfo->ckignore|=FTS_DSTUSER;
1044,1045c1063,1078
<                 /* Adding in user */
<                 if(user)
---
>                 /* Adding in srcuser */
>                 if(srcuser)
>                 {
>                     os_calloc(1, sizeof(OSMatch), config_ruleinfo->srcuser);
>                     if(!OSMatch_Compile(srcuser, config_ruleinfo->srcuser, 0))
>                     {
>                         merror(REGEX_COMPILE, ARGV0, srcuser,
>                                               config_ruleinfo->srcuser->error);
>                         return(-1);
>                     }
>                     free(srcuser);
>                     srcuser = NULL;
>                 }
>                 
>                 /* Adding in dstuser */
>                 if(dstuser)
1047,1048c1080,1081
<                     os_calloc(1, sizeof(OSMatch), config_ruleinfo->user);
<                     if(!OSMatch_Compile(user, config_ruleinfo->user, 0))
---
>                     os_calloc(1, sizeof(OSMatch), config_ruleinfo->dstuser);
>                     if(!OSMatch_Compile(dstuser, config_ruleinfo->dstuser, 0))
1050,1051c1083,1084
<                         merror(REGEX_COMPILE, ARGV0, user,
<                                               config_ruleinfo->user->error);
---
>                         merror(REGEX_COMPILE, ARGV0, dstuser,
>                                               config_ruleinfo->dstuser->error);
1054,1055c1087,1088
<                     free(user);
<                     user = NULL;
---
>                     free(dstuser);
>                     dstuser = NULL;
1364c1397,1398
<     ruleinfo_pt->user = NULL; 
---
>     ruleinfo_pt->srcuser = NULL; 
>     ruleinfo_pt->dstuser = NULL; 
Index: src/analysisd/rules.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/rules.h,v
retrieving revision 1.37
diff -r1.37 rules.h
111c111,112
<     OSMatch *user;
---
>     OSMatch *srcuser;
>     OSMatch *dstuser;
Index: src/analysisd/rules_list.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/rules_list.c,v
retrieving revision 1.22
diff -r1.22 rules_list.c
357c357,358
<             r_node->ruleinfo->user = newrule->user;
---
>             r_node->ruleinfo->srcuser = newrule->srcuser;
>             r_node->ruleinfo->dstuser = newrule->dstuser;
Index: src/analysisd/alerts/exec.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/alerts/exec.c,v
retrieving revision 1.34
diff -r1.34 exec.c
34c34
<     char *user;
---
>     char *dstuser;
84c84
<     if(lf->user && (ar->ar_cmd->expect & USERNAME))
---
>     if(lf->dstuser && (ar->ar_cmd->expect & USERNAME))
86c86
<         user = lf->user;
---
>         dstuser = lf->dstuser;
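Review bot: with dstuser now the value substituted when the AR command expects USERNAME (84-86), active-response scripts receive the target account rather than whatever `user` used to carry; for su events that is the account switched to, not the one who ran su. This is what the cover mail intends, but it needs a line in the active-response documentation, and the CRAFTED_USER check in analysisd.c 856-857 should be testing this same field.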
90c90
<         user = "-";
---
>         dstuser = "-";
108c108
<                 user,
---
>                 dstuser,
134c134
<                 user,
---
>                 dstuser,
Index: src/analysisd/alerts/log.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/alerts/log.c,v
retrieving revision 1.28
diff -r1.28 log.c
59c59
<             "Src IP: %s\nUser: %s\n%.1256s\n",
---
>             "Src IP: %s\nSource User: %s\nTarget User: %s\n%.1256s\n",
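Review bot: the format change at 59 replaces the single "User:" line in alerts.log with "Source User:" and "Target User:", which breaks any log consumer that keys on "User: ". Either keep "User:" for dstuser and add only a "Source User:" line, or call the change out in the release notes; the two extra arguments at 75-76 do line up with the two new %s.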
75c75,76
<             lf->user == NULL?"(none)":lf->user,
---
>             lf->srcuser == NULL?"(none)":lf->srcuser,
>             lf->dstuser == NULL?"(none)":lf->dstuser,
Index: src/analysisd/decoders/decode-xml.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/decoders/decode-xml.c,v
retrieving revision 1.41
diff -r1.41 decode-xml.c
538c538
<                     else if(strstr(*norder, "user") != NULL)
---
>                     else if(strstr(*norder, "srcuser") != NULL)
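Review bot: same compatibility point as in rules.c: an <order> entry of plain `user` no longer reaches this branch. Note also that strstr matches substrings, so the old test caught `dstuser` too and the relative position of this branch and the existing dstuser branch mattered before; it no longer does. Suggest mapping a bare `user` to the dstuser handler with a warning so third-party decoders keep working.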
540c540
<                         pi->order[order_int] = (void *)User_FP;
---
>                         pi->order[order_int] = (void *)SrcUser_FP;
628c628
<                     else if(strstr(*norder, "user") != NULL)
---
>                     else if(strstr(*norder, "srcuser") != NULL)
630c630
<                         pi->fts|=FTS_USER;
---
>                         pi->fts|=FTS_SRCUSER;
Index: src/analysisd/decoders/decoder.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/decoders/decoder.c,v
retrieving revision 1.37
diff -r1.37 decoder.c
271c271
< void *User_FP(Eventinfo *lf, char *field)
---
> void *SrcUser_FP(Eventinfo *lf, char *field)
273c273
<     lf->user = field;
---
>     lf->srcuser = field;
Index: src/analysisd/decoders/plugins/symantecws_decoder.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/decoders/plugins/symantecws_decoder.c,v
retrieving revision 1.1
diff -r1.1 symantecws_decoder.c
75c75
<             if(!lf->user)
---
>             if(!lf->dstuser)
77c77
<                 os_strdup(buf_str, lf->user);
---
>                 os_strdup(buf_str, lf->dstuser);
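The srcuser/dstuser convention from the mail, modelled in Python as an added example that is not OSSEC code: two constructed log lines are decoded the way the guideline says, a rule is matched with the post-patch no-fallback semantics, and the CRAFTED_USER pattern from analysisd.c is applied to the field exec.c hands to active response. The log formats, decode() and rule_matches() are simplifications assumed for illustration.

```python
import re

# Username sanity pattern copied from the CRAFTED_USER check in analysisd.c.
SAFE_USER = re.compile(r"^[a-zA-Z._0-9@?-]*$")

# Constructed, simplified log formats (assumptions, not OSSEC's decoders):
# su carries a distinct originating user, sshd only a target account.
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<dst>\S+)\) (?P<src>\S+) on ")
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<dst>\S+) from (?P<srcip>\S+)")


def decode(line):
    """Fill the fields the way the mail's guideline says: srcuser only when
    the event has an originating account, dstuser (the target) otherwise."""
    event = {"srcuser": None, "dstuser": None, "srcip": None}
    m = SU_RE.search(line)
    if m:
        event["srcuser"], event["dstuser"] = m.group("src"), m.group("dst")
        return event
    m = SSHD_RE.search(line)
    if m:
        event["dstuser"], event["srcip"] = m.group("dst"), m.group("srcip")
    return event


def rule_matches(rule, event):
    """Post-patch analysisd.c semantics: each <srcuser>/<dstuser> pattern the
    rule sets needs a value in the event and the value must match it.
    The old fallback from dstuser to the generic user field is gone."""
    for field in ("srcuser", "dstuser"):
        pattern = rule.get(field)
        if pattern is None:
            continue
        value = event[field]
        if value is None or re.search(pattern, value) is None:
            return False
    return True


def ar_user_is_safe(event):
    """Apply the CRAFTED_USER pattern to the field exec.c substitutes into
    the active-response command after the patch, which is dstuser."""
    user = event["dstuser"]
    return user is None or SAFE_USER.match(user) is not None


if __name__ == "__main__":
    su = decode("Apr  1 12:00:00 host su[4242]: (to root) bob on pts/0")
    ssh = decode("Apr  1 12:00:01 host sshd[4243]: Accepted publickey for alice from 10.0.0.5 port 22")
    print(su, rule_matches({"dstuser": "^root"}, su))      # target is root: matches
    print(ssh, rule_matches({"srcuser": "^alice"}, ssh))   # no srcuser set: no match
```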



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.