[ossec-dev] Understanding EventInfo datastructure
Hi folks,
I am working on an OSSEC port to Prelude. This is based on the 1.2 release.
Prelude is a hybrid intrusion detection system which gives an
infrastructure for analyzers (samhain, snort, ..., now ossec) to
centralize their data.
My port works by sending the _EventInfo and _RuleInfo datastructures to
the program, which builds an IDMEF (see RFC 4765) message that is then sent
to the Prelude manager.
I wrote a simple debug function that shows all the information in the
datastructures, to understand them better against known scenarios.
While doing this I faced the following problem:
When I attempt a ssh authentication failure from a remote
machine (192.168.4.1) to mine (192.168.4.61), typing "ssh
toady@xxxxxxxxxxxx", I get only this information:
_EventInfo datastructure:
log = Failed password for toady from 192.168.4.1 port 37942 ssh2
full_log = Jul 18 17:02:23 localhost sshd[12002]: Failed password for toady from 192.168.4.1 port 37942 ssh2
location = /var/log/auth.log
hostname = localhost
program_name = sshd
srcip = 192.168.4.1
dstip =
srcport =
dstport =
protocol =
action =
user = toady
dstuser =
id =
status =
command =
url =
data =
systemname =
_RuleInfo datastructure:
sigid = 5716
level = 5
comment = SSHD authentication failed.
info =
cve =
A few things I don't understand:
* user and dstuser confuse me. In the documentation, user means the
decoded user. So why dstuser? Why not have "toady" as dstuser and
nothing in user, since that cannot be extracted from the log? What is the
purpose of dstuser?
* Why not fill srcport?
* Why not take the program sshd, which can only mean ssh protocol
usage, and fill the protocol section?
Thanks for your lightnings,
Sebastien.
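To make the mapping the post describes concrete, here is an added example (not OSSEC's own decoder, nor the poster's Prelude port) that parses the sshd line shown above into an _EventInfo-shaped record and then builds a minimal IDMEF Alert (RFC 4765) skeleton from it together with the _RuleInfo fields. The syslog and sshd regular expressions are my own approximations, not OSSEC's decoder rules; unlike the dump in the post, this example also fills srcport and protocol, which is what the poster asks for. The "invalid user" variant of the sshd message, the level-to-severity mapping and the "vendor-specific" reference origin are assumptions for illustration.

```python
import re
from dataclasses import dataclass, asdict

# Constructed sample, modelled on the full_log line quoted in the post.
SAMPLE_LOG = ("Jul 18 17:02:23 localhost sshd[12002]: "
              "Failed password for toady from 192.168.4.1 port 37942 ssh2")

# Classic BSD syslog prefix: timestamp, hostname, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$")

# sshd failed-password message; the optional "invalid user" form is an
# assumption about other sshd variants, not something shown in the post.
SSHD_FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<srcip>\S+) port (?P<srcport>\d+) (?P<proto>ssh2?)$")


@dataclass
class EventInfo:
    """Mirror of the _EventInfo fields listed in the post (all strings)."""
    log: str = ""
    full_log: str = ""
    location: str = ""
    hostname: str = ""
    program_name: str = ""
    srcip: str = ""
    dstip: str = ""
    srcport: str = ""
    dstport: str = ""
    protocol: str = ""
    action: str = ""
    user: str = ""
    dstuser: str = ""
    id: str = ""
    status: str = ""
    command: str = ""
    url: str = ""
    data: str = ""
    systemname: str = ""


def decode(full_log: str, location: str = "/var/log/auth.log") -> EventInfo:
    """Fill an EventInfo from one syslog line (illustrative decoder)."""
    ev = EventInfo(full_log=full_log, location=location)
    m = SYSLOG_RE.match(full_log)
    if not m:
        return ev  # unknown format: only full_log/location are set
    ev.hostname = m["hostname"]
    ev.program_name = m["program_name"]
    ev.log = m["log"]
    if ev.program_name == "sshd":
        f = SSHD_FAIL_RE.match(ev.log)
        if f:
            ev.user = f["user"]
            ev.srcip = f["srcip"]
            ev.srcport = f["srcport"]   # present in the log, empty in the post's dump
            ev.protocol = "ssh"         # inferred from program_name, as the poster suggests
    return ev


def severity_from_level(level: int) -> str:
    """Assumed mapping of OSSEC rule level to IDMEF Impact severity."""
    if level >= 12:
        return "high"
    if level >= 7:
        return "medium"
    if level >= 4:
        return "low"
    return "info"


def to_idmef(ev: EventInfo, sigid: int, level: int, comment: str) -> dict:
    """Build a minimal IDMEF Alert (RFC 4765) as nested dicts."""
    alert = {
        "Analyzer": {"name": "ossec", "Node": {"name": ev.hostname}},
        "Classification": {
            "text": comment,
            "Reference": {"origin": "vendor-specific", "name": str(sigid)},
        },
        "Assessment": {"Impact": {"severity": severity_from_level(level)}},
        "AdditionalData": {"full_log": ev.full_log, "location": ev.location},
    }
    if ev.srcip:
        source = {"Node": {"Address": {"category": "ipv4-addr", "address": ev.srcip}}}
        if ev.srcport or ev.protocol:
            source["Service"] = {"port": ev.srcport, "protocol": ev.protocol}
        alert["Source"] = source
    target = {"Node": {"name": ev.hostname}}
    if ev.user:
        # The failed login names the account being targeted on this host.
        target["User"] = {"category": "os-device", "UserId": {"name": ev.user}}
    alert["Target"] = target
    return alert


if __name__ == "__main__":
    event = decode(SAMPLE_LOG)
    print(asdict(event))
    print(to_idmef(event, sigid=5716, level=5, comment="SSHD authentication failed."))
```

Running the block prints the decoded fields and the IDMEF skeleton; the source IP and port land under Source/Node and Source/Service, while the account name from the log is placed under Target/User, which is one way to read the user-versus-dstuser question in the post.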
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.