
[ossec-dev] Re: Understanding EventInfo datastructure




Hi Sebastien,

First of all, thanks for the work porting ossec to Prelude. It seems a nice fit
for both projects :) Rest of the reply inline...



On 7/23/07, Sebastien Tricaud <sebastien.tricaud@xxxxxxxxx> wrote:

Hi folks,

I am working on an Ossec port to Prelude. This is based on the 1.2 release.

You may want to use the latest version (based on the v1.3 beta) that is available
at http://www.ossec.net/files/snapshots/ossec-hids-070722.tar.gz if you prefer
(or I can give you CVS access too). However, I don't think that the changes to 1.3
were so big that they would make it incompatible...



Prelude is a hybrid intrusion detection system which gives an
infrastructure to have analyzers (samhain, snort, ..., now ossec)
centralizing data.

Yes, I know Prelude :) Very fine project.



When I attempt to perform an ssh authentication failure from a remote
machine (192.168.4.1) to mine (192.168.4.61), typing "ssh
toady@xxxxxxxxxxxx", I get only this information:

_EventInfo datastructure:

log = Failed password for toady from 192.168.4.1 port 37942 ssh2
full_log = Jul 18 17:02:23 localhost sshd[12002]: Failed password for toady from 192.168.4.1 port 37942 ssh2
location = /var/log/auth.log
hostname = localhost
program_name = sshd
srcip = 192.168.4.1
dstip =
srcport =
dstport =
protocol =
action =
user = toady
dstuser =
id =
status =
command =
url =
data =
systemname =


_RuleInfo datastructure:

sigid = 5716
level = 5
comment = SSHD authentication failed.
info =
cve =

Basically, ossec "analysis" is divided in three steps: pre-decoding, decoding and
rule matching. Our pre-decoding sets some basic information, like program name,
time, location, etc. The decoders are composed of multiple regular expressions
that set the srcip, username, etc. based on the regexes. A document that explains
it a bit is the following (my presentation at AusCERT):

http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf




Few things I don't understand:
* user and dstuser confuse me. In the documentation user means the
decoded user. So why dstuser? Why not have "toady" as dstuser and
nothing in user, since this cannot be extracted from the log? What is the
purpose of dstuser?


It confuses me too :) I created the dstuser to be used by logs from su, sudo or
any other where you have one user attempting to become another one. Most of the
time we only use user (not dstuser).



* Why not fill srcport?


We could, and in some logs we do (like snort or firewall logs).
However, for some reason we didn't write the regex to grab that.

This is the decoder that gets the user/srcip (we could easily change it
to get the port too):
<decoder name="sshd-success">
 <parent>sshd</parent>
 <prematch>^Accepted</prematch>
 <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
 <order>user, srcip</order>
</decoder>



* Why not extract the program sshd, which can only be ssh protocol
usage, and fill the protocol section?

We already extract the program_name and if you print lf->program_name you will
see it (generally it is extracted via the pre-decoder for all syslog messages).



Thanks for your lightnings,
Sebastien.



Thanks for getting involved and taking the time to learn the project.
Any other question, let me know. Hope it helped...


--
Daniel B. Cid
dcid ( at ) ossec.net
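The thread asks why srcport stays empty for the "Failed password" line and Daniel notes the decoder could easily grab it. The decoder below is an added example, not from the original post or the OSSEC tree: the decoder name is assumed, and the regex uses only the constructs the quoted sshd-success decoder already uses, mapping three capture groups onto the user, srcip and srcport fields of the EventInfo structure shown above.

```xml
<!-- Added example decoder (not part of the thread or of OSSEC's decoder.xml).
     Input is the full_log from the thread after pre-decoding has removed the
     syslog header and set program_name = sshd:
       Failed password for toady from 192.168.4.1 port 37942 ssh2
-->
<decoder name="sshd-failed-port">
  <!-- hypothetical name -->
  <!-- only evaluated for events the parent "sshd" decoder already matched -->
  <parent>sshd</parent>
  <!-- cheap literal check first; the regex below runs only when it hits -->
  <prematch>^Failed password for </prematch>
  <!-- matching resumes right after the prematch text, so the first
       group is the user name, the second the source IP, the third the port -->
  <regex offset="after_prematch">^(\S+) from (\S+) port (\S+) </regex>
  <!-- capture groups are assigned, in order, to these EventInfo fields -->
  <order>user, srcip, srcport</order>
</decoder>
```

For the rule above to populate srcport you still need an sshd rule that does not override it, and note that sshd also logs "Failed password for invalid user toady from ..." for unknown accounts, where the first \S+ would capture "invalid"; that form needs its own decoder with "invalid user " included in the prematch.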




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.