[ossec-dev] Re: Understanding EventInfo datastructure
Daniel Cid wrote:
>
> Hi Sebastien,
>
> First of all, thanks for the work porting ossec to Prelude. It seems a
> nice fit for both projects :) Rest of the reply inline...
Indeed! That's why I started working on it ;-) Rest of the reply inline
with yours:
>
> You may want to use the latest version (based on the v1.3 beta) that
> is available at http://www.ossec.net/files/snapshots/ossec-hids-070722.tar.gz
> if you prefer (or I can give you CVS access too). However, I don't
> think that the changes to 1.3 were that big that would make it
> incompatible...
I am willing to do it, but before doing it I should finish with 1.2 and
then move on.
>> Few things I don't understand:
>> * user and dstuser confuse me. In the documentation user means the
>> decoded user. So why dstuser? Why not have "toady" as dstuser and
>> nothing in user, since this cannot be extracted from the log? What is
>> the purpose of dstuser?
>
> It confuses me too :) I created the dstuser to be used by logs from
> su, sudo or any other where you have one user attempting to become
> another one. Most of the times we only use user (not dstuser).
However, sometimes you can get the source user, which means there is a
need for srcuser and dstuser. In that case user means dst, which will
confuse anyone reading the data structure unless you know it ;-) Are you
OK with getting patches for this?
>
>> * why not fill srcport?
>
> We could and in some logs we do (like snort or firewall logs).
> However, for some reason we didn't write the regex to grab that.
>
> This is the decoder that gets the user/srcip (we could easily change
> it to get the port too):
>
> <decoder name="sshd-success">
>   <parent>sshd</parent>
>   <prematch>^Accepted</prematch>
>   <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
>   <order>user, srcip</order>
> </decoder>
>
Good! It is fixed now, right? In 1.3 only? Why not release a last 1.2
with Prelude support and this fixed?
>
>> * why not extract the program sshd, which can only be a ssh protocol
>> usage, and fill the protocol section?
>
> We already extract the program_name and if you print lf->program_name
> you will see it (generally it is extracted via the pre-decoder for all
> syslog messages).
I know, however I am talking about the protocol. Because it is sshd, the
protocol used can only be ssh, right? Then we can add this information
in the protocol section.
>
> Thanks for getting involved and taking the time to learn the project.
> Any other question, let me know. Hope it helped...
Yes it helped, thank you very much for your effort in this project, which
also considers the Windows platform and gives a good tool for anyone
running a regular computer ;)
Sebastien.
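The points raised in the thread above (filling srcport from the sshd-success decoder, keeping a separate srcuser/dstuser pair for su-style logs, and deriving protocol from program_name) are illustrated below in a small Python decoder. This is an added example, not code from the thread or from OSSEC itself: OSSEC's regex dialect is translated to Python's re module, the syslog pre-decoder is a simplified stand-in, the su decoder and the program-to-protocol mapping are assumptions, and every log line is constructed for the example.

```python
import re

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_SSHD_OK = ("Jul 22 10:15:32 bastion sshd[4412]: "
                  "Accepted password for alice from 192.0.2.10 port 51234 ssh2")
SAMPLE_SU = "Jul 22 10:16:01 bastion su: (to root) alice on /dev/pts/0"
SAMPLE_OTHER = "Jul 22 10:17:09 bastion cron[77]: (root) CMD (run-parts /etc/cron.hourly)"

# Syslog pre-decoder (simplified stand-in for OSSEC's): pulls program_name
# out of the "prog[pid]:" header, as the thread says OSSEC does for all
# syslog messages.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Equivalent of the quoted sshd-success decoder, with one extra capture
# group appended so srcport is filled too. OSSEC's own regex dialect is
# translated to Python's here.
SSHD_SUCCESS_PREMATCH = "Accepted"
SSHD_SUCCESS_RE = re.compile(r"^ \S+ for (\S+) from (\S+) port (\d+)")

# Hypothetical su decoder showing why a separate srcuser is useful:
# "(to root) alice" is alice (source) becoming root (destination).
SU_RE = re.compile(r"^\(to (\S+)\) (\S+) on ")

# Map from program_name to protocol; an assumption, not something OSSEC does.
PROTOCOL_BY_PROGRAM = {"sshd": "ssh"}


def new_eventinfo():
    """Minimal EventInfo-like record with the fields discussed in the thread."""
    return {"program_name": None, "user": None, "srcuser": None,
            "dstuser": None, "srcip": None, "srcport": None, "protocol": None}


def decode(line):
    """Run the pre-decoder, then the matching decoder, and fill the record."""
    info = new_eventinfo()
    m = SYSLOG_RE.match(line)
    if not m:
        return info
    info["program_name"] = m.group("prog")
    info["protocol"] = PROTOCOL_BY_PROGRAM.get(info["program_name"])
    msg = m.group("msg")

    if info["program_name"] == "sshd" and msg.startswith(SSHD_SUCCESS_PREMATCH):
        # offset="after_prematch": the regex starts right after "Accepted".
        sm = SSHD_SUCCESS_RE.match(msg[len(SSHD_SUCCESS_PREMATCH):])
        if sm:
            info["user"], info["srcip"] = sm.group(1), sm.group(2)
            info["srcport"] = int(sm.group(3))
    elif info["program_name"] == "su":
        sm = SU_RE.match(msg)
        if sm:
            info["dstuser"], info["srcuser"] = sm.group(1), sm.group(2)
            # Keep "user" meaning the destination, as the thread says OSSEC does.
            info["user"] = info["dstuser"]
    return info


if __name__ == "__main__":
    for line in (SAMPLE_SSHD_OK, SAMPLE_SU, SAMPLE_OTHER):
        print(decode(line))
```

Running it decodes the sshd line into user, srcip, srcport and protocol, the su line into srcuser/dstuser (with user mirroring dstuser), and leaves the cron line with only program_name set, which is the behaviour a Prelude-side consumer of these fields would need to be aware of.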
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.