Allow for CDB lookups from within rules in OSSEC (ossec-analysisd) of all possible fields.
Anything that has a large number of items. Some examples:
named with recursive logs checking the www.malwaredomains.com list for suspicious domains
lists of approved users by server
mstark (on irc) originally came up with suggestion for approved software based on a md5 list
IP address lookups - there are a large number of lists of suspicious or known bad IP addresses to match inside of ossec rules
A rule would use the following syntax to look up a key within a CDB database.
This example is a search for the key within the rules/cdb_record_file
and will match
if they key is present:
<list field="program_name" lookup="match_key">rules/records</list>
The lookup="match_key"
is the default and can be left out as in this example:
<list field="program_name">rules/records</list>
This example is a search for the key stored in field attribute and will match if it IS NOT present in the database:
<list field="program_name" lookup="not_match_key">rules/records</list>
This example is a search for a key stored in the field attribute, and on a positive match the returned value of the key will be processed using the regex in the check_value attribute:
<list field="program_name" lookup="match_key_value" check_value="^reject">rules/records</list>
This example is a search for the IP address stored in the field attribute and will match if it IS present in the database.
<list field="srcip" lookup="address_match_key">rules/records</list>
This example is a search for the IP address stored in the field attribute and will match if it IS NOT present in the database.
<list field="srcip" lookup="not_address_match_key">rules/records</list>
This example is a search for a key stored in the field attribute, and on a positive match the returned value of the key will be processed using the regex in the check_value attribute:
<list field="srcip" lookup="address_match_key_value" check_value="^reject">rules/records</list>
Each list will need to be defined and told to be available using the ossec.conf file. Using the following syntax:
<ossec_config>
<rules>
<list>rules/records</list>
CDB files must be compiled before they can be used. ossec-makelists is used to compile lists.
The command ossec-makelists will process and compile all lists if the master text rules have been changed. Basically logic is as follows:
Read ossec.conf for all lists
Check the mtime of each list and compare it to the mtime of the compiled .cdb file
if mtime is newer create new database file ending in .tmp
use atomic rename to change the .tmp to .cdb. This will invalidate all mmap pages currently in use by ossec-analysisd and will cause them to be reloaded with the new data as needed
Creating cdb lists the following file format is specified:
key1:value
key2:value
key3:diff value
Each key must be unique and is terminated with a colon :
.
For IP addresses the dot notation is used for subnet matches
key CIDR Possible matches
10.1.1.1 10.1.1.1/32 10.1.1.1
192.168. 192.168.0.0/16 192.168.0.0 - 192.168.255.255
172.16.19. 172.16.19.0/24 172.16.19.0 - 172.16.19.255
Due to address lookups being based on the class boundary extra scripts are suggested for creating lists that need fine control. Example of IP address list file:
192.168.: RFC 1918 Address space
172.16.:RFC 1918 Address space
172.17.:RFC 1918 Address space
172.18.:RFC 1918 Address space
172.19.:RFC 1918 Address space
172.20.:RFC 1918 Address space
172.21.:RFC 1918 Address space
172.22.:RFC 1918 Address space
172.23.:RFC 1918 Address space
172.24.:RFC 1918 Address space
172.25.:RFC 1918 Address space
172.26.:RFC 1918 Address space
172.27.:RFC 1918 Address space
172.28.:RFC 1918 Address space
172.29.:RFC 1918 Address space
172.30.:RFC 1918 Address space
172.31.:RFC 1918 Address space
10.:RFC 1918 Address space