22. Predecoding
• Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10
• <decoder name="appdaemon">
    <program_name>appdaemon</program_name>
  </decoder>
  time/date    : Feb 24 10:12:23
  Hostname     : beijing
  Program_name : appdaemon
  Log          : user john logged in from 10.10.10.10
24. Decoding
• Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10
• <decoder name="appdaemon-login">
    <parent>appdaemon</parent>
    <prematch>^user</prematch>
    <regex offset="after_prematch">(\S+) logged in from (\S+)</regex>
    <order>user,srcip</order>
  </decoder>
  time/date    : Feb 24 10:12:23
  Hostname     : beijing
  Program_name : appdaemon
  user         : john
  srcip        : 10.10.10.10
  Log          : user john logged in from 10.10.10.10
25. Analysis
• Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10
• <rule id="10001" level="3">
    <decoded_as>appdaemon</decoded_as>
    <match>logged in</match>
    <description>Successful login</description>
  </rule>
• <rule id="10002" level="7">
    <if_sid>10001</if_sid>
    <user>!John</user>
    <description>Ok, this was not John !!</description>
  </rule>
• <rule id="10003" level="7">
    <if_sid>10001</if_sid>
    <srcip>!10.10.10.0/24</srcip>
    <description>login from unauthorized network!!</description>
  </rule>
26. Analysis : The Rule Tree
[Figure: rule tree diagram. Rule 10001 is the root; 10002 and 10005 sit beneath it; 10003, 10004 and 10006 form the next level and 10007, 10008 the level below. The label ACTION runs alongside the tree.]
27. Advanced rule building
os_regex library (fast, not full regex)
\w -> A-Z, a-z, 0-9 characters
\d -> 0-9 characters
\s -> For spaces " "
\t -> For tabs.
\p -> ()*+,-.:;<=>?[] (punctuation characters)
\W -> For anything not \w
\D -> For anything not \d
\S -> For anything not \s
.  -> For anything
+  -> To match one or more times (eg \w+ or \d+)
*  -> To match zero or more times (eg \w* or \p*)
^  -> To specify the beginning of the text.
$  -> To specify the end of the text.
|  -> To create an "OR" between multiple patterns.
<regex> </regex> (in rules)
<regex> </regex> (in decoders)
<prematch> </prematch> (in decoders)
<if_matched_regex> </if_matched_regex> (in rules)
28. Advanced rule building
os_match library (more limited, faster)
^ -> To specify the beginning of the text.
$ -> To specify the end of the text.
| -> To create an "OR" between multiple patterns.
(rules only!)
<match> </match>
<user> </user>
<url> </url>
<id> </id>
<status> </status>
<hostname> </hostname>
<program_name> </program_name>
<srcport> </srcport>
<dstport> </dstport>
use this whenever possible!
it beats the <regex> tag
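To tie slides 22 to 28 together (predecoding, decoding, the rule tree and the os_regex / os_match syntax), here is an added, constructed Python model of the pipeline; it is not code from these slides or from the OSSEC project. It translates the os_regex escapes from the slide table into Python character classes, runs the slides' own decoder and rules over the example log line, and walks the rule tree the way OSSEC does (first matching child replaces its parent). The function names (predecode, decode, analyze, process), the syslog header pattern, the extra sample lines, the case-insensitive matching and the first-child-wins rule walk are assumptions about OSSEC's behaviour, not its implementation.

```python
import ipaddress
import re
# os_regex escapes from the slides mapped to Python classes (semantics assumed from the slide table).
OS_REGEX_CLASSES = {"w": "[A-Za-z0-9]", "d": "[0-9]", "s": "[ ]", "t": "\\t",
                    "p": r"[()*+,\-.:;<=>?\[\]]", "W": "[^A-Za-z0-9]", "D": "[^0-9]", "S": "[^ ]"}

def os_regex_to_python(pattern):
    # Escapes become classes; ^ at start, $ at end, . + * | ( ) keep their meaning; the rest is literal.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and pattern[i + 1:i + 2] in OS_REGEX_CLASSES:
            out.append(OS_REGEX_CLASSES[pattern[i + 1]])
            i += 2
        else:
            special = (c == "^" and i == 0) or (c == "$" and i == len(pattern) - 1) or c in ".+*|()"
            out.append(c if special else re.escape(c))
            i += 1
    return "".join(out)

def os_regex(pattern, text):
    # OSSEC matching is case-insensitive by default; returns a match object or None.
    return re.search(os_regex_to_python(pattern), text, re.IGNORECASE)

def os_match(pattern, text):
    # os_match subset: only ^, $ and | are special; everything else is a literal substring.
    alts = [("^" if a.startswith("^") else "") + re.escape(a.strip("^$")) + ("$" if a.endswith("$") else "")
            for a in pattern.split("|")]
    return re.search("|".join(alts), text, re.IGNORECASE) is not None

def predecode(line):
    # Predecoding: the syslog header yields timestamp, hostname and program_name; the rest is "log".
    m = os_regex(r"^(\w+ \d+ \d+:\d+:\d+) (\S+) (\S+):", line)
    if not m:
        return {"log": line}
    return {"timestamp": m.group(1), "hostname": m.group(2),
            "program_name": m.group(3), "log": line[m.end():].lstrip()}

# The slides' decoders: the parent keys on program_name; the child runs its regex after the prematch.
DECODERS = [
    {"name": "appdaemon", "program_name": "appdaemon"},
    {"name": "appdaemon-login", "parent": "appdaemon", "prematch": "^user",
     "regex": r"(\S+) logged in from (\S+)", "order": ["user", "srcip"]},
]

def decode(event):
    parents = [d for d in DECODERS if "parent" not in d
               and os_match(d["program_name"], event.get("program_name", ""))]
    for parent in parents[:1]:
        event["decoded_as"] = parent["name"]
        for child in (d for d in DECODERS if d.get("parent") == parent["name"]):
            pre = os_regex(child["prematch"], event["log"])
            m = pre and os_regex(child["regex"], event["log"][pre.end():])  # offset="after_prematch"
            if m:
                event.update(zip(child["order"], m.groups()))  # <order> names the captures
                break
    return event

# The slides' rules; if_sid links a child to its parent in the rule tree.
RULES = [
    {"id": 10001, "level": 3, "decoded_as": "appdaemon", "match": "logged in", "description": "Successful login"},
    {"id": 10002, "level": 7, "if_sid": 10001, "user": "!John", "description": "Ok, this was not John !!"},
    {"id": 10003, "level": 7, "if_sid": 10001, "srcip": "!10.10.10.0/24", "description": "login from unauthorized network!!"},
]

def field_matches(rule, key, event):
    # <user>/<srcip> fields: os_match on the decoded value, leading "!" negates, srcip accepts CIDR.
    if key not in rule:
        return True
    value, pattern = event.get(key), rule[key].lstrip("!")
    if value is None:
        return False
    if key == "srcip" and "/" in pattern:
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    else:
        hit = os_match(pattern, value)
    return hit != rule[key].startswith("!")

def analyze(event, parent_id=None):
    # Walk the rule tree: the first matching child replaces its parent, so the deepest match is the alert.
    for rule in RULES:
        if (rule.get("if_sid") == parent_id
                and rule.get("decoded_as", event.get("decoded_as")) == event.get("decoded_as")
                and ("match" not in rule or os_match(rule["match"], event["log"]))
                and field_matches(rule, "user", event) and field_matches(rule, "srcip", event)):
            return analyze(event, rule["id"]) or rule
    return None

def process(line):
    event = decode(predecode(line))
    return event, analyze(event)

if __name__ == "__main__":
    # Constructed sample lines; the first is the slides' own example.
    for line in ["Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10",
                 "Feb 24 10:13:01 beijing appdaemon:user alice logged in from 192.168.1.5",
                 "Feb 24 10:14:00 beijing appdaemon:user john logged in from 172.16.0.9"]:
        event, alert = process(line)
        print(event["user"], event["srcip"], "->", alert["id"], alert["level"], alert["description"])
```

Two details worth noticing when you run it: a prematch written as ^user$ never fires on the example line, because $ anchors the end of the text, which is why the decoder above anchors only the start; and the rule tree stops at the first child that matches, so for a login by another user from an unauthorized network only rule 10002 is reported, never 10003.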
30. ossec.conf
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>
  <!-- Directories to check (perform all possible verifications) -->
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
</syscheck>
36. Conclusion
nobody knows your system/application as well as you
OSSEC is a mature starting point for your log management needs
Tuning rules never stops!
Questions?
http://www.ossec.net