Prelude details & Reference URL, Oh my :)


Jeremy Rossi

Nov 17, 2009, 12:27:12 PM
to osse...@googlegroups.com
### prelude logging details:

I have been digging into the analysisd code to fill out the prelude IDMEF
details more completely, and I noticed that for rootcheck, syscheck, and
hostinfo the code branches before it ever gets to OS_PreludeLog. Due to
this there is very little way for OS_PreludeLog to get access to the
details without re-parsing the eventinfo->log.

I have been thinking about, if prelude support is compiled in, passing
around a pointer to an IDMEF event in the eventinfo struct so that each one
of the branches could add the data themselves. But this would litter the
code with `#ifdef PRELUDE`. So I am looking for another suggestion or idea for
this before I finish coding up the change.

### Prelude vendor-specific details for OSSEC:

I have created a patch (attached & http://j.mp/1WL6QG) that adds
vendor-specific details from the OSSEC event before it is forwarded to the
prelude server. This patch splits up the `lf->generated_rule->group` using
`,` as the delimiter and for each section adds a URL pointing to the OSSEC
wiki. For example, all syscheck events would have a URL pointing to
http://www.ossec.net/wiki/Group:syscheck. Rule IDs are also handled, so
they would get a link to http://www.ossec.net/wiki/Rule:5201.

While this method works for rules that come with OSSEC, it does not help
for rules that are created in house or shared between outside groups. So I
would like to propose a new field for rules, `reference_url`. Any number of
URLs could be included in the rule definition and then be made available
for reporting.

```xml
<rule id="5701" level="8">
  <if_sid>5700</if_sid>
  <match>Bad protocol version identification</match>
  <description>Possible attack on the ssh server (or version gathering).</description>
  <reference_url>http://www.ossec.net/wiki/Rule:5201</reference_url>
  <reference_url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924</reference_url>
</rule>
```

-Jeremy Rossi
http://praetorianprefect.com/archives/tag/ossec/
prelude-details.patch
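The group-to-URL mapping described in the first message, written out as a stand-alone C function so the behaviour can be checked outside analysisd. This is an added example and not the attached patch or OSSEC's own code; the function name `rule_reference_urls`, the buffer sizes, and the sample group string `"syscheck,pci_dss_11.4"` are assumptions for illustration. It splits a comma-delimited group string the way the patch describes, trims stray whitespace, skips empty segments, and appends the `Rule:<id>` link last, refusing to write past the caller's array.

```c
#include <stdio.h>
#include <string.h>

/* Base of the OSSEC wiki as used in the thread's example URLs. */
#define OSSEC_WIKI_BASE "http://www.ossec.net/wiki/"
/* Illustrative limits (assumptions, not OSSEC constants). */
#define MAX_REFS 16
#define MAX_URL  256

/*
 * Build wiki URLs for a rule's group list and its id.
 *   group:    comma-delimited group string, e.g. "syscheck,pci_dss_11.4" (may be NULL)
 *   rule_id:  numeric rule id; 0 or negative means "no Rule: link"
 *   urls:     caller-provided array of MAX_URL-sized buffers
 *   max_urls: number of entries in urls
 * Returns the number of URLs written. Segments that are empty after trimming
 * are skipped; a URL that would not fit in MAX_URL bytes is dropped rather than truncated.
 */
int rule_reference_urls(const char *group, int rule_id, char urls[][MAX_URL], size_t max_urls)
{
    size_t count = 0;
    const char *p = group;

    /* Walk the group string one comma-delimited segment at a time. */
    while (p != NULL && *p != '\0' && count < max_urls) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        const char *start = p;
        size_t n = len;

        /* Trim leading and trailing blanks; "a, b" should yield "a" and "b". */
        while (n > 0 && (*start == ' ' || *start == '\t')) { start++; n--; }
        while (n > 0 && (start[n - 1] == ' ' || start[n - 1] == '\t')) n--;

        if (n > 0) {
            int w = snprintf(urls[count], MAX_URL, "%sGroup:%.*s", OSSEC_WIKI_BASE, (int)n, start);
            if (w > 0 && (size_t)w < MAX_URL)
                count++;
        }
        p = comma ? comma + 1 : NULL;
    }

    /* The rule id gets its own link, as in the thread's Rule:5201 example. */
    if (count < max_urls && rule_id > 0) {
        int w = snprintf(urls[count], MAX_URL, "%sRule:%d", OSSEC_WIKI_BASE, rule_id);
        if (w > 0 && (size_t)w < MAX_URL)
            count++;
    }
    return (int)count;
}

int main(void)
{
    /* Constructed sample input: a syscheck rule tagged with one extra group. */
    char urls[MAX_REFS][MAX_URL];
    int n = rule_reference_urls("syscheck,pci_dss_11.4", 5201, urls, MAX_REFS);
    for (int i = 0; i < n; i++)
        printf("%s\n", urls[i]);
    return 0;
}
```

The function never modifies its input, so it can be pointed directly at `lf->generated_rule->group` without copying; the bounded `snprintf` plus the size check is what keeps an unusually long group name from overrunning the URL buffer.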

Sebastien Tricaud

Nov 18, 2009, 2:52:36 PM
to osse...@googlegroups.com
Thank you Jeremy for your patch. I will have a look at it shortly. If
you have no answer by Sunday, please ping me ;)

Cheers,
Sebastien.

Jeremy Rossi

Nov 19, 2009, 3:19:51 PM
to osse...@googlegroups.com
Here is the updated patch that fills in the details from syscheck events.
I did not pass around the pointer to the IDMEF alert at the suggestion of
dcid on IRC. I am not a huge fan of modifying the eventinfo struct to make
the details of what changed visible to OS_PreludeLog, but I don't know of
another way.


-Jeremy Rossi
http://praetorianprefect.com/archives/tag/ossec/

--On November 19, 2009 11:05:24 AM -0500 Jeremy Rossi
<jer...@jeremyrossi.com> wrote:
> I have a far more complete patch that better integrates with syscheck
> and fills out all the target().file().* info, but just have to clean it
> up some before forwarding to the list.
>
> On Nov 18, 2009, at 2:52 PM, Sebastien Tricaud
prelude-details-v2.patch

Jeremy Rossi

Nov 19, 2009, 11:05:24 AM
to osse...@googlegroups.com
I have a far more complete patch that better integrates with syscheck
and fills out all the target().file().* info, but just have to clean
it up some before forwarding to the list.



--
On the move

On Nov 18, 2009, at 2:52 PM, Sebastien Tricaud <sebastie...@gmail.com> wrote:

Jeremy Rossi

Dec 1, 2009, 12:22:03 PM
to Jeremy Rossi, osse...@googlegroups.com
Sebastien,

You asked me to follow up with you on this last week, but I was sick and then in Paris for a few days so was out of touch. Do you have any input on this patch?

Daniel,

Is there anything else you would like to see for this patch? I am not very happy with the method of adding fields to the Eventinfo struct (diff view http://j.mp/8Nz5su). It just does not seem like a very clean way of going about things.

-Jeremy Rossi
http://praetorianprefect.com/archives/tag/ossec/
> <prelude-details-v2.patch>
