important questions on CDB lists


theresa mic-snare

Mar 18, 2016, 3:42:50 PM
to ossec-list
ehlo *,

I have an important question about CDB lists, as I'm just researching for my thesis on OSSEC.
Yes, I've read the documentation on readthedocs; maybe I'm too daft to understand it.

what I have done so far:

I've created a file called "baddomains" in /var/ossec/lists/

I've added the list in the <rules></rules> section
<list>lists/baddomains</list>

I've run
  # bin/ossec-makelists


I'm not quite sure what the purpose of the CDB lists is.... Should a rule fire as soon as one of those domains (content of baddomains) is attacking me?!
I don't think I've yet understood the positive/negative key match of it.

Can someone please explain it to me with a real-life example?

Also, what does CDB stand for? I haven't found that in the OSSEC docs either....
Common database? Central database?!

thanks,
theresa

Eero Volotinen

Mar 18, 2016, 3:45:31 PM
to ossec-list

Err. You must be joking? Try googling with 'CDB'.

Eero


theresa mic-snare

Mar 18, 2016, 3:59:32 PM
to ossec-list, eero.vo...@iki.fi
Ahh, I think I've now got it :)
Also found a very good example that showcases it better.

silly me ;)

dan (ddp)

Mar 22, 2016, 7:47:23 AM
to ossec...@googlegroups.com
On Fri, Mar 18, 2016 at 3:42 PM, theresa mic-snare
<rockpr...@gmail.com> wrote:
> ehlo *,
>
> I have an important question about CDB lists, as I'm just researching for my
> thesis on OSSEC.
> Yes, I've read the documentation on readthedocs; maybe I'm too daft to
> understand it.
>
> what I have done so far:
>
> I've created a file called "baddomains" in /var/ossec/lists/
> content is from zeustracker
> (https://zeustracker.abuse.ch/blocklist.php?download=baddomains)
>
> I've added the list in the <rules></rules> section
> <list>lists/baddomains</list>
>
> I've run
> # bin/ossec-makelists
>
>
> I'm not quite sure what the purpose of the CDB lists is.... Should a rule
> fire as soon as one of those domains (content of baddomains) is attacking
> me?!
> I don't think I've yet understood the positive/negative key match of it.
>
> Can someone please explain it to me with a real-life example?
>

I have a list with bad domains:
<list>rules/lists/ossec.block</list>

I get them from the same place you do, and more. The format is:
DOMAIN:bad domain

I have rules that watch my dns server logs for queries, and compare
the domains with the cdb list:
<rule id="500701" level="15">
<if_sid>500101</if_sid> <!-- DNS A request -->
<list field="url" lookup="match_key">lists/ossec.block</list>
<description>Bad domain.</description>
</rule>

It should compare the value of the url field to the cdb and alert on
any DOMAIN found. I stuck undeadly.org in my block list for testing.
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
full event: 'Mar 22 07:21:25 ix unbound: [5756:0] info:
127.0.0.1 undeadly.org. A IN'
hostname: 'ix'
program_name: 'unbound'
log: '[5756:0] info: 127.0.0.1 undeadly.org. A IN'

**Phase 2: Completed decoding.
decoder: 'unbound'
srcip: '127.0.0.1'
url: 'undeadly.org'

**Phase 3: Completed filtering (rules).
Rule id: '500101'
Level: '0'
Description: 'DNS A request.'



Oops. So obviously I'm doing something wrong, but I haven't tried to
track it down yet. That's how it's supposed to work though.

> Also, what does CDB stand for? I haven't found that in the OSSEC docs
> either....
> Common database? Central database?!
>
> thanks,
> theresa
>

theresa mic-snare

Mar 25, 2016, 3:53:03 PM
to ossec-list
Excellent explanation, Dan! As always, thanks a lot :)

Omar M

Dec 7, 2016, 12:47:09 PM
to ossec-list
Did anyone find a solution to this problem?

I've compiled the CDB and created the rules but cannot seem to get the lookup to work.


dan (ddp)

Dec 7, 2016, 12:57:11 PM
to ossec...@googlegroups.com
On Wed, Dec 7, 2016 at 12:39 PM, Omar M <omar.m...@ullink.com> wrote:
> Did anyone find a solution to this problem?
>
> I've compiled the CDB and created the rules but cannot seem to get the
> lookup to work
>

I'd really need more information than this to help you.

Omar M

Dec 7, 2016, 3:01:18 PM
to ossec-list
Hi Dan,
Thanks for the quick response.

The objective is to create a rule that will trigger if a restricted package is installed on the system. This is what I've done so far:
  1. Created a custom decoder for Yum. This works fine. The logs are decoded properly and the name of the package that is installed is decoded and stored in "id".
  2. Created a cdb file; placed the cdb file in /var/ossec/rules/; and updated ossec.conf to include <list>cdb-list</list> under the rules section. The cdb file compiles as expected.
  3. Created a custom rule (see below).
  4. Ran ossec-logtest (the output of logtest is below).
The rule is getting called but the alert never fires; see the output below.

======RULES================
<group name="syslog,yum,">
  <rule id="110000" level="0">
    <decoded_as>yum</decoded_as>
    <description>Yum custom group.</description>
  </rule>

  <rule id="110001" level="10">
    <if_sid>110000</if_sid>
    <!-- field "id" holds the package name produced by the custom yum decoder -->
    <list field="id" lookup="match_key">cdb-list</list>
    <description>illegal package installed via Yum!!!</description>
  </rule>
</group>
===============================

========Logtest Output==================
# ./ossec-logtest -vvv
2016/12/07 13:14:07 ossec-testrule: INFO: Reading local decoder file.
2016/12/07 13:14:07 ossec-testrule: INFO: Reading the lists file: 'cdb-list'
2016/12/07 13:14:07 ossec-testrule: INFO: Started (pid: 8075).
ossec-testrule: Type one log per line.

Dec  7 07:05:06 ax yum: Installed: libX11-devel - 1.0.3-9.el5.i386


**Phase 1: Completed pre-decoding.
       full event: 'Dec  7 07:05:06 ax yum: Installed: libX11-devel - 1.0.3-9.el5.i386'
       hostname: 'ax'
       program_name: 'yum'
       log: 'Installed: libX11-devel - 1.0.3-9.el5.i386'

**Phase 2: Completed decoding.
       decoder: 'yum'
       id: 'libX11-devel'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 110000 - Yum custom group.
       *Rule 110000 matched.
       *Trying child rules.
    Trying rule: 110001 - illegal package installed via Yum!!!

**Phase 3: Completed filtering (rules).
       Rule id: '110000'
       Level: '0'
       Description: 'Yum custom group.'
==============================================
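
The two rules in this thread (Dan's DNS rule 500701 with `<list field="url" lookup="match_key">`, and Omar's yum rule 110001 with `<list field="id" lookup="match_key">`) both rely on the same mechanism: a decoded field is used as a key and looked up in the compiled list. The Python below is an added example, not OSSEC's own code, that emulates that decision so the positive/negative key semantics Theresa asked about can be seen on the thread's own decoded events. The lookup names `match_key`, `not_match_key`, `match_key_value` and the `check_value` attribute are the ones OSSEC's rule syntax documents; the list contents, the dict-based stand-in for ossec-makelists, and the trailing-dot variant of the DNS event are constructed for the example.

```python
"""Added example (not OSSEC's own code): emulate how an OSSEC CDB list
lookup decides whether a <list field=... lookup=...> rule condition holds."""
import re
from typing import Dict, Optional

# Constructed sample list in the key:value format Dan describes ("DOMAIN:bad domain").
# Hypothetical entries only; not taken from zeustracker or any real block list.
SAMPLE_LIST = """\
# comments and blank lines are skipped by this emulation
undeadly.org:bad domain
evil.example:bad domain
libX11-devel:restricted package
"""


def compile_list(text: str) -> Dict[str, str]:
    """Stand-in for ossec-makelists: turn key:value lines into a lookup table.
    The real tool writes a .cdb file; what matters for the rule is that the
    lookup is an exact, case-sensitive match on the key."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        table[key.strip()] = value.strip() if sep else ""
    return table


def list_condition(table: Dict[str, str], field_value: Optional[str],
                   lookup: str = "match_key",
                   check_value: Optional[str] = None) -> bool:
    """Evaluate one <list> condition against a decoded field value.

    match_key       -> true when the field value is a key in the list (positive match)
    not_match_key   -> true when the field value is NOT a key in the list (negative match)
    match_key_value -> key present AND its stored value matches the check_value regex
    """
    if field_value is None:  # the decoder never produced this field: nothing to look up
        return False
    present = field_value in table
    if lookup == "match_key":
        return present
    if lookup == "not_match_key":
        return not present
    if lookup == "match_key_value":
        return (present and check_value is not None
                and re.search(check_value, table[field_value]) is not None)
    raise ValueError(f"unknown lookup type: {lookup}")


def evaluate_rule(rule: dict, decoded: Dict[str, str], table: Dict[str, str]) -> bool:
    """Apply a rule's <list> condition to the fields a decoder produced.
    `rule` mirrors the attributes of the <list> element (field, lookup, check_value)."""
    return list_condition(table, decoded.get(rule["field"]),
                          rule.get("lookup", "match_key"), rule.get("check_value"))


# The two rules from the thread, reduced to their <list> attributes
DNS_RULE = {"id": 500701, "field": "url", "lookup": "match_key"}
YUM_RULE = {"id": 110001, "field": "id", "lookup": "match_key"}
# Hypothetical negative-match rule: fire on any DNS query whose name is NOT listed
NOT_LISTED_RULE = {"id": 500702, "field": "url", "lookup": "not_match_key"}

# Decoded fields as shown in the thread's ossec-logtest output
DNS_EVENT = {"decoder": "unbound", "srcip": "127.0.0.1", "url": "undeadly.org"}
YUM_EVENT = {"decoder": "yum", "id": "libX11-devel"}
# Constructed variant: the decoder left the trailing dot of the FQDN in place
DNS_EVENT_DOT = {"decoder": "unbound", "srcip": "127.0.0.1", "url": "undeadly.org."}


def run_demo() -> Dict[str, bool]:
    """Return which rule/event combinations would alert under the emulated semantics."""
    table = compile_list(SAMPLE_LIST)
    return {
        "dns_bad_domain": evaluate_rule(DNS_RULE, DNS_EVENT, table),        # key present
        "dns_trailing_dot": evaluate_rule(DNS_RULE, DNS_EVENT_DOT, table),  # "undeadly.org." != key
        "yum_restricted": evaluate_rule(YUM_RULE, YUM_EVENT, table),        # key present
        "dns_not_listed": evaluate_rule(NOT_LISTED_RULE, DNS_EVENT, table), # listed, so no alert
        "missing_field": evaluate_rule(DNS_RULE, YUM_EVENT, table),         # yum event has no "url"
    }


if __name__ == "__main__":
    for name, fired in run_demo().items():
        print(f"{name:18s} -> {'ALERT' if fired else 'no alert'}")
```

The trailing-dot case is the one to keep in mind when a list rule never fires: the key the rule looks up is the decoded field exactly as the decoder emitted it, so the list entries have to be written in that same form, and a mismatch of even one character (a trailing `.`, a version suffix, different case) is simply "not in the list".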

Jesus Linares

Dec 9, 2016, 6:39:48 AM
to ossec-list
Hi Omar,

If you don't mind, please share your decoders, rules and CDB list and I can test it in my lab.

Thanks.