Create decoder and alert for bash_history data
474 views
Skip to first unread message
Pieter
Jan 18, 2022, 9:11:39 PM1/18/22
to Wazuh mailing list
Hi,
What I need to do is create an alert for every new line in the bash_history file (no matter what the command is). Might sound weird but this is the way it has to work.
I tried some things with regex but couldn't get it to work.
The group config looks like this:
<localfile>
<location>~/.bash_history</location>
<log_format>syslog</log_format>
</localfile>
<location>~/.bash_history</location>
<log_format>syslog</log_format>
</localfile>
Wasn''t too sure what to use for the log_format so please let me know if there's a better option. Hopefuly someone can tell me how to create the alert/decoder.
Thanks!
elw...@wazuh.com
Jan 19, 2022, 4:33:31 AM1/19/22
to Wazuh mailing list
Hello Pieter,
You can use out_format https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#out-format to adapt the output and create a corresponding decoder/rule. As the following:
Please note that bash maintains the commands running on memory while it is running and if you want to force it to be written out, you can use `history -a` or make it as a prompt command https://unix.stackexchange.com/questions/145250/where-is-bashs-history-stored.
Hope it helps.
Regards,
Wali
You can use out_format https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#out-format to adapt the output and create a corresponding decoder/rule. As the following:
- Configuration:
<localfile> <location>~/.bash_history</location> <log_format>syslog</log_format> <out_format>$(timestamp) $(hostname) history: $(log)</out_format> </localfile> - Decoder:
<decoder name="history">
<program_name>history</program_name>
</decoder> - Rule:
<group name="history,">
<rule id="100010" level="3">
<decoded_as>history</decoded_as>
<description>history command</description>
</rule>
</group> - Result:
**Phase 1: Completed pre-decoding.
full event: 'Jan 19 09:18:37 eLKRBAC history: history -a'
timestamp: 'Jan 19 09:18:37'
hostname: 'eLKRBAC'
program_name: 'history'
log: 'history -a'
**Phase 2: Completed decoding.
decoder: 'history'
**Phase 3: Completed filtering (rules).
Rule id: '100010'
Level: '3'
Description: 'history command'
**Alert to be generated.
Please note that bash maintains the commands running on memory while it is running and if you want to force it to be written out, you can use `history -a` or make it as a prompt command https://unix.stackexchange.com/questions/145250/where-is-bashs-history-stored.
Hope it helps.
Regards,
Wali
Reply all
Reply to author
Forward
0 new messages