From 8e96b1bbdb0973c8c6ec009c005f5ec9ae1d2c8f Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Sun, 24 Jun 2018 08:56:42 -0400
Subject: [PATCH 1/3] Fix dpkg grouping rule.

From issue #1433 reported by iasdeoupxe. Added tests for dpkg logs provided in the wazuh ticket about this.
---
 contrib/ossec-testing/tests/doas.ini | 8 ++++----
 contrib/ossec-testing/tests/dpkg.ini | 8 ++++++++
 etc/rules/syslog_rules.xml | 10 +++++++++-
 3 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 contrib/ossec-testing/tests/dpkg.ini

diff --git a/contrib/ossec-testing/tests/doas.ini b/contrib/ossec-testing/tests/doas.ini
index db1d04a0a..5033d3963 100644
--- a/contrib/ossec-testing/tests/doas.ini
+++ b/contrib/ossec-testing/tests/doas.ini
@@ -1,26 +1,26 @@
 [failed command]
-log 1 fail = Apr 13 08:49:20 ix doas: failed command for ddp2: ls
+log 1 pass = Apr 13 08:49:20 ix doas: failed command for ddp2: ls
 
 rule = 51554
 alert = 5
 decoder = doas
 
 [command run as root]
-log 1 fail = Mar 22 07:21:58 ix doas: ddp ran command /bin/ksh as root from /data/ddp/projects/git/sysconf/ossec/rules
+log 1 pass = Mar 22 07:21:58 ix doas: ddp ran command /bin/ksh as root from /data/ddp/projects/git/sysconf/ossec/rules
 
 rule = 51556
 alert = 2
 decoder = doas
 
 [failed auth]
-log 1 fail = Feb 29 14:58:39 ix doas: failed auth for ddp
+log 1 pass = Feb 29 14:58:39 ix doas: failed auth for ddp
 
 rule = 51557
 alert = 5
 decoder = doas
 
 [doas command run]
-log 1 fail = Aug 13 15:16:40 ix doas: ddp ran command as ddpnfs: ls
+log 1 pass = Aug 13 15:16:40 ix doas: ddp ran command as ddpnfs: ls
 
 rule = 51555
 alert = 1
diff --git a/contrib/ossec-testing/tests/dpkg.ini b/contrib/ossec-testing/tests/dpkg.ini
new file mode 100644
index 000000000..61890b66f
--- /dev/null
+++ b/contrib/ossec-testing/tests/dpkg.ini
@@ -0,0 +1,8 @@
+[dpkg log]
+log 1 pass = 2018-05-31 12:09:56 upgrade vlc-plugin-visualization:amd64 3.0.2-1+b1 3.0.3-1
+log 2 pass = 2018-05-11 09:41:49 conffile /etc/redis/redis.conf keep
+
+rule = 2900
+alert = 0
+decoder = windows-date-format
+
diff --git a/etc/rules/syslog_rules.xml b/etc/rules/syslog_rules.xml
index 29f1b75a5..1d9f251c0 100644
--- a/etc/rules/syslog_rules.xml
+++ b/etc/rules/syslog_rules.xml
@@ -585,7 +585,15 @@
 windows-date-format
- ^startup |^status |^remove |^configure |^install |^purge |^trigproc
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d startup |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d configure |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade
 Dpkg (Debian Package) log.

From 0892d382388f2c508edebbed54f391dcee27f539 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Sun, 24 Jun 2018 17:24:57 -0400
Subject: [PATCH 2/3] Close a tag.

I blame the keybosard on this xps 13.
---
 etc/rules/syslog_rules.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/rules/syslog_rules.xml b/etc/rules/syslog_rules.xml
index 1d9f251c0..24b0b5fab 100644
--- a/etc/rules/syslog_rules.xml
+++ b/etc/rules/syslog_rules.xml
@@ -593,7 +593,7 @@
 ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge |
 ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc |
 ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile |
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade
 ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade
 Dpkg (Debian Package) log.

From 1cceca4873ca473b58bb2ee4bb56a3c670d4b735 Mon Sep 17 00:00:00 2001
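Review bot: dpkg.ini only exercises the two actions this series adds (`upgrade`, `conffile`), so it says nothing about whether the prefix rewrite of rule 2900 kept the seven pre-existing actions (`startup`, `status`, `remove`, `configure`, `install`, `purge`, `trigproc`) matching, which is the regression this change is most likely to introduce. A third sample for one of those, e.g. `log 3 pass = 2018-05-31 12:09:55 startup archives unpack`, would pin that; note the expected `rule` for it has to be whatever rule finally fires, which may be a child of 2900 rather than 2900 itself, so check the rule file before choosing the id. Both samples assert `alert = 0`, which is correct for a grouping rule but worth a one-line comment in the file (`; 2900 is a level-0 grouping rule; children raise the alerts`) so nobody later "fixes" the level.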
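Review bot: The new `upgrade` and `conffile` alternatives are matched by rule 2900 at the grouping level, and nothing in this hunk adds a child rule that raises an alert for them; if no rule elsewhere in the file matches on 2900 for the upgrade action, a package upgrade, i.e. a binary replaced on disk, still produces no alert, only now through a silent level-0 match instead of a non-match as before the fix. That deserves a check against the 2900 children outside the hunk and, if none covers it, a follow-up child rule rather than being left implicit. The nine alternatives each repeat the `\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d ` prefix because OSSEC's regex dialect has no grouped alternation; a comment above the element, `<!-- dpkg.log lines begin with "YYYY-MM-DD HH:MM:SS"; a bare ^startup never matched (issue #1433) -->`, would keep the next editor from collapsing it back. The enclosing `<rule>` element opens and closes outside the visible hunk (its tags do not survive in this rendering).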
From: ddpbsd
Date: Sun, 24 Jun 2018 18:13:14 -0400
Subject: [PATCH 3/3] I figured these would fail in travis, but they succeed on my system. I'll have to track down whatever changes I made to make them work.
---
 contrib/ossec-testing/tests/doas.ini | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/contrib/ossec-testing/tests/doas.ini b/contrib/ossec-testing/tests/doas.ini
index 5033d3963..db1d04a0a 100644
--- a/contrib/ossec-testing/tests/doas.ini
+++ b/contrib/ossec-testing/tests/doas.ini
@@ -1,26 +1,26 @@
 [failed command]
-log 1 pass = Apr 13 08:49:20 ix doas: failed command for ddp2: ls
+log 1 fail = Apr 13 08:49:20 ix doas: failed command for ddp2: ls
 
 rule = 51554
 alert = 5
 decoder = doas
 
 [command run as root]
-log 1 pass = Mar 22 07:21:58 ix doas: ddp ran command /bin/ksh as root from /data/ddp/projects/git/sysconf/ossec/rules
+log 1 fail = Mar 22 07:21:58 ix doas: ddp ran command /bin/ksh as root from /data/ddp/projects/git/sysconf/ossec/rules
 
 rule = 51556
 alert = 2
 decoder = doas
 
 [failed auth]
-log 1 pass = Feb 29 14:58:39 ix doas: failed auth for ddp
+log 1 fail = Feb 29 14:58:39 ix doas: failed auth for ddp
 
 rule = 51557
 alert = 5
 decoder = doas
 
 [doas command run]
-log 1 pass = Aug 13 15:16:40 ix doas: ddp ran command as ddpnfs: ls
+log 1 fail = Aug 13 15:16:40 ix doas: ddp ran command as ddpnfs: ls
 
 rule = 51555
 alert = 1
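Review bot: Flipping the four doas cases back to `fail` inverts what the file asserts rather than fixing the environment: if, as the harness convention suggests, `fail` means the sample must not resolve to the named rule, then wherever the doas decoder and rules 51554–51557 are loaded (the author's machine, per the subject) these tests now fail, and wherever they are not loaded a regression in the doas rules — failed auth at level 5, a command run as root at level 2 — can never surface, because the non-match is exactly what is now expected. If the CI image lacks the doas decoder, the cleaner fix is to add it to the decoder set the test runner loads, or to skip this file there, and keep `log 1 pass = ...` as the documented detection. Failing that, a comment at the top of the file, e.g. `; expectations inverted because the doas decoder is not loaded in CI (PATCH 3/3); restore "pass" once it is`, would stop the next reader from taking the `fail` lines as intended behaviour. The last section's `decoder = doas` line lies outside the hunk.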