List: ossec-dev
Subject: [ossec-dev] Re: Active response command issue + solution
From: cmlara <ipstealer () gmail ! com>
Date: 2012-09-02 4:58:22
Message-ID: df5a8660-3bc6-4025-98c4-ca9f908d9c61 () googlegroups ! com
Oh and this time with the file attached so it stays in the Google Groups
with the message and not on an outside system.
On Tuesday, September 20, 2011 2:10:48 PM UTC, Robert wrote:
>
> Greetings.
>
> We've deployed OSSEC into an environment with the primary purpose of
> parsing large amounts of log data on a centralized syslog-ng server.
> This deployment has been successful, but we ran into some fairly
> annoying limitations that were causing us significant headaches with
> passing relevant decoded alert data into an external script which
> handles passing the alert into our existing internal monitoring
> systems. Our expectation (and requirement) is to have some of the
> decoded data passed into the command, so that the fields can either
> have further automated analysis done, or simply to forward the
> decoded fields into a ticket.
>
> http://www.ossec.net/wiki/Decoder_rules_relation
>
> At the bottom of this document, it specifies a list of fields that can
> be used with the <expect> tag in the active-response. Unfortunately,
> when we tried to use these fields, it didn't work. Looking at the
> source code, we discovered that IP, USER are hard-coded as the only
> two fields that OSSEC allows <expect> to be used for.
>
> We've created a patch for 2.6 to allow for all of the fields listed in
> your wiki. We've also made the required changes to allow for OSSEC to
> pass spaces properly in these fields, as we noticed that any field
> passed with expect with a space in it would break our scripts. We've
> tested this internally, and everything appears to work perfectly.
> We're more than happy to provide this back to you guys to integrate
> into a future release.
>
> Let me know if there is a more preferred way of providing this patch.
> Here are the changes:
>
> http://pastebin.com/qUBthUGb
["Patch-OSSEC-2.6-Extend-EXPECT-data.patch" (text/x-patch)]
diff -rupN orig/ossec-hids-2.6/src/analysisd/alerts/exec.c \
new/ossec-hids-2.6/src/analysisd/alerts/exec.c
--- orig/ossec-hids-2.6/src/analysisd/alerts/exec.c 2011-07-11 19:36:58.000000000 \
+0000
+++ new/ossec-hids-2.6/src/analysisd/alerts/exec.c 2012-09-02 03:59:39.605515646 \
+0000 @@ -24,70 +24,207 @@
#include "eventinfo.h"
-
-/* OS_Exec v0.1
+/**
+ * Clean up the IP and check against whitelist
+ *
+ * return NULL if invalid or error or if IP to be ignored
*/
-void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
-{
- char exec_msg[OS_SIZE_1024 +1];
+char* clean_ip(char *checkIP) {
+
char *ip;
- char *user;
+
+ ip = strrchr(checkIP, ':')
+ if(ip)
+ {
+ ip++;
+ }
+ else
+ {
+ ip = checkIP
+ }
- /* Cleaning the IP */
- if(lf->srcip && (ar->ar_cmd->expect & SRCIP))
+ /* Checking if IP is to ignored */
+ if(Config.white_list)
{
- ip = strrchr(lf->srcip, ':');
- if(ip)
- {
- ip++;
- }
- else
+ if(OS_IPFoundList(ip, Config.white_list))
{
- ip = lf->srcip;
+ return NULL;
}
+ }
+ /* Checking if it is a hostname */
+ if(Config.hostname_white_list)
+ {
+ int srcip_size;
+ OSMatch **wl;
- /* Checking if IP is to ignored */
- if(Config.white_list)
+ srcip_size = strlen(ip);
+
+ wl = Config.hostname_white_list;
+ while(*wl)
{
- if(OS_IPFoundList(ip, Config.white_list))
- {
- return;
- }
+ if(OSMatch_Execute(ip, srcip_size, *wl))
+ return NULL;
+ wl++;
}
+ }
+ return ip;
+}
- /* Checking if it is a hostname */
- if(Config.hostname_white_list)
- {
- int srcip_size;
- OSMatch **wl;
- srcip_size = strlen(ip);
-
- wl = Config.hostname_white_list;
- while(*wl)
- {
- if(OSMatch_Execute(ip, srcip_size, *wl))
- return;
- wl++;
- }
- }
+/* OS_Exec v0.1
+ */
+void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
+{
+ char exec_msg[OS_SIZE_2048 +1];
+
+ char *dstuser;
+ char *srcuser;
+
+ char *dstip;
+ char *srcip;
+ char *dstport;
+ char *srcport;
+
+ char *protocol;
+ char *action;
+ char *id;
+ char *url;
+ char *data;
+ char *status;
+ char *systemname;
+
+ /* Getting username */
+ if(lf->dstuser && (ar->ar_cmd->expect & DSTUSER))
+ {
+ dstuser = lf->dstuser;
}
else
{
- ip = "-";
+ dstuser = "-";
}
-
-
- /* Getting username */
- if(lf->dstuser && (ar->ar_cmd->expect & USERNAME))
+ /* Getting Source User */
+ if(lf->srcuser && (ar->ar_cmd->expect & SRCUSER))
+ {
+ srcuser = lf->srcuser;
+ }
+ else
+ {
+ srcuser = "-";
+ }
+ /* Cleaning the IP */
+ if(lf->srcip && (ar->ar_cmd->expect & SRCIP))
{
- user = lf->dstuser;
+ srcip = clean_ip(lf->srcip);
+ if (srcip == NULL)
+ return;
}
else
{
- user = "-";
+ srcip = "-";
+ }
+
+ /* Getting Destination IP*/
+ if(lf->dstip && (ar->ar_cmd->expect & DSTIP))
+ {
+ dstip = clean_ip(lf->dstip);
+ if (dstip == NULL)
+ return;
+ }
+ else
+ {
+ dstip = "-";
+ }
+
+ /* Getting Source Port */
+ if(lf->srcport && (ar->ar_cmd->expect & SRCPORT))
+ {
+ srcport = lf->srcport;
+ }
+ else
+ {
+ srcport = "-";
+ }
+
+ /* Getting the Destination Port */
+ if(lf->dstport && (ar->ar_cmd->expect & DSTPORT))
+ {
+ dstport = lf->dstport;
+ }
+ else
+ {
+ dstport = "-";
+ }
+
+ /* Getting Protocol */
+ if(lf->protocol && (ar->ar_cmd->expect & PROTOCOL))
+ {
+ protocol = lf->protocol;
+ }
+ else
+ {
+ protocol = "-";
+ }
+
+ /* Getting Action */
+ if(lf->action && (ar->ar_cmd->expect & ACTION))
+ {
+ action = lf->action;
+ }
+ else
+ {
+ action = "-";
+ }
+
+ /* Getting ID */
+ if(lf->id && (ar->ar_cmd->expect & ID))
+ {
+ id = lf->id;
+ }
+ else
+ {
+ id = "-";
+ }
+
+ /* Getting URL */
+ if(lf->url && (ar->ar_cmd->expect & URL))
+ {
+ url = lf->url;
+ }
+ else
+ {
+ url = "-";
+ }
+
+ /* Getting Data */
+ if(lf->data && (ar->ar_cmd->expect & DATA))
+ {
+ data = lf->data;
+ }
+ else
+ {
+ data = "-";
+ }
+
+ /* Getting Status */
+ if(lf->status && (ar->ar_cmd->expect & STATUS))
+ {
+ status = lf->status;
+ }
+ else
+ {
+ status = "-";
+ }
+
+ /* Getting System name */
+ if(lf->systemname && (ar->ar_cmd->expect & SYSTEMNAME))
+ {
+ systemname = lf->systemname;
+ }
+ else
+ {
+ systemname = "-";
}
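Review bot: the new clean_ip() in this hunk does not compile as shown: `ip = strrchr(checkIP, ':')` and `ip = checkIP` both lack a terminating semicolon. While fixing that, declare the helper `static` (it is only called from OS_Exec in this file) and make its header comment match what it does: it returns NULL only when the address matches Config.white_list or Config.hostname_white_list, never for an "invalid" IP, so the "invalid or error" wording is misleading. It is also worth a comment that OS_Exec now skips the whole response when either srcip or dstip is whitelisted, which is a behaviour change for rules that start using dstip.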
@@ -102,15 +239,27 @@ void OS_Exec(int *execq, int *arq, Event
if(!(Config.ar & LOCAL_AR))
return;
- snprintf(exec_msg, OS_SIZE_1024,
- "%s %s %s %d.%ld %d %s",
- ar->name,
- user,
- ip,
+
+ snprintf(exec_msg, OS_SIZE_2048,
+ "%s%s%s%s%s%s%d.%ld%s%d%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
+ ar->name, AR_CMD_LINE_ARG_SEP,
+ dstuser, AR_CMD_LINE_ARG_SEP,
+ srcip, AR_CMD_LINE_ARG_SEP,
lf->time,
- __crt_ftell,
- lf->generated_rule->sigid,
- lf->location);
+ __crt_ftell, AR_CMD_LINE_ARG_SEP,
+ lf->generated_rule->sigid, AR_CMD_LINE_ARG_SEP,
+ lf->location, AR_CMD_LINE_ARG_SEP,
+ srcuser, AR_CMD_LINE_ARG_SEP,
+ dstip, AR_CMD_LINE_ARG_SEP,
+ srcport, AR_CMD_LINE_ARG_SEP,
+ dstport, AR_CMD_LINE_ARG_SEP,
+ protocol, AR_CMD_LINE_ARG_SEP,
+ action, AR_CMD_LINE_ARG_SEP,
+ id, AR_CMD_LINE_ARG_SEP,
+ url, AR_CMD_LINE_ARG_SEP,
+ data, AR_CMD_LINE_ARG_SEP,
+ status, AR_CMD_LINE_ARG_SEP,
+ systemname);
if(OS_SendUnix(*execq, exec_msg, 0) < 0)
{
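Review bot: the local-queue message now joins fields with AR_CMD_LINE_ARG_SEP ("|"), but nothing escapes or rejects that character inside a field, and url, data, status, systemname, action and id are free-form decoder output; a log line whose decoded value contains '|' shifts every later argument that execd hands to the script, whereas the old space separator was at least bounded by the regex checks on dstuser and srcip. Either reject the separator in every expected field before calling snprintf (the per-field checks in analysisd.c are the natural place) or use an encoding that can carry the character. Separately, a format string of over thirty conversions on one line cannot be audited against its argument list by eye; split it so each `%s` sits beside the argument it consumes, so that a mismatch stays a compile-time warning under -Wformat rather than a runtime surprise.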
@@ -123,20 +272,22 @@ void OS_Exec(int *execq, int *arq, Event
else if((Config.ar & REMOTE_AR) && (lf->location[0] == '('))
{
int rc;
- snprintf(exec_msg, OS_SIZE_1024,
- "%s %c%c%c %s %s %s %s %d.%ld %d %s",
+ snprintf(exec_msg, OS_SIZE_2048,
+ "%s %c%c%c %s %s %s %s %d.%ld %d %s %s %s %s %s %s %s %s %s \"%s\" \
%s \"%s\"", lf->location,
(ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
(ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
(ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
ar->agent_id != NULL? ar->agent_id: "(null)",
ar->name,
- user,
- ip,
+ dstuser,
+ srcip,
lf->time,
__crt_ftell,
lf->generated_rule->sigid,
- lf->location);
+ lf->location,
+ srcuser, dstip, srcport, dstport, protocol, action, id, url, data,
+ status, systemname);
if((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0)
{
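Review bot: this remote-queue message still separates fields with spaces and wraps only data and systemname in `\"%s\"`, while execd.c in this same patch now splits solely on AR_CMD_LINE_ARG_SEP; unless remoted rewrites the separators on the way to the agent, an agent-side execd will find no '|' and log EXECD_INV_MSG for every remote response. Building both queue messages from one helper would keep the two formats from drifting apart. The quotes also add nothing for a strchr-based parser, which passes them to the script literally as part of the argument.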
diff -rupN orig/ossec-hids-2.6/src/analysisd/analysisd.c \
new/ossec-hids-2.6/src/analysisd/analysisd.c
--- orig/ossec-hids-2.6/src/analysisd/analysisd.c 2011-07-11 19:36:58.000000000 +0000
+++ new/ossec-hids-2.6/src/analysisd/analysisd.c 2012-09-02 03:20:24.405518554 +0000
@@ -1038,7 +1038,7 @@ void OS_ReadMSG_analysisd(int m_queue)
while(*rule_ar)
{
do_ar = 1;
- if((*rule_ar)->ar_cmd->expect & USERNAME)
+ if((*rule_ar)->ar_cmd->expect & DSTUSER)
{
if(!lf->dstuser ||
!OS_PRegex(lf->dstuser,"^[a-zA-Z._0-9@?-]*$"))
@@ -1059,6 +1059,17 @@ void OS_ReadMSG_analysisd(int m_queue)
}
}
+ if((*rule_ar)->ar_cmd->expect & DSTIP)
+ {
+ if(!lf->dstip || !OS_PRegex(lf->dstip, \
"^[a-zA-Z.:_0-9-]*$")) + {
+ if(lf->dstip)
+ merror(CRAFTED_IP, ARGV0, lf->dstip);
+
+ do_ar = 0;
+ }
+ }
+
if(do_ar)
{
OS_Exec(&execdq, &arq, lf, *rule_ar);
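Review bot: good that dstip gets the same CRAFTED_IP check as srcip, but of the fields this patch exposes to <expect>, only dstuser and dstip are validated before OS_Exec() builds the command line; srcuser, srcport, dstport, protocol, action, id, url, data, status and systemname flow straight from the decoder into script arguments. Add a check per flag in the same style, with a pattern suited to the field (digits only for the ports, the dstuser pattern for srcuser, and at minimum no AR_CMD_LINE_ARG_SEP, newline or shell metacharacters in the free-form ones), setting do_ar = 0 and logging as is done here when a value fails. The dstip statement is also folded mid-expression (`!OS_PRegex(lf->dstip,` / `"^[a-zA-Z.:_0-9-]*$")) + {`), which looks like a mail-client wrap; confirm the attached file applies cleanly.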
diff -rupN orig/ossec-hids-2.6/src/config/active-response.c \
new/ossec-hids-2.6/src/config/active-response.c
--- orig/ossec-hids-2.6/src/config/active-response.c 2011-07-11 19:36:58.000000000 \
+0000
+++ new/ossec-hids-2.6/src/config/active-response.c 2012-09-02 03:20:24.405518554 \
+0000 @@ -410,9 +410,35 @@ int ReadActiveCommands(XML_NODE node, vo
if(strlen(tmp_str) > 4)
{
if(OS_Regex("user", tmp_str))
- tmp_command->expect |= USERNAME;
+ tmp_command->expect |= DSTUSER;
+ if(OS_Regex("dstuser", tmp_str))
+ tmp_command->expect |= DSTUSER;
+ if(OS_Regex("srcuser", tmp_str))
+ tmp_command->expect |= SRCUSER;
if(OS_Regex("srcip", tmp_str))
tmp_command->expect |= SRCIP;
+ if(OS_Regex("dstip", tmp_str))
+ tmp_command->expect |= DSTIP;
+ if(OS_Regex("srcport", tmp_str))
+ tmp_command->expect |= SRCPORT;
+ if(OS_Regex("dstport", tmp_str))
+ tmp_command->expect |= DSTPORT;
+ if(OS_Regex("protocol", tmp_str))
+ tmp_command->expect |= PROTOCOL;
+ if(OS_Regex("action", tmp_str))
+ tmp_command->expect |= ACTION;
+ if(OS_Regex("id", tmp_str))
+ tmp_command->expect |= ID;
+ if(OS_Regex("url", tmp_str))
+ tmp_command->expect |= URL;
+ if(OS_Regex("data", tmp_str))
+ tmp_command->expect |= DATA;
+ if(OS_Regex("extra_data", tmp_str))
+ tmp_command->expect |= DATA;
+ if(OS_Regex("status", tmp_str))
+ tmp_command->expect |= STATUS;
+ if(OS_Regex("system_name", tmp_str))
+ tmp_command->expect |= SYSTEMNAME;
}
free(tmp_str);
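Review bot: these OS_Regex() calls are unanchored substring matches, so `<expect>srcuser</expect>` also sets DSTUSER through the existing "user" match, and "extra_data" is already caught by "data" (that line is redundant); with DSTUSER set, analysisd.c then applies the dstuser check to a rule that never asked for it. Short keys such as "id" will likewise match any future field name containing those letters. Split tmp_str on commas and compare each token with strcmp, or anchor the patterns, so that each flag is set only by its own name.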
diff -rupN orig/ossec-hids-2.6/src/headers/ar.h new/ossec-hids-2.6/src/headers/ar.h
--- orig/ossec-hids-2.6/src/headers/ar.h 2011-07-11 19:36:58.000000000 +0000
+++ new/ossec-hids-2.6/src/headers/ar.h 2012-09-02 03:20:24.405518554 +0000
@@ -1,4 +1,4 @@
-/* @(#) $Id$ */
+ /* @(#) $Id$ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
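Review bot: this hunk only inserts a leading space before the `$Id$` comment; it is whitespace noise on a keyword-expanded line and should be dropped from the patch.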
@@ -38,9 +38,19 @@
/* Expected values */
-#define SRCIP 0000004
-#define DSTIP 0000002
-#define USERNAME 0000001
+#define SYSTEMNAME 0010000
+#define STATUS 0004000
+#define DATA 0002000
+#define URL 0001000
+#define ID 0000400
+#define ACTION 0000200
+#define PROTOCOL 0000100
+#define SRCPORT 0000040
+#define DSTPORT 0000020
+#define SRCIP 0000010
+#define DSTIP 0000004
+#define SRCUSER 0000002
+#define DSTUSER 0000001
#endif
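Review bot: renumbering the existing flags (SRCIP 0000004 to 0000010, DSTIP 0000002 to 0000004) and deleting USERNAME means any other translation unit that tests these bits or names USERNAME either stops building or silently checks a different bit; the diff updates analysisd.c, active-response.c and exec.c, so grep the tree for USERNAME, SRCIP and DSTIP to confirm nothing else is left, and consider keeping `#define USERNAME DSTUSER` for compatibility. The octal literals also hide the bit layout; `(1 << n)` would make each mask obvious.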
diff -rupN orig/ossec-hids-2.6/src/os_execd/execd.c \
new/ossec-hids-2.6/src/os_execd/execd.c
--- orig/ossec-hids-2.6/src/os_execd/execd.c 2011-07-11 19:36:59.000000000 +0000
+++ new/ossec-hids-2.6/src/os_execd/execd.c 2012-09-02 03:20:24.405518554 +0000
@@ -396,7 +396,7 @@ void ExecdStart(int q)
/* Zeroing the name */
- tmp_msg = strchr(buffer, ' ');
+ tmp_msg = strchr(buffer, (int)(*AR_CMD_LINE_ARG_SEP));
if(!tmp_msg)
{
merror(EXECD_INV_MSG, ARGV0, buffer);
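Review bot: switching execd's separator from ' ' to AR_CMD_LINE_ARG_SEP means this execd rejects every message from a manager that has not been patched (and, per the remote hunk in exec.c, the still space-separated remote format), since a message with no '|' fails here with EXECD_INV_MSG. Agents and managers are rarely upgraded in lockstep; either accept both separators during a transition or reject the old format with a message that names the cause.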
@@ -439,6 +439,7 @@ void ExecdStart(int q)
timeout_args[2] = NULL;
+ // Redo command parsing with new field separator
/* Getting the arguments. */
i = 2;
while(i < (MAX_ARGS -1))
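Review bot: the added `// Redo command parsing with new field separator` comment uses C++ comment syntax in a file that otherwise uses `/* */`, and it describes the patch rather than the code (nothing here is redone); replace it with a `/* */` note that arguments are split on AR_CMD_LINE_ARG_SEP, or drop it.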
@@ -446,7 +447,7 @@ void ExecdStart(int q)
cmd_args[i] = tmp_msg;
cmd_args[i+1] = NULL;
- tmp_msg = strchr(tmp_msg, ' ');
+ tmp_msg = strchr(tmp_msg, (int)(*AR_CMD_LINE_ARG_SEP));
if(!tmp_msg)
{
timeout_args[i] = strdup(cmd_args[i]);
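Review bot: the loop bound `while(i < (MAX_ARGS -1))` is unchanged while the message grows from six fields after the command name to sixteen; confirm MAX_ARGS (not shown in the diff) leaves room for all of them plus the trailing NULL, otherwise the trailing fields are not delivered to the script as separate arguments.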
diff -rupN orig/ossec-hids-2.6/src/os_execd/execd.h \
new/ossec-hids-2.6/src/os_execd/execd.h
--- orig/ossec-hids-2.6/src/os_execd/execd.h 2011-07-11 19:36:59.000000000 +0000
+++ new/ossec-hids-2.6/src/os_execd/execd.h 2012-09-02 03:20:24.405518554 +0000
@@ -37,7 +37,8 @@
/* Execd select timeout -- in seconds */
#define EXECD_TIMEOUT 90
-
+/* DEFINE the exec command line arg separator */
+static const char AR_CMD_LINE_ARG_SEP[] = "|";
/** Function prototypes **/
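Review bot: `static const char AR_CMD_LINE_ARG_SEP[] = "|";` in a header gives every translation unit its own copy, and exec.c under analysisd uses the symbol while this diff adds no #include of execd.h there, so confirm it is already visible or the manager build fails. A `#define AR_CMD_LINE_ARG_SEP "|"` with a companion `#define AR_CMD_LINE_ARG_SEP_C '|'` in a header both sides already share (ar.h, also touched by this patch) would also remove the `(int)(*AR_CMD_LINE_ARG_SEP)` dereferences in execd.c. The comment should say why '|' was chosen (decoded fields may contain spaces), and the deleted blank line before it should stay.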