List: ossec-dev
Subject: Re: [ossec-dev] Some patches we would like to add for the next releases
From: Cristobal Rosa <crosa () alienvault ! com>
Date: 2013-02-14 16:12:28
Message-ID: CANhfVJ2x3T8Q6WyXo8ko-wenAfOf6NwthKQZJnV0_T2w+R2wCA () mail ! gmail ! com
Hi guys!
I forgot one of the patches related to patch 01 (the one that calls the
custom log function).
I'm sorry for my absent-mindedness.
BR,
Cristobal Rosa
R&D Engineer
crosa@alienvault.com
www.AlienVault.com
We come in peace and security.
2013/2/14 dan (ddp) <ddpbsd@gmail.com>
> On Wed, Feb 13, 2013 at 10:32 PM, Daniel Cid <daniel.cid@gmail.com> wrote:
> > Hi Cristobal,
> >
> > Those patches are good! However, on patch #1 I am a bit scared of the
> > sprintf usage, since they look to be exploitable (bo). We should
> > probably change it to snprintf to verify the bounds.
> >
> > thanks,
> >
> > --
> > Daniel B. Cid
> > http://dcid.me
> >
>
> Made these changes as well to my repo. With the great alternatives,
> I'm generally surprised when I see sprintf in use.
>
> > On Tue, Jan 29, 2013 at 3:38 AM, Cristobal Rosa <crosa@alienvault.com>
> wrote:
> > > Hi guys,
> > >
> > > We've been working on some patches that we would like to add to your
> > > next releases, if you consider it's a good option.
> > >
> > > patch 01: Alert logs customization. We've added a new global
> > > configuration option that will allow a user to customize the alert
> > > output by using some variables, and it uses a single line to write
> > > the log.
> > >
> > > In order to use this functionality you should modify your ossec
> > > configuration and add the new entry to it. This new section is called
> > > "custom_alert_output" and you could use it to customize the log
> > > entries. To do that we've added several variables that the user could
> > > use.
> > >
> > > <global>
> > > <email_notification>no</email_notification>
> > > <custom_alert_output>AV - $TIMESTAMP --> RID: $RULEID RL: $RULELEVEL RG: $RULEGROUP RC: $RULECOMMENT Event-> [INIT]$FULLLOG[END]
> > > </custom_alert_output>
> > > </global>
> > >
> > >
> > > Variables:
> > > "$TIMESTAMP"
> > > "$FTELL"
> > > "$RULEALERT"
> > > "$HOSTNAME"
> > > "$LOCATION"
> > > "$RULEID"
> > > "$RULELEVEL"
> > > "$RULECOMMENT"
> > > "$SRCIP"
> > > "$DSTUSER"
> > > "$FULLLOG"
> > > "$RULEGROUP"
> > >
> > > Sample logs:
> > > AV - 1320922959 --> RID: 2902 RL: 7 RG: syslog,dpkg,config_changed, RC: New dpkg (Debian Package) installed. Event-> [INIT]2011-11-10 12:02:39 status installed libobject-realize-later-perl 0.18-1[END]
> > > AV - 1320922959 --> RID: 2902 RL: 7 RG: syslog,dpkg,config_changed, RC: New dpkg (Debian Package) installed. Event-> [INIT]2011-11-10 12:02:39 status installed libuser-identity-perl 0.92-2[END]
> > > AV - 1320922959 --> RID: 2902 RL: 7 RG: syslog,dpkg,config_changed, RC: New dpkg (Debian Package) installed. Event-> [INIT]2011-11-10 12:02:39 status installed libmail-box-perl 2.082-2[END]
> > > AV - 1320922959 --> RID: 2902 RL: 7 RG: syslog,dpkg,config_changed, RC: New dpkg (Debian Package) installed. Event-> [INIT]2011-11-10 12:02:39 status installed libsys-hostname-long-perl 1.4-2[END]
> > > AV - 1320922959 --> RID: 2902 RL: 7 RG: syslog,dpkg,config_changed, RC: New dpkg (Debian Package) installed. Event-> [INIT]2011-11-10 12:02:39 status installed libmail-sendmail-perl 0.79-5[END]
> > > AV - 1320923104 --> RID: 1002 RL: 2 RG: syslog,errors, RC: Unknown problem somewhere in the system. Event-> [INIT]Nov 10 12:05:04 mmmm nfcapd[3175]: Ident: 'mmmm' Flows: 172, Packets: 7305, Bytes: 6246716, Sequence Errors: 0, Bad Packets: 0[END]
> > > AV - 1320923118 --> RID: 5715 RL: 3 RG: syslog,sshd,authentication_success, RC: SSHD authentication success. Event-> [INIT]Nov 10 12:05:16 mmmm sshd[13269]: Accepted publickey for root from 192.168.2.111 port 50874 ssh2[END]
> > >
> > >
> > > patch 02: Configurable reconnection time on the ossec-agents.
> > > We've added two new options to the ossec agent configuration in order to
> > > allow the user to configure the reconnection time and the time between
> > > keep alive messages.
> > >
> > > <ossec_config>
> > > <client>
> > > <server-ip>192.168.2.18</server-ip>
> > > <notify_time>120</notify_time>
> > > <time-reconnect>240</time-reconnect>
> > > </client>
> > > </ossec_config>
> > >
> > > notify_time: time in seconds between information messages sent by the
> > > agents to the server
> > > time-reconnect: time in seconds until a reconnection attempt. This time
> > > has to be greater than the notify_time.
> > >
> > > We've added some log traces to check that it is working properly
> > >
> > > 2012/12/21 17:18:24 ossec-agent Using notify time: 120 and max time to
> > > reconnect: 240
> > > ...
> > > 2012/12/21 17:23:56 ossec-agent More than 120 seconds without server
> > > response...sending win32info
> > > 2012/12/21 17:23:56 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:23:57 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:23:57 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:23:57 ossec-agent More than 240 seconds without server
> > > response...is server alive? and Is there connection?
> > > 2012/12/21 17:23:58 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:23:58 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:23:59 ossec-agent: WARN: Server unavailable. Setting lock.
> > > 2012/12/21 17:23:59 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:23:59 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:00 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:02 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:04 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:06 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:09 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:13 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:17 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:21 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:26 ossec-agent Sending keep alive message....
> > > 2012/12/21 17:24:32 ossec-agent(4102): INFO: Connected to the server
> > > (192.168.2.111:1514).
> > > 2012/12/21 17:24:32 ossec-agent: INFO: Server responded. Releasing lock.
> > >
> > > patch 03: This is a patch that a client sent to us. OSSEC FIM bug in
> > > handling large files.
> > > OSSEC uses an integer to store file sizes in the syscheck DB. When a
> > > file is larger than 2 GB, the integer overflows. If the overflow results
> > > in a negative number, OSSEC assumes that the file has been deleted and
> > > generates an incorrect alert saying the file has been deleted.
> > >
> > > These patches have been checked for the ossec-2.6 version but they could
> > > be used for ossec 2.7.
> > >
> > > Hope this helps.
> > >
> > > Thank you so much!
> > >
> > > BR,
> > >
> > > Cristobal Rosa
> > > R&D Engineer
> > > crosa@alienvault.com
> > > www.AlienVault.com
> > >
> > >
> > > We come in peace and security.
> > >
> > >
> > >
--
---
You received this message because you are subscribed to the Google Groups "ossec-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-dev+unsubscribe@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
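The large-file bug from patch 03 above, modelled as an added example (this is not OSSEC's syscheck code; the record layout, the absent flag and the function names are assumptions). It shows why narrowing a 64-bit st_size to int makes an unchanged 2 GB+ file look deleted, and the width-preserving comparison that avoids it:

```c
#include <stdio.h>

/* Verdicts a FIM comparison can reach for one path. */
enum verdict { UNCHANGED = 0, MODIFIED = 1, DELETED = 2 };

/* Hypothetical DB record modelling only the size field the thread discusses;
 * absent stands in for "no such file on this scan". Not OSSEC's real layout. */
struct entry { long long size; int absent; };

/* The defect as described: st_size (64-bit with large-file support) is narrowed
 * to int before being stored. Above 2 GB it cannot fit; on the usual two's
 * complement compilers the conversion wraps, so the stored value goes negative. */
int narrow_to_int(long long st_size) { return (int)st_size; }

/* Buggy rule from the thread: a negative stored size is read as "file deleted". */
enum verdict classify_int(int old_size, int new_size)
{
    if (new_size < 0) return DELETED;
    return old_size == new_size ? UNCHANGED : MODIFIED;
}

/* Fixed rule: keep the full width and carry absence as an explicit flag, so no
 * legitimate size can ever be mistaken for a deletion. */
enum verdict classify_wide(const struct entry *old, const struct entry *cur)
{
    if (cur->absent) return DELETED;
    return old->size == cur->size ? UNCHANGED : MODIFIED;
}

/* Verdict each rule gives for a file of st_size bytes that did NOT change. */
enum verdict buggy_verdict(long long st_size)
{
    return classify_int(narrow_to_int(st_size), narrow_to_int(st_size));
}
enum verdict fixed_verdict(long long st_size)
{
    struct entry old = { st_size, 0 }, cur = { st_size, 0 };
    return classify_wide(&old, &cur);
}

int main(void)
{
    /* Constructed sizes: just under and just over the 2 GB boundary, then 3 GiB. */
    long long sizes[] = { 2147483647LL, 2147483648LL, 3LL * 1024 * 1024 * 1024 };
    for (int i = 0; i < 3; i++)
        printf("%lld bytes: int-size verdict=%d  wide verdict=%d\n",
               sizes[i], buggy_verdict(sizes[i]), fixed_verdict(sizes[i]));
    return 0;
}
```

Build with 64-bit off_t (e.g. -D_FILE_OFFSET_BITS=64 on 32-bit hosts) when feeding real struct stat values into the wide variant, or stat() itself will truncate before the comparison ever runs.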
["01-custom-alert-ossec-2.6v2.patch" (application/octet-stream)]
--- a/src/analysisd/analysisd.c
+++ b/src/analysisd/analysisd.c
@@ -707,6 +707,8 @@
debug1("%s: DEBUG: Startup completed. Waiting for new messages..",ARGV0);
+ if(Config.custom_alert_output)
+ debug1("%s: INFO: Custom output found.!",ARGV0);
/* Daemon loop */
while(1)
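Review bot: the new startup line `+ debug1("%s: INFO: Custom output found.!",ARGV0);` is labelled INFO but goes through debug1(), so operators only see that custom output is active when analysisd runs in debug mode; if it is meant as an informational message, use one of OSSEC's non-debug logging helpers (verbose(), for instance) and drop the stray ".!" punctuation. The unbraced one-line if body also differs from the braced style used in the other two hunks.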
@@ -899,9 +901,16 @@
if(stats_rule->alert_opts & DO_LOGALERT)
{
__crt_ftell = ftell(_aflog);
- OS_Log(lf);
+ if(Config.custom_alert_output)
+ {
+ OS_CustomLog(lf,Config.custom_alert_output_format);
+ }
+ else
+ {
+ OS_Log(lf);
+ }
+
}
-
/* Set lf to the old values */
lf->generated_rule = saved_rule;
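Review bot: the branch tests `Config.custom_alert_output` but hands `Config.custom_alert_output_format` to OS_CustomLog(), and nothing in this hunk shows the format pointer is guaranteed non-NULL when the flag is set; either check the pointer here or have the config loader refuse an empty <custom_alert_output>. The added `+` blank line after the else block and the removed `-` blank line are whitespace-only churn and can be dropped. The same if/else is repeated in the next hunk, so a small wrapper (say OS_WriteAlert(lf), a hypothetical name) that picks OS_Log() or OS_CustomLog() would keep the two call sites from drifting apart; note that the sprintf issue raised in the thread lives inside OS_CustomLog(), which is not part of this attachment and needs the snprintf review separately.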
@@ -1006,7 +1015,14 @@
if(currently_rule->alert_opts & DO_LOGALERT)
{
__crt_ftell = ftell(_aflog);
- OS_Log(lf);
+ if(Config.custom_alert_output)
+ {
+ OS_CustomLog(lf,Config.custom_alert_output_format);
+ }
+ else
+ {
+ OS_Log(lf);
+ }
}
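Review bot: this is a verbatim copy of the if/else from the previous hunk, now covering the normal rule alert path as the earlier one covers the stats-rule path; factor both into one helper so a later fix (the snprintf change, or a NULL check on custom_alert_output_format) lands in both paths at once, and test both paths with custom_alert_output set and unset.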
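The OS_CustomLog() body that these hunks call is not in this attachment. As an added example (not the patch's or OSSEC's code), here is how the custom_alert_output variables can be expanded using only snprintf's size limit, which is the change asked for earlier in the thread; the alert struct, the function names and the fixed 1024-byte line buffer are assumptions:

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical minimal alert record; fields mirror the thread's $VARIABLES. */
struct alert { long timestamp; int rule_level;
               const char *rule_id, *rule_group, *rule_comment, *full_log; };

/* Bounded append: snprintf's size argument is the hard limit, so out can never be
 * overrun. Returns 0 if the output had to be truncated (out stays NUL-terminated). */
static int append_bounded(char *out, size_t outsz, size_t *pos, const char *src)
{
    int n = snprintf(out + *pos, outsz - *pos, "%s", src);
    if (n < 0 || (size_t)n >= outsz - *pos) { *pos = outsz - 1; return 0; }
    *pos += (size_t)n;
    return 1;
}
static int take(const char **fmt, const char *name)   /* consume name if *fmt starts with it */
{
    size_t n = strlen(name);
    if (strncmp(*fmt, name, n) != 0) return 0;
    *fmt += n;
    return 1;
}

/* Expand fmt into out (outsz bytes). Returns 1 if all fit, 0 if truncated; unknown $names stay literal. */
int expand_alert_format(const char *fmt, const struct alert *a, char *out, size_t outsz)
{
    size_t pos = 0;
    char num[32], lit[2] = { 0, 0 };
    out[0] = '\0';
    while (*fmt) {
        const char *val = NULL;
        if (*fmt == '$') {
            if (take(&fmt, "$TIMESTAMP"))        { snprintf(num, sizeof num, "%ld", a->timestamp); val = num; }
            else if (take(&fmt, "$RULEID"))      val = a->rule_id;
            else if (take(&fmt, "$RULELEVEL"))   { snprintf(num, sizeof num, "%d", a->rule_level); val = num; }
            else if (take(&fmt, "$RULEGROUP"))   val = a->rule_group;
            else if (take(&fmt, "$RULECOMMENT")) val = a->rule_comment;
            else if (take(&fmt, "$FULLLOG"))     val = a->full_log;
        }
        if (!val) { lit[0] = *fmt++; val = lit; }   /* plain character or unknown $name */
        if (!append_bounded(out, outsz, &pos, val)) return 0;
    }
    return 1;
}

/* Constructed sample: the thread's SSHD alert and its custom_alert_output template. */
static const struct alert SAMPLE = {
    1320923118L, 3, "5715", "syslog,sshd,authentication_success,", "SSHD authentication success.",
    "Nov 10 12:05:16 mmmm sshd[13269]: Accepted publickey for root from 192.168.2.111 port 50874 ssh2"
};
static const char *FMT = "AV - $TIMESTAMP --> RID: $RULEID RL: $RULELEVEL RG: $RULEGROUP "
                         "RC: $RULECOMMENT Event-> [INIT]$FULLLOG[END]";
static char g_out[1024];
int render_sample(size_t cap)   /* render SAMPLE into g_out using at most cap bytes; returns the fit flag */
{
    if (cap > sizeof g_out) cap = sizeof g_out;
    return expand_alert_format(FMT, &SAMPLE, g_out, cap);
}
const char *rendered(void) { return g_out; }

int main(void)
{
    printf("fit=%d: %s\n", render_sample(sizeof g_out), rendered());
    printf("fit=%d: %s\n", render_sample(64), rendered());   /* truncated, never overflowed */
    return 0;
}
```

A caller that cares can treat the 0 return as a signal to log a truncation warning rather than silently shipping a cut alert line.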