List: ossec-list
Subject: Re: [ossec-list] Modify csyslogd
From: Martin_Dulovič <martin.dulovic () gmail ! com>
Date: 2016-08-15 15:39:40
Message-ID: 387bc069-991f-4ebf-bd1a-eeafbb378e6f () googlegroups ! com
Never mind, I see I need to run version *v2.9.0beta05*.
Thanks!
On Monday, August 15, 2016 at 5:35:20 PM UTC+2, Martin Dulovič wrote:
>
> Thanks for a quick response!
>
> Today I installed the latest version (2.8.3) and the alert still looks like
> this:
>
>
> <132>Aug 15 17:28:18 server ossec: Alert Level: 3; Rule: 5303 - User
> successfully changed UID to root.; Location: server->/var/log/auth.log;
> user: root; Aug 15 17:28:16 server su[12372]: + /dev/pts/3 root:root
>
>
>
> On Monday, August 15, 2016 at 4:30:45 PM UTC+2, dan (ddpbsd) wrote:
> >
> > On Mon, Aug 15, 2016 at 8:34 AM, Martin Dulovič
> > <martin....@gmail.com> wrote:
> > > Hi,
> > >
> > > I need to modify csyslogd in a way that it will send alerts with the
> > > "decoder name" or the group "rule group name".
> > >
> > > Original alert:
> > >
> > > Alert Level: 3; Rule: 5715 - SSHD authentication success.; Location: (jul)
> > > 192.168.2.0->/var/log/messages; srcip: 192.168.2.190; user: root; Jul 25
> > > 13:26:24 slacker sshd[20440]: Accepted password for root from 192.168.2.190
> > > port 49737 ssh2
> > >
> > >
> > > Modified alert:
> > >
> > > Alert Level: 3; Rule: 5715 - SSHD authentication success.; Group: sshd;
> > > Location: (jul) 192.168.2.0->/var/log/messages; srcip: 192.168.2.190; user:
> > > root; Jul 25 13:26:24 slacker sshd[20440]: Accepted password for root from
> > > 192.168.2.190 port 49737 ssh2
> > >
> > >
> > > Is there any easy way to do something like that? Can I modify ossec to do
> > > that without changing the source code and reinstalling? Or if I have to
> > > change the source code, can you please tell me what to change?
> > >
> >
> >
> > I haven't tried it to look, but I think this commit added the group:
> >
> > https://github.com/ossec/ossec-hids/commit/5126aec4069a68eb86e0d3e46f2a49da7526c7b3
> >
> > > Thank you in advance.
> > > M. Dulovic
> > >
> > > --
> > >
> > > ---
> > > You received this message because you are subscribed to the Google Groups
> > > "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> > > email to ossec-list+...@googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.
> >
>
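The two alert shapes quoted in this thread, parsed by an added example (not OSSEC's own code): it extracts the fields csyslogd's default format carries, including the Group field the original poster wants, and also strips the syslog PRI/header that the 2.8.3 line arrives with. Only the keys visible in the thread are assumed.

```python
"""Parser for the csyslogd 'default' alert format quoted in this thread.
Added example, not OSSEC's own code; it knows only the keys visible above."""
import re

# Optional syslog transport prefix, e.g. "<132>Aug 15 17:28:18 server ossec: "
_PREFIX = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?"
                     r"(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) ossec: )?")
_RULE = re.compile(r"^(?P<id>\d+) - (?P<desc>.*)$")
# Keys csyslogd writes before the raw event; the first unknown "key" starts the log.
KNOWN_KEYS = {"Alert Level", "Rule", "Group", "Location", "srcip", "user"}

# The two alert shapes quoted in the thread: 2.8.3 output (syslog header, no Group
# field) and the wanted output with "Group: sshd;" after the Rule field.
SAMPLE_283 = ("<132>Aug 15 17:28:18 server ossec: Alert Level: 3; Rule: 5303 - User "
              "successfully changed UID to root.; Location: server->/var/log/auth.log; "
              "user: root; Aug 15 17:28:16 server su[12372]: + /dev/pts/3 root:root")
SAMPLE_GROUP = ("Alert Level: 3; Rule: 5715 - SSHD authentication success.; Group: sshd; "
                "Location: (jul) 192.168.2.0->/var/log/messages; srcip: 192.168.2.190; "
                "user: root; Jul 25 13:26:24 slacker sshd[20440]: Accepted password for "
                "root from 192.168.2.190 port 49737 ssh2")

def parse_alert(line: str) -> dict:
    """Return the alert's fields; the trailing raw event is stored under 'log'."""
    line = line.strip()
    m = _PREFIX.match(line)
    out = {}
    if m.group("pri") is not None:  # RFC 3164 PRI = facility * 8 + severity
        out["facility"], out["severity"] = divmod(int(m.group("pri")), 8)
    if m.group("host"):
        out["syslog_host"] = m.group("host")
    body = line[m.end():]
    if not body.startswith("Alert Level: "):
        raise ValueError("not a csyslogd default-format alert: %r" % line)
    parts = body.split("; ")
    for i, part in enumerate(parts):
        key, sep, value = part.partition(": ")
        if not sep or key not in KNOWN_KEYS:  # raw log may itself contain "; "
            out["log"] = "; ".join(parts[i:])
            break
        if key == "Alert Level":
            out["level"] = int(value)
        elif key == "Rule":
            r = _RULE.match(value)
            out["rule_id"], out["rule_desc"] = int(r.group("id")), r.group("desc").rstrip(".")
        elif key == "Group":
            out["groups"] = value.split(",")  # OSSEC rule groups are comma-separated
        else:
            out[key.lower()] = value
    return out
```

Without the Group field (the 2.8.3 line) `groups` is simply absent, which is the gap the poster hit; with it, a receiving SIEM can route on `groups` instead of on rule IDs.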