ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

sudo decoder won't extract username if there is a single space #1147

Closed wiredaem0n closed 7 years ago

wiredaem0n commented 7 years ago

The sudo user extractor decoder only works if there are 2 or more spaces after sudo. In fact, running the example on the sudo decoder file:

Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash

Will in fact not work. Please see the file with the test for further information. I can easily fix it by doing \s* instead of \s+, but I'm assuming there is indeed an oversight here.

Sudo User extract failures.txt

Thanks,

ddpbsd commented 7 years ago

That example works for me:

2017/06/22 19:31:58 ossec-testrule: INFO: Reading the lists file: 'rules/lists/ossec.block'
2017/06/22 19:31:58 ossec-testrule: INFO: Started (pid: 47114).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: 'Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash'
       hostname: 'rheltest'
       program_name: 'sudo'
       log: 'cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash'

**Phase 2: Completed decoding.
       decoder: 'sudo'
       dstuser: 'cplummer'
       url: '/home/cplummer1'
       srcuser: 'root'
       status: '/bin/bash'

**Phase 3: Completed filtering (rules).
       Rule id: '5403'
       Level: '4'
       Description: 'First time user executed sudo.'
**Alert to be generated.

wiredaem0n commented 7 years ago

My bad, closing, master branch seems OK.
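As an added illustration (not code from this issue or from OSSEC's own decoder XML), a small Python stand-in for the sudo decoder that shows the whitespace difference the reporter described: the pre-decoder and both regex bodies are my approximations, the field names are the ones ossec-testrule prints above, and the sample lines are constructed from the one quoted in the issue.

```python
import re
from typing import Optional

# Constructed sample lines: the one quoted in the issue (one space after "sudo:")
# and a variant with two spaces, so both whitespace forms are exercised.
SAMPLE_LOGS = [
    "Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash",
    "Dec 30 19:36:11 rheltest sudo:  cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash",
]

# Hypothetical pre-decoder (approximating ossec-testrule Phase 1): syslog header
# -> hostname, program_name, log. Exactly one space after "program:" is consumed,
# so any second space survives at the front of the log field.
PREDECODE = re.compile(
    r"^\w{3}\s+\d+\s\d\d:\d\d:\d\d\s(?P<hostname>\S+)\s(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: ?(?P<log>.*)$"
)

# Two decoder bodies for the sudo log (assumed approximations, not OSSEC's XML):
# STRICT requires at least one leading blank (\s+), which reproduces the behaviour
# the reporter described; TOLERANT uses \s* and accepts zero or more.
FIELDS = (
    r"(?P<dstuser>\S+) : TTY=\S+ ; PWD=(?P<url>\S+) ; USER=(?P<srcuser>\S+) ;"
    r"(?: TSID=\S+ ;)? COMMAND=(?P<status>.*)$"
)
SUDO_STRICT = re.compile(r"^\s+" + FIELDS)
SUDO_TOLERANT = re.compile(r"^\s*" + FIELDS)


def decode_sudo(line: str, body: re.Pattern = SUDO_TOLERANT) -> Optional[dict]:
    """Return the fields ossec-testrule prints in Phase 2, or None if not a sudo line."""
    pre = PREDECODE.match(line)
    if not pre or pre.group("program_name") != "sudo":
        return None
    m = body.match(pre.group("log"))
    if not m:
        return None
    return {"hostname": pre.group("hostname"), "decoder": "sudo", **m.groupdict()}


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print("strict  :", decode_sudo(log, SUDO_STRICT))
        print("tolerant:", decode_sudo(log))
```

With the strict body the single-space line decodes to None while the two-space line succeeds; the tolerant body extracts dstuser, url, srcuser and status from both.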