paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-10-23 00:02:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Delete Auditd/decoders directory

Browse Source
This commit is contained in:
taylor_socfortress
2023-01-03 06:54:01 -06:00
committed by GitHub
parent 47e4b66215
commit 722b0ca144
6 changed files with 0 additions and 241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
Auditd/decoders/README.md
View File

@@ -1,26 +0,0 @@
Use custom decoders rather than the ones provided by Wazuh. I was seeing issues during testing with their provided decoders.
Remember to exclude Wazuh's default auditd decoder and rules within the `ossec.conf` of the manager:
```
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<decoder_exclude>ruleset/decoders/0040-auditd_decoders.xml</decoder_exclude>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<rule_exclude>0365-auditd_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<list>etc/lists/software-vendors</list>
<list>etc/lists/common-ports</list>
<list>etc/lists/rfc-1918</list>
<list>etc/lists/cve</list>
<list>etc/lists/malicious-powershell</list>
<list>etc/lists/bash_profile</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
```

38
Auditd/decoders/auditd-config_change.xml
View File

@@ -1,38 +0,0 @@
<decoder name="auditd-config_change">
<prematch>^type=CONFIG_CHANGE</prematch>
</decoder>
<!--
type=CONFIG_CHANGE msg=audit(1672265894.539:138315): auid=4294967295 ses=4294967295 subj=unconfined op=add_rule key="T1497_Virtualization_Sandbox_Evasion_System_Checks" list=4 res=1AUID="unset"
-->
<decoder name="auditd-config_change">
<parent>auditd-config_change</parent>
<!--<prematch offset="after_parent">^SYSCALL </prematch>-->
<regex offset="after_parent">msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
<order>audit.id</order>
</decoder>
<decoder name="auditd-config_change">
<parent>auditd-config_change</parent>
<regex>auid=(\S+) ses=(\S+) subj=(\S+) op=(\S+) </regex>
<order>audit.auid,audit.session,audit.subj,audit.op</order>
</decoder>
<decoder name="auditd-config_change">
<parent>auditd-config_change</parent>
<regex>key=\((\S+)\)|key="(\S+)"|key=(\S+) </regex>
<order>audit.key</order>
</decoder>
<decoder name="auditd-config_change">
<parent>auditd-config_change</parent>
<regex>list=(\S+)</regex>
<order>audit.list</order>
</decoder>
<decoder name="auditd-config_change">
<parent>auditd-config_change</parent>
<regex>res=(\S+)</regex>
<order>audit.res</order>
</decoder>

62
Auditd/decoders/auditd-execve.xml
View File

@@ -1,62 +0,0 @@
<decoder name="auditd-execve">
<prematch>^type=EXECVE</prematch>
</decoder>
<!--
type=EXECVE msg=audit(1672268062.108:138472): argc=2 a0="base64" a1="-d" a2="t" a3="chmod"
-->
<decoder name="auditd-execve">
<parent>auditd-execve</parent>
<!--<prematch offset="after_parent">^SYSCALL </prematch>-->
<regex offset="after_parent">msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
<order>audit.id</order>
</decoder>
<decoder name="auditd-execve">
<parent>auditd-execve</parent>
<regex>argc=\d+ a0="(\.*)"</regex>
<order>audit.execve.a0</order>
</decoder>
<decoder name="auditd-execve">
<parent>auditd-execve</parent>
<regex>a1="(\.*)"</regex>
<order>audit.execve.a1</order>
</decoder>
<decoder name="auditd-execve">
<parent>auditd-execve</parent>
<regex>a2="(\.*)"</regex>
<order>audit.execve.a2</order>
</decoder>
<decoder name="auditd-execve">
<parent>auditd-execve</parent>
<regex>a3="(\.*)"</regex>
<order>audit.execve.a3</order>
</decoder>
<decoder name="auditd-execve">
<parent>auditd-execve</parent>
<regex>a4="(\.*)"</regex>
<order>audit.execve.a4</order>
</decoder>
<decoder name="auditd-execve">
<parent>auditd-execve</parent>
<regex>a5="(\.*)"</regex>
<order>audit.execve.a5</order>
</decoder>
<decoder name="auditd-execve">
<parent>auditd-execve</parent>
<regex>a6="(\.*)"</regex>
<order>audit.execve.a6</order>
</decoder>
<decoder name="auditd-execve">
<parent>auditd-execve</parent>
<regex>a7="(\.*)"</regex>
<order>audit.execve.a7</order>
</decoder>

20
Auditd/decoders/auditd-path.xml
View File

@@ -1,20 +0,0 @@
<decoder name="auditd-path">
<prematch>^type=PATH</prematch>
</decoder>
<!--
type=PATH msg=audit(1672316980.514:138523): item=0 name="/usr/bin/grep" inode=2398 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
-->
<decoder name="auditd-path">
<parent>auditd-path</parent>
<!--<prematch offset="after_parent">^SYSCALL </prematch>-->
<regex offset="after_parent">msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\S+ name="(\.*)" inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ rdev=\S+ nametype=(\S+) </regex>
<order>audit.id,audit.directory.name, audit.directory.inode, audit.directory.mode,audit.directory.nametype</order>
</decoder>
<decoder name="auditd-path">
<parent>auditd-path</parent>
<regex offset="after_regex">type=PATH msg=audit\(\S+\): item=\S+ name="(\.*)" inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ |type=PATH msg=audit\(\S+\): item=\S+ name=\((null)\) inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ </regex>
<order>audit.file.name, audit.file.inode, audit.file.mode</order>
</decoder>

43
Auditd/decoders/auditd-syscall.xml
View File

@@ -1,43 +0,0 @@
<decoder name="auditd-syscall">
<prematch>^type=SYSCALL</prematch>
</decoder>
<!--
type=SYSCALL msg=audit(1479982525.380:50): arch=c000003e syscall=2 success=yes exit=3 a0=7ffedc40d83b a1=941 a2=1b6 a3=7ffedc40cce0 items=2 ppid=432 pid=3333 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="touch" exe="/bin/touch" key="audit-wazuh-w" type=CWD msg=audit(1479982525.380:50): cwd="/var/log/audit" type=PATH msg=audit(1479982525.380:50): item=0 name="/var/log/audit/tmp_directory1/" inode=399849 dev=ca:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT type=PATH msg=audit(1479982525.380:50): item=1 name="/var/log/audit/tmp_directory1/malware.py" inode=399852 dev=ca:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE type=PROCTITLE msg=audit(1479982525.380:50): proctitle=746F756368002F7661722F6C6F672F61756469742F746D705F6469726563746F7279312F6D616C776172652E7079
-->
<!-- ID -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<!--<prematch offset="after_parent">^SYSCALL </prematch>-->
<regex offset="after_parent">msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
<order>audit.id</order>
</decoder>
<!-- SYSCALL -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<regex offset="after_regex">^arch=(\S+) syscall=(\d+) success=(\S+) exit=(\S+) a0=\S+ a1=\S+ a2=\S+ a3=\S+ items=\S+ ppid=(\S+) pid=(\S+) auid=(\S+) uid=(\S+) gid=(\S+) euid=(\S+) suid=(\S+) fsuid=(\S+) egid=(\S+) sgid=(\S+) fsgid=(\S+) tty=(\S+) ses=(\S+) comm=\p(\S+)\p exe=\p(\S+)\p</regex>
<order>audit.arch,audit.syscall,audit.success,audit.exit,audit.ppid,audit.pid,audit.auid,audit.uid,audit.gid,audit.euid,audit.suid,audit.fsuid,audit.egid,audit.sgid,audit.fsgid,audit.tty,audit.session,audit.command,audit.exe</order>
</decoder>
<!-- SYSCALL - command -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<regex offset="after_regex">comm=\p*(\w+)\p*</regex>
<order>audit.command</order>
</decoder>
<!-- SYSCALL - exe -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<regex offset="after_regex">exe=\p(\S+)\p</regex>
<order>audit.exe</order>
</decoder>
<!-- SYSCALL - key -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<regex offset="after_regex">key=\((\S+)\)|key="(\S+)"|key=(\S+)</regex>
<order>audit.key</order>
</decoder>

52
Auditd/decoders/auditd-user_and_cred.xml
View File

@@ -1,52 +0,0 @@
<decoder name="auditd-user_and_cred">
<prematch>^type=</prematch>
</decoder>
<!--
type=USER_ACCT msg=audit(1480087217.108:6042): pid=6013 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.100 addr=10.10.10.100 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1480087217.108:6043): pid=6013 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.100 addr=10.10.10.100 terminal=ssh res=success'
-->
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<prematch offset="after_parent">^USER_ACCT |^CRED_ACQ |^USER_START |^CRED_REFR|^CRYPTO_KEY_USER|^CRYPTO_SESSION |^USER_AUTH |^USER_ROLE_CHANGE|^SERVICE_STOP </prematch>
<regex offset="after_parent">^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
<order>audit.type,audit.id</order>
</decoder>
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">^pid=(\S+) uid=(\S+) auid=(\S+) ses=(\S+)</regex>
<order>audit.pid,audit.uid,audit.auid,audit.session</order>
</decoder>
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">subj=(\S+)</regex>
<order>audit.subj</order>
</decoder>
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">acct="(\S+)"</regex>
<order>audit.acct</order>
</decoder>
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">unit=(\S+)</regex>
<order>audit.unit</order>
</decoder>
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">exe="(\S+)"</regex>
<order>audit.exe</order>
</decoder>
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">addr=(\S+)</regex>
<order>srcip</order>
</decoder>