paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-10-23 00:02:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
47e4b66215adf45702ea2c506bd4fab5e4f7fc0c
main/Auditd/decoders/auditd-syscall.xml
taylor_socfortress a4fcfd5822 Create auditd-syscall.xml
2022-12-29 10:44:46 -06:00

44 lines
2.3 KiB
XML
Raw Blame History

<decoder name="auditd-syscall">
<prematch>^type=SYSCALL</prematch>
</decoder>
<!--
type=SYSCALL msg=audit(1479982525.380:50): arch=c000003e syscall=2 success=yes exit=3 a0=7ffedc40d83b a1=941 a2=1b6 a3=7ffedc40cce0 items=2 ppid=432 pid=3333 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="touch" exe="/bin/touch" key="audit-wazuh-w" type=CWD msg=audit(1479982525.380:50): cwd="/var/log/audit" type=PATH msg=audit(1479982525.380:50): item=0 name="/var/log/audit/tmp_directory1/" inode=399849 dev=ca:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT type=PATH msg=audit(1479982525.380:50): item=1 name="/var/log/audit/tmp_directory1/malware.py" inode=399852 dev=ca:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE type=PROCTITLE msg=audit(1479982525.380:50): proctitle=746F756368002F7661722F6C6F672F61756469742F746D705F6469726563746F7279312F6D616C776172652E7079
-->
<!-- ID -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<!--<prematch offset="after_parent">^SYSCALL </prematch>-->
<regex offset="after_parent">msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
<order>audit.id</order>
</decoder>
<!-- SYSCALL -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<regex offset="after_regex">^arch=(\S+) syscall=(\d+) success=(\S+) exit=(\S+) a0=\S+ a1=\S+ a2=\S+ a3=\S+ items=\S+ ppid=(\S+) pid=(\S+) auid=(\S+) uid=(\S+) gid=(\S+) euid=(\S+) suid=(\S+) fsuid=(\S+) egid=(\S+) sgid=(\S+) fsgid=(\S+) tty=(\S+) ses=(\S+) comm=\p(\S+)\p exe=\p(\S+)\p</regex>
<order>audit.arch,audit.syscall,audit.success,audit.exit,audit.ppid,audit.pid,audit.auid,audit.uid,audit.gid,audit.euid,audit.suid,audit.fsuid,audit.egid,audit.sgid,audit.fsgid,audit.tty,audit.session,audit.command,audit.exe</order>
</decoder>
<!-- SYSCALL - command -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<regex offset="after_regex">comm=\p*(\w+)\p*</regex>
<order>audit.command</order>
</decoder>
<!-- SYSCALL - exe -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<regex offset="after_regex">exe=\p(\S+)\p</regex>
<order>audit.exe</order>
</decoder>
<!-- SYSCALL - key -->
<decoder name="auditd-syscall">
<parent>auditd-syscall</parent>
<regex offset="after_regex">key=\((\S+)\)|key="(\S+)"|key=(\S+)</regex>
<order>audit.key</order>
</decoder>
Reference in New Issue View Git Blame Copy Permalink