Knowledge articles of Gottfried Rudorfer about eTrust Audit ™  

    Please note that all documents were submitted with a copyright notice. Please contact me at office@rudorfer.co.at if you need more information or assistance.

    Rule for the correlation of eTrust Antivirus Alert Messages
    Log the message with critical severity when the same virus occurs on more than one computer within a given period of time.

    Message for testing purposes:

    eTSAPISend.exe "AuditRouter" "ATR10412" "Category" "Host Security" "Date" "12/19/2005 16:05:16" "DetectionMethod" "Signature" "Engine" "InoculateIT" "InfectedFile" "C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\W1A70HER\EICAR[1].COM" "InfectedObject" "" "InfectionStatus" "Cure failed, file renamed." "InfectionType" "Virus" "iSponsorName" "eTrustAV" "Location" "\\WORKGROUP\ATVISCVM03" "Log" "eTrust Antivirus" "OS" "MS WinNT5.2 (Server)" "Recorder" "eTrustAV" "RecorderHost" "\\WORKGROUP\ATVISCVM03" "Severity" "2" "Src" "Realtime" "Status" "S" "Taxonomy" "Host Security.AntiVirus.Rename.F.C" "TimeZone" "0" "User" "ATVISCVM03\Administrator" "Version" "8.0.4.040921" "VirusName" "EICAR_test_file"
     
    ;# Copyright (C) 2005 by Gottfried Rudorfer
    ;#
    ;# 3422 Greifenstein, Austria
    ;# office@rudorfer.co.at
    ;# http://rudorfer.homedns.org/eaud/
    ;#
    ;# Permission to use, copy, modify, and distribute this software and its
    ;# documentation for any purpose and without fee is hereby granted, provided
    ;# that the above copyright notice appears in all copies and that both that
    ;# copyright notice and this permission notice appear in all supporting
    ;# documentation. This software is provided "as is" without expressed or
    ;# implied warranty.
    ;#
    ;# Date: Sun, Dec 18 2005
    ;# Author: Gottfried Rudorfer
    ;#

    ;-------------------------------------------------------------------------------------
    ; RuleFirstCount: first sighting of a given VirusName.
    ; Both Exclude clauses drop the event before any action runs: events that
    ; already carry a SummaryInfo (the events this rule set generates itself,
    ; which keeps them from being counted again) and events for a VirusName
    ; whose per-virus internal object already exists (handled by RuleAddCount).
    ; For a genuinely new virus it creates a per-virus+location object and a
    ; per-virus object, both with ExpireIn(9), and starts the
    ; NumberOfInfectedSystems counter at 1.
    ; NOTE(review): the unit of ExpireIn and the exact meaning of Notify(1)
    ; (read here as "emit the object as an event when it expires") are not
    ; shown on this page -- confirm against the eTrust Audit rule reference.
    ; NOTE(review): the Exclude Int / Include Int pairs are read as "drop the
    ; event if the following condition holds" / "process only if it holds".
    Rule RuleFirstCount
    Exclude Int
    SummaryInfo exists
    Exclude Int
    _$MyVirusName_%VirusName% exists

    Do Int Define _$MyVirusName_%VirusName%_%Location% ExpireIn(9)

    Do Int Define _$MyVirusName_%VirusName%
    Do Int Set _$MyVirusName_%VirusName% ExpireIn(9) Notify(1)

    Do Int Set _$MyVirusName_%VirusName% NumberOfInfectedSystems(1)

    ;-------------------------------------------------------------------------------------
    ; RuleAddCount: the same VirusName seen on a Location not yet counted.
    ; Drops self-generated events (SummaryInfo exists) and events for a
    ; Location that already has a per-virus+location object, so repeated
    ; detections on one system are counted once. For a new Location it creates
    ; that object (ExpireIn(9)) and adds 1 to the per-virus
    ; NumberOfInfectedSystems counter created by RuleFirstCount.
    ; NOTE(review): the per-location object gets its own 9-unit lifetime and
    ; the per-virus object's ExpireIn is not refreshed here, so the two can
    ; expire at different times; a location object that outlives the per-virus
    ; object would suppress counting of that system against a freshly created
    ; per-virus object -- confirm that this matches the intended window.
    Rule RuleAddCount
    Exclude Int
    SummaryInfo exists
    Exclude Int
    _$MyVirusName_%VirusName%_%Location% exists

    Do Int Define _$MyVirusName_%VirusName%_%Location%
    Do Int Set _$MyVirusName_%VirusName%_%Location% ExpireIn(9)

    Do Int Add _$MyVirusName_%VirusName%.NumberOfInfectedSystems 1

    ;-------------------------------------------------------------------------------------
    ; RuleVirusAlert: counter below 2, i.e. the virus has so far been seen on a
    ; single system. Tags the per-virus object with SummaryInfo "VirusAlert"
    ; and Severity 3; Rule Display later passes objects with a SummaryInfo on.
    ; NOTE(review): the rules are presumably evaluated in file order for every
    ; incoming antivirus event, so this runs after the counting rules above --
    ; confirm.
    ; NOTE(review): the page summary calls the multi-system case "critical"
    ; and RuleVirusWarning gives it Severity 1, so a lower number is treated as
    ; more severe here; the label "VirusAlert" for the single-system case and
    ; "VirusWarning" for the critical case look inverted relative to that
    ; ordering -- confirm the intended naming.
    Rule RuleVirusAlert
    Exclude Int
    SummaryInfo exists
    Exclude Int
    Integer: _$MyVirusName_%VirusName%.NumberOfInfectedSystems < 2

    Do Int Set _$MyVirusName_%VirusName% SummaryInfo ("VirusAlert")
    Do Int Set _$MyVirusName_%VirusName% Severity (3)


    ;-------------------------------------------------------------------------------------
    ; RuleVirusWarning: counter at 2 or more, i.e. the same VirusName has been
    ; detected on more than one system within the ExpireIn window. This is the
    ; case the page describes as critical: the per-virus object is tagged
    ; SummaryInfo "VirusWarning" and Severity 1.
    ; NOTE(review): Severity 1 is the "critical" level by the page's own
    ; description, whereas the login rule sets on this page use Severity 0 for
    ; "Logon ok" and 2 for a failure; the two sets appear to read the scale in
    ; opposite directions -- confirm the product's severity ordering.
    Rule RuleVirusWarning
    Exclude Int
    SummaryInfo exists
    Exclude Int
    Integer: _$MyVirusName_%VirusName%.NumberOfInfectedSystems >= 2


    Do Int Set _$MyVirusName_%VirusName% SummaryInfo ("VirusWarning")
    Do Int Set _$MyVirusName_%VirusName% Severity (1)


    ;-------------------------------------------------------------------------------------
    ; Display: the only Include rule in this set. Only events that carry a
    ; SummaryInfo -- the ones produced by the rules above, presumably delivered
    ; when the per-virus object expires (Notify(1) in RuleFirstCount) -- reach
    ; the configured action; both internal objects for that VirusName/Location
    ; are deleted so the next detection starts a fresh counting cycle.
    ; NOTE(review): SCRIPT_ACTION is presumably the marker that opens the
    ; action section of the full rule file, which is not shown on this page.
    Rule Display
    Include Int
    SummaryInfo exists

    Do Int Delete _$MyVirusName_%VirusName%
    Do Int Delete _$MyVirusName_%VirusName%_%Location%
    SCRIPT_ACTION
     
    Rule for the correlation of HTTP login attempts recorded by the syslog daemon  
    ;# Copyright (C) 2005 by Gottfried Rudorfer
    ;#
    ;# 3422 Greifenstein, Austria
    ;# office@rudorfer.co.at
    ;# http://rudorfer.homedns.org/eaud/
    ;#
    ;# Permission to use, copy, modify, and distribute this software and its
    ;# documentation for any purpose and without fee is hereby granted, provided
    ;# that the above copyright notice appears in all copies and that both that
    ;# copyright notice and this permission notice appear in all supporting
    ;# documentation. This software is provided "as is" without expressed or
    ;# implied warranty.
    ;#
    ;# Date: Sun, Oct 30 2005
    ;# Author: Gottfried Rudorfer
    ;#

    ;-------------------------------------------------------------------------------------
    ;
    ; For this to work correctly, the following SYSLOG.MP settings must be placed before the definition of GENERAL_NO_SRC:
    ;
    ;; Nov 02 11:33:32 server httpd: PAM_httpd: authentication failure; root(uid=65534) -> admin for httpd service
    ; HTTP_FAILURE_PAM
    ; {
    ; Name = HTTP_FAILURE_PAM
    ; KeyVal = GENERAL%%httpd
    ; Type = RECORD
    ; Regex = PAM_httpd\: authentication failure\; <Process> -> <User> for httpd service
    ; Key = HTTP_FAILURE_PAM
    ; ReplaceSpace = TRUE
    ; Process
    ; {
    ; format = .*
    ; }
    ; AddToken1 = Info:PAM_httpd: authentication failure\; <Process> -> <User> for httpd service
    ; }
    ;
    ;; Nov 02 11:33:32 server httpd: HTTP login from 192.168.0.1 as admin
    ; HTTP_OK_PAM
    ; {
    ; Name = HTTP_OK_PAM
    ; KeyVal = GENERAL%%httpd
    ; Type = RECORD
    ; Regex = HTTP login from <From> as <User>
    ; Key = HTTP_OK_PAM
    ; ReplaceSpace = TRUE
    ; From
    ; {
    ; format = [a-zA-Z0-9_\.\-]*
    ; }
    ; AddToken1 = Info:HTTP login from <From> as <User>
    ; }
    ;


    ; RuleFailed: first PAM "authentication failure" for a (Location, User)
    ; pair. Drops the event if a failed-login object for that pair already
    ; exists or if Info does not match "httpd: authentication failure";
    ; otherwise creates the object with ExpireIn(6) and Notify(1) (unit of
    ; ExpireIn not shown on this page -- confirm) and tags it SummaryInfo
    ; "Failure", RI_Severity 2, Severity 2. SummaryInfo is the field RuleRetry
    ; and RuleLogonOK test later.
    ; NOTE(review): the Info match is unanchored, unlike the "^Failed password"
    ; anchor used by the SSH rule set on this page, so any message that merely
    ; contains that text would also open a failed-login object -- confirm that
    ; is acceptable for the syslog sources feeding this rule.
    ; NOTE(review): the HTTP_FAILURE_PAM regex in the comment block above
    ; captures the target User but no client address, so correlation here is
    ; per user rather than per source; failures against one account from
    ; several clients share a single object.
    Rule RuleFailed

    Exclude Int
    _$PIDHTTPFailedLogin_%Location%_%User% exists
    Exclude Int
    Info Not ~ "httpd: authentication failure"

    Do Int Define _$PIDHTTPFailedLogin_%Location%_%User%
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% ExpireIn(6) Notify(1)
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Failure")
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (2)
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (2)

    ;-------------------------------------------------------------------------------------
    ; RuleRetry: a successful "HTTP login from" for a (Location, User) that
    ; still has an outstanding failed-login object. All three clauses are
    ; exclusions, so the rule runs only when the object exists, SummaryInfo
    ; matches "Failure" and Info matches "HTTP login from". The object is then
    ; re-tagged SummaryInfo "Retry" with RI_Severity 1 / Severity 1 and emitted
    ; as a new event (Do Int NewEvent), which Rule Display passes through.
    ; NOTE(review): whether SummaryInfo in the Exclude clause refers to the
    ; incoming event or to the internal object is not visible on this page;
    ; the rule only makes sense if it is the object's value set by RuleFailed
    ; -- confirm.
    ; NOTE(review): RI_Severity is 1 here but 25 in the otherwise identical
    ; SSH RuleRetry on this page; one of the two is probably a typo -- confirm
    ; which scale RI_Severity uses.
    ; NOTE(review): a success following failures inside the window is the case
    ; most worth reviewing, yet it gets Severity 1 while the bare failure gets
    ; 2 -- confirm the intended ordering.
    ; NOTE(review): the HTTP_OK_PAM From token format in the comment block
    ; above, [a-zA-Z0-9_\.\-]*, does not admit ':' and so would not match an
    ; IPv6 client literal; if the whole Regex must match for the record to be
    ; produced, such successful logins would never reach this rule -- confirm.
    Rule RuleRetry


    Exclude Int
    _$PIDHTTPFailedLogin_%Location%_%User% Not exists
    Exclude Int
    SummaryInfo Not ~ "Failure"
    Exclude Int
    Info Not ~ "HTTP login from"


    Do Int Define _$PIDHTTPFailedLogin_%Location%_%User%
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Retry")
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (1)
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (1)


    Do Int NewEvent _$PIDHTTPFailedLogin_%Location%_%User%

    ;-------------------------------------------------------------------------------------
    ; RuleLogonOK: a successful "HTTP login from" for a (Location, User) whose
    ; object exists but whose SummaryInfo matches neither "Retry" nor
    ; "Failure". Re-tags the object SummaryInfo "Logon ok", RI_Severity 26,
    ; Severity 0 and emits it as a new event for Rule Display.
    ; NOTE(review): RuleFailed always sets "Failure" and RuleRetry sets
    ; "Retry", so the path on which an existing object reaches this rule with
    ; neither value is not visible on this page -- confirm before relying on
    ; "Logon ok" events being produced at all.
    Rule RuleLogonOK

    Exclude Int
    _$PIDHTTPFailedLogin_%Location%_%User% exists
    Exclude Int
    SummaryInfo ~ "Retry"
    Exclude Int
    SummaryInfo ~ "Failure"
    Exclude Int
    Info Not ~ "HTTP login from"

    Do Int Define _$PIDHTTPFailedLogin_%Location%_%User%
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Logon ok")
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (26)
    Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (0)


    Do Int NewEvent _$PIDHTTPFailedLogin_%Location%_%User%

    ;-------------------------------------------------------------------------------------
    ; Display: the only Include rule in this set. Events that carry a
    ; SummaryInfo -- the "Failure" object delivered on expiry (Notify(1) in
    ; RuleFailed) and the "Retry" / "Logon ok" events emitted with
    ; Do Int NewEvent -- reach the configured action, and the failed-login
    ; object for that (Location, User) is deleted so the next failure opens a
    ; fresh window.
    ; NOTE(review): SCRIPT_ACTION is presumably the marker that opens the
    ; action section of the full rule file, which is not shown on this page.
    Rule Display

    Include Int
    SummaryInfo exists
    Do Int Delete _$PIDHTTPFailedLogin_%Location%_%User%
    SCRIPT_ACTION


    Download the rule here.

     
    Rule for the correlation of SSH login attempts recorded by the syslog daemon  
    ;# Copyright (C) 2005 by Gottfried Rudorfer
    ;#
    ;# 3422 Greifenstein, Austria
    ;# office@rudorfer.co.at
    ;# http://rudorfer.homedns.org/eaud/
    ;#
    ;# Permission to use, copy, modify, and distribute this software and its
    ;# documentation for any purpose and without fee is hereby granted, provided
    ;# that the above copyright notice appears in all copies and that both that
    ;# copyright notice and this permission notice appear in all supporting
    ;# documentation. This software is provided "as is" without expressed or
    ;# implied warranty.
    ;#
    ;# Date: Sun, Oct 30 2005
    ;# Author: Gottfried Rudorfer

    ;#
    ;-------------------------------------------------------------------------------------
    ; RuleFailed: first sshd "Failed password" message for a (Location, Src)
    ; pair. Drops the event if a failed-login object for that pair already
    ; exists or if Info does not match "^Failed password"; otherwise creates
    ; the object with ExpireIn(6) and Notify(1) (unit of ExpireIn not shown on
    ; this page -- confirm) and tags it SummaryInfo "Failure", RI_Severity 2,
    ; Severity 2.
    ; NOTE(review): unlike the HTTP rule set on this page, correlation is keyed
    ; on the client address (Src) rather than the target user, so repeated
    ; failures from one client share an object regardless of the account
    ; tried; Src is assumed to be filled in by the syslog MP parser, which is
    ; not shown here.
    ; NOTE(review): the anchored pattern only covers password authentication;
    ; sshd reports other methods with different prefixes (e.g. "Failed
    ; publickey", "Invalid user"), which this rule does not see -- decide
    ; whether those should open an object as well.
    Rule RuleFailed

    Exclude Int
    _$PIDSSHFailedLogin_%Location%_%Src% exists
    Exclude Int
    Info Not ~ "^Failed password"

    Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% ExpireIn(6) Notify(1)
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Failure")
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (2)
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (2)

    ;-------------------------------------------------------------------------------------
    ; RuleRetry: an "Accepted password" from a (Location, Src) that still has
    ; an outstanding failed-login object, i.e. a success after failures from
    ; the same client inside the window. All three clauses are exclusions, so
    ; the rule runs only when the object exists, SummaryInfo matches "Failure"
    ; and Info matches "^Accepted password". The object is re-tagged
    ; SummaryInfo "Retry" with RI_Severity 25 / Severity 1 and emitted as a
    ; new event (Do Int NewEvent) for Rule Display.
    ; NOTE(review): RI_Severity is 25 here but 1 in the otherwise identical
    ; HTTP RuleRetry on this page; one of the two is probably a typo --
    ; confirm which scale RI_Severity uses.
    ; NOTE(review): only "Accepted password" is matched, so a success by
    ; another method (e.g. "Accepted publickey") after password failures from
    ; the same client is not correlated; likewise a success from a different
    ; client than the failures has a different key and is never matched.
    Rule RuleRetry


    Exclude Int
    _$PIDSSHFailedLogin_%Location%_%Src% Not exists
    Exclude Int
    SummaryInfo Not ~ "Failure"
    Exclude Int
    Info Not ~ "^Accepted password"


    Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Retry")
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (25)
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (1)


    Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src%

    ;-------------------------------------------------------------------------------------
    ; RuleLogonOK: an "Accepted password" from a (Location, Src) whose object
    ; exists but whose SummaryInfo matches neither "Retry" nor "Failure".
    ; Re-tags the object SummaryInfo "Logon ok", RI_Severity 26, Severity 0
    ; and emits it as a new event for Rule Display.
    ; NOTE(review): as in the HTTP set, RuleFailed always sets "Failure" and
    ; RuleRetry sets "Retry", so the path on which an existing object reaches
    ; this rule with neither value is not visible on this page -- confirm
    ; before relying on "Logon ok" events being produced.
    Rule RuleLogonOK

    Exclude Int
    _$PIDSSHFailedLogin_%Location%_%Src% exists
    Exclude Int
    SummaryInfo ~ "Retry"
    Exclude Int
    SummaryInfo ~ "Failure"
    Exclude Int
    Info Not ~ "^Accepted password"

    Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Logon ok")
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (26)
    Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (0)


    Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src%

    ;-------------------------------------------------------------------------------------
    ; Display: the only Include rule in this set. Events that carry a
    ; SummaryInfo -- the "Failure" object delivered on expiry (Notify(1) in
    ; RuleFailed) and the "Retry" / "Logon ok" events emitted with
    ; Do Int NewEvent -- reach the configured action, and the failed-login
    ; object for that (Location, Src) is deleted so the next failure from that
    ; client opens a fresh window.
    ; NOTE(review): SCRIPT_ACTION is presumably the marker that opens the
    ; action section of the full rule file, which is not shown on this page.
    Rule Display

    Include Int
    SummaryInfo exists
    Do Int Delete _$PIDSSHFailedLogin_%Location%_%Src%
    SCRIPT_ACTION
     

    Download the rule here.