Example rules for eTrust Audit - Gottfried Rudorfer's Homepage

Details: Geschrieben von Gottfried Rudorfer; Kategorie: Verfügbare Software; Veröffentlicht: 14. September 2010

Knowledge articles of Gottfried Rudorfer about eTrust Audit ™
Please note that all documents were submitted with a copyright notice. Please contact me at Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein! if you need more information or assistance.
Rule for the correlation of eTrust Antivirus Alert Messages
Log the message with critical severity when the same virus occurs on more than one computer within a given period of time. Message for testing purposes: eTSAPISend.exe "AuditRouter" "ATR10412" "Category" "Host Security" "Date" "12/19/2005 16:05:16" "DetectionMethod" "Signature" "Engine" "InoculateIT" "InfectedFile" "C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\W1A70HER\EICAR[1].COM" "InfectedObject" "" "InfectionStatus" "Cure failed, file renamed." "InfectionType" "Virus" "iSponsorName" "eTrustAV" "Location" "\\WORKGROUP\ATVISCVM03" "Log" "eTrust Antivirus" "OS" "MS WinNT5.2 (Server)" "Recorder" "eTrustAV" "RecorderHost" "\\WORKGROUP\ATVISCVM03" "Severity" "2" "Src" "Realtime" "Status" "S" "Taxonomy" "Host Security.AntiVirus.Rename.F.C" "TimeZone" "0" "User" "ATVISCVM03\Administrator" "Version" "8.0.4.040921" "VirusName" "EICAR_test_file"
;# Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein!
Rule for the correlation of HTTP login attempts recorded by the syslog daemon
;# Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein! ;------------------------------------------------------------------------------------- ; ; For this to work correctly the following SYSLOG.MP-settings before the definition of GENERAL_NO_SRC are necessary: ; ;; Nov 02 11:33:32 server httpd: PAM_httpd: authentication failure; root(uid=65534) -> admin for httpd service ; HTTP_FAILURE_PAM ; { ; Name = HTTP_FAILURE_PAM ; KeyVal = GENERAL%%httpd ; Type = RECORD ; Regex = PAM_httpd\: authentication failure\; <Process> -> <User> for httpd service ; Key = HTTP_FAILURE_PAM ; ReplaceSpace = TRUE ; Process ; { ; format = .* ; } ; AddToken1 = Info:PAM_httpd: authentication failure\; <Process> -> <User> for httpd service ; } ; ;; Nov 02 11:33:32 server httpd: HTTP login from 192.168.0.1 as admin ; HTTP_OK_PAM ; { ; Name = HTTP_OK_PAM ; KeyVal = GENERAL%%httpd ; Type = RECORD ; Regex = HTTP login from <From> as <User> ; Key = HTTP_OK_PAM ; ReplaceSpace = TRUE ; From ; { ; format = [a-zA-Z0-9_\.\-]* ; } ; AddToken1 = Info:HTTP login from <From> as <User> ; } ; Rule RuleFailed Exclude Int _$PIDHTTPFailedLogin_%Location%_%User% exists Exclude Int Info Not ~ "httpd: authentication failure" Do Int Define _$PIDHTTPFailedLogin_%Location%_%User% Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% ExpireIn(6) Notify(1) Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Failure") Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (2) Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (2) ;------------------------------------------------------------------------------------- Rule RuleRetry Exclude Int _$PIDHTTPFailedLogin_%Location%_%User% Not exists Exclude Int SummaryInfo Not ~ "Failure" Exclude Int Info Not ~ "HTTP login from" Do Int Define _$PIDHTTPFailedLogin_%Location%_%User% Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Retry") Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (1) Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (1) Do Int NewEvent _$PIDHTTPFailedLogin_%Location%_%User% ;------------------------------------------------------------------------------------- Rule RuleLogonOK Exclude Int _$PIDHTTPFailedLogin_%Location%_%User% exists Exclude Int SummaryInfo ~ "Retry" Exclude Int SummaryInfo ~ "Failure" Exclude Int Info Not ~ "HTTP login from" Do Int Define _$PIDHTTPFailedLogin_%Location%_%User% Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Logon ok") Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (26) Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (0) Do Int NewEvent _$PIDHTTPFailedLogin_%Location%_%User% ;------------------------------------------------------------------------------------- Rule Display Include Int SummaryInfo exists Do Int Delete _$PIDHTTPFailedLogin_%Location%_%User% SCRIPT_ACTION Download the rule here.

Rule for the correlation of SSH login attempts recorded by the syslog daemon
;# Copyright (C) 2005 by Gottfried Rudorfer ;# ;# 3422 Greifenstein, Austria ;# Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein! ;# http://rudorfer.homedns.org/eaud/ ;# ;# Permission to use, copy, modify, and distribute this software and its ;# documentation for any purpose and without fee is hereby granted, provided ;# that the above copyright notice appears in all copies and that both that ;# copyright notice and this permission notice appear in all supporting ;# documentation. This software is provided "as is" without expressed or ;# implied warranty. ;# ;# Date: Sun, Oct 30 2005 ;# Author: Gottfried Rudorfer ;# ;------------------------------------------------------------------------------------- Rule RuleFailed Exclude Int _$PIDSSHFailedLogin_%Location%_%Src% exists Exclude Int Info Not ~ "^Failed password" Do Int Define _$PIDSSHFailedLogin_%Location%_%Src% Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% ExpireIn(6) Notify(1) Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Failure") Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (2) Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (2) ;------------------------------------------------------------------------------------- Rule RuleRetry Exclude Int _$PIDSSHFailedLogin_%Location%_%Src% Not exists Exclude Int SummaryInfo Not ~ "Failure" Exclude Int Info Not ~ "^Accepted password" Do Int Define _$PIDSSHFailedLogin_%Location%_%Src% Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Retry") Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (25) Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (1) Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src% ;------------------------------------------------------------------------------------- Rule RuleLogonOK Exclude Int _$PIDSSHFailedLogin_%Location%_%Src% exists Exclude Int SummaryInfo ~ "Retry" Exclude Int SummaryInfo ~ "Failure" Exclude Int Info Not ~ "^Accepted password" Do Int Define _$PIDSSHFailedLogin_%Location%_%Src% Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Logon ok") Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (26) Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (0) Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src% ;------------------------------------------------------------------------------------- Rule Display Include Int SummaryInfo exists Do Int Delete _$PIDSSHFailedLogin_%Location%_%Src% SCRIPT_ACTION Download the rule here.