Knowledge articles of Gottfried Rudorfer about eTrust Audit ™

Please note that all documents were submitted with a copyright notice. Please contact me by e-mail if you need more information or assistance.
Rule for the correlation of eTrust Antivirus Alert Messages

Log the message with critical severity when the same virus occurs on more than one computer within a given period of time.

Message for testing purposes:

eTSAPISend.exe "AuditRouter" "ATR10412" "Category" "Host Security" "Date" "12/19/2005 16:05:16" "DetectionMethod" "Signature" "Engine" "InoculateIT" "InfectedFile" "C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\W1A70HER\EICAR[1].COM" "InfectedObject" "" "InfectionStatus" "Cure failed, file renamed." "InfectionType" "Virus" "iSponsorName" "eTrustAV" "Location" "\\WORKGROUP\ATVISCVM03" "Log" "eTrust Antivirus" "OS" "MS WinNT5.2 (Server)" "Recorder" "eTrustAV" "RecorderHost" "\\WORKGROUP\ATVISCVM03" "Severity" "2" "Src" "Realtime" "Status" "S" "Taxonomy" "Host Security.AntiVirus.Rename.F.C" "TimeZone" "0" "User" "ATVISCVM03\Administrator" "Version" "8.0.4.040921" "VirusName" "EICAR_test_file"
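The correlation described above (the same VirusName reported by more than one computer within a period of time), as an added Python example that is not code from this page and not part of eTrust Audit: it splits an eTSAPISend test message into its quoted key/value fields and keeps, per virus, a sliding-window map of reporting hosts, raising a critical alert the moment a second host appears inside the window. The ten-minute window, the treatment of the first two quoted strings as positional arguments (target router and message id), and the extra host names in the constructed messages are assumptions; the first message is the one from this page.

```python
import re
from datetime import datetime, timedelta

DATE_FMT = "%m/%d/%Y %H:%M:%S"   # format of the "Date" field in the page's message

# The page's own eTSAPISend test message (raw strings so the Windows paths survive).
PAGE_MESSAGE = (
    r'eTSAPISend.exe "AuditRouter" "ATR10412" "Category" "Host Security" '
    r'"Date" "12/19/2005 16:05:16" "DetectionMethod" "Signature" "Engine" "InoculateIT" '
    r'"InfectedFile" "C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\W1A70HER\EICAR[1].COM" '
    r'"InfectedObject" "" "InfectionStatus" "Cure failed, file renamed." "InfectionType" "Virus" '
    r'"iSponsorName" "eTrustAV" "Location" "\\WORKGROUP\ATVISCVM03" "Log" "eTrust Antivirus" '
    r'"OS" "MS WinNT5.2 (Server)" "Recorder" "eTrustAV" "RecorderHost" "\\WORKGROUP\ATVISCVM03" '
    r'"Severity" "2" "Src" "Realtime" "Status" "S" "Taxonomy" "Host Security.AntiVirus.Rename.F.C" '
    r'"TimeZone" "0" "User" "ATVISCVM03\Administrator" "Version" "8.0.4.040921" '
    r'"VirusName" "EICAR_test_file"'
)


def parse_etsapisend(cmdline):
    """Turn an eTSAPISend command line into a dict of event fields.
    Assumption: the first two quoted strings are positional (target, message id),
    everything after them comes in key/value pairs."""
    quoted = re.findall(r'"([^"]*)"', cmdline)
    if len(quoted) < 2 or len(quoted[2:]) % 2:
        raise ValueError("expected target, message id and key/value pairs")
    fields = dict(zip(quoted[2::2], quoted[3::2]))
    fields["_target"], fields["_msgid"] = quoted[0], quoted[1]
    return fields


class VirusSpreadCorrelator:
    """Critical alert when one VirusName is seen on more than one host within
    `window`. State is a per-virus map host -> last detection time, the same
    key a rule would build from VirusName and RecorderHost."""

    def __init__(self, window=timedelta(minutes=10)):   # window is an assumption
        self.window = window
        self.seen = {}   # VirusName -> {host: last_seen datetime}

    def feed(self, fields):
        virus = fields["VirusName"]
        host = fields.get("RecorderHost") or fields["Location"]
        when = datetime.strptime(fields["Date"], DATE_FMT)
        hosts = self.seen.setdefault(virus, {})
        # forget hosts whose last detection is older than the window
        for stale in [h for h, t in hosts.items() if when - t > self.window]:
            del hosts[stale]
        hosts[host] = when
        if len(hosts) > 1:
            return {"severity": "critical", "virus": virus, "hosts": sorted(hosts)}
        return None


def make_message(virus, host, date):
    """Constructed message in the eTSAPISend shape shown on this page."""
    return (f'eTSAPISend.exe "AuditRouter" "ATR10412" "Category" "Host Security" '
            f'"Date" "{date}" "Log" "eTrust Antivirus" "RecorderHost" "{host}" '
            f'"Severity" "2" "VirusName" "{virus}"')


# Constructed feed: ATVISCVM03 is the page's host, HOSTB and HOSTC are invented.
SAMPLE = [
    PAGE_MESSAGE,
    make_message("EICAR_test_file", r"\\WORKGROUP\ATVISCVM03", "12/19/2005 16:06:40"),
    make_message("Other_test_file", r"\\WORKGROUP\HOSTB", "12/19/2005 16:07:00"),
    make_message("EICAR_test_file", r"\\WORKGROUP\HOSTB", "12/19/2005 16:09:05"),
    make_message("EICAR_test_file", r"\\WORKGROUP\HOSTC", "12/19/2005 17:30:00"),
]


def run(messages, window=timedelta(minutes=10)):
    """Feed messages in order and return the critical alerts raised."""
    corr = VirusSpreadCorrelator(window)
    alerts = []
    for msg in messages:
        alert = corr.feed(parse_etsapisend(msg))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Only the fourth message raises an alert: the same host reporting EICAR twice does not count as spread, a different virus on HOSTB does not match, and the late HOSTC detection arrives after the earlier hosts have aged out of the window.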
Rule for the correlation of HTTP login attempts recorded by the syslog daemon
Rule for the correlation of SSH login attempts recorded by the syslog daemon

;# Copyright (C) 2005 by Gottfried Rudorfer
;#
;# 3422 Greifenstein, Austria
;# http://rudorfer.homedns.org/eaud/
;#
;# Permission to use, copy, modify, and distribute this software and its
;# documentation for any purpose and without fee is hereby granted, provided
;# that the above copyright notice appears in all copies and that both that
;# copyright notice and this permission notice appear in all supporting
;# documentation. This software is provided "as is" without expressed or
;# implied warranty.
;#
;# Date: Sun, Oct 30 2005
;# Author: Gottfried Rudorfer
;#
;-------------------------------------------------------------------------------------
Rule RuleFailed
Exclude Int _$PIDSSHFailedLogin_%Location%_%Src% exists
Exclude Int Info Not ~ "^Failed password"
Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% ExpireIn(6) Notify(1)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Failure")
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (2)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (2)
;-------------------------------------------------------------------------------------
Rule RuleRetry
Exclude Int _$PIDSSHFailedLogin_%Location%_%Src% Not exists
Exclude Int SummaryInfo Not ~ "Failure"
Exclude Int Info Not ~ "^Accepted password"
Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Retry")
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (25)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (1)
Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src%
;-------------------------------------------------------------------------------------
Rule RuleLogonOK
Exclude Int _$PIDSSHFailedLogin_%Location%_%Src% exists
Exclude Int SummaryInfo ~ "Retry"
Exclude Int SummaryInfo ~ "Failure"
Exclude Int Info Not ~ "^Accepted password"
Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Logon ok")
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (26)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (0)
Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src%
;-------------------------------------------------------------------------------------
Rule Display
Include Int SummaryInfo exists
Do Int Delete _$PIDSSHFailedLogin_%Location%_%Src%
SCRIPT_ACTION

Download the rule here.
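One reading of the SSH rule set above, as an added Python example that is neither the page's code nor eTrust Audit's rule engine: state keyed on (Location, Src), as in _$PIDSSHFailedLogin_%Location%_%Src%, is created by a "Failed password" line (RuleFailed), a later "Accepted password" from the same key while that state holds "Failure" becomes a "Retry" event with RI_Severity 25 (RuleRetry), an "Accepted password" with no outstanding state becomes a "Logon ok" event with RI_Severity 26 (RuleLogonOK), and the state is deleted once a summary event is produced (Display). The syslog lines, the year 2005 used to complete their timestamps, the minute as the unit of ExpireIn(6), and the mapping of Location to the syslog host and Src to the client address are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed OpenSSH-style syslog lines; host name and addresses are invented.
SAMPLE_LOG = """\
Oct 30 10:01:02 srv1 sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Oct 30 10:01:09 srv1 sshd[1234]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Oct 30 10:02:00 srv1 sshd[1240]: Accepted password for alice from 192.0.2.20 port 51300 ssh2
Oct 30 10:20:00 srv1 sshd[1250]: Failed password for bob from 192.0.2.30 port 51400 ssh2
Oct 30 10:30:00 srv1 sshd[1251]: Accepted password for bob from 192.0.2.30 port 51401 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<info>(?:Failed|Accepted) password) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)
YEAR = 2005   # syslog lines carry no year; taken from the page's date (assumption)


def parse_line(line):
    """Map one sshd syslog line onto the fields the rules use (Location, Src, Info)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
    return {"time": ts, "Location": m["host"], "Src": m["src"],
            "User": m["user"], "Info": m["info"]}


class SshLoginCorrelator:
    """Python reading of RuleFailed / RuleRetry / RuleLogonOK / Display,
    keyed on (Location, Src) like _$PIDSSHFailedLogin_%Location%_%Src%."""

    def __init__(self, expire=timedelta(minutes=6)):   # ExpireIn(6), unit assumed
        self.expire = expire
        self.state = {}   # (Location, Src) -> {"SummaryInfo": ..., "expires": datetime}

    def feed(self, ev):
        key = (ev["Location"], ev["Src"])
        st = self.state.get(key)
        if st and ev["time"] >= st["expires"]:       # ExpireIn: drop stale state
            del self.state[key]
            st = None
        if ev["Info"].startswith("Failed password"):
            if st is None:                           # RuleFailed: remember the failure
                self.state[key] = {"SummaryInfo": "Failure", "Severity": 2,
                                   "expires": ev["time"] + self.expire}
            return None                              # RuleFailed raises no NewEvent
        if ev["Info"].startswith("Accepted password"):
            if st and st["SummaryInfo"] == "Failure":   # RuleRetry: success after failure
                summary, ri, sev = "Retry", 25, 1
            elif st is None:                            # RuleLogonOK: clean logon
                summary, ri, sev = "Logon ok", 26, 0
            else:
                return None
            self.state.pop(key, None)                   # Display: delete the state
            return {"SummaryInfo": summary, "RI_Severity": ri, "Severity": sev,
                    "Location": ev["Location"], "Src": ev["Src"], "User": ev["User"]}
        return None


def correlate(lines, expire=timedelta(minutes=6)):
    """Run the lines through the correlator and return the events it raises."""
    corr = SshLoginCorrelator(expire)
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            out = corr.feed(ev)
            if out:
                events.append(out)
    return events


if __name__ == "__main__":
    for event in correlate(SAMPLE_LOG):
        print(event)
```

With the six-minute expiry, root's success seven seconds after a failure is reported as "Retry", alice's login as "Logon ok", and bob's success ten minutes after his failure also as "Logon ok" because the failure state has expired; lengthening the expiry to fifteen minutes turns bob's login into a "Retry" as well.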