Knowledge articles of Gottfried Rudorfer about eTrust Audit ™

Please note that all documents were submitted with a copyright notice. Please contact me at This email address is being protected from spambots. You need JavaScript enabled to view it. if you need more information or assistance.

Rule for the correlation of eTrust Antivirus Alert Messages
Log the message with critical severity when the same virus occurs on more than one computer within a given period of time.

Message for testing purposes:

eTSAPISend.exe "AuditRouter" "ATR10412" "Category" "Host Security" "Date" "12/19/2005 16:05:16" "DetectionMethod" "Signature" "Engine" "InoculateIT" "InfectedFile" "C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\W1A70HER\EICAR[1].COM" "InfectedObject" "" "InfectionStatus" "Cure failed, file renamed." "InfectionType" "Virus" "iSponsorName" "eTrustAV" "Location" "\\WORKGROUP\ATVISCVM03" "Log" "eTrust Antivirus" "OS" "MS WinNT5.2 (Server)" "Recorder" "eTrustAV" "RecorderHost" "\\WORKGROUP\ATVISCVM03" "Severity" "2" "Src" "Realtime" "Status" "S" "Taxonomy" "Host Security.AntiVirus.Rename.F.C" "TimeZone" "0" "User" "ATVISCVM03\Administrator" "Version" "8.0.4.040921" "VirusName" "EICAR_test_file"
 

;# This email address is being protected from spambots. You need JavaScript enabled to view it.

Rule for the correlation of HTTP login attempts recorded by the syslog daemon

;# This email address is being protected from spambots. You need JavaScript enabled to view it.
;-------------------------------------------------------------------------------------
;
; For this to work correctly the following SYSLOG.MP-settings before the definition of GENERAL_NO_SRC are necessary:
;
;; Nov 02 11:33:32 server httpd: PAM_httpd: authentication failure; root(uid=65534) -> admin for httpd service
; HTTP_FAILURE_PAM
; {
; Name = HTTP_FAILURE_PAM
; KeyVal = GENERAL%%httpd
; Type = RECORD
; Regex = PAM_httpd\: authentication failure\; <Process> -> <User> for httpd service
; Key = HTTP_FAILURE_PAM
; ReplaceSpace = TRUE
; Process
; {
; format = .*
; }
; AddToken1 = Info:PAM_httpd: authentication failure\; <Process> -> <User> for httpd service
; }
;
;; Nov 02 11:33:32 server httpd: HTTP login from 192.168.0.1 as admin
; HTTP_OK_PAM
; {
; Name = HTTP_OK_PAM
; KeyVal = GENERAL%%httpd
; Type = RECORD
; Regex = HTTP login from <From> as <User>
; Key = HTTP_OK_PAM
; ReplaceSpace = TRUE
; From
; {
; format = [a-zA-Z0-9_\.\-]*
; }
; AddToken1 = Info:HTTP login from <From> as <User>
; }
;

Rule RuleFailed

Exclude Int
_$PIDHTTPFailedLogin_%Location%_%User% exists
Exclude Int
Info Not ~ "httpd: authentication failure"

Do Int Define _$PIDHTTPFailedLogin_%Location%_%User%
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% ExpireIn(6) Notify(1)
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Failure")
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (2)
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (2)

;-------------------------------------------------------------------------------------
Rule RuleRetry


Exclude Int
_$PIDHTTPFailedLogin_%Location%_%User% Not exists
Exclude Int
SummaryInfo Not ~ "Failure"
Exclude Int
Info Not ~ "HTTP login from"


Do Int Define _$PIDHTTPFailedLogin_%Location%_%User%
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Retry")
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (1)
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (1)


Do Int NewEvent _$PIDHTTPFailedLogin_%Location%_%User%

;-------------------------------------------------------------------------------------
Rule RuleLogonOK

Exclude Int
_$PIDHTTPFailedLogin_%Location%_%User% exists
Exclude Int
SummaryInfo ~ "Retry"
Exclude Int
SummaryInfo ~ "Failure"
Exclude Int
Info Not ~ "HTTP login from"

Do Int Define _$PIDHTTPFailedLogin_%Location%_%User%
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Logon ok")
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (26)
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (0)


Do Int NewEvent _$PIDHTTPFailedLogin_%Location%_%User%

;-------------------------------------------------------------------------------------
Rule Display

Include Int
SummaryInfo exists
Do Int Delete _$PIDHTTPFailedLogin_%Location%_%User%
SCRIPT_ACTION

Download the rule here.

 
Rule for the correlation of SSH login attempts recorded by the syslog daemon
;# Copyright (C) 2005 by Gottfried Rudorfer
;#
;# 3422 Greifenstein, Austria
;# This email address is being protected from spambots. You need JavaScript enabled to view it.
;# http://rudorfer.homedns.org/eaud/
;#
;# Permission to use, copy, modify, and distribute this software and its
;# documentation for any purpose and without fee is hereby granted, provided
;# that the above copyright notice appears in all copies and that both that
;# copyright notice and this permission notice appear in all supporting
;# documentation. This software is provided "as is" without expressed or
;# implied warranty.
;#
;# Date: Sun, Oct 30 2005
;# Author: Gottfried Rudorfer

;#
;-------------------------------------------------------------------------------------
Rule RuleFailed

Exclude Int
_$PIDSSHFailedLogin_%Location%_%Src% exists
Exclude Int
Info Not ~ "^Failed password"

Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% ExpireIn(6) Notify(1)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Failure")
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (2)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (2)

;-------------------------------------------------------------------------------------
Rule RuleRetry


Exclude Int
_$PIDSSHFailedLogin_%Location%_%Src% Not exists
Exclude Int
SummaryInfo Not ~ "Failure"
Exclude Int
Info Not ~ "^Accepted password"


Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Retry")
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (25)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (1)


Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src%

;-------------------------------------------------------------------------------------
Rule RuleLogonOK

Exclude Int
_$PIDSSHFailedLogin_%Location%_%Src% exists
Exclude Int
SummaryInfo ~ "Retry"
Exclude Int
SummaryInfo ~ "Failure"
Exclude Int
Info Not ~ "^Accepted password"

Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Logon ok")
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (26)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (0)


Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src%

;-------------------------------------------------------------------------------------
Rule Display

Include Int
SummaryInfo exists
Do Int Delete _$PIDSSHFailedLogin_%Location%_%Src%
SCRIPT_ACTION

Download the rule here.