From 6158168a97226b21187e98fb457ee88b1d5d1be3 Mon Sep 17 00:00:00 2001 From: Henri DF Date: Tue, 29 Mar 2016 21:35:07 -0700 Subject: [PATCH 1/2] Grammar support for priorities --- userspace/digwatch/lua/compiler.lua | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/userspace/digwatch/lua/compiler.lua b/userspace/digwatch/lua/compiler.lua index f2cc3555..7ba40ed3 100644 --- a/userspace/digwatch/lua/compiler.lua +++ b/userspace/digwatch/lua/compiler.lua @@ -155,6 +155,18 @@ end -- grammar +local function normalize_level(level) + valid_levels = {"emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"} + level = string.lower(level) + for i,v in ipairs(valid_levels) do + if (string.find(v, "^"..level)) then + return v + end + end + error("Invalid severity level: "..level) +end + + local function filter(e) return {type = "Filter", value=e} end @@ -163,12 +175,12 @@ local function macro (name, filter) return {type = "MacroDef", name = name, value = filter} end -local function outputformat (format) - return {type = "OutputFormat", value = format} +local function outputformat (level, format) + return {type = "OutputFormat", level = normalize_level(level), value = format} end -local function functioncall (str, mname, fname, args) - return {type = "FunctionCall", mname = mname, fname = fname, arguments = args, source = str} +local function functioncall (level, str, mname, fname, args) + return {type = "FunctionCall", level = normalize_level(level), mname = mname, fname = fname, arguments = args, source = str} end local function rule(filter, output) @@ -217,7 +229,7 @@ local G = { MacroDef = (C(V"Macro") * V"Skip" * V"Colon" * (V"Filter")); FuncArgs = symb("(") * list(V"Value", symb(",")) * symb(")"); - Output = (C(V"Name" * P(".") * V"Name" * V"FuncArgs") / functioncall) + P(1)^0 / outputformat; + Output = (C(V"Identifier") * V"Skip" * C(V"Name" * P(".") * V"Name" * V"FuncArgs") / functioncall) + (C(V"Identifier") * V"Skip" * C(P(1)^0) / outputformat); -- Terminals Value = terminal "Number" + terminal "String" + terminal "BareString"; From aef0be3027109da86e3a925bd3e40bdc34215751 Mon Sep 17 00:00:00 2001 From: Henri DF Date: Wed, 30 Mar 2016 12:54:46 -0700 Subject: [PATCH 2/2] Add priorities to all outputs For now, all are WARNING. Will need to refine/adjust over time. --- rules/base.txt | 72 +++++++++++++++++++++++++------------------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/rules/base.txt b/rules/base.txt index 92b5335c..c356fb32 100644 --- a/rules/base.txt +++ b/rules/base.txt @@ -65,72 +65,72 @@ system_users: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uu ####### # Don't write to binary dirs -evt.dir = > and write and bin_dir | Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +evt.dir = > and write and bin_dir | WARNING Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Don't write to /etc -evt.dir = > and write and etc_dir | Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +evt.dir = > and write and etc_dir | WARNING Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Don't read 'sensitive' files -read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | WARNING Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Don't modify binary dirs -modify and (bin_dir_rename or bin_dir_mkdir) | Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +modify and (bin_dir_rename or bin_dir_mkdir) | WARNING Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Don't load shared objects coming from unexpected places -read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | output.first_sequence(evt, "fd.filename", "shared_obj", "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)") +read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | WARNING output.first_sequence(evt, "fd.filename", "shared_obj", "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)") # Attempts to access things that shouldn't be -evt.res = EACCES | EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +evt.res = EACCES | INFO System call returned EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Only sysdig and docker can call setns -syscall.type = setns and not proc.name in (docker, sysdig) | Unexpected setns (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +syscall.type = setns and not proc.name in (docker, sysdig) | WARNING Unexpected setns (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Shells should only be run by cron or sshd -proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name) +proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | WARNING Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name) # Anything run interactively by root -# evt.type != switch and user.name = root and proc.name != sshd and interactive | Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +# evt.type != switch and user.name = root and proc.name != sshd and interactive | WARNING Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Anything run interactively by a non-login user -system_users and interactive | Sytem user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +system_users and interactive | WARNING Sytem user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Chmod should only be run interactively (by a user) -syscall.type = chmod and not interactive | non-interactive chmod (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +syscall.type = chmod and not interactive | WARNING non-interactive chmod (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Shells in a container -container and proc.name = bash | shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +container and proc.name = bash | WARNING shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Network traffic to/from standard utils # sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets -fd.sockfamily = ip and system_binaries | network traffic to %proc.name (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +fd.sockfamily = ip and system_binaries | WARNING network traffic to %proc.name (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # SSH errors (failed logins, disconnects, ..) -syslog and ssh_error_message and evt.dir = < | sshd error (%proc.name %evt.arg.data) +syslog and ssh_error_message and evt.dir = < | WARNING sshd error (%proc.name %evt.arg.data) # Non-sudo setuid -evt.type=setuid and not_cron and not proc.name in (sudo, sshd) | unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args) +evt.type=setuid and not_cron and not proc.name in (sudo, sshd) | WARNING unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args) # User management (su and sudo are ok) -not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries) | user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args) +not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries) | WARNING user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args) # Some rootkits hide files in /dev # (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153) -(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null | file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null | WARNING file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Elasticsearch ports elasticsearch_cluster_port: fd.sport=9300 elasticsearch_api_port: fd.sport=9200 elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port -user.name = elasticsearch and inbound and not elasticsearch_port | Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = elasticsearch and outbound and not elasticsearch_cluster_port | Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = elasticsearch and inbound and not elasticsearch_port | WARNING Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = elasticsearch and outbound and not elasticsearch_cluster_port | WARNING Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # ActiveMQ ports activemq_cluster_port: fd.sport=61616 activemq_web_port: fd.sport=8161 activemq_port: activemq_web_port or activemq_cluster_port -user.name = activemq and inbound and not activemq_port | Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = activemq and outbound and not activemq_cluster_port | Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = activemq and inbound and not activemq_port | WARNING Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = activemq and outbound and not activemq_cluster_port | WARNING Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Cassandra ports @@ -142,8 +142,8 @@ cassandra_ssl_cluster_port: fd.sport=7001 cassandra_jmx_port: fd.sport=7199 cassandra_port: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port -user.name = cassandra and inbound and not cassandra_port | Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = cassandra and inbound and not cassandra_port | WARNING Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | WARNING Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Couchbase ports # http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html @@ -175,8 +175,8 @@ couchbase_dataexchange_port: fd.sport>=21100 and fd.sport<=21299 couchbase_internal_port: couchbase_bucket_port or couchbase_epmd_port or couchbase_dataexchange_port couchbase_port: couchbase_web_port or couchbase_api_port or couchbase_ssl_bucket_port or couchbase_internal_port or couchbase_bucket_port_ie or couchbase_client_interface_port or couchbase_incoming_ssl or couchbase_outgoing_ssl or couchbase_internal_rest_port or couchbase_internal_capi_port -user.name = couchbase and inbound and not couchbase_port | Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = couchbase and outbound and not couchbase_internal_port | Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = couchbase and inbound and not couchbase_port | WARNING Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = couchbase and outbound and not couchbase_internal_port | WARNING Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Couchdb ports @@ -190,19 +190,19 @@ couchdb_httpd_ssl_port: fd.sport=6984 etcd_client_port: fd.sport=2379 etcd_peer_port: fd.sport=2380 # need to double-check which user etcd runs as -user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = etcd and outbound and not couchbase_internal_port | Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | WARNING Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = etcd and outbound and not couchbase_internal_port | WARNING Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Fluentd ports fluentd_http_port: fd.sport=9880 fluentd_forward_port: fd.sport=24224 -user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = td-agent and outbound and not fluentd_forward_port | Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | WARNING Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = td-agent and outbound and not fluentd_forward_port | WARNING Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Gearman ports # http://gearman.org/protocol/ -user.name = gearman and outbound and outbound and not fd.sport = 4730 | Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = gearman and outbound and outbound and not fd.sport = 4730 | WARNING Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Zookeeper zookeeper_port: fd.sport = 2181 @@ -220,15 +220,15 @@ hbase_thrift_info_port: fd.sport = 9095 # If you're not running HBase under the 'hbase' user, adjust first expression # in each rule below -user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | WARNING Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | WARNING Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Kafka ports -user.name = kafka and inbound and fd.sport != 9092 | Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = kafka and inbound and fd.sport != 9092 | WARNING Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Memcached ports -user.name = memcached and inbound and fd.sport != 11211 | Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # MongoDB ports mongodb_server_port: fd.sport = 27017 @@ -236,7 +236,7 @@ mongodb_shardserver_port: fd.sport = 27018 mongodb_configserver_port: fd.sport = 27019 mongodb_webserver_port: fd.sport = 28017 -user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # MySQL ports -user.name = mysql and inbound and fd.sport != 3306 | Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)