patrickod · March 15, 2018 00:06 · patrickod · Mar 15, 2018
diff --git a/logs.json b/logs.json
 {
    "ossec:alerts": {
    "schema": {
      "rule": {
        "level": "integer",
        "comment": "string",
        "sidid": "integer"
      },
      "location": "string",
      "full_log": "string",
      "instance_id": "string",
      "vpc_id": "string",
      "account_id": "string",
      "log_time": "string"
    },
    "configuration": {
      "optional_top_level_keys": [
        "action",
        "comment",
        "cve",
        "dstip",
        "dstport",
        "dstuser",
        "file",
        "full_log",
        "level",
        "location",
        "rule",
        "sidid",
        "srcip",
        "srcport",
        "srcuser"
      ]
    },
    "parser": "json"
  }
 }
diff --git a/ossec_rootcheck.json b/ossec_rootcheck.json
 {
  "records": [
    {
      "data": {
        "rule": {
          "level": 3,
          "comment": "Successful sudo to ROOT executed",
          "sidid": 5402
        },
        "srcuser": "root",
        "dstuser": "ec2-user",
        "location": "/var/log/secure",
        "full_log": "Mar 14 00:03:08 example-host sudo: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/monit status",
        "instance_id": "i-00000000000000000",
        "account_id": "000000000000",
        "vpc_id": "vpc-00000000",
        "log_time": "2018-03-14T00:03:09Z"
      },
      "description": "non-rootcheck events should not trigger an alert",
      "log": "ossec:alerts",
      "service": "s3",
      "source": "ossec.bucket",
      "trigger_rules": []
    }
  ]
 }
diff --git a/rootcheck.py b/rootcheck.py
 """Alert on rootcheck module events from OSSEC"""
 from stream_alert.rule_processor.rules_engine import StreamRules

 rule = StreamRules.rule

 @rule(
    logs=["ossec:alerts"],
    outputs=["aws-s3:production.streamalerts"])
 def ossec_rootcheck(rec):
    """
    Author:        Patrick O'Doherty
    Description:   Identify rootcheck failures from OSSEC
    """
    return rec['location'] == "rootcheck"
	{
	"ossec:alerts": {
	"schema": {
	"rule": {
	"level": "integer",
	"comment": "string",
	"sidid": "integer"
	},
	"location": "string",
	"full_log": "string",
	"instance_id": "string",
	"vpc_id": "string",
	"account_id": "string",
	"log_time": "string"
	},
	"configuration": {
	"optional_top_level_keys": [
	"action",
	"comment",
	"cve",
	"dstip",
	"dstport",
	"dstuser",
	"file",
	"full_log",
	"level",
	"location",
	"rule",
	"sidid",
	"srcip",
	"srcport",
	"srcuser"
	]
	},
	"parser": "json"
	}
	}
	{
	"records": [
	{
	"data": {
	"rule": {
	"level": 3,
	"comment": "Successful sudo to ROOT executed",
	"sidid": 5402
	},
	"srcuser": "root",
	"dstuser": "ec2-user",
	"location": "/var/log/secure",
	"full_log": "Mar 14 00:03:08 example-host sudo: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/monit status",
	"instance_id": "i-00000000000000000",
	"account_id": "000000000000",
	"vpc_id": "vpc-00000000",
	"log_time": "2018-03-14T00:03:09Z"
	},
	"description": "non-rootcheck events should not trigger an alert",
	"log": "ossec:alerts",
	"service": "s3",
	"source": "ossec.bucket",
	"trigger_rules": []
	}
	]
	}
	"""Alert on rootcheck module events from OSSEC"""
	from stream_alert.rule_processor.rules_engine import StreamRules

	rule = StreamRules.rule

	@rule(
	logs=["ossec:alerts"],
	outputs=["aws-s3:production.streamalerts"])
	def ossec_rootcheck(rec):
	"""
	Author: Patrick O'Doherty
	Description: Identify rootcheck failures from OSSEC
	"""
	return rec['location'] == "rootcheck"