fix comments, add test

crowdsecurity · Dec 30, 2024 · e624671 · e624671
1 parent 4d2d8fd
commit e624671
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 3 deletions.
diff --git a/.tests/auditd-sus-exec/auditd-sus-exec.log b/.tests/auditd-sus-exec/auditd-sus-exec.log
@@ -0,0 +1 @@
+type=SYSCALL msg=audit(1735551158.502:102037): arch=c000003e syscall=59 success=yes exit=0 a0=795b1349d528 a1=795b1349d570 a2=60b9a3a1f010 a3=8 items=2 ppid=59007 pid=59024 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2238 comm="id" exe="/tmp/id" subj=unconfined key="rootcmd"ARCH=x86_64 SYSCALL=execve AUID="bui" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
diff --git a/.tests/auditd-sus-exec/config.yaml b/.tests/auditd-sus-exec/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+    - ./parsers/s01-parse/crowdsecurity/auditd-logs.yaml
+    - crowdsecurity/syslog-logs
+    - crowdsecurity/dateparse-enrich
+scenarios:
+    - ./scenarios/crowdsecurity/auditd-sus-exec.yaml
+postoverflows:
+    - ""
+log_file: auditd-sus-exec.log
+log_type: auditd
+ignore_parsers: true
diff --git a/.tests/auditd-sus-exec/parser.assert b/.tests/auditd-sus-exec/parser.assert
diff --git a/.tests/auditd-sus-exec/scenario.assert b/.tests/auditd-sus-exec/scenario.assert
@@ -0,0 +1,29 @@
+len(results) == 1
+"59007" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["59007"].IP == ""
+results[0].Overflow.Sources["59007"].Range == ""
+results[0].Overflow.Sources["59007"].GetScope() == "pid"
+results[0].Overflow.Sources["59007"].GetValue() == "59007"
+results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "102037"
+results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "SYSCALL"
+results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1001"
+results[0].Overflow.Alert.Events[0].GetMeta("comm") == "id"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "auditd-sus-exec.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("euid") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/tmp/id"
+results[0].Overflow.Alert.Events[0].GetMeta("gid") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
+results[0].Overflow.Alert.Events[0].GetMeta("pid") == "59024"
+results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "59007"
+results[0].Overflow.Alert.Events[0].GetMeta("ses") == "2238"
+results[0].Overflow.Alert.Events[0].GetMeta("str_GID") == "root"
+results[0].Overflow.Alert.Events[0].GetMeta("str_UID") == "root"
+results[0].Overflow.Alert.Events[0].GetMeta("subj") == "unconfined"
+results[0].Overflow.Alert.Events[0].GetMeta("syscall_num") == "59"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-12-30T09:32:38Z"
+results[0].Overflow.Alert.Events[0].GetMeta("tty") == "pts1"
+results[0].Overflow.Alert.Events[0].GetMeta("uid") == "0"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/auditd-sus-exec"
+results[0].Overflow.Alert.Remediation == false
+results[0].Overflow.Alert.GetEventsCount() == 1
diff --git a/parsers/s01-parse/crowdsecurity/laurel-logs.yaml b/parsers/s01-parse/crowdsecurity/laurel-logs.yaml
@@ -17,8 +17,7 @@ nodes:
           - meta: service
             value: laurel
           - meta: log_type
-            expression: |
-              evt.Unmarshaled.laurel.SYSCALL.SYSCALL == "execve" ? "auditd_syscall_execve" : "auditd_syscall"
+            expression: "auditd_syscall" + evt.Unmarshaled.laurel.SYSCALL.SYSCALL
           - target: evt.StrTime
             expression: evt.Parsed.timestamp
           - meta: exe

diff --git a/scenarios/crowdsecurity/auditd-sus-exec.yaml b/scenarios/crowdsecurity/auditd-sus-exec.yaml
@@ -2,7 +2,7 @@ type: trigger
 #debug: true
 name: crowdsecurity/auditd-sus-exec
 description: "Detect post-exploitation behaviour : exec from suspicious locations"
-filter: evt.Meta.log_type == 'syscall_execve' and ( evt.Meta.exe startsWith "/tmp/" or evt.Meta.exe contains "/." )
+filter: evt.Meta.log_type == 'auditd_syscall_execve' and ( evt.Meta.exe startsWith "/tmp/" or evt.Meta.exe contains "/." )
 labels:
   confidence: 2
   spoofable: 0
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		type=SYSCALL msg=audit(1735551158.502:102037): arch=c000003e syscall=59 success=yes exit=0 a0=795b1349d528 a1=795b1349d570 a2=60b9a3a1f010 a3=8 items=2 ppid=59007 pid=59024 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2238 comm="id" exe="/tmp/id" subj=unconfined key="rootcmd"ARCH=x86_64 SYSCALL=execve AUID="bui" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"