int13h/squert

No OSSEC events details

Closed this issue · 5 comments

OSSEC events have their (very relevant) details in the payload.
But Squert is not showing the payload of OSSEC events. The check for the existence of payload is not taking the format of OSSEC events into account.

I'm sure there are better ways to do it, but for the sake of testing, here's a very dirty hack to show OSSEC event payload/details in Squert:

In squert.js at line 1632,
replace:

    if (!theData[2]) {
        p_hex = "No Data Sent.";
        p_ascii = "No Data Sent.";
    } else {
        p_pl = theData[1].data_payload;
        p_length = theData[1].data_payload.length;
        // ... rest of the else branch unchanged

with:

    // Only report "No Data Sent." when neither record carries a payload
    if (!theData[2] && !theData[1].data_payload) {
        p_hex = "No Data Sent.";
        p_ascii = "No Data Sent.";
    } else {
        // Take the payload from whichever record actually has one
        if (!theData[1].data_payload) {
            p_pl = theData[2].data_payload;
            p_length = theData[2].data_payload.length;
        } else {
            p_pl = theData[1].data_payload;
            p_length = theData[1].data_payload.length;
        }
        // ... rest of the else branch unchanged

I don't run ossec. Can you show me an example of an ossec payload?

On Mon, Sep 9, 2013 at 10:11 AM, Pedro Simoes notifications@github.com wrote:


Paul Halliday
http://www.pintumbler.org/

It's just ASCII stored in hex format, Paul.

Here's a sample:

mysql> SELECT unhex(data_payload) as text FROM data WHERE data.sid=1 and data.cid=6;
+-----------------------------------------------------------------+
| text                                                            |
+-----------------------------------------------------------------+
| Integrity checksum changed for: '/etc/network/interfaces'
Size changed from '32' to '895'
Old md5sum was: '60063d9c46ff503248fd6361e4471581'
New md5sum is : 'c131a74a67dd568c1038a6a137f7391c'
Old sha1sum was: '6d7cbd6e3c0affd5f7d1d7ac2f3d392923f496dd'
New sha1sum is : '66ef290c94de1457c44970ad1f6573bd7f3a102e'

|
+-----------------------------------------------------------------+
1 row in set (0.00 sec)

I need to properly identify the parts returned by the pd function in callback.php so that they can be referenced by name instead of index in squert.js.

Thanks for the help, Doug.