
MySecRep

Syslog Security Report Generator


Introduction

For most security tools you will find plenty of reporting tools. That's good, but I haven't seen one that combines the logging of multiple security tools, which is why I started working on MySecRep. It takes (currently from a single syslog file) the logging from snort (network-based IDS), samhain (file-integrity scanner, used as a host-based IDS) and pcds (Process Change Detection System, also a host-based IDS) and generates a text report that can be emailed or only written to disk.
Be aware that you don't need to use all of the tools: if a tool's messages are not in the logfile, MySecRep simply goes on without complaint.
As MySecRep reads from syslog, you can run it on your syslog server and generate a daily report for auditing purposes.

What's New

December 26, 2003.
In version 0.8 the code for snort reporting has been cleaned up; it is now easier to extend or modify. I added a line to the report stating whether short or long logging is in use, and I modified the file-mask settings.

June 7, 2003.
In version 0.7 I fixed a bug affecting the first 9 days of a month: syslog pads those day numbers with an extra space (e.g. "Jun  7"), which messed up the parsing. I also included logging of portscans as reported by snort's preprocessor "portscan2". They are logged as Priority 3.

The complete changelog can be read here: Changelog

Configuration

MySecRep itself doesn't need much configuration: only the input file, the output file and an email address. These are the options; they are all straightforward:

my $infile = "/var/log/security.alert";
my $outfile = "/var/log/security.report";

# Warning! If you need to use an @ sign, escape it (Perl would otherwise
# interpolate it as an array): address\@domain.com
# Also, multiple addresses can be used. Separate them by a space.
my $adminmail = "admin";

# You can switch to not sending mail by setting mail to 0.
my $mail = 0;

# You can reverse the order of logging. Put to 1 for reverse, 0
# for normal behavior.
my $reverse = 0;

# You can create a "short" or "long" report. A short report does
# not contain the Classification information from the snort log.
# A long one does.
my $type = "short";

# Include or exclude the portscan messages. They will be put to priority 3
# if included. Default is 1 (on), put to 0 for "off".
my $portscan = 1;

To be sure you get all the logging, all of it has to be written to one file, and of course that file must be readable for the script (and preferably not for anyone else: it contains your IDS alerts).

For snort I use the syslog output in snort.conf:

# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
output alert_syslog: LOG_LOCAL5 LOG_ERR

For PCDS (v2.4 and up) I use the following (default) value for loglevel:

# Choose your syslog output facility and level. Default is set to local5 and err (error).
# WARNING: divide the facility and level by a "|" sign: local5|err
my $loglevel = "local5|err";

For samhain I made the following modifications to the config file, samhainrc:

[EventSeverity]
#
# Here you can assign severities to policy violations.
# If this severity exceeds the threshold of a log facility (see below),
# a policy violation will be logged to that facility.
#
# Severity for verification failures.
#
SeverityReadOnly=alert
SeverityLogFiles=crit
SeverityGrowingLogs=err
SeverityIgnoreNone=alert
SeverityAttributes=err
#
# We have a file in IgnoreAll that might or might not be present.
# Setting the severity to 'info' prevents messages about deleted/new file.
#
SeverityIgnoreAll=info

#
# Files : file access problems
# Dirs  : directory access problems
# Names : suspect (non-printable) characters in a pathname
#
SeverityFiles=crit
SeverityDirs=err
SeverityNames=warn

Samhain's err, crit and alert severities correspond to priorities 3, 2 and 1 in the MySecRep report, so adjust them to your needs.
Finally, all of this (for you I hope it won't be much) has to be written to one file where MySecRep can pick it up. Snort and pcds arrive via local5.err; the authpriv selectors are there for samhain, which logs to the authpriv facility by default (SyslogFacility in samhainrc). Note that authpriv.warn already selects warn and everything more severe, so the extra authpriv.err and authpriv.crit selectors are redundant but harmless. For my syslog.conf I added this line:

# Save everything from security in security.alert
local5.err;authpriv.warn;authpriv.err;authpriv.crit     /var/log/security.alert

This log then has to be rotated regularly so that the report can be generated from the completed (rotated) file. As this can be done in several ways, I can't give a default solution for it. Whatever you use, make sure syslogd is told to reopen its files after the rotation (a SIGHUP does that for the classic syslogd), otherwise it keeps writing into the renamed file, and give the rotated copies the same restrictive permissions as the live one.
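The classification MySecRep applies is spread over the sections above: snort alerts carry their own priority, samhain err/crit/alert become 3/2/1, portscan2 messages become 3, and the Example section lists pcds messages under priority 2. The following Python script is an added example, not MySecRep's own code (which is Perl); it pulls those rules together, reads lines in the security.alert layout produced by the syslog.conf line above and renders a report in the layout of the Example section. The snort line layout is snort's alert_syslog format; the samhain, pcds and portscan2 message shapes, the stripping of snort's rule-category prefix ("WEB-MISC "), the "class:" suffix of the long report type and the sample log are assumptions and constructed data.

```python
import re

# Samhain severity -> priority, as the page states (err = 3, crit = 2, alert = 1).
SAMHAIN_PRIORITY = {"ALERT": 1, "CRIT": 2, "ERR": 3}
PORTSCAN_PRIORITY = 3   # page: portscan2 messages are reported as Priority 3
PCDS_PRIORITY = 2       # page's example report lists pcds lines under Priority 2

# Syslog prefix.  Days 1-9 are space padded ("Jun  7"), the case that broke
# MySecRep before 0.7, so the day separator is matched with \s+.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# snort alert_syslog line (snort 1.9/2.x layout):
#   snort: [1:1852:3] WEB-MISC robots.txt access [Classification: ...] [Priority: 2]: {TCP} a:p -> b:q
SNORT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")
# spp_portscan2 message; the "Portscan detected from" wording is an assumption.
PORTSCAN_RE = re.compile(
    r"snort(?:\[\d+\])?: .*?(?P<msg>Portscan detected from .*?)(?: \[Priority: \d+\])?$")
# samhain line, assumed shape:
#   samhain[312]: ALERT  :  [2003-05-16T04:56:51+0200] msg=<POLICY [ReadOnly] ...>, path=</etc/passwd>, ...
SAMHAIN_RE = re.compile(
    r"samhain(?:\[\d+\])?: (?P<sev>[A-Z]+)\s*:.*?POLICY \[(?P<policy>\w+)\].*?path=<(?P<path>[^>]+)>")
# pcds line, shape assumed from the report lines on the page.
PCDS_RE = re.compile(
    r"pcds(?:\[\d+\])?: (?P<msg>\d+ \S+\s+process running\. Not seen before\.)$")


def classify(line, report_type="short", portscan=True):
    """Return (priority, report_text) for one syslog line, or None when the
    line is not from snort/samhain/pcds (MySecRep skips such lines silently)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, host, rest = m.group("ts"), m.group("host"), m.group("rest")
    s = SNORT_RE.search(rest)
    if s:
        # Drop the rule-category prefix ("WEB-MISC ") so the line reads
        # "robots.txt access" as on the page; this prefix rule is an assumption.
        msg = re.sub(r"^[A-Z0-9-]+ ", "", s.group("msg"))
        text = (f"{ts} {msg} {s.group('proto')} {s.group('src')} => "
                f"{s.group('dst')} sid: {s.group('sid')}")
        if report_type == "long" and s.group("cls"):
            text += f" class: {s.group('cls')}"   # long report keeps the Classification
        return min(int(s.group("prio")), 3), text
    p = PORTSCAN_RE.search(rest)
    if p:
        return (PORTSCAN_PRIORITY, f"{ts} {p.group('msg')}") if portscan else None
    h = SAMHAIN_RE.search(rest)
    if h:
        prio = SAMHAIN_PRIORITY.get(h.group("sev"))   # info/notice/warn: not reported
        if prio is None:
            return None
        return prio, f"{ts} Host {host} reports policy {h.group('policy')} violated on {h.group('path')}"
    c = PCDS_RE.search(rest)
    if c:
        return PCDS_PRIORITY, f"{ts} Host {host} reports: {c.group('msg')}"
    return None


def classify_all(lines, report_type="short", portscan=True):
    """Map priority (1, 2, 3) -> list of report lines, in input order."""
    buckets = {1: [], 2: [], 3: []}
    for line in lines:
        hit = classify(line, report_type, portscan)
        if hit:
            buckets[hit[0]].append(hit[1])
    return buckets


def build_report(lines, infile, report_type="short", reverse=False, portscan=True):
    """Render the report in the layout shown in the page's Example section."""
    buckets = classify_all(lines, report_type, portscan)
    total = sum(len(v) for v in buckets.values())
    out = [f"These are the results found in {infile}", "",
           f"The total number of messages found is : {total}", ""]
    out += [f"Number of messages with Priority {p}: {len(buckets[p])}" for p in (1, 2, 3)]
    out.append(f"The logging-type is set to: {report_type}")
    for p in (1, 2, 3):
        out += ["", f"Found to be Priority {p}:", ""]
        out += buckets[p][::-1] if reverse else buckets[p]   # $reverse option
    return "\n".join(out) + "\n"


# Constructed sample input, not a real capture.  The sshd line shows a foreign
# message being ignored, the INFO line a samhain severity below err, and
# "Jun  7" the padded-day case.
SAMPLE_LOG = """\
May 16 04:04:08 devbox pcds[611]: 1 awk process running. Not seen before.
May 16 04:56:51 devbox samhain[312]: ALERT  :  [2003-05-16T04:56:51+0200] msg=<POLICY [ReadOnly] -----C--T->, path=</etc/mail/statistics>, mode_old=<-rw-r--r-->, mode_new=<-rw-r--r-->
May 16 08:51:14 devbox snort: [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 64.68.80.207:24760 -> 10.10.10.10:80
May 16 09:12:00 devbox snort: [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.44: 1 targets 21 ports in 3 seconds [Priority: 3]
May 16 10:00:00 devbox samhain[312]: INFO   :  [2003-05-16T10:00:00+0200] msg=<POLICY [IgnoreAll] -----C--T->, path=</tmp/scratch>
Jun  7 03:41:10 devbox samhain[312]: CRIT   :  [2003-06-07T03:41:10+0200] msg=<POLICY [LogFiles] ----C-S---->, path=</var/log/messages>
Jun  7 03:45:00 devbox sshd[900]: Accepted publickey for bart from 10.10.10.5 port 4000
"""

if __name__ == "__main__":
    print(build_report(SAMPLE_LOG.splitlines(), infile="(constructed sample)"))
```

Run it on a real rotated security.alert by replacing SAMPLE_LOG.splitlines() with the file's lines; anything the three regexes do not recognise is dropped, which is the same silent behaviour the page describes for tools you do not run, so keep an eye on the total against a plain line count when you first deploy it.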


Tuning

Within the header of the file you'll find several options, which are described there. As MySecRep is still under construction they are subject to change, so I will describe them here when finished.

Download

HA! The important part:
December 26, 2003: Version 0.8
MD5 from this version:  c402d8b4fa6be405861e9209016ea49d
Compare it with the output of md5sum on the downloaded file. As the sum is published on the same site as the download, it only catches a corrupted transfer, not a tampered one.

MySecRep.

Copyright


MySecRep is released under the GPL.


Example

This is an example with lots of messages in it. I'm glad it's not my production environment logging these things!

These are the results found in /home/bart/bin/security.alert

The total number of messages found is : 21

Number of messages with Priority 1: 2
Number of messages with Priority 2: 19
Number of messages with Priority 3: 0
The logging-type is set to: short

Found to be Priority 1:

May 16 04:56:51 Host devbox reports policy ReadOnly violated on /etc/mail/statistics
May 17 03:41:10 Host devbox reports policy ReadOnly violated on /etc/mail/statistics

Found to be Priority 2:

May 16 04:04:08 Host devbox reports: 1 awk  process running. Not seen before.
May 16 04:04:08 Host devbox reports: 1 rpm  process running. Not seen before.
May 16 04:04:08 Host devbox reports: 1 rpmq  process running. Not seen before.
May 16 04:04:08 Host devbox reports: 1 run-parts  process running. Not seen before.
May 16 08:51:14 robots.txt access TCP 64.68.80.207:24760 => 10.10.10.10:80 sid: 1852
May 16 13:34:02 Host devbox reports: 1 cleanup  process running. Not seen before.
May 16 13:34:02 Host devbox reports: 1 local  process running. Not seen before.
May 16 13:34:02 Host devbox reports: 1 smtpd  process running. Not seen before.
May 16 13:34:02 Host devbox reports: 1 trivial-rewrite  process running. Not seen before.
May 16 20:44:25 robots.txt access TCP 194.226.175.10:3396 => 10.10.10.10:80 sid: 1852
May 16 23:34:02 Host devbox reports: 1 cleanup  process running. Not seen before.
May 16 23:34:02 Host devbox reports: 1 local  process running. Not seen before.
May 16 23:34:02 Host devbox reports: 1 smtpd  process running. Not seen before.
May 16 23:34:02 Host devbox reports: 1 trivial-rewrite  process running. Not seen before.
May 17 00:43:34 robots.txt access TCP 64.68.82.39:30149 => 10.10.10.10:80 sid: 1852
May 17 01:34:03 Host devbox reports: 1 cleanup  process running. Not seen before.
May 17 01:34:03 Host devbox reports: 1 local  process running. Not seen before.
May 17 01:34:03 Host devbox reports: 1 smtpd  process running. Not seen before.
May 17 01:34:03 Host devbox reports: 1 trivial-rewrite  process running. Not seen before.

Found to be Priority 3: