The openbsm module is a dissection module: its purpose is to take an Orchids event, parse its last field (which should be a binary string, of type bstr) and return a refined Orchids event, with additional fields. Typically, the openbsm module is meant to dissect raw data coming from the udp module, parsing it as an OpenBSM record.
Configuration options
None.
Fields
OpenBSM records consist of a header, a list of tokens, and a trailer. Each contains one or several fields. The Orchids events returned by the openbsm module are a complete list of fields appearing in an OpenBSM record.

OPENBSM_OTHER_FILE32 header
Although OpenBSM defines 5 kinds of headers, the first four really are variants of each other. We start with OpenBSM records that have an OPENBSM_OTHER_FILE32 header (all constants are defined in $OCONF/rules/openbsm.h; the constant OPENBSM_OTHER_FILE32 is called AUT_OTHER_FILE32 in the OpenBSM specification). These merely specify a file name:
Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.kind | uint | | header kind (=OPENBSM_OTHER_FILE32 here) |
.openbsm.time | timeval | ✓ | time |
.openbsm.file | str | | file name |
OPENBSM_HEADER{32,64}(_EX)? headers
The usual OpenBSM records have a .openbsm.kind field taken among OPENBSM_HEADER32, OPENBSM_HEADER32_EX, OPENBSM_HEADER64, or OPENBSM_HEADER64_EX. (Those correspond to AUT_HEADER32, AUT_HEADER32_EX, AUT_HEADER64, and AUT_HEADER64_EX respectively in the OpenBSM specification.)
The OPENBSM_HEADER{32,64}_EX headers have an extra IP address field .openbsm.ip. This is always returned as an ipv6 value, even when the IP address is an IPv4 address. (Every IPv4 address embeds as an IPv6 address.)
The contents of the header will then be found under the following Orchids fields:
Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.kind | uint | | header kind (anything but OPENBSM_OTHER_FILE32 here) |
.openbsm.version | uint | | version |
.openbsm.type | uint | | type |
.openbsm.modifier | uint | | modifier |
.openbsm.time | timeval | ✓ | time |
.openbsm.ip | ipv6 | | IP address (if .openbsm.kind is of the form OPENBSM_HEADER{32,64}_EX) |
Additional fields are provided, depending on the tokens present in the OpenBSM record. They are listed by token kind below.

AUT_ARG32, AUT_ARG64 tokens:
There are at most 128 of these. Each one has a name and a value. There is no field stating how many arguments are present.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.argname1 | str | | argument name 1 |
.openbsm.arg1 | uint | | argument value 1 |
.openbsm.argname2 | str | | argument name 2 |
.openbsm.arg2 | uint | | argument value 2 |
… | | | |
.openbsm.argname128 | str | | argument name 128 |
.openbsm.arg128 | uint | | argument value 128 |

AUT_DATA tokens:
Arrays of 1, 2, 4 or 8-byte numbers, with formatting instructions. Since Orchids does not have arrays, and AUT_DATA tokens are meant to be printed anyway, such tokens are rendered as strings. E.g., an AUT_DATA token with two 1-byte entries (say, 7 and 11), specified to be printed in hex, would yield the Orchids string "0x7 0xb".

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.data | str | | raw data, printed as a string |

AUT_ATTR32, AUT_ATTR64 tokens:
Specifies file attributes.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.file_access_mode | uint | | file access mode |
.openbsm.owner_uid | uint | | owner user id |
.openbsm.owner_gid | uint | | owner group id |
.openbsm.fsid | uint | | file system id |
.openbsm.nid | uint | | node id |
.openbsm.dev | uint | | device id |

AUT_EXIT token:

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.exit_status | uint | | exit status |
.openbsm.exit_value | uint | | exit return value |

AUT_EXEC_ARGS token:
Arguments passed to execve() and related syscalls. There are at most 128 of these. The .openbsm.execarg_num field states how many there are.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.execarg_num | uint | | number of arguments to execve() |
.openbsm.execarg1 | uint | | exec argument value 1 |
.openbsm.execarg2 | uint | | exec argument value 2 |
… | | | |
.openbsm.execarg128 | uint | | exec argument value 128 |

AUT_EXEC_ENV token:
Environment variables passed to execve() and related syscalls. There are at most 128 of these. The .openbsm.execarg_num field states how many there are.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.execarg_num | uint | | number of arguments to execve() |
.openbsm.arg1 | str | | exec environment variable 1 |
.openbsm.arg2 | str | | exec environment variable 2 |
… | | | |
.openbsm.arg128 | str | | exec environment variable 128 |

AUT_NEWGROUPS token:
New groups created. There are at most 16 of these. The .openbsm.newgroups_num field states how many there are.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.newgroups_num | uint | | number of new groups |
.openbsm.newgroup1 | uint | | new group number 1 |
.openbsm.newgroup2 | uint | | new group number 2 |
… | | | |
.openbsm.newgroup16 | uint | | new group number 16 |

AUT_IN_ADDR token:
IPv4 address.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.inaddr | ipv4 | | IPv4 address |

AUT_IN_ADDR_EX token:
IPv4 or IPv6 address.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.inaddr6 | ipv6 | | IPv6 address, or IPv4 address encoded as IPv6 |

AUT_IP token:
Internet Protocol (IP) header contents.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.ip_version | uint | | version |
.openbsm.ip_tos | uint | | type of service |
.openbsm.ip_len | uint | | length |
.openbsm.ip_id | uint | | identifier |
.openbsm.ip_offset | uint | | offset |
.openbsm.ip_ttl | uint | | time to live |
.openbsm.ip_protocol | uint | | protocol |
.openbsm.ip_checksum | uint | | checksum |
.openbsm.ip_source | ipv4 | | source address |
.openbsm.ip_dest | ipv4 | | destination address |

AUT_IPC token:
Inter-process communication info.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.ipc_type | uint | | object type |
.openbsm.ipc_id | uint | | object identifier |

AUT_IPC_PERM token:
Inter-process communication permission info.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.ipcperm_uid | uint | | owner user id |
.openbsm.ipcperm_gid | uint | | owner group id |
.openbsm.ipcperm_puid | uint | | creator user id |
.openbsm.ipcperm_pgid | uint | | creator group id |
.openbsm.ipcperm_mode | uint | | access mode |
.openbsm.ipcperm_seq | uint | | slot sequence number |
.openbsm.ipcperm_key | uint | | key |

AUT_IPORT token:
IP port.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.iport | uint | | IP port |

AUT_OPAQUE token:
Opaque data. There is no way to do anything sensible with such data, I'm afraid, except pass it on.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.opaque | bstr | | opaque data |

AUT_PATH token:
Specifies a file or directory name passed as an argument to a command or system call.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.path | str | | file or directory name |

AUT_PROCESS{32,64}(_EX)? tokens:
A process and its various user and group ids.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.proc_auid | uint | | audit id |
.openbsm.proc_euid | uint | | effective user id |
.openbsm.proc_egid | uint | | effective group id |
.openbsm.proc_ruid | uint | | real user id |
.openbsm.proc_rgid | uint | | real group id |
.openbsm.proc_pid | uint | | process id |
.openbsm.proc_sid | uint | | session id |
.openbsm.proc_port | uint | | port id |
.openbsm.proc_addr | ipv6 | | machine id, as an IPv6 (or IPv4, encoded as IPv6) address |

AUT_SUBJECT{32,64}(_EX)? tokens:
A subject, with all its various user and group ids.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.subj_auid | uint | | audit id |
.openbsm.subj_euid | uint | | effective user id |
.openbsm.subj_egid | uint | | effective group id |
.openbsm.subj_ruid | uint | | real user id |
.openbsm.subj_rgid | uint | | real group id |
.openbsm.subj_pid | uint | | process id |
.openbsm.subj_sid | uint | | session id |
.openbsm.subj_port | uint | | port id |
.openbsm.subj_addr | ipv6 | | machine id, as an IPv6 (or IPv4, encoded as IPv6) address |

AUT_RETURN{32,64} tokens:
Return codes.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.return_status | uint | | return status |
.openbsm.return_value | uint | | return value |

AUT_SEQ token:
Sequence number.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.seqno | uint | | sequence number |

AUT_SOCKINET{32,128} tokens:
Internet socket (IPv4, resp. IPv6). The .openbsm.sock_family field is shared with the AUT_SOCKUNIX token.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.sock_family | uint | | socket family |
.openbsm.sock_port | uint | | socket local port |
.openbsm.sock_addr | ipv6 | | socket address |

AUT_SOCKUNIX token:
Unix (local) socket. The .openbsm.sock_family field is shared with the AUT_SOCKINET{32,128} tokens.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.sock_family | uint | | socket family |
.openbsm.sock_path | str | | name of the socket, as a local file |

AUT_SOCKET, AUT_SOCKET_EX tokens:
Socket. The .openbsm.socket_domain field is only present for AUT_SOCKET_EX tokens.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.socket_domain | uint | | domain (optional) |
.openbsm.socket_type | uint | | type |
.openbsm.socket_lport | uint | | local port |
.openbsm.socket_laddr | ipv6 | | IPv6 (or IPv4 encoded as IPv6) local address |
.openbsm.socket_rport | uint | | remote port |
.openbsm.socket_raddr | ipv6 | | IPv6 (or IPv4 encoded as IPv6) remote address |

AUT_TEXT token:
Text message.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.text | str | | text string |

AUT_ZONENAME token:
Zone name.

Field | Type | Mono? | Description |
---|---|---|---|
.openbsm.zonename | str | | zone name |
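To make the header/token/trailer structure and the field naming above concrete, here is an added example of a small dissector that walks one OpenBSM record and emits the .openbsm.* field names documented for the header, AUT_SUBJECT32, AUT_PATH, AUT_TEXT and AUT_RETURN32 tokens. It is not Orchids code and is not the openbsm module itself. The token ids and byte layouts are assumed from OpenBSM's audit_record.h rather than taken from this page; the IPv4-mapped ::ffff:a.b.c.d embedding for the ipv6 fields, the (seconds, microseconds) rendering of timeval, and a plain dict standing in for the Orchids event are likewise assumptions. The sample record is constructed, not captured from a live system.

```python
"""Added example: toy OpenBSM dissector producing Orchids-style field names.
Not Orchids code. Token ids and layouts assumed from OpenBSM audit_record.h."""
import struct
import ipaddress

# OpenBSM token ids (assumed from audit_record.h, not from the Orchids page).
AUT_OTHER_FILE32 = 0x11
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
TRAILER_MAGIC = 0xB105


def ipv4_as_ipv6(raw4: bytes) -> ipaddress.IPv6Address:
    """The page says IPv4 machine ids come back as ipv6 values; the
    IPv4-mapped form ::ffff:a.b.c.d is an assumed choice of embedding."""
    return ipaddress.IPv6Address(b"\x00" * 10 + b"\xff\xff" + raw4)


def _counted_string(record: bytes, pos: int) -> tuple:
    """2-byte big-endian length, then a NUL-terminated string (assumed layout)."""
    (n,) = struct.unpack_from(">H", record, pos)
    pos += 2
    raw = record[pos:pos + n]
    if len(raw) != n:
        raise ValueError("string token runs past end of record")
    return raw.rstrip(b"\0").decode("utf-8", "replace"), pos + n


def dissect(record: bytes) -> dict:
    """Return the .openbsm.* fields for one record, or raise on malformed input."""
    if not record:
        raise ValueError("empty record")
    fields = {}
    tok = record[0]
    if tok == AUT_OTHER_FILE32:
        # sec(4) msec(4), then a counted file name; this header kind has no trailer.
        sec, msec = struct.unpack_from(">II", record, 1)
        fields[".openbsm.kind"] = "OPENBSM_OTHER_FILE32"
        fields[".openbsm.time"] = (sec, msec * 1000)  # timeval as (sec, usec)
        fields[".openbsm.file"], _ = _counted_string(record, 9)
        return fields
    if tok != AUT_HEADER32:
        raise ValueError(f"unsupported header token 0x{tok:02x}")
    # size(4) version(1) event type(2) modifier(2) sec(4) msec(4) = 17 bytes after the id.
    size, version, etype, modifier, sec, msec = struct.unpack_from(">IBHHII", record, 1)
    if size != len(record):
        raise ValueError("header byte count does not match record length")
    fields.update({".openbsm.kind": "OPENBSM_HEADER32", ".openbsm.version": version,
                   ".openbsm.type": etype, ".openbsm.modifier": modifier,
                   ".openbsm.time": (sec, msec * 1000)})
    pos, saw_trailer = 18, False
    while pos < len(record):
        tok = record[pos]
        pos += 1
        if tok == AUT_SUBJECT32:
            # auid euid egid ruid rgid pid sid port (4 bytes each), then 4-byte machine address.
            vals = struct.unpack_from(">8I4s", record, pos)
            pos += 36
            for name, val in zip(("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port"), vals):
                fields[f".openbsm.subj_{name}"] = val
            fields[".openbsm.subj_addr"] = ipv4_as_ipv6(vals[8])
        elif tok == AUT_PATH:
            fields[".openbsm.path"], pos = _counted_string(record, pos)
        elif tok == AUT_TEXT:
            fields[".openbsm.text"], pos = _counted_string(record, pos)
        elif tok == AUT_RETURN32:
            status, value = struct.unpack_from(">BI", record, pos)  # errno(1) value(4)
            pos += 5
            fields[".openbsm.return_status"], fields[".openbsm.return_value"] = status, value
        elif tok == AUT_TRAILER:
            magic, count = struct.unpack_from(">HI", record, pos)
            pos += 6
            if magic != TRAILER_MAGIC or count != size:
                raise ValueError("trailer magic or byte count mismatch")
            saw_trailer = True
        else:
            raise ValueError(f"unknown token 0x{tok:02x} at offset {pos - 1}")
    if not saw_trailer:
        raise ValueError("record has no trailer")
    return fields


def build_sample_record() -> bytes:
    """Constructed sample (not from a real system): subject + path + return tokens."""
    body = bytes([AUT_SUBJECT32]) + struct.pack(
        ">8I4s", 1000, 1000, 1000, 1000, 1000, 4242, 7, 0, bytes([10, 0, 0, 5]))
    path = b"/usr/bin/id\0"
    body += bytes([AUT_PATH]) + struct.pack(">H", len(path)) + path
    body += bytes([AUT_RETURN32]) + struct.pack(">BI", 0, 0)
    total = 18 + len(body) + 7
    header = bytes([AUT_HEADER32]) + struct.pack(">IBHHII", total, 11, 23, 0, 1700000000, 123)
    return header + body + bytes([AUT_TRAILER]) + struct.pack(">HI", TRAILER_MAGIC, total)


def build_other_file_record() -> bytes:
    """Constructed AUT_OTHER_FILE32 record naming a (made-up) audit trail file."""
    name = b"/var/audit/current\0"
    return bytes([AUT_OTHER_FILE32]) + struct.pack(">IIH", 1700000000, 0, len(name)) + name


def is_well_formed(record: bytes) -> bool:
    """True if the record dissects cleanly; truncated or inconsistent input is rejected."""
    try:
        dissect(record)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    for key, val in dissect(build_sample_record()).items():
        print(f"{key} = {val}")
```

The length checks matter for a dissector fed from the udp module: the header byte count and trailer count are both verified against the actual buffer, so a truncated or padded datagram is rejected rather than silently producing a partial event. The test below also confirms that `.openbsm.subj_addr` carries the IPv4 machine id as an IPv4-mapped IPv6 value, matching the page's statement that such fields are always of type ipv6.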