The openbsm module | The Orchids IDS

The openbsm module is a dissection module: its purpose is to take an Orchids event, parse its last field (which should be a binary string, of type bstr) and return a refined Orchids events, with additional fields. Typically, the openbsm module is meant to dissect raw data coming from the udp module, parsing it as an OpenBSM record.

Configuration options

None.

Fields

OpenBSM records consist of a header, a list of tokens, and a trailer. Each contains one or several fields. The Orchids events returned by the openbsm module are a complete list of fields appearing in an OpenBSM record.

OPENBSM_OTHER_FILE32 header

Although OpenBSM defines 5 kinds of headers, the first four really are variants of each other. We start with OpenBSM records that have an OPENBSM_OTHER_FILE32 header (all constants are defined in $OCONF/rules/openbsm.h; the constant OPENBSM_OTHER_FILE32 is called AUT_OTHER_FILE32 in the OpenBSM specification). These merely specify a file name:

Field	Type	Mono?	Description
`.openbsm.kind`	`uint`		header kind (=`OPENBSM_OTHER_FILE32` here)
`.openbsm.time`	`timeval`	✓	time
`.openbsm.file`	`str`		file name

OPENBSM_HEADER{32,64}(_EX)? headers

The usual OpenBSM records have a .openbsm.kind field taken among OPENBSM_HEADER32, OPENBSM_HEADER32_EX, OPENBSM_HEADER64, or OPENBSM_HEADER64_EX. (Those correspond to AUT_HEADER32, AUT_HEADER32_EX, AUT_HEADER64, and AUT_HEADER64_EX respectively in the OpenBSM specification.)

The OPENBSM_HEADER{32,64}_EX headers have an extra IP address field .openbsm.ip. This is always returned as an ipv6 value, even when the IP address is an IPv4 address. (Every IPv4 address embeds as an IPv6 address.)

The contents of the header will then be found under the following Orchids fields:

Field	Type	Mono?	Description
`.openbsm.kind`	`uint`		header kind (anything but `OPENBSM_OTHER_FILE32` here)
`.openbsm.version`	`uint`		version
`.openbsm.type`	`uint`		type
`.openbsm.modifier`	`uint`		modifier
`.openbsm.time`	`timeval`	✓	time
`.openbsm.ip`	`ipv6`		IP address (if `.openbsm.kind` is of the form `OPENBSM_HEADER{32,64}_EX`)

Additional fields are provided, depending on the tokens present in the OpenBSM record. They are listed by token sort now.

AUT_ARG32, AUT_ARG64 tokens:
There are at most 128 of these. Each one has a name and a value. There is no field starting how many arguments are present.

Field	Type	Description
`.openbsm.argname1`	`str`	argument name 1
`.openbsm.arg1`	`uint`	argument value 1
`.openbsm.argname2`	`str`	argument name 2
`.openbsm.arg2`	`uint`	argument value 2
	…
`.openbsm.argname128`	`str`	argument name 128
`.openbsm.arg128`	`uint`	argument value 128

AUT_DATA tokens:
Arrays of 1, 2, 4 or 8-byte numbers, with formatting instructions. Since Orchids does not have arrays, and AUT_DATA tokens are meant to be printed anyway, such tokens are rendered as strings. E.g., a AUT_DATA token with two 1-byte entries (say, 7 and 11), specified to be printed in hex, would yield the Orchids string "0x7 0xb".

Field Type Mono? Description

.openbsm.data str raw data, printed as a string

Field	Type	Mono?	Description
`.openbsm.data`	`str`		raw data, printed as a string

AUT_ATTR32, AUT_ATTR64 tokens:
Specifies file attributes.

Field	Type	Description
`.openbsm.file_access_mode`	`uint`	file access mode
`.openbsm.owner_uid`	`uint`	owner user id
`.openbsm.owner_gid`	`uint`	owner group id
`.openbsm.fsid`	`uint`	file system id
`.openbsm.nid`	`uint`	node id
`.openbsm.dev`	`uint`	device id

AUT_EXIT token:

Field Type Mono? Description

.openbsm.exit_status uint exit status

.openbsm.exit_value uint exit return value

Field	Type	Mono?	Description
`.openbsm.exit_status`	`uint`		exit status
`.openbsm.exit_value`	`uint`		exit return value

AUT_EXEC_ARGS token:
Arguments passed to execve() and related syscalls.
There are at most 128 of these. The .openbsm.execarg_num field states how much there are.

Field	Type	Description
`.bsm.execarg_num`	`uint`	number of arguments to `execve()`
`.openbsm.execarg1`	`uint`	exec argument value 1
`.openbsm.execarg2`	`uint`	exec argument value 2
	…
`.openbsm.execarg128`	`uint`	exec argument value 128

AUT_EXEC_ENV token:
Environment variables passed to execve() and related syscalls.
There are at most 128 of these. The .openbsm.execarg_num field states how much there are.

Field	Type	Description
`.bsm.execarg_num`	`uint`	number of arguments to `execve()`
`.openbsm.arg1`	`str`	exec environment variable 1
`.openbsm.arg2`	`str`	exec environment variable 2
	…
`.openbsm.arg128`	`str`	exec environment variable 128

AUT_NEWGROUPS token:
New groups created. There are at most 16 of these. The .openbsm.newgroups_num field states how much there are.

Field	Type	Description
`.bsm.newgroups_num`	`uint`	number of new groups
`.openbsm.newgroup1`	`uint`	new group number 1
`.openbsm.newgroup2`	`uint`	new group number 2
	…
`.openbsm.newgroup16`	`uint`	new group number 16

AUT_IN_ADDR token:
IPv4 address.

Field Type Mono? Description

.openbsm.inaddr ipv4 IPv4 address
AUT_IN_ADDR_EX token:
IPv4 or IPv6 address.

Field Type Mono? Description

.openbsm.inaddr6 ipv6 IPv6 address, or IPv4 address encoded as IPv6

Field	Type	Mono?	Description
`.openbsm.inaddr`	`ipv4`		IPv4 address

Field	Type	Mono?	Description
`.openbsm.inaddr6`	`ipv6`		IPv6 address, or IPv4 address encoded as IPv6

AUT_IP token:
Internet Protocol (IP) header contents.

Field	Type	Description
`.openbsm.ip_version`	`uint`	version
`.openbsm.ip_tos`	`uint`	type of service
`.openbsm.ip_len`	`uint`	length
`.openbsm.ip_id`	`uint`	identifier
`.openbsm.ip_offset`	`uint`	offset
`.openbsm.ip_ttl`	`uint`	time to live
`.openbsm.ip_protocol`	`uint`	protocol
`.openbsm.ip_checksum`	`uint`	checksum
`.openbsm.ip_source`	`ipv4`	source address
`.openbsm.ip_dest`	`ipv4`	destination address

AUT_IPC token:
Inter-process communication info.

Field Type Mono? Description

.openbsm.ipc_type uint object type

.openbsm.ipc_id uint object identifier

Field	Type	Mono?	Description
`.openbsm.ipc_type`	`uint`		object type
`.openbsm.ipc_id`	`uint`		object identifier

AUT_IPC_PERM token:
Inter-process communication permission info.

Field	Type	Description
`.openbsm.ipcperm_uid`	`uint`	owner user id
`.openbsm.ipcperm_gid`	`uint`	owner group id
`.openbsm.ipcperm_puid`	`uint`	creator user id
`.openbsm.ipcperm_pgid`	`uint`	creator group id
`.openbsm.ipcperm_mode`	`uint`	access mode
`.openbsm.ipcperm_seq`	`uint`	slot sequence number
`.openbsm.ipcperm_key`	`uint`	key

AUT_IPORT token:
IP port.

Field Type Mono? Description

.openbsm.iport uint IP port
AUT_OPAQUE token:
Opaque data. There is no way to do anything sensible with such data, I’m afraid, except pass it on.

Field Type Mono? Description

.openbsm.opaque bstr opaque data
AUT_PATH token:
Specifies a file or directory name passed as an argument to a command or system call.

Field Type Mono? Description

.openbsm.path str file or directory name

Field	Type	Mono?	Description
`.openbsm.iport`	`uint`		IP port

Field	Type	Mono?	Description
`.openbsm.opaque`	`bstr`		opaque data

Field	Type	Mono?	Description
`.openbsm.path`	`str`		file or directory name

AUT_PROCESS{32,64}(_EX)? tokens:
A process and its various user and group ids.

Field	Type	Description
`.openbsm.proc_auid`	`uint`	audit id
`.openbsm.proc_euid`	`uint`	effective user id
`.openbsm.proc_egid`	`uint`	effective group id
`.openbsm.proc_ruid`	`uint`	real user id
`.openbsm.proc_rgid`	`uint`	real group id
`.openbsm.proc_pid`	`uint`	process id
`.openbsm.proc_sid`	`uint`	session id
`.openbsm.proc_port`	`uint`	port id
`.openbsm.proc_addr`	`ipv6`	machine id, as an IPv6 (or IPv4, encoded as IPv6) address

AUT_SUBJECT{32,64}(_EX)? tokens:
A subject, with all its various user and group ids.

Field	Type	Description
`.openbsm.subj_auid`	`uint`	audit id
`.openbsm.subj_euid`	`uint`	effective user id
`.openbsm.subj_egid`	`uint`	effective group id
`.openbsm.subj_ruid`	`uint`	real user id
`.openbsm.subj_rgid`	`uint`	real group id
`.openbsm.subj_pid`	`uint`	process id
`.openbsm.subj_sid`	`uint`	session id
`.openbsm.subj_port`	`uint`	port id
`.openbsm.subj_addr`	`ipv6`	machine id, as an IPv6 (or IPv4, encoded as IPv6) address

AUT_RETURN{32,64} tokens:
Return codes.

Field Type Mono? Description

.openbsm.return_status uint return status

.openbsm.return_value uint return value
AUT_SEQ token:
Sequence number.

Field Type Mono? Description

.openbsm.seqno uint sequence number
AUT_SOCKINET{32,128} tokens:
Internet socket (IPv4, resp. IPv6). The .openbsm.sock_family field is shared with the AUT_SOCKUNIX token.

Field Type Mono? Description

.openbsm.sock_family uint socket family

.openbsm.sock_port uint socket local port

.openbsm.sock_addr ipv6 socket address
AUT_SOCKUNIX token:
Unix (local) socket. The .openbsm.sock_family field is shared with the AUT_SOCKINT{32,128} tokens.

Field Type Mono? Description

.openbsm.sock_family uint socket family

.openbsm.sock_path str name of the socket, as a local file

Field	Type	Mono?	Description
`.openbsm.return_status`	`uint`		return status
`.openbsm.return_value`	`uint`		return value

Field	Type	Mono?	Description
`.openbsm.seqno`	`uint`		sequence number

Field	Type	Description
`.openbsm.sock_family`	`uint`	socket family
`.openbsm.sock_port`	`uint`	socket local port
`.openbsm.sock_addr`	`ipv6`	socket address

Field	Type	Mono?	Description
`.openbsm.sock_family`	`uint`		socket family
`.openbsm.sock_path`	`str`		name of the socket, as a local file

AUT_SOCKET, AUT_SOCKET_EX tokens:
Socket. The .openbsm.socket_domain is only present for AUT_SOCKET_EX tokens.

Field	Type	Description
`.openbsm.socket_domain`	`uint`	domain (optional)
`.openbsm.socket_type`	`uint`	type
`.openbsm.socket_lport`	`uint`	local port
`.openbsm.socket_laddr`	`ipv6`	IPv6 (or IPv4 encoded as IPv6) local address
`.openbsm.socket_rport`	`uint`	remote port
`.openbsm.socket_raddr`	`ipv6`	IPv6 (or IPv4 encoded as IPv6) remote address

AUT_TEXT token:
Text message.

Field Type Mono? Description

.openbsm.text str text string
AUT_ZONENAME token:
Zone name.

Field Type Mono? Description

.openbsm.zonename str zone name