So basically what you're doing is looking for INFO logs and then matching 
the log content and not the actual log ID? Interesting. My general rule 
workflow is this: 
If OS=WINDOWS, then if TYPE=ERROR/INFO/WARN/etc, then if EVENTID=x, then 
create alert with LEVEL=y.

Types can be referenced in <ossec-dir>/rules/msauth_rules.xml, with 18101 
being informational. Also, check out 
http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf

My basic PowerShell rule looks like the following:

<!-- BEGIN "Windows PowerShell.evtx" Rules -->
<!-- OSSEC only loads rules that sit inside a <group>; the name is a free-form tag list -->
<group name="powershell,">
  <rule id="104010" level="7">
    <!-- child of 18101: only Windows informational events reach this rule -->
    <if_sid>18101</if_sid>
    <!-- <id> is a regex over the decoded Windows event ID -->
    <id>^400$|^403$</id>
    <!-- <match> is a substring test on the log body; element names are lowercase -->
    <match>PowerShell</match>
    <description>PowerShell Started/Stopped.</description>
    <info>From "Windows PowerShell.evtx"</info>
  </rule>
</group>
<!-- END "Windows PowerShell.evtx" Rules -->


On Wednesday, December 2, 2015 at 4:02:25 PM UTC-5, Phillipa Moorea wrote:
>
> Thanks for all the help from you (Santiago), from dan, some other posts on 
> here, github repository issues, a book I bought on ossec for $10, and the 
> work of the OSSEC developers that made the 2.8.3 update, and of course the 
> people in the AlienVault Labs!
>
> I was now able to get the alerts working.  I analyzed the PowerShell logs 
> and changed my rules a bit.  Here is what I changed it to:
>
> <group name="powershell,">
>   <rule id="100210" level="0">
>     <if_sid>18100,18101</if_sid>
>     <match>CommandType=Script</match>
>     <description>Powershell Script.</description>
>   </rule>
>   <rule id="100211" level="0">
>     <if_sid>18100,18101</if_sid>
>     <match>CommandType=Cmdlet</match>
>     <description>Powershell Command.</description>
>   </rule>
>   <rule id="100212" level="0">
>     <if_sid>18100,18101</if_sid>
>     <match>CommandType=Function</match>
>     <description>Powershell Function.</description>
>   </rule>  
>   <rule id="100213" level="2">
>     <if_sid>100210</if_sid>
>     <match>NewCommandState=Started</match>
>     <description>Powershell Script (500-Started).</description>
>   </rule>
>   <rule id="100214" level="2">
>     <if_sid>100210</if_sid>
>     <match>NewCommandState=Stopped</match>
>     <description>Powershell Script (501-Stopped).</description>
>   </rule>  
>   <rule id="100215" level="2">
>     <if_sid>100211</if_sid>
>     <match>NewCommandState=Started</match>
>     <description>Powershell Command (500-Started).</description>
>   </rule>
>   <rule id="100216" level="2">
>     <if_sid>100211</if_sid>
>     <match>NewCommandState=Stopped</match>
>     <description>Powershell Command (501-Stopped).</description>
>   </rule>  
>   <rule id="100217" level="2">
>     <if_sid>100212</if_sid>
>     <match>NewCommandState=Started</match>
>     <description>Powershell Function (500-Started).</description>
>   </rule>
> ...
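As an added illustration (not code from the thread and not OSSEC's own code), the following Python model shows how analysisd's `<if_sid>` tree treats the two rule styles discussed above: the event-ID based rule 104010 (`<id>` plus `<match>`) and the quoted content-based rules 1002xx (`<match>` on `CommandType=` / `NewCommandState=`). The `Event` and `Rule` classes, the `evaluate`/`alert` functions, the single status check standing in for the msauth_rules.xml type rules, and the sample log bodies are all assumptions or constructed for the example; only the rule ids, levels, `if_sid` links and match strings come from the posts.

```python
"""Toy model of OSSEC rule chaining (added example, not OSSEC code).

The msauth_rules.xml type rules are reduced to one status check, which is an
assumption; in OSSEC the decoders and rule files define the real behaviour.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Event:
    """A Windows event as the windows decoder would hand it to the rules."""
    status: str    # decoded event type, e.g. "INFORMATION" or "WARNING"
    event_id: str  # decoded event ID as a string, e.g. "400"
    log: str       # message body that <match> is applied to


@dataclass
class Rule:
    sid: int
    level: int
    description: str
    if_sid: Tuple[int, ...] = ()    # parents; one must already have matched
    id_regex: Optional[str] = None  # <id>: regex over the decoded event ID
    match: Optional[str] = None     # <match>: substring test on the log body
    status: Optional[str] = None    # stand-in for the msauth type rules


RULES = [
    # Base rules: 18100 groups windows-decoded events, 18101 is the
    # informational type (the thread's reading of msauth_rules.xml).
    Rule(18100, 0, "Group of windows rules."),
    Rule(18101, 0, "Windows informational event.", if_sid=(18100,), status="INFORMATION"),
    # Poster's rule: gate on event IDs 400/403, then on the word PowerShell.
    Rule(104010, 7, "PowerShell Started/Stopped.", if_sid=(18101,),
         id_regex=r"^400$|^403$", match="PowerShell"),
    # Quoted rules: classify by content at level 0, alert via child rules.
    Rule(100210, 0, "Powershell Script.", if_sid=(18100, 18101), match="CommandType=Script"),
    Rule(100211, 0, "Powershell Command.", if_sid=(18100, 18101), match="CommandType=Cmdlet"),
    Rule(100212, 0, "Powershell Function.", if_sid=(18100, 18101), match="CommandType=Function"),
    Rule(100213, 2, "Powershell Script (500-Started).", if_sid=(100210,), match="NewCommandState=Started"),
    Rule(100214, 2, "Powershell Script (501-Stopped).", if_sid=(100210,), match="NewCommandState=Stopped"),
    Rule(100215, 2, "Powershell Command (500-Started).", if_sid=(100211,), match="NewCommandState=Started"),
    Rule(100216, 2, "Powershell Command (501-Stopped).", if_sid=(100211,), match="NewCommandState=Stopped"),
    Rule(100217, 2, "Powershell Function (500-Started).", if_sid=(100212,), match="NewCommandState=Started"),
]


def _hits(rule: Rule, ev: Event) -> bool:
    """Every condition present on a rule must hold for the rule to match."""
    if rule.status is not None and rule.status != ev.status:
        return False
    if rule.id_regex is not None and not re.search(rule.id_regex, ev.event_id):
        return False
    if rule.match is not None and rule.match not in ev.log:
        return False
    return True


def evaluate(ev: Event, parent: Optional[Rule] = None) -> Optional[Rule]:
    """Return the deepest matching rule.

    Top-level rules (no if_sid) are tried first; after a hit only that rule's
    children are tried, and the deepest hit wins.  A matched parent stays the
    result when none of its children match.
    """
    if parent is None:
        candidates = [r for r in RULES if not r.if_sid]
    else:
        candidates = [r for r in RULES if parent.sid in r.if_sid]
    for rule in candidates:
        if _hits(rule, ev):
            deeper = evaluate(ev, rule)
            return deeper if deeper is not None else rule
    return None


def alert(ev: Event) -> Optional[Tuple[int, int]]:
    """(rule id, level) for events that alert; level 0 rules stay silent."""
    rule = evaluate(ev)
    if rule is None or rule.level == 0:
        return None
    return rule.sid, rule.level


# Constructed sample events, not real captures; bodies are shortened.
ENGINE_START = Event("INFORMATION", "400",
                     "Engine state is changed from None to Available. "
                     "HostName=ConsoleHost HostApplication=PowerShell")
SCRIPT_START = Event("INFORMATION", "500",
                     "Command \"run.ps1\" is Started. CommandType=Script "
                     "NewCommandState=Started")
CMDLET_STOP = Event("INFORMATION", "501",
                    "Command \"Get-Process\" is Stopped. CommandType=Cmdlet "
                    "NewCommandState=Stopped")
WARN_400 = Event("WARNING", "400", "HostApplication=PowerShell")  # not informational


if __name__ == "__main__":
    for ev in (ENGINE_START, SCRIPT_START, CMDLET_STOP, WARN_400):
        print(ev.event_id, ev.status, "->", alert(ev))
```

Running it shows the two styles side by side: the 400 engine event fires 104010 at level 7 through the `<id>` gate, the 500/501 command events land on the level-2 children of the level-0 classifier rules, and a warning-type event with the same body never gets past 18100 because it is not informational, so nothing alerts.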
