On Mon, Aug 1, 2016 at 9:11 AM, Craig <chmitch...@gmail.com> wrote:
> So, interesting. I guess that is my question. In my testing (using 2.9RC2),
> the decoder below won't recognize the log entry unless I keep the header
> from archives.log (you can see the output in my post above). If I remove the
> header, the decoder doesn't work. What version were you running with your
> testing of my log entry?
> <decoder name="Sysmon-EventID#1">
>   <type>windows</type>
>   <prematch>INFORMATION\(1\)</prematch>
>   <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
>   <order>status,user,url,data</order>
> </decoder>
>
>

Try this: https://github.com/ossec/ossec-hids/pull/880

>
> On Monday, August 1, 2016 at 2:50:22 AM UTC-5, Jesus Linares wrote:
>>
>> It seems the output of ossec-logtest is cut in the previous post. I paste
>> it here again:
>>
>>
>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY:
>> Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846
>> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image:
>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>> {67C360F4-1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId:
>> 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
>> C:\Windows\Explorer.EXE
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2016 Jul 29 22:32:24 WinEvtLog:
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
>> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid:
>> {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image:
>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>> {67C360F4-1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId:
>> 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
>> C:\Windows\Explorer.EXE'
>>        hostname: 'ip-10-0-0-10'
>>        program_name: '(null)'
>>        log: '2016 Jul 29 22:32:24 WinEvtLog:
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
>> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid:
>> {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image:
>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>> {67C360F4-1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId:
>> 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
>> C:\Windows\Explorer.EXE'
>>
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'C:\Users\administrator\Desktop\svchost.exe'
>>        dstuser: 'HACKME\Administrator'
>>        url: 'C019D10F80409FC4C7D45EBFA48B0076'
>>        extra_data: 'C:\Windows\explorer.exe'
>>
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '184666'
>>        Level: '12'
>>        Description: 'Sysmon - Suspicious Process - svchost.exe'
>>
>> You can find decoders for all sysmon events here.
>>
>> Regards.
>>
>> On Monday, August 1, 2016 at 9:46:31 AM UTC+2, Jesus Linares wrote:
>>>
>>> Hi Craig,
>>>
>>> the raw event is:
>>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY:
>>> Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846
>>> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image:
>>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>>> {67C360F4-1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId:
>>> 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
>>> C:\Windows\Explorer.EXE
>>>
>>> but, OSSEC adds a header in archives.log:
>>>
>>> 2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog 2016 Jul 29
>>> 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
>>> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid:
>>> {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image:
>>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>>> {67C360F4-1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId:
>>> 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
>>> C:\Windows\Explorer.EXE
>>>
>>>
>>> So, you must always use ossec-logtest without headers:
>>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY:
>>> Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846
>>> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image:
>>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>>> {67C360F4-1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId:
>>> 3056
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

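As an added example (not code from the thread, nor from the pull request linked above), here is a Python stand-in for the two steps the thread turns on: strip the header OSSEC prepends to events in archives.log, then pull the Sysmon event ID 1 fields that the posted decoder names. The header pattern, the WinEvtLog prefix check and the field regex are my own Python approximations rather than OSSEC's regex dialect, and the archives.log line is a constructed copy of the one quoted in the thread.

```python
import re

# OSSEC archives.log header (timestamp, agent name, "ip->location") as quoted
# in the thread; the raw event, with its own timestamp, follows it.
ARCHIVE_HEADER = re.compile(r"^\d{4} \w{3} \d\d \d\d:\d\d:\d\d \([^)]*\) \S+->\S+ ")

# ossec-logtest needs the event to start with its timestamp and "WinEvtLog:",
# as the agent sent it; the archives.log header is exactly what breaks this.
WINEVT_PREFIX = re.compile(r"^\d{4} \w{3} \d\d \d\d:\d\d:\d\d WinEvtLog: ")

# Python approximation of the thread's decoder (assumption, not its exact regex):
# prematch on INFORMATION(1), capture Image, User, MD5 and ParentImage under the
# names ossec-logtest printed for the "user" and "data" fields (dstuser, extra_data).
SYSMON_EVENT1 = re.compile(
    r"INFORMATION\(1\).*?Image: (?P<status>.*?)\s+CommandLine: .*?"
    r"User: (?P<dstuser>.*?)\s+LogonGuid: .*?"
    r"Hashes: MD5=(?P<url>[0-9A-F]+).*?"
    r"ParentImage: (?P<extra_data>.*?)\s+ParentCommandLine:")


def strip_archives_header(line):
    """Remove the archives.log header so the line reads as the agent sent it."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def decode_sysmon_event1(event):
    """Return the four decoded fields, or None if the event does not decode."""
    if not WINEVT_PREFIX.match(event):
        return None
    m = SYSMON_EVENT1.search(event)
    return m.groupdict() if m else None


# Constructed copy of the archives.log line quoted in the thread.
ARCHIVED = (
    "2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog "
    "2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: "
    "INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: "
    "Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  "
    "ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  "
    "Image: C:\\Users\\administrator\\Desktop\\svchost.exe  "
    "CommandLine: \"C:\\Users\\administrator\\Desktop\\svchost.exe\"   "
    "CurrentDirectory: C:\\Users\\administrator\\Desktop\\  "
    "User: HACKME\\Administrator  LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600}  "
    "LogonId: 0x6bc6b  TerminalSessionId: 1  IntegrityLevel: High  "
    "Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  "
    "ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId: 3056  "
    "ParentImage: C:\\Windows\\explorer.exe  ParentCommandLine: C:\\Windows\\Explorer.EXE")

if __name__ == "__main__":
    print(decode_sysmon_event1(ARCHIVED))                         # None: header in the way
    print(decode_sysmon_event1(strip_archives_header(ARCHIVED)))  # the four fields
```

Feeding the line with its header returns None, mirroring the failure described in the thread; after stripping it, the four fields come back with the same values ossec-logtest printed in Phase 2.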