On Thu, Mar 2, 2017 at 1:01 AM, InfoSec <gjahc...@compucenter.org> wrote:
> In the Wazuh fork, dynamic decoders are an outstanding idea. It allows
> unprecedented visualization capabilities in the security console *without*
> having to resort to further parsing tricks at ingestion time. It is all done
> in OSSEC.
>
> Dynamic decoders enable unprecedented normalization of events. Dynamic
> variables + dynamic decoders would tremendously boost OSSEC's host intrusion
> detection capabilities, enabling modeling of attack scenarios that were
> previously unthinkable in stock OSSEC.
>
> The above examples are a very basic illustration of the endless threat
> scenario modeling possibilities that dynamic variables would add to Wazuh
> fork of OSSEC.
>
> By the way, legitimate user names and domain names in Windows may contain
> spaces. System events have "NT Authority" as domain name. The out-of-the-box
> dynamic decoders fail and only picks up "NT" in the case of "NT Authority"
> domain. Ditto for user names that contain spaces.
>
> The following work in case user name or domain contain spaces:
>
> <regex>Account Name:\s\s+(\w\.+)\s\s+Account Domain:</regex>
>
> and for domain names:
>
> <regex>Account Domain:\s\s+(\w\.+)\s\s+Logon ID:</regex>
>

I've submitted a PR with these changes, thanks!
https://github.com/ossec/ossec-hids/pull/1080

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to