On Thu, Mar 2, 2017 at 1:01 AM, InfoSec <gjahc...@compucenter.org> wrote:
> In the Wazuh fork, dynamic decoders are an outstanding idea. They allow
> unprecedented visualization capabilities in the security console *without*
> having to resort to further parsing tricks at ingestion time. It is all done
> in OSSEC.
>
> Dynamic decoders enable unprecedented normalization of events. Dynamic
> variables + dynamic decoders would tremendously boost OSSEC's host intrusion
> detection capabilities, enabling modeling of attack scenarios that were
> previously unthinkable in stock OSSEC.
>
> The above examples are a very basic illustration of the endless threat
> scenario modeling possibilities that dynamic variables would add to the Wazuh
> fork of OSSEC.
>
> By the way, legitimate user names and domain names in Windows may contain
> spaces. System events have "NT Authority" as domain name. The out-of-the-box
> dynamic decoders fail and only pick up "NT" in the case of the "NT Authority"
> domain. Ditto for user names that contain spaces.
>
> The following work in case the user name or domain contains spaces:
>
> <regex>Account Name:\s\s+(\w\.+)\s\s+Account Domain:</regex>
>
> and for domain names:
>
> <regex>Account Domain:\s\s+(\w\.+)\s\s+Logon ID:</regex>
>
I've submitted a PR with these changes, thanks! https://github.com/ossec/ossec-hids/pull/1080

> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
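As an added illustration of the point raised in the quoted message (this is not code from the thread, from OSSEC or from Wazuh), the following Python script runs the two space-tolerant patterns against constructed Windows logon event text and contrasts them with a single-word capture that stops at the first space. The OSSEC regex dialect is translated to Python here on the assumption that OSSEC's "\w" is the class A-Z a-z 0-9 - @ _, "\." is any character and "\s" is a space; the sample event lines, the delimiter convention (two or more spaces between fields) and the "naive" pattern used for contrast are all assumptions made for the example.

```python
import re

# Constructed sample lines (not real logs): the "New Logon" section of a
# Windows Security event 4624, flattened onto one line. Field labels and
# values are separated by two or more spaces; values contain at most one
# space in a row. This delimiter convention is an assumption of the example.
SAMPLE_EVENTS = [
    "Security ID:  S-1-5-18  Account Name:  SYSTEM  "
    "Account Domain:  NT AUTHORITY  Logon ID:  0x3e7",
    "Security ID:  S-1-5-21-1-2-3-1001  Account Name:  John Smith  "
    "Account Domain:  CORP  Logon ID:  0x1a2b3",
    "Security ID:  S-1-5-21-1-2-3-1002  Account Name:  svc_backup  "
    "Account Domain:  corp.example.com  Logon ID:  0x4c5d6",
]

# Python translation of the OSSEC patterns from the message (assumed
# mapping: OSSEC "\w" -> [A-Za-z0-9@_-], "\." -> any character, "\s" -> a
# space). The capture must start with a word character, may then contain
# anything (including single spaces), and ends at the run of two or more
# spaces that precedes the next field label. Non-greedy ".+?" makes the
# capture stop at the first following label rather than the last one.
OSSEC_WORD = r"[A-Za-z0-9@_\-]"
NAME_RE = re.compile(
    r"Account Name:\s\s+(" + OSSEC_WORD + r".+?)\s\s+Account Domain:")
DOMAIN_RE = re.compile(
    r"Account Domain:\s\s+(" + OSSEC_WORD + r".+?)\s\s+Logon ID:")

# Contrast pattern illustrating the failure mode described in the message:
# a capture made of one run of word characters stops at the first space.
# This is constructed for the example, not the text of any shipped decoder.
NAIVE_NAME_RE = re.compile(r"Account Name:\s+(" + OSSEC_WORD + r"+)")
NAIVE_DOMAIN_RE = re.compile(r"Account Domain:\s+(" + OSSEC_WORD + r"+)")


def _extract(pattern, line):
    """Return the first capture group of pattern in line, or None."""
    match = pattern.search(line)
    return match.group(1) if match else None


def decode_logon(line):
    """Decode account name and domain with the space-tolerant patterns."""
    return {
        "account_name": _extract(NAME_RE, line),
        "account_domain": _extract(DOMAIN_RE, line),
    }


def decode_logon_naive(line):
    """Decode with the single-word captures, for comparison."""
    return {
        "account_name": _extract(NAIVE_NAME_RE, line),
        "account_domain": _extract(NAIVE_DOMAIN_RE, line),
    }


def value_fits_delimiter(value):
    """Check the assumption the space-tolerant patterns rely on: a value
    must never contain two consecutive spaces, or it would be read as the
    end of the field."""
    return value is not None and "  " not in value


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        tolerant = decode_logon(line)
        naive = decode_logon_naive(line)
        print("space-tolerant:", tolerant)
        print("single-word:   ", naive)
        print()
```

Two caveats a practitioner should keep in mind when adopting the patterns: both captures require at least two characters (a word character followed by one or more of anything), so a one-character account name or domain would not match, and the closing `\s\s+` delimiter only works while the value itself never contains two consecutive spaces, which `value_fits_delimiter` checks for the sample values.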