I solved my problem with this solution:

https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification


<decoder name="windows">
        <type>windows</type>
        <prematch>^WinEvtLog: </prematch>
</decoder>

<decoder name="windows-default">
        <parent>windows</parent>
        <type>windows</type>
        <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
        <regex>(\.+): \.+: (\S+): </regex>
        <order>status, id, extra_data, srcuser, system_name</order>
        <fts>name, location, user, system_name</fts>
</decoder>
<!--
        And adding some IP/name extractions
-->
<decoder name="windows-default">
        <parent>windows</parent>
        <type>windows</type>
        <regex offset="after_parent">Client Address:\s*\t*(\d+.\d+.\d+.\d+)</regex>
        <order>srcip</order>
</decoder>


I'm trying another solution, but this one doesn't parse well:

<decoder name="windows-675">
        <type>windows</type>
        <parent>windows</parent>
        <prematch offset="after_parent">^\.+: (\w+)\((675)\):</prematch>
        <regex offset="after_parent">^\.+: (\w+)\((675)\): \.+: \.+: \.+: (\S+): \.+: \.+: (\S+)</regex>
        <order>status, id, system_name, srcuser</order>
</decoder>
<decoder name="windows-675">
        <type>windows</type>
        <parent>windows</parent>
        <regex offset="after_parent">Client Address: (\d+.\d+.\d+.\d+)</regex>
        <order>srcip</order>
</decoder>

On Thursday, March 2, 2017 at 19:58:30 (UTC+1), dan (ddpbsd) wrote:
>
> It continues to work with a fresh install of MASTER 
> **Phase 1: Completed pre-decoding. 
>        full event: 'Mar  2 17:36:50 ossec-test2 WinEvtLog: Security: 
> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): 
> no domain: WK034.dom.com: The Windows Filtering Platform blocked a 
> packet. Application Information: Process ID: 0 Application Name: - 
> Network Information: Direction: %%14592 Source Address: 10.20.10.55 
> Source Port: 55666 Destination Address: 255.255.255.255 Destination 
> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 
> Layer Name: %%14597 Layer Run-Time ID: 13' 
>        hostname: 'ossec-test2' 
>        program_name: 'WinEvtLog' 
>        log: 'Security: AUDIT_FAILURE(5152): 
> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> WK034.dom.com: The Windows Filtering Platform blocked a packet. 
> Application Information: Process ID: 0 Application Name: - Network 
> Information: Direction: %%14592 Source Address: 10.20.10.55 Source 
> Port: 55666 Destination Address: 255.255.255.255 Destination Port: 
> 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer 
> Name: %%14597 Layer Run-Time ID: 13' 
>
> **Phase 2: Completed decoding. 
>        decoder: 'windows' 
>        status: 'AUDIT_FAILURE' 
>        id: '5152' 
>        extra_data: 'Microsoft-Windows-Security-Auditing' 
>        dstuser: '(no user)' 
>        system_name: 'WK034.dom.com' 
>        srcip: '10.20.10.55' 
>
> **Phase 3: Completed filtering (rules). 
>        Rule id: '18105' 
>        Level: '4' 
>        Description: 'Windows audit failure event.' 
> **Alert to be generated. 
>
> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) <ddp...@gmail.com> wrote: 
> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro <hfba...@gmail.com> wrote: 
> >> Thanks. 
> >> But it doesn't work. It only decodes the srcip field. Attached is the output: 
> >> 
> >> **Phase 1: Completed pre-decoding. 
> >>        full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
> >> Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: 
> >> The Windows Filtering Platform blocked a packet. Application Information: 
> >> Process ID: 0 Application Name: - Network Information: Direction: %%14592 
> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: 
> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' 
> >>        hostname: 'USMCyberRange' 
> >>        program_name: '(null)' 
> >>        log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
> >> Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: The 
> >> Windows Filtering Platform blocked a packet. Application Information: 
> >> Process ID: 0 Application Name: - Network Information: Direction: %%14592 
> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: 
> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' 
> >> 
> >> **Phase 2: Completed decoding. 
> >>        decoder: 'windows' 
> >>        srcip: '10.20.10.55' 
> >> 
> >> **Rule debugging: 
> >>     Trying rule: 6 - Generic template for all windows rules. 
> >>        *Rule 6 matched. 
> >>        *Trying child rules. 
> >>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog. 
> >>     Trying rule: 18100 - Group of windows rules. 
> >>        *Rule 18100 matched. 
> >>        *Trying child rules. 
> >>     Trying rule: 18101 - Windows informational event. 
> >>     Trying rule: 18102 - Windows warning event. 
> >>     Trying rule: 18104 - Windows audit success event. 
> >>     Trying rule: 18103 - Windows error event. 
> >>     Trying rule: 18105 - Windows audit failure event. 
> >> 
> >> **Phase 3: Completed filtering (rules). 
> >>        Rule id: '18100' 
> >>        Level: '0' 
> >>        Description: 'Group of windows rules.' 
> >> 
> >> So, the original fields of the decoder have been erased (status, id, extra_data, 
> >> srcuser, system_name, name, location, user, system_name). The consequence is 
> >> that the original rules don't match. 
> >> 
> > 
> > That's strange, it works for me (I had to add the timestamp info): 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'Mar  2 11:17:01 ossec-test WinEvtLog: Security: 
> > AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): 
> > no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked 
> > a packet. Application Information: Process ID: 0 Application Name: - 
> > Network Information: Direction: %%14592 Source Address: 10.20.10.55 
> > Source Port: 55666 Destination Address: 255.255.255.255 Destination 
> > Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 
> > Layer Name: %%14597 Layer Run-Time ID: 13' 
> >        hostname: 'ossec-test' 
> >        program_name: 'WinEvtLog' 
> >        log: 'Security: AUDIT_FAILURE(5152): 
> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> > WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. 
> > Application Information: Process ID: 0 Application Name: - Network 
> > Information: Direction: %%14592 Source Address: 10.20.10.55 Source 
> > Port: 55666 Destination Address: 255.255.255.255 Destination Port: 
> > 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer 
> > Name: %%14597 Layer Run-Time ID: 13' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'windows' 
> >        status: 'AUDIT_FAILURE' 
> >        id: '5152' 
> >        extra_data: 'Microsoft-Windows-Security-Auditing' 
> >        dstuser: '(no user)' 
> >        system_name: 'WKSUSR034.mccd.def' 
> >        srcip: '10.20.10.55' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '18105' 
> >        Level: '4' 
> >        Description: 'Windows audit failure event.' 
> > **Alert to be generated. 
> > 
> > Are you sure you have the latest Windows decoders? I'll try firing up 
> > another image and try again. 
> > 
> > 
> >> On Friday, February 17, 2017 at 14:01:15 (UTC+1), Casimiro wrote: 
> >>> 
> >>> I'm trying to override the windows decoder to extract more fields (in 
> >>> local_decoder.xml), like source ip, destination ip, source port. 
> >>> 
> >>> This is my local decoder for windows 
> >>> 
> >>> <decoder name="windows-audit"> 
> >>>    <parent>windows</parent> 
> >>>    <prematch>AUDIT_FAILURE\(5152\)</prematch> 
> >>>    <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex> 
> >>>    <order>srcip</order> 
> >>> </decoder> 
> >>> 
> >>> When I put the new decoder in local_decoder.xml, the windows log doesn't match 
> >>> the windows parent decoder. If I take off the local decoder, then the log matches 
> >>> the windows parent decoder. 
> >>> 
> >>> I want to get all fields: parent fields + child fields (in this case 
> >>> status, id, extra_data, srcuser, system_name and srcip) 
> >>> 
> >>> Thanks in advance 
> >>> 
> >>> 
> >>> 
> >>> 
> >> -- 
> >> 
> >> --- 
> >> You received this message because you are subscribed to the Google Groups 
> >> "ossec-list" group. 
> >> To unsubscribe from this group and stop receiving emails from it, send an 
> >> email to ossec-list+...@googlegroups.com. 
> >> For more options, visit https://groups.google.com/d/optout. 
>

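To check decoders like the ones in this thread against the sample 5152 event before loading them into ossec-logtest, here is an added Python harness (not part of the post and not OSSEC code) that translates OSSEC regex syntax into Python `re`, runs the parent prematch, and then applies each child regex to the text after it, mapping the captures onto `<order>`. It assumes OSSEC's `\w` is alphanumerics plus `@`, `-` and `_`, emulates OSSEC's shortest-run repetition (visible in the thread's Phase 2 output) with lazy quantifiers, and adds the `Source Address` child from the original question because the 5152 event carries no `Client Address` field.

```python
import re

# OSSEC escape classes -> Python re. Assumption: \w approximated as alphanumerics
# plus '@', '-' and '_'. Note that '\.' in OSSEC means ANY character.
OSSEC_CLASSES = {"d": r"\d", "w": "[A-Za-z0-9@_-]", "s": " ", "t": r"\t", "S": r"\S", ".": "."}

def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):            # escaped class or literal
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 1
        elif ch in "+*" and pattern[i + 1:].lstrip(")"):    # OSSEC stops a repeat as soon
            out.append(ch + "?")                            # as the next element fits, so
        elif ch in "+*()^$|":                               # '\.+: ' is the shortest run;
            out.append(ch)                                  # a trailing repeat stays greedy
        else:
            out.append(re.escape(ch))                       # a bare '.' is a literal dot
        i += 1
    return "".join(out)

# Decoders from the thread (windows-default's two <regex> are joined, as OSSEC reads
# them), plus the original question's 'Source Address' child: 5152 has no 'Client Address'.
PARENT = {"name": "windows", "prematch": r"^WinEvtLog: "}
CHILDREN = [
    {"name": "windows-default", "order": ["status", "id", "extra_data", "srcuser", "system_name"],
     "regex": r"^\.+: (\w+)\((\d+)\): (\.+): " r"(\.+): \.+: (\S+): "},
    {"name": "windows-default", "order": ["srcip"], "regex": r"Client Address:\s*\t*(\d+.\d+.\d+.\d+)"},
    {"name": "windows-audit", "order": ["srcip"], "regex": r"Source Address:\s+(\d+.\d+.\d+.\d+)"},
]
EVENT = (  # event 5152 from the thread's ossec-logtest output, cut after 'Source Port: 55666'
         "WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
         "(no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a "
         "packet. Application Information: Process ID: 0 Application Name: - Network "
         "Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666")

def decode(event, parent=PARENT, children=CHILDREN):
    """Parent prematch, then each child regex on the text after it (after_parent)."""
    pm = re.search(ossec_to_python(parent["prematch"]), event)
    if not pm:
        return {}                                           # parent did not match
    after_parent = event[pm.end():]
    fields = {}
    for child in children:
        m = re.search(ossec_to_python(child["regex"]), after_parent)
        if m:                                               # map captures onto <order>
            fields.setdefault(child["name"], {}).update(zip(child["order"], m.groups()))
    return fields
```

On the 5152 event the `Client Address` child of `windows-default` simply does not fire, while the field-extracting child and the `Source Address` child both do, which is the combination the thread was after.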