On Fri, Mar 3, 2017 at 3:04 AM, Casimiro <hfbar...@gmail.com> wrote:
> I solved my problem with this solution:
>
> https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification
>
>
> <decoder name="windows">
>   <type>windows</type>
>   <prematch>^WinEvtLog: </prematch>
> </decoder>
>
> <decoder name="windows-default">
>   <parent>windows</parent>
>   <type>windows</type>
>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>   <regex>(\.+): \.+: (\S+): </regex>
>   <order>status, id, extra_data, srcuser, system_name</order>
>   <fts>name, location, user, system_name</fts>
> </decoder>
>
> <!--
> And adding some IP/name extractions
> -->
> <decoder name="windows-default">
>   <parent>windows</parent>
>   <type>windows</type>
>   <regex offset="after_parent">Client Address:\s*\t*(\d+.\d+.\d+.\d+)</regex>
>   <order>srcip</order>
> </decoder>
>

This looks similar to what's in MASTER.

> I'm trying another solution, but this one doesn't parse well:
>
> <decoder name="windows-675">
>   <type>windows</type>
>   <parent>windows</parent>
>   <prematch offset="after_parent">^\.+: (\w+)\((675)\):</prematch>
>   <regex offset="after_parent">^\.+: (\w+)\((675)\): \.+: \.+: \.+: (\S+): \.+: \.+: (\S+)</regex>
>   <order>status, id, system_name, srcuser</order>
> </decoder>
> <decoder name="windows-675">
>   <type>windows</type>
>   <parent>windows</parent>
>   <regex offset="after_parent">Client Address: (\d+.\d+.\d+.\d+)</regex>
>   <order>srcip</order>
> </decoder>
>
>
> On Thursday, March 2, 2017 at 19:58:30 (UTC+1), dan (ddpbsd) wrote:
>>
>> It continues to work with a fresh install of MASTER
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Mar 2 17:36:50 ossec-test2 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>>        hostname: 'ossec-test2'
>>        program_name: 'WinEvtLog'
>>        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'AUDIT_FAILURE'
>>        id: '5152'
>>        extra_data: 'Microsoft-Windows-Security-Auditing'
>>        dstuser: '(no user)'
>>        system_name: 'WK034.dom.com'
>>        srcip: '10.20.10.55'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18105'
>>        Level: '4'
>>        Description: 'Windows audit failure event.'
>> **Alert to be generated.
>>
>> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro <hfba...@gmail.com> wrote:
>> >> Thanks.
>> >> But it doesn't work. It only decodes the srcip field. Attached is the output:
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>> >>        hostname: 'USMCyberRange'
>> >>        program_name: '(null)'
>> >>        log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'windows'
>> >>        srcip: '10.20.10.55'
>> >>
>> >> **Rule debugging:
>> >>     Trying rule: 6 - Generic template for all windows rules.
>> >>        *Rule 6 matched.
>> >>        *Trying child rules.
>> >>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>> >>     Trying rule: 18100 - Group of windows rules.
>> >>        *Rule 18100 matched.
>> >>        *Trying child rules.
>> >>     Trying rule: 18101 - Windows informational event.
>> >>     Trying rule: 18102 - Windows warning event.
>> >>     Trying rule: 18104 - Windows audit success event.
>> >>     Trying rule: 18103 - Windows error event.
>> >>     Trying rule: 18105 - Windows audit failure event.
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >>        Rule id: '18100'
>> >>        Level: '0'
>> >>        Description: 'Group of windows rules.'
>> >>
>> >> So, the original fields of the decoder have been erased (status, id, extra_data, srcuser, system_name, name, location, user, system_name). The consequence is that the original rules don't match.
>> >>
>> >
>> > That's strange, it works for me (I had to add the timestamp info):
>> > **Phase 1: Completed pre-decoding.
>> >        full event: 'Mar 2 11:17:01 ossec-test WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>> >        hostname: 'ossec-test'
>> >        program_name: 'WinEvtLog'
>> >        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'windows'
>> >        status: 'AUDIT_FAILURE'
>> >        id: '5152'
>> >        extra_data: 'Microsoft-Windows-Security-Auditing'
>> >        dstuser: '(no user)'
>> >        system_name: 'WKSUSR034.mccd.def'
>> >        srcip: '10.20.10.55'
>> >
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '18105'
>> >        Level: '4'
>> >        Description: 'Windows audit failure event.'
>> > **Alert to be generated.
>> >
>> > Are you sure you have the latest Windows decoders? I'll try firing up another image and try again.
>> >
>> >
>> >> On Friday, February 17, 2017 at 14:01:15 (UTC+1), Casimiro wrote:
>> >>>
>> >>> I'm trying to override the windows decoder to extract more fields (in local_decoder.xml), like source IP, destination IP, source port,
>> >>>
>> >>> This is my local decoder for windows:
>> >>>
>> >>> <decoder name="windows-audit">
>> >>>   <parent>windows</parent>
>> >>>   <prematch>AUDIT_FAILURE(51512)</prematch>
>> >>>   <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
>> >>>   <order>srcip</order>
>> >>> </decoder>
>> >>>
>> >>> When I put the new decoder in local_decoder.xml, the windows log doesn't match the windows parent decoder. If I take off the local decoder, the log matches the windows parent decoder.
>> >>>
>> >>> I want to get all fields: parent fields + child fields (in this case status, id, extra_data, srcuser, system_name and srcip)
>> >>>
>> >>> Thanks in advance
>> >>>
>> >>>
>> >>>
>> >>>
>> >> --
>> >>
>> >> ---
>> >> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> >> For more options, visit https://groups.google.com/d/optout.
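The whole thread turns on how a child decoder's fields combine with the parent's, so here is an added example, written for this page and not code from the thread, from OSSEC or from the alienvault post: a small Python model of the decoder chain, run over the WinEvtLog event quoted above (with the syslog timestamp and hostname stripped) and the decoders Casimiro posted as his solution, with the IP regex keyed on "Source Address" (which the sample event contains) rather than "Client Address". Everything about OSSEC's internals here is an assumption of the model: the regex-dialect translation only approximates the real engine, the rule that consecutive same-named children each contribute their fields is inferred from dan's MASTER output, and the field names follow the posted decoder (srcuser) where MASTER shows dstuser. The second decoder list is a hypothetical scenario added to show what that chaining rule does when a differently named child sits ahead of windows-default.

```python
import re

# Constructed sample: the thread's WinEvtLog line without the syslog timestamp/hostname,
# so the 'windows' prematch sees 'WinEvtLog: ' at the start of the string.
LOG = ("WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
       "(no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. "
       "Application Information: Process ID: 0 Application Name: - Network Information: "
       "Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 "
       "Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17")

def ossec_to_python(pattern):
    """Approximate the OSSEC regex dialect (assumption of this model): '\\.' is any char,
    a bare '.' is a literal dot, and '+'/'*' are lazy unless they close the pattern, so
    '\\.+: ' stops at the first ': ' (as ossec-logtest showed for extra_data) while a
    trailing '\\d+' still takes every digit of the last IP octet."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt)  # \w \d \s \S \t \( \) pass through
            i += 2
            continue
        if c == ".":
            out.append(r"\.")
        elif c in "+*":
            out.append(c if pattern[i + 1:].strip(")$") == "" else c + "?")
        else:
            out.append(c)
        i += 1
    return "".join(out)

def decoder(name, parent=None, prematch=None, regex=(), order=(), after_parent=False):
    """One <decoder> block; after_parent stands for offset="after_parent"."""
    return {"name": name, "parent": parent, "prematch": prematch,
            "regex": list(regex), "order": list(order), "after_parent": after_parent}

def _search(ossec_pattern, text):
    return re.search(ossec_to_python(ossec_pattern), text)

def run_regex_chain(dec, text):
    """Apply each <regex> in turn, each continuing where the previous match ended;
    return the captured values, or None as soon as one regex fails."""
    values = []
    for pat in dec["regex"]:
        m = _search(pat, text)
        if m is None:
            return None
        values.extend(m.groups())
        text = text[m.end():]
    return values

def decode(log, decoders):
    """Return the fields the decoder list extracts from one log line."""
    fields = {}
    for parent in (d for d in decoders if d["parent"] is None):
        hit = _search(parent["prematch"], log)
        if hit:
            break
    else:
        return fields                           # no parent prematch matched
    fields["decoder"] = parent["name"]
    children = [d for d in decoders if d["parent"] == parent["name"]]
    for i, child in enumerate(children):
        text = log[hit.end():] if child["after_parent"] else log
        if child["prematch"] and _search(child["prematch"], text) is None:
            continue                            # prematch miss: skip child, keep looking
        values = run_regex_chain(child, text)
        if values:
            fields.update(zip(child["order"], values))
        # Chaining rule assumed by this model (what dan's MASTER output suggests): consecutive
        # children sharing a name each add their fields; a child with a different name ends
        # the search for children whether or not its regex matched.
        if not (i + 1 < len(children) and children[i + 1]["name"] == child["name"]):
            break
    return fields

# The decoders Casimiro posted, with the IP regex keyed on "Source Address" (present in the
# sample event) instead of "Client Address".
WINDOWS_DECODERS = [
    decoder("windows", prematch=r"^WinEvtLog: "),
    decoder("windows-default", parent="windows", after_parent=True,
            regex=[r"^\.+: (\w+)\((\d+)\): (\.+): ", r"(\.+): \.+: (\S+): "],
            order=["status", "id", "extra_data", "srcuser", "system_name"]),
    decoder("windows-default", parent="windows", after_parent=True,
            regex=[r"Source Address:\s*\t*(\d+.\d+.\d+.\d+)"], order=["srcip"]),
]

# Hypothetical scenario: a child with its own name ahead of windows-default. Under the
# chaining rule above it adds srcip and ends the chain, so status/id/... stay empty.
WINDOWS_AUDIT_FIRST = [
    WINDOWS_DECODERS[0],
    decoder("windows-audit", parent="windows", after_parent=True,
            regex=[r"Source Address:\s+(\d+.\d+.\d+.\d+)"], order=["srcip"]),
    WINDOWS_DECODERS[1], WINDOWS_DECODERS[2],
]

def decode_with_chain():
    return decode(LOG, WINDOWS_DECODERS)

def decode_with_foreign_child_first():
    return decode(LOG, WINDOWS_AUDIT_FIRST)

if __name__ == "__main__":
    for key, value in decode_with_chain().items():   # mirrors ossec-logtest's Phase 2 listing
        print(f"       {key}: '{value}'")
```

Run as a script it lists the same seven fields dan's Phase 2 output shows (with srcuser in place of dstuser); `decode_with_foreign_child_first()` returns only the decoder name and srcip, the shape of Casimiro's output. The model keeps the two decisions that matter for local_decoder.xml work visible in one place: a child's `offset="after_parent"` text starts where the parent's prematch ended, and only children that share a name are applied together.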