On Mar 6, 2017 9:51 AM, "Eduardo Reichert Figueiredo" <eduardo.reich...@hotmail.com> wrote:

Hi all,
Is there any possibility of writing the source IP address in integrity check events,
so the alert displays the real IP?


There is no IP information in the syscheck log messages, so there is
nothing to print.



On Friday, March 3, 2017 at 15:55:14 UTC-3, dan (ddpbsd) wrote:

> On Fri, Mar 3, 2017 at 3:04 AM, Casimiro <hfba...@gmail.com> wrote:
> > I solved my problem with this solution
> >
> > https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification
> >
> >
> > <decoder name="windows">
> >         <type>windows</type>
> >         <prematch>^WinEvtLog: </prematch>
> > </decoder>
> >
> > <decoder name="windows-default">
> >         <parent>windows</parent>
> >         <type>windows</type>
> >         <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
> >         <regex>(\.+): \.+: (\S+): </regex>
> >         <order>status, id, extra_data, srcuser, system_name</order>
> >         <fts>name, location, user, system_name</fts>
> > </decoder>
> > <!--
> >         And adding some IP/name extractions
> > -->
> > <decoder name="windows-default">
> >         <parent>windows</parent>
> >         <type>windows</type>
> >         <regex offset="after_parent">Client Address:\s*\t*(\d+.\d+.\d+.\d+)</regex>
> >         <order>srcip</order>
> > </decoder>
> >
>
> This looks similar to what's in MASTER.
>
> >
> > I'm trying another solution, but this one doesn't parse well
> >
> > <decoder name="windows-675">
> >         <type>windows</type>
> >         <parent>windows</parent>
> >         <prematch offset="after_parent">^\.+: (\w+)\((675)\):</prematch>
> >         <regex offset="after_parent">^\.+: (\w+)\((675)\): \.+: \.+: \.+: (\S+): \.+: \.+: (\S+)</regex>
> >         <order>status, id, system_name, srcuser</order>
> > </decoder>
> > <decoder name="windows-675">
> >         <type>windows</type>
> >         <parent>windows</parent>
> >         <regex offset="after_parent">Client Address: (\d+.\d+.\d+.\d+)</regex>
> >         <order>srcip</order>
> > </decoder>
> >
> >
> > On Thursday, March 2, 2017 at 19:58:30 (UTC+1), dan (ddpbsd) wrote:
> >>
> >> It continues to work with a fresh install of MASTER
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'Mar  2 17:36:50 ossec-test2 WinEvtLog: Security:
> >> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
> >> no domain: WK034.dom.com: The Windows Filtering Platform blocked a
> >> packet. Application Information: Process ID: 0 Application Name: -
> >> Network Information: Direction: %%14592 Source Address: 10.20.10.55
> >> Source Port: 55666 Destination Address: 255.255.255.255 Destination
> >> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713
> >> Layer Name: %%14597 Layer Run-Time ID: 13'
> >>        hostname: 'ossec-test2'
> >>        program_name: 'WinEvtLog'
> >>        log: 'Security: AUDIT_FAILURE(5152):
> >> Microsoft-Windows-Security-Auditing: (no user): no domain:
> >> WK034.dom.com: The Windows Filtering Platform blocked a packet.
> >> Application Information: Process ID: 0 Application Name: - Network
> >> Information: Direction: %%14592 Source Address: 10.20.10.55 Source
> >> Port: 55666 Destination Address: 255.255.255.255 Destination Port:
> >> 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer
> >> Name: %%14597 Layer Run-Time ID: 13'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'windows'
> >>        status: 'AUDIT_FAILURE'
> >>        id: '5152'
> >>        extra_data: 'Microsoft-Windows-Security-Auditing'
> >>        dstuser: '(no user)'
> >>        system_name: 'WK034.dom.com'
> >>        srcip: '10.20.10.55'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '18105'
> >>        Level: '4'
> >>        Description: 'Windows audit failure event.'
> >> **Alert to be generated.
> >>
> >> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro <hfba...@gmail.com> wrote:
> >> >> Thanks.
> >> >> But it doesn't work. It only decodes the srcip field. Attached is the output:
> >> >>
> >> >> **Phase 1: Completed pre-decoding.
> >> >>        full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
> >> >> Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com:
> >> >> The Windows Filtering Platform blocked a packet. Application Information:
> >> >> Process ID: 0 Application Name: - Network Information: Direction: %%14592
> >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
> >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
> >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
> >> >>        hostname: 'USMCyberRange'
> >> >>        program_name: '(null)'
> >> >>        log: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
> >> >> Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: The
> >> >> Windows Filtering Platform blocked a packet. Application Information:
> >> >> Process ID: 0 Application Name: - Network Information: Direction: %%14592
> >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
> >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
> >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
> >> >>
> >> >> **Phase 2: Completed decoding.
> >> >>        decoder: 'windows'
> >> >>        srcip: '10.20.10.55'
> >> >>
> >> >> **Rule debugging:
> >> >>     Trying rule: 6 - Generic template for all windows rules.
> >> >>        *Rule 6 matched.
> >> >>        *Trying child rules.
> >> >>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
> >> >>     Trying rule: 18100 - Group of windows rules.
> >> >>        *Rule 18100 matched.
> >> >>        *Trying child rules.
> >> >>     Trying rule: 18101 - Windows informational event.
> >> >>     Trying rule: 18102 - Windows warning event.
> >> >>     Trying rule: 18104 - Windows audit success event.
> >> >>     Trying rule: 18103 - Windows error event.
> >> >>     Trying rule: 18105 - Windows audit failure event.
> >> >>
> >> >> **Phase 3: Completed filtering (rules).
> >> >>        Rule id: '18100'
> >> >>        Level: '0'
> >> >>        Description: 'Group of windows rules.'
> >> >>
> >> >> So the original fields of the decoder have been erased (status, id,
> >> >> extra_data, srcuser, system_name, name, location, user, system_name). The
> >> >> consequence is that the original rules don't match.
> >> >>
> >> >
> >> > That's strange, it works for me (I had to add the timestamp info):
> >> > **Phase 1: Completed pre-decoding.
> >> >        full event: 'Mar  2 11:17:01 ossec-test WinEvtLog: Security:
> >> > AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
> >> > no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked
> >> > a packet. Application Information: Process ID: 0 Application Name: -
> >> > Network Information: Direction: %%14592 Source Address: 10.20.10.55
> >> > Source Port: 55666 Destination Address: 255.255.255.255 Destination
> >> > Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713
> >> > Layer Name: %%14597 Layer Run-Time ID: 13'
> >> >        hostname: 'ossec-test'
> >> >        program_name: 'WinEvtLog'
> >> >        log: 'Security: AUDIT_FAILURE(5152):
> >> > Microsoft-Windows-Security-Auditing: (no user): no domain:
> >> > WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet.
> >> > Application Information: Process ID: 0 Application Name: - Network
> >> > Information: Direction: %%14592 Source Address: 10.20.10.55 Source
> >> > Port: 55666 Destination Address: 255.255.255.255 Destination Port:
> >> > 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer
> >> > Name: %%14597 Layer Run-Time ID: 13'
> >> >
> >> > **Phase 2: Completed decoding.
> >> >        decoder: 'windows'
> >> >        status: 'AUDIT_FAILURE'
> >> >        id: '5152'
> >> >        extra_data: 'Microsoft-Windows-Security-Auditing'
> >> >        dstuser: '(no user)'
> >> >        system_name: 'WKSUSR034.mccd.def'
> >> >        srcip: '10.20.10.55'
> >> >
> >> > **Phase 3: Completed filtering (rules).
> >> >        Rule id: '18105'
> >> >        Level: '4'
> >> >        Description: 'Windows audit failure event.'
> >> > **Alert to be generated.
> >> >
> >> > Are you sure you have the latest Windows decoders? I'll try firing up
> >> > another image and try again.
> >> >
> >> >
> >> >> On Friday, February 17, 2017 at 14:01:15 (UTC+1), Casimiro wrote:
> >> >>>
> >> >>> I'm trying to override the windows decoder to extract more fields (in
> >> >>> local_decoder.xml), like source IP, destination IP, source port,
> >> >>>
> >> >>> This is my local decoder for windows
> >> >>>
> >> >>> <decoder name="windows-audit">
> >> >>>    <parent>windows</parent>
> >> >>>    <prematch>AUDIT_FAILURE(51512)</prematch>
> >> >>>    <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
> >> >>>    <order>srcip</order>
> >> >>> </decoder>
> >> >>>
> >> >>> When I put the new decoder in local_decoder.xml, the Windows log doesn't
> >> >>> match the windows parent decoder. If I take the local decoder off, then the
> >> >>> log matches the windows parent decoder.
> >> >>>
> >> >>> I want to get all fields: parent fields + child fields (in this case
> >> >>> status, id, extra_data, srcuser, system_name and srcip)
> >> >>>
> >> >>> Thanks in advance
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >> --
> >> >>
> >> >> ---
> >> >> You received this message because you are subscribed to the Google
> >> >> Groups
> >> >> "ossec-list" group.
> >> >> To unsubscribe from this group and stop receiving emails from it,
> send
> >> >> an
> >> >> email to ossec-list+...@googlegroups.com.
> >> >> For more options, visit https://groups.google.com/d/optout.
> >
>


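The decoding pipeline that the ossec-logtest output in this thread shows, as an added example in Python (not OSSEC's code, and not from anyone in the thread): it translates the OSSEC regex dialect used by the posted decoders into Python `re` and runs the windows-default parent/child chain, plus a second child that only adds srcip, over the 5152 line from the thread (constructed here as a string). It assumes that OSSEC's `+` and `*` stop at the first point where the rest of the pattern matches (emulated with lazy quantifiers, greedy only at the end of a pattern), that the parent `windows` decoder applies both when program_name is WinEvtLog and when the log itself starts with `WinEvtLog: ` (the thread's output shows it matching in both situations), and that the decoder name `windows-srcip` and the `BROKEN_SRCIP_CHILD` constant are made up for this example.

```python
"""Emulation of the OSSEC decoder chain discussed in this thread (added
example, not code from OSSEC or from anyone in the thread). It translates the
subset of OSSEC's regex dialect used by the decoders above into Python re and
runs a parent plus two child decoders over the constructed 5152 event.
Assumed, not from the page: '+'/'*' are lazy unless at the end of the pattern;
the child decoder "windows-srcip" is made up for this example.
"""
import re

# OSSEC character classes, per its regex syntax, mapped onto Python re.
_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",   # OSSEC \w also covers '-', '@' and '_'
    "d": r"[0-9]",
    "s": r" ",                 # OSSEC \s is a single space
    "t": r"\t",
    "S": r"[^ ]",
    ".": r".",                 # OSSEC \. is the wildcard; a bare '.' is a literal dot
}

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC decoder regex into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):   # \( \) \$ ... are escaped literals
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 1
        elif c in "+*":                          # greedy only when nothing follows
            out.append(c if pattern[i + 1:].lstrip(")") == "" else c + "?")
        elif c in "^$|()":
            out.append(c)                        # same meaning as in OSSEC
        else:
            out.append(re.escape(c))             # anything else, '.' included, is literal
        i += 1
    return "".join(out)

# Decoders as dicts mirroring the XML posted in the thread. Assumed: the parent
# applies on program_name WinEvtLog or on a log beginning "WinEvtLog: ".
PARENT = {"name": "windows", "program_name": r"^WinEvtLog", "prematch": r"^WinEvtLog: "}
CHILDREN = [
    {"name": "windows-default",           # its two <regex> elements joined, which is
     "regex": r"^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): ",   # how the
     "order": ["status", "id", "extra_data", "srcuser", "system_name"]},  # 5-field <order> lines up
    {"name": "windows-srcip",             # made-up child that only adds srcip
     "prematch": r"AUDIT_FAILURE\(5152\)",   # literal parens escaped, as in the parent regex
     "regex": r"Source Address:\s+(\d+.\d+.\d+.\d+)",
     "order": ["srcip"]},
]

# The prematch from the first post: unescaped parens form a group and the id
# has an extra digit, so it never fires on a 5152 event and the child is skipped.
BROKEN_SRCIP_CHILD = dict(CHILDREN[1], prematch=r"AUDIT_FAILURE(51512)")

_SYSLOG = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (\S+) (\S+): (.*)$", re.S)

def predecode(full_event: str) -> dict:
    """Phase 1: split 'Mon DD HH:MM:SS host program: log'. Without that header
    there is no program_name (the '(null)' shown in the thread)."""
    m = _SYSLOG.match(full_event)
    if m:
        return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}
    return {"hostname": None, "program_name": None, "log": full_event}

def decode(full_event: str, children=CHILDREN) -> dict:
    """Phase 2: parent match, then each child at offset="after_parent";
    fields from every matching child are merged into one result."""
    pre = predecode(full_event)
    log, offset, pn = pre["log"], 0, pre["program_name"]
    if not (pn and re.search(ossec_to_python(PARENT["program_name"]), pn)):
        pm = re.search(ossec_to_python(PARENT["prematch"]), log)
        if not pm:
            return {}
        offset = pm.end()
    fields, rest = {"decoder": PARENT["name"]}, log[offset:]
    for child in children:
        if "prematch" in child and not re.search(ossec_to_python(child["prematch"]), rest):
            continue                         # child does not apply; parent fields survive
        m = re.search(ossec_to_python(child["regex"]), rest)
        if m:
            fields.update(zip(child["order"], m.groups()))
    return fields

# Constructed sample event, copied from the ossec-logtest output in the thread.
SAMPLE = (
    "Mar  2 17:36:50 ossec-test2 WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: "
    "The Windows Filtering Platform blocked a packet. Application Information: "
    "Process ID: 0 Application Name: - Network Information: Direction: %%14592 "
    "Source Address: 10.20.10.55 Source Port: 55666 Destination Address: "
    "255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: "
    "Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13"
)

if __name__ == "__main__":
    for key, value in decode(SAMPLE).items():
        print(f"{key}: '{value}'")
```

Running it prints the Phase 2 fields the way ossec-logtest lists them, with srcip added next to status, id, extra_data, srcuser and system_name. The `BROKEN_SRCIP_CHILD` variant, built from the prematch in the first post, never matches (in OSSEC regex unescaped parentheses are a capture group, which is why the parent regex writes `\((\d+)\)` for the literal ones, and 51512 is not the event id), so with it srcip is simply absent while the parent's fields remain. The authoritative check is still `/var/ossec/bin/ossec-logtest` on the OSSEC host, with the syslog timestamp and hostname in front of the WinEvtLog line as in the thread.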