On Fri, Mar 10, 2017 at 3:37 AM, Ieva <ievaaivo...@gmail.com> wrote:
> Hello
> Maybe someone can help a newbie to write a first OSSEC rule. I tried to read
> OSSEC chapter 4 book „Working with rules“ but it didn't help. So I have
> Windows event logs and want to write a rule with regex to drop out events
> with a specific pattern. I attached an example log below:
>
> 2017 Mar 08 14:36:56 WinEvtLog: Security: AUDIT_SUCCESS(4688):
> Microsoft-Windows-Security-Auditing: (no user): no domain: H-N571-1: A new
> process has been created. Subject: Security ID: S-1-5-xx Account Name:
> Administrator Account Domain: H-N571-1 Logon ID: 0x2ed5d Process
> Information: New Process ID: 0x7fc New Process Name:
> C:\Windows\System32\calc.exe Token Elevation Type: %%1936 Creator Process
> ID: 0xaf0 [END]";
>
> For example I want to drop out events with „Administrator“ AND
> „C:\Windows\System32\calc.exe“ OR „C:\Windows\System32\mspaint.exe“
> (Administrator AND (xxx/calc.exe OR xxx/mspaint.exe OR xxx/xxx.exe)). Could
> someone help with this?
> Tried with this rule but it ended with a server error.
> <rule id="111003" level="0">
> <if_sid>18104</if_sid>
>
> <regex>\.*Account\s+Name:\s+Administrator\.*(C:\\Windows\\System32\\mspaint.exe|C:\\Windows\\System32\\calc.exe)</regex>

The parentheses need to be escaped:

<regex>\.*Account\s+Name:\s+Administrator\.*\(C:\\Windows\\System32\\mspaint.exe|C:\\Windows\\System32\\calc.exe\)</regex>

But there aren't "()" in the actual log, so they're just getting in the way.

> <description>new process Drop</description>
> </rule>
>
> Tried this, but it is not working at all:
> <rule id="111003" level="0">
> <if_sid>18104</if_sid>
>
> <regex>\.*Account\s+Name:\s+Administrator\.*\(C:\\Windows\\System32\\mspaint.exe|C:\\Windows\\System32\\calc.exe\)</regex>
> <description>new process Drop</description>
> </rule>
>
> I think I can achieve my goal by writing two rules: first to match
> „Administrator“ and second to match the other patterns, but maybe it is
> possible to write only one rule for this job?
>

I think writing multiple rules would be a lot easier.

<rule id="111003" level="0">
  <if_sid>18104</if_sid>
  <regex>\.*Account\s+Name:\s+Administrator</regex>
  <description>new process Drop</description>
</rule>

<rule id="111004" level="0">
  <if_sid>111003</if_sid>
  <regex>New Process Name:\s+C:\\Windows\\System32\\mspaint.exe|New Process Name:\s+C:\\Windows\\System32\\calc.exe</regex>
  <description>New process Drop</description>
</rule>

You probably want to reverse the order though. The above rules should ignore all new processes created by the Administrator account.

With OSSEC's regex you'll have to repeat a lot of information:

<rule id="111003" level="0">
  <if_sid>18104</if_sid>
  <regex>\.*Account\s+Name:\s+Administrator\.*New Process Name:\s+C:\\Windows\\System32\\mspaint.exe|Account\s+Name:\s+Administrator\.*New Process Name:\s+C:\\Windows\\System32\\calc.exe</regex>
  <description>new process Drop</description>
</rule>

> Thanks for the help.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
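The reply above hinges on one property of OSSEC's `<regex>`: `|` is a top-level OR and parentheses do not group alternatives, which is why the `Administrator` prefix has to be repeated. As an added illustration (my own code, not OSSEC's matcher and not from this thread), the following Python translator models that subset of os_regex syntax (`\.` any character, `\s` a single space, `\w`, `\d`, `*`, `+`, `\(`/`\)` literal parentheses, unescaped `|` as top-level OR; all other escapes as literals, all of these modelling assumptions) and runs the thread's patterns against the quoted 4688 event, reconstructed here as one log line.

```python
import re

# Constructed sample: the 4688 event quoted in the thread, on one line as OSSEC
# would see it (the stray [END]"; from the mail is dropped).
LOG_CALC = ("2017 Mar 08 14:36:56 WinEvtLog: Security: AUDIT_SUCCESS(4688): "
            "Microsoft-Windows-Security-Auditing: (no user): no domain: H-N571-1: A new "
            "process has been created. Subject: Security ID: S-1-5-xx Account Name: "
            "Administrator Account Domain: H-N571-1 Logon ID: 0x2ed5d Process Information: "
            "New Process ID: 0x7fc New Process Name: C:\\Windows\\System32\\calc.exe "
            "Token Elevation Type: %%1936 Creator Process ID: 0xaf0")
LOG_NOTEPAD = LOG_CALC.replace("calc.exe", "notepad.exe")  # constructed variant

# Assumed os_regex escapes (an approximation, not OSSEC's own matcher):
# \. any char, \s a single space, \w word char, \d digit; other escapes are literals.
_CLASSES = {".": ".", "s": " ", "w": r"[A-Za-z0-9_]", "d": r"[0-9]"}

def split_alternatives(pattern):
    """Split on unescaped '|' only: OSSEC's OR is top-level, so () cannot group it."""
    alts, cur, i = [], [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):  # keep escape pairs together
            cur.append(pattern[i:i + 2]); i += 2; continue
        if pattern[i] == "|":
            alts.append("".join(cur)); cur = []
        else:
            cur.append(pattern[i])
        i += 1
    return alts + ["".join(cur)]

def to_python(alt):
    """Translate one alternative; unbalanced () inside it is treated as a compile error."""
    out, depth, i = [], 0, 0
    while i < len(alt):
        ch = alt[i]
        if ch == "\\":
            nxt = alt[i + 1] if i + 1 < len(alt) else ""
            out.append(_CLASSES.get(nxt, re.escape(nxt))); i += 2; continue
        if ch in "*+^$":      # modifiers and anchors pass through unchanged
            out.append(ch)
        elif ch in "()":      # bare parens capture, but never carry alternation
            depth += 1 if ch == "(" else -1; out.append(ch)
        else:                 # everything else, '.' included, is a literal
            out.append(re.escape(ch))
        i += 1
    if depth != 0:
        raise ValueError("unbalanced parentheses in alternative: " + alt)
    return "".join(out)

def ossec_regex_matches(pattern, line):
    # True if any top-level alternative of the OSSEC-style pattern occurs in line.
    compiled = [re.compile(to_python(a)) for a in split_alternatives(pattern)]
    return any(p.search(line) for p in compiled)
```

Running the escaped-parentheses pattern from the thread through this returns no match for the calc.exe event, because each alternative now demands a literal `(` or `)` next to the path, while the repeated form and the two-rule form both match it and neither matches the notepad.exe variant.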