Thanks, Dan, for the help. I think I will prefer this rule:

<rule id="111003" level="0">
  <if_sid>18104</if_sid>
  <regex>\.*Account\s+Name:\s+Administrator\.*New Process Name:\s+C:\\Windows\\System32\\mspaint.exe|Account\s+Name:\s+Administrator\.*New Process Name:\s+C:\\Windows\\System32\\calc.exe</regex>
  <description>new process Drop</description>
</rule>
But do you know how many OR patterns I can place into one rule? Maybe too long a rule can affect performance or something like that?

On Friday, March 10, 2017 at 5:17:45 PM UTC+2, Ieva wrote:
>
> Hello
> Maybe someone can help a newbie write a first OSSEC rule. I tried to read OSSEC chapter 4 of the book „Working with rules“ but it didn't help. So I have Windows event logs and want to write a rule with a regex to drop out events with a specific pattern. I attached an example log below:
>
> 2017 Mar 08 14:36:56 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: H-N571-1: A new process has been created. Subject: Security ID: S-1-5-xx Account Name: Administrator Account Domain: H-N571-1 Logon ID: 0x2ed5d Process Information: New Process ID: 0x7fc New Process Name: C:\Windows\System32\calc.exe Token Elevation Type: %%1936 Creator Process ID: 0xaf0 [END]";
>
> For example I want to drop out events with „Administrator“ AND „C:\Windows\System32\calc.exe“ OR „C:\Windows\System32\mspaint.exe“ (Administrator AND (xxx/calc.exe OR xxx/mspaint.exe OR xxx/xxx.exe)). Could someone help with this?
> Tried with this rule but it ended with a server error.
>
> <rule id="111003" level="0">
>   <if_sid>18104</if_sid>
>   <regex>\.*Account\s+Name:\s+Administrator\.*(C:\\Windows\\System32\\mspaint.exe|C:\\Windows\\System32\\calc.exe)</regex>
>   <description>new process Drop</description>
> </rule>
>
> Tried this, but it is not working at all:
>
> <rule id="111003" level="0">
>   <if_sid>18104</if_sid>
>   <regex>\.*Account\s+Name:\s+Administrator\.*\(C:\\Windows\\System32\\mspaint.exe|C:\\Windows\\System32\\calc.exe\)</regex>
>   <description>new process Drop</description>
> </rule>
>
> I think I can achieve my goal by writing two rules: first to match „Administrator“ and second to match the other patterns, but maybe it is possible to write only one rule for this job?
>
> Thanks for help.
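As an added example that is not part of this thread or of OSSEC itself: a small Python harness for checking a rule's <regex> against sample Windows 4688 lines offline before it goes into local_rules.xml. It approximates OSSEC's own regex dialect under the following assumptions, which are mine and not confirmed by the thread: "|" is a top-level OR between alternatives that are matched independently, "(" and ")" are capture markers rather than grouping, "\." is any character, "\s" is a space, and a plain "." is literal. The function names (ossec_to_python, rule_matches, should_drop) and the non-Administrator and notepad.exe variants of the log line are constructed for the example; the calc.exe line is the one posted above.

```python
import re

# Approximate mapping of OSSEC regex classes to Python re fragments (assumed).
OSSEC_CLASSES = {
    ".": ".",              # \. : any character
    "s": " ",              # \s : a space
    "t": "\t",             # \t : a tab
    "w": "[A-Za-z0-9_@]",  # \w : alphanumeric plus '_' and '@' (approximate)
    "d": "[0-9]",          # \d : a digit
    "W": "[^A-Za-z0-9_@]",
    "D": "[^0-9]",
    "S": "[^ ]",
}


def ossec_to_python(pattern):
    """Translate one OSSEC <regex> into a list of compiled Python patterns,
    one per '|' alternative (assumption: '|' is a top-level OR only)."""
    compiled = []
    for alt in pattern.split("|"):
        out = []
        i = 0
        while i < len(alt):
            c = alt[i]
            if c == "\\" and i + 1 < len(alt):
                nxt = alt[i + 1]
                # a known class, or an escaped literal such as '\\' for one backslash
                out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
                i += 2
            elif c in "*+^$":
                out.append(c)               # quantifiers and anchors keep their meaning
                i += 1
            elif c in "()":
                i += 1                      # capture markers: no grouping in this model
            else:
                out.append(re.escape(c))    # everything else, '.' included, is literal
                i += 1
        compiled.append(re.compile("".join(out), re.DOTALL))
    return compiled


def rule_matches(regex, log_line):
    """True if any alternative of the OSSEC regex occurs anywhere in the line."""
    return any(p.search(log_line) for p in ossec_to_python(regex))


# The <regex> from the rule above, as a raw string so the '\\' pairs survive.
RULE_REGEX = (
    r"\.*Account\s+Name:\s+Administrator\.*New Process Name:\s+C:\\Windows\\System32\\mspaint.exe"
    r"|Account\s+Name:\s+Administrator\.*New Process Name:\s+C:\\Windows\\System32\\calc.exe"
)

# The 4688 line posted in the thread (trailing [END] marker dropped).
SAMPLE_CALC_ADMIN = (
    r"2017 Mar 08 14:36:56 WinEvtLog: Security: AUDIT_SUCCESS(4688): "
    r"Microsoft-Windows-Security-Auditing: (no user): no domain: H-N571-1: A new "
    r"process has been created. Subject: Security ID: S-1-5-xx Account Name: "
    r"Administrator Account Domain: H-N571-1 Logon ID: 0x2ed5d Process "
    r"Information: New Process ID: 0x7fc New Process Name: "
    r"C:\Windows\System32\calc.exe Token Elevation Type: %%1936 Creator Process "
    r"ID: 0xaf0"
)
# Constructed variants for the cases the rule must NOT drop, plus the mspaint case.
SAMPLE_MSPAINT_ADMIN = SAMPLE_CALC_ADMIN.replace("calc.exe", "mspaint.exe")
SAMPLE_CALC_USER = SAMPLE_CALC_ADMIN.replace("Account Name: Administrator", "Account Name: bob")
SAMPLE_NOTEPAD_ADMIN = SAMPLE_CALC_ADMIN.replace("calc.exe", "notepad.exe")


def should_drop(log_line):
    """Level-0 rule semantics: a match means the event is discarded."""
    return rule_matches(RULE_REGEX, log_line)


if __name__ == "__main__":
    cases = [
        ("calc.exe / Administrator", SAMPLE_CALC_ADMIN),
        ("mspaint.exe / Administrator", SAMPLE_MSPAINT_ADMIN),
        ("calc.exe / bob", SAMPLE_CALC_USER),
        ("notepad.exe / Administrator", SAMPLE_NOTEPAD_ADMIN),
    ]
    for name, line in cases:
        print(f"{name}: {'drop' if should_drop(line) else 'keep'}")
```

The harness shows why the chosen rule repeats the Account Name part in both alternatives: each "|" branch is matched on its own, so a branch that only names the executable would also discard events for other accounts. It ignores parentheses entirely, so it cannot reproduce the server error the first attempt produced; it is only a quick check of which sample lines a given <regex> would match.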