I know this is old, but thank you SO much for posting the resolution. I ran 
into the exact same issue when writing a decoder for a Windows log file. I 
did not realize that the OSSEC logs in archive contained an added header 
and it caused me a HUGE headache when writing the decoder. I tested mine in 
production and it works perfectly. Thank you again. 

On Wednesday, December 16, 2015 at 5:09:13 PM UTC-5, Phillipa Moorea wrote:
>
> Oh yeah, it probably didn't work because I didn't have if_sid maybe the 
> first time I was doing this.
>
> On Wednesday, December 16, 2015 at 4:07:21 PM UTC-6, Phillipa Moorea wrote:
>>
>> I didn't know how to get the rule to match the log id.  I tried doing the 
>> <id>^500$</id> for example, but it didn't work for me.
>> This used to be my rule when I was messing around with it:
>> <rule id="100210" level="6">
>>   <id>^400$|^403$|^500$|^501$|^600$</id>
>>   <description>Powershell Event.</description>
>> </rule>
>>
>> I also have the problem in which opening PowerShell and running Get-Date 
>> creates like 22 different alerts :(.  In the logs I notice that there is a 
>> SequenceNumber, but I'm not sure how to use that to say generate 1 alert 
>> for opening powershell, and 1 alert for running a command.  Or just 1 alert 
>> for opening and running a single command.
>>
>> Just by opening the powershell window I get 24 events.  The 
>> SequenceNumber iterates like this:
>> Event Log 1   - 1
>> Event Log 2   - 3
>> Event Log 3   - 5
>> Event Log 4   - 7
>> Event Log 5   - 9
>> Event Log 6   - 11
>> Event Log 7   - 13
>> Event Log 8   - 15
>> Event Log 9   - 16
>> Event Log 10 - 17
>> Event Log 11 - 18
>> Event Log 12 - 19
>> Event Log 13 - 20
>> Event Log 14 - 21
>> Event Log 15 - 22
>> Event Log 16 - 23
>> Event Log 17 - 24
>> Event Log 18 - 25
>> Event Log 19 - 26
>> Event Log 20 - 27
>> Event Log 21 - 28
>> Event Log 22 - 29
>> Event Log 23 - 30
>> Event Log 24 - 31
>>
>> Then I run Get-Date and I get 24 new logs where Event Log 1-24 matches up 
>> with SequenceNumber 32-55
>>
>> Then I close PowerShell and get 1 new Event Log with SequenceNumber 56
>>
>> When I open PowerShell again, the SequenceNumber repeats back to 1
>>
>>
>> On Tuesday, December 8, 2015 at 4:13:03 PM UTC-6, Daniel wrote:
>>>
>>> So basically what you're doing is looking for INFO logs and then 
>>> matching the log content and not the actual log ID? Interesting. My general 
>>> rule workflow is this: 
>>> If OS=WINDOWS, then if TYPE=ERROR/INFO/WARN/etc, then if EVENTID=x, then 
>>> create alert with LEVEL=y.
>>>
>>> Types can be referenced in <ossec-dir>/rules/msauth_rules.xml, with 
>>> 18101 being informational. Also, check out 
>>> http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
>>>
>>> My basic powershell rule looks like the following:
>>>
>>> <!-- BEGIN "Windows PowerShell.evtx" Rules -->
>>>   <rule id="104010" level="7">
>>>     <if_sid>18101</if_sid>
>>>     <id>^400$|^403$</id>
>>>     <Match>PowerShell</Match>
>>>     <description>PowerShell Started/Stopped.</description>
>>>     <info>From "Windows PowerShell.evtx"</info>
>>>   </rule>
>>> <!-- END "Windows PowerShell.evtx" Rules -->
>>>
>>>
>>> On Wednesday, December 2, 2015 at 4:02:25 PM UTC-5, Phillipa Moorea 
>>> wrote:
>>>>
>>>> Thanks for all the help from you (Santiago), from dan, some other posts 
>>>> on here, github repository issues, a book I bought on ossec for $10, and 
>>>> the work of the OSSEC developers that made the 2.8.3 update, and of course 
>>>> the people in the AlienVault Labs!
>>>>
>>>> I was now able to get the alerts working.  I analyzed the PowerShell 
>>>> logs and changed my rules a bit.  Here is what I changed it to:
>>>>
>>>> <group name="powershell,">
>>>>   <rule id="100210" level="0">
>>>>     <if_sid>18100,18101</if_sid>
>>>>     <match>CommandType=Script</match>
>>>>     <description>Powershell Script.</description>
>>>>   </rule>
>>>>   <rule id="100211" level="0">
>>>>     <if_sid>18100,18101</if_sid>
>>>>     <match>CommandType=Cmdlet</match>
>>>>     <description>Powershell Command.</description>
>>>>   </rule>
>>>>   <rule id="100212" level="0">
>>>>     <if_sid>18100,18101</if_sid>
>>>>     <match>CommandType=Function</match>
>>>>     <description>Powershell Function.</description>
>>>>   </rule>  
>>>>   <rule id="100213" level="2">
>>>>     <if_sid>100210</if_sid>
>>>>     <match>NewCommandState=Started</match>
>>>>     <description>Powershell Script (500-Started).</description>
>>>>   </rule>
>>>>   <rule id="100214" level="2">
>>>>     <if_sid>100210</if_sid>
>>>>     <match>NewCommandState=Stopped</match>
>>>>     <description>Powershell Script (501-Stopped).</description>
>>>>   </rule>  
>>>>   <rule id="100215" level="2">
>>>>     <if_sid>100211</if_sid>
>>>>     <match>NewCommandState=Started</match>
>>>>     <description>Powershell Command (500-Started).</description>
>>>>   </rule>
>>>>   <rule id="100216" level="2">
>>>>     <if_sid>100211</if_sid>
>>>>     <match>NewCommandState=Stopped</match>
>>>>     <description>Powershell Command (501-Stopped).</description>
>>>>   </rule>  
>>>>   <rule id="100217" level="2">
>>>>     <if_sid>100212</if_sid>
>>>>     <match>NewCommandState=Started</match>
>>>>     <description>Powershell Function (500-Started).</description>
>>>>   </rule>
>>>> ...
>>>
>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
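Added example, not OSSEC's own code and not any poster's rules as shipped: a small Python emulation of the rule chain this thread converges on (18100 -> 18101 -> PowerShell event ID / CommandType / NewCommandState), run over constructed Windows PowerShell event-log lines. It also shows the archives.log problem from the top of the thread: a line copied straight out of archives.log carries a `YYYY Mon DD HH:MM:SS (agent) ip->location` prefix that the Windows decoder does not expect, so it decodes to nothing until that header is stripped. Assumptions: the agent line layout `WinEvtLog: <log>: <TYPE>(<id>): <source>: <user>: <domain>: <host>: <message>`, the archive prefix layout above, rules 18100/18101 reduced to what the thread mentions (windows category, INFORMATION status), `<match>`/`<id>`/`<status>` approximated as OSSEC-style substring patterns with `^`/`$` anchors and `|` alternatives, and sibling rules tried highest level first; the sample lines are constructed for the example.

```python
import re

# Assumed archives.log prefix: "YYYY Mon DD HH:MM:SS (agent) ip->location <original line>"
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?:\([^)]*\) )?\S+->\S+ ")

# Assumed agent layout: "WinEvtLog: <log>: <TYPE>(<id>): <source>: <user>: <domain>: <host>: <message>"
WINEVT = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+): "
    r"(?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<message>.*)$")


def strip_archive_header(line):
    """Drop the archives.log prefix so the line looks like what the agent sent."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def decode(line):
    """Stand-in for the OSSEC 'windows' decoder: field dict, or None if the line
    does not look like an agent WinEvtLog line (e.g. it still has the archive header)."""
    m = WINEVT.match(line)
    return {"category": "windows", "raw": line, **m.groupdict()} if m else None


def os_match(pattern, text):
    """Approximation of OSSEC <match>/<id>/<status>: '|' separates alternatives,
    each is a substring test with optional ^ (prefix) and $ (suffix) anchors."""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        core = alt[(1 if head else 0):(len(alt) - 1 if tail else len(alt))]
        if head and tail:
            ok = text == core
        elif head:
            ok = text.startswith(core)
        elif tail:
            ok = text.endswith(core)
        else:
            ok = core in text
        if ok:
            return True
    return False


def rule(rid, level, desc, if_sid=(), category=None, status=None, eid=None, match=None):
    return dict(id=rid, level=level, desc=desc, if_sid=tuple(if_sid),
                category=category, status=status, event_id=eid, match=match)


RULES = [
    # OSSEC's grouping rules as the thread describes them (bodies simplified here).
    rule(18100, 0, "Group of windows rules", category="windows"),
    rule(18101, 0, "Windows informational event", if_sid=[18100], status="^INFORMATION"),
    # Daniel's engine start/stop rule.
    rule(104010, 7, "PowerShell Started/Stopped.", if_sid=[18101], eid="^400$|^403$", match="PowerShell"),
    # Phillipa's CommandType / NewCommandState tree (Cmdlet branch only).
    rule(100210, 0, "Powershell Script.", if_sid=[18100, 18101], match="CommandType=Script"),
    rule(100211, 0, "Powershell Command.", if_sid=[18100, 18101], match="CommandType=Cmdlet"),
    rule(100215, 2, "Powershell Command (500-Started).", if_sid=[100211], match="NewCommandState=Started"),
    rule(100216, 2, "Powershell Command (501-Stopped).", if_sid=[100211], match="NewCommandState=Stopped"),
]


def rule_matches(r, ev):
    if r["category"] and r["category"] != ev["category"]:
        return False
    if r["status"] and not os_match(r["status"], ev["status"]):
        return False
    if r["event_id"] and not os_match(r["event_id"], ev["id"]):
        return False
    if r["match"] and not os_match(r["match"], ev["raw"]):
        return False
    return True


def evaluate(rules, ev):
    """Return the deepest matching rule, or None. A rule is only tried once one of
    its if_sid parents matched; siblings are tried highest level first (assumption)."""
    children = {}
    for r in rules:
        for parent in r["if_sid"] or (None,):
            children.setdefault(parent, []).append(r)
    for lst in children.values():
        lst.sort(key=lambda x: -x["level"])

    def descend(parent_id):
        for r in children.get(parent_id, []):
            if rule_matches(r, ev):
                return descend(r["id"]) or r
        return None
    return descend(None)


def alert_for(line):
    """(rule id, level) for an alerting match, None for no decode or a level-0 match."""
    ev = decode(line)
    r = evaluate(RULES, ev) if ev else None
    return (r["id"], r["level"]) if r and r["level"] > 0 else None


# Constructed sample lines (not real captures); the first still carries an archive header.
SAMPLE_ARCHIVE_500 = ("2015 Dec 16 17:09:13 (win-ws01) 10.0.0.15->WinEvtLog "
    "WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: N/A: N/A: WIN-WS01: "
    'Command "Get-Date" is Started. Details: NewCommandState=Started SequenceNumber=33 '
    "HostName=ConsoleHost CommandName=Get-Date CommandType=Cmdlet")
SAMPLE_400 = ("WinEvtLog: Windows PowerShell: INFORMATION(400): PowerShell: N/A: N/A: WIN-WS01: "
    "Engine state is changed from None to Available. Details: NewEngineState=Available "
    "PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost")
SAMPLE_501 = ("WinEvtLog: Windows PowerShell: INFORMATION(501): PowerShell: N/A: N/A: WIN-WS01: "
    'Command "Get-Date" is Stopped. Details: NewCommandState=Stopped SequenceNumber=35 '
    "HostName=ConsoleHost CommandName=Get-Date CommandType=Cmdlet")

if __name__ == "__main__":
    print("archive line as-is:  ", alert_for(SAMPLE_ARCHIVE_500))
    print("archive line stripped:", alert_for(strip_archive_header(SAMPLE_ARCHIVE_500)))
    print("event 400:", alert_for(SAMPLE_400), " event 501:", alert_for(SAMPLE_501))
```

When testing with ossec-logtest, paste only the part after the `->location` token; the emulator's `decode` returning None for the unstripped archive line is the same failure mode the first post describes. Note also why `<id>^500$</id>` alone gives nothing to chain from: the `<id>` and `<match>` tests only run once a parent (18100/18101) has claimed the event, so a rule needs `<if_sid>` to be reached at all in this model.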