On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown <zestys...@gmail.com> wrote:
> Dan, that matches for the source and destination IP addresses, but if I
> understand logtest's "Phase 2" output correctly, using those additional
> decoders drops all the other things that the original windows decoder found:
>
> ---------------------------
>
> # ./ossec-logtest -v
> 2017/07/06 02:19:12 ossec-testrule: INFO: Reading local decoder file.
> 2017/07/06 02:19:12 ossec-testrule: INFO: Started (pid: 4227).
> ossec-testrule: Type one log per line.
>
> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The
> Windows Filtering Platform blocked a packet. Application Information:
> Process ID: 0 Application Name: - Network Information: Direction: %%14592
> Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8
> Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID:
> 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no
> domain: workstation: The Windows Filtering Platform blocked a packet.
> Application Information: Process ID: 0 Application Name: - Network
> Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143
> Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter
> Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time
> ID: 13'
>        hostname: 'securityonion'
>        program_name: '(null)'
>        log: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The
> Windows Filtering Platform blocked a packet. Application Information:
> Process ID: 0 Application Name: - Network Information: Direction: %%14592
> Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8
> Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID:
> 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        srcip: '1.2.3.4'
>        dstip: '5.6.7.8'
>
> **Rule debugging:
>     Trying rule: 6 - Generic template for all windows rules.
>        *Rule 6 matched.
>        *Trying child rules.
>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>     Trying rule: 18100 - Group of windows rules.
>        *Rule 18100 matched.
>        *Trying child rules.
>     Trying rule: 18101 - Windows informational event.
>     Trying rule: 18102 - Windows warning event.
>     Trying rule: 18104 - Windows audit success event.
>     Trying rule: 18103 - Windows error event.
>     Trying rule: 18105 - Windows audit failure event.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18100'
>        Level: '0'
>        Description: 'Group of windows rules.'
> -------------
>
> This is Phase 2 without those additional decoders:
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_FAILURE'
>        id: '5152'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: '(no user)'
>        system_name: 'workstation'
>
> Do your decoders still inherit the matching of those fields and logtest just
> doesn't show this?
>

It works on mine:
**Phase 1: Completed pre-decoding.
       full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: workstation: The Windows Filtering Platform blocked a
packet. Application Information: Process ID: 0 Application Name: -
Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
%%14597 Layer Run-Time ID: 13'
       hostname: 'ix'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
workstation: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'workstation'
       srcip: '1.2.3.4'
       dstip: '5.6.7.8'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.

Which version are you using?

Here's a clean room test, before the additions:
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: workstation: The Windows Filtering Platform blocked a
packet. Application Information: Process ID: 0 Application Name: -
Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
%%14597 Layer Run-Time ID: 13'
       hostname: 'ossec-test'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
workstation: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'workstation'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.


After the additions:
**Phase 1: Completed pre-decoding.
       full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: workstation: The Windows Filtering Platform blocked a
packet. Application Information: Process ID: 0 Application Name: -
Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
%%14597 Layer Run-Time ID: 13'
       hostname: 'ossec-test'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
workstation: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'workstation'
       srcip: '1.2.3.4'
       dstip: '5.6.7.8'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.


This was using the latest code in GitHub.


>
>
> On 7/5/2017 6:51 PM, dan (ddp) wrote:
>>
>> On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown <zestys...@gmail.com> wrote:
>>>
>>> There is a decoder that isn't quite handling some log entries the way I
>>> need.  I want to augment an existing decoder, but apparently I'm not doing
>>> this correctly.
>>> Here's an example log entry:
>>> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152):
>>> Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The
>>> Windows Filtering Platform blocked a packet. Application Information:
>>> Process ID: 0 Application Name: - Network Information: Direction: %%14592
>>> Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8
>>> Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID:
>>> 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>>>
>>> Using this as a guide:
>>>
>>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html
>>>
>>> I've created a new decoder that inherits from this existing one:
>>>
>>> <decoder name="windows">
>>>    <type>windows</type>
>>>    <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
>>>    <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>>>    <regex>(\.+): \.+: (\S+): </regex>
>>>    <order>status, id, extra_data, user, system_name</order>
>>>    <fts>name, location, user, system_name</fts>
>>> </decoder>
>>>
>>> I've tried a number of different versions of this -- below was my last
>>> attempt:
>>>
>>> <decoder name="windows-filtering-platform">
>>>    <parent>windows</parent>
>>>    <prematch offset="after_parent">The Windows Filtering Platform</prematch>
>>>    <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>>>    <regex>(\.+): \.+: (\S+): Thee Windows Filtering Platform</regex>
>>>    <regex>Source Address: (\S+) Source Port: (\d+) Destination Address: (\S+) Destination Port: (\d+)</regex>
>>>    <order>status, id, extra_data, user, system_name, srcip, srcport, dstip, dstport</order>
>>> </decoder>
>>>
>>> All I'm trying to do is match for the source and destination information
>>> that's in these particular log entries.  However, when I added my decoder,
>>> it "took over" for all the windows decoder matches instead of just for the
>>> log entries I was hoping to match against -- any log entry that contained
>>> "The Windows Filtering Platform."
>>>
>>> On top of that, my decoder's regex doesn't seem to be matching any of the
>>> fields -- phase 2 just states:
>>>
>>> **Phase 2: Completed decoding.
>>>         decoder: 'windows'
>>>
>>> instead of at least:
>>> **Phase 2: Completed decoding.
>>>         decoder: 'windows'
>>>         status: 'AUDIT_FAILURE'
>>>         id: '5152'
>>>         extra_data: 'Microsoft-Windows-Security-Auditing'
>>>         dstuser: '(no user)'
>>>         system_name: 'workstation'
>>>
>>> How far off the rails am I in achieving the solution I'm looking for?
>>>
>> Adding these 2 decoders gives me the source and destination IP addresses:
>> <decoder name="windows1">
>>    <parent>windows</parent>
>>    <regex>Source Address: (\S+)</regex>
>>    <order>srcip</order>
>> </decoder>
>>
>> <decoder name="windows1">
>>    <parent>windows</parent>
>>    <regex>Destination Address: (\S+) </regex>
>>    <order>dstip</order>
>> </decoder>
>>
>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to ossec-list+unsubscr...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
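An added example, not code from this thread or from the OSSEC project: a small Python emulation of the field extraction that the stock "windows" decoder plus dan's two child decoders perform on the event 5152 line discussed above. The OSSEC patterns are translated by hand into Python `re` syntax (OSSEC's `\.` becomes `.`, and non-greedy quantifiers reproduce the field boundaries logtest shows), so it approximates OSSEC's own matcher rather than replacing ossec-logtest. The two sample lines are constructed; the 4624 line in particular is made up to show that a child decoder with no prematch simply contributes nothing when its regex does not match. The merged parent+child result is the one dan's logtest run shows; Ian's run produced only srcip/dstip, and dan asked which version he was on.

```python
# Added example (not from the ossec-list thread or OSSEC): emulate the
# "windows" parent decoder and dan's two child decoders in Python.
import re

# Constructed sample input: the event line from the thread, as fed to logtest.
WFP_SAMPLE = (
    "2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: "
    "The Windows Filtering Platform blocked a packet. Application Information: "
    "Process ID: 0 Application Name: - Network Information: Direction: %%14592 "
    "Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 "
    "Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: "
    "93069 Layer Name: %%14597 Layer Run-Time ID: 13"
)
# Constructed sample input: a made-up Windows event with no network fields,
# to show the child decoders add nothing when their regex does not match.
LOGON_SAMPLE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: workstation: An account was successfully logged on."
)

# Stock "windows" decoder: prematch, then its two <regex> elements joined into
# one pattern (OSSEC concatenates them). Its <order> maps "user" onto dstuser,
# as the logtest output in the thread shows.
PARENT_PREMATCH = re.compile(r"^(?:\d{4} \w{3} \d\d \d\d:\d\d:\d\d )?WinEvtLog: ")
PARENT_REGEX = re.compile(
    r"^.+?: (\w+)\((\d+)\): (.+?): "  # status, id, extra_data
    r"(.+?): .+?: (\S+): "            # user, domain (not captured), system_name
)
PARENT_ORDER = ("status", "id", "extra_data", "dstuser", "system_name")

# dan's two child decoders (both named "windows1" in the thread): no prematch,
# one capture each, applied to the same text the parent regex saw.
CHILD_DECODERS = (
    (re.compile(r"Source Address: (\S+)"), ("srcip",)),
    (re.compile(r"Destination Address: (\S+) "), ("dstip",)),
)


def decode(line):
    """Emulate parent+child decoding of one WinEvtLog line.

    Returns None when the "windows" prematch fails (OSSEC would move on to
    another decoder), otherwise a dict in the spirit of logtest's Phase 2
    output. Parent and child fields are merged, which is what dan's logtest
    run in the thread shows.
    """
    pre = PARENT_PREMATCH.match(line)
    if not pre:
        return None
    rest = line[pre.end():]          # what offset="after_prematch" sees
    fields = {"decoder": "windows"}
    parent = PARENT_REGEX.match(rest)
    if parent:
        fields.update(zip(PARENT_ORDER, parent.groups()))
    for regex, order in CHILD_DECODERS:
        child = regex.search(rest)   # child regexes are unanchored
        if child:
            fields.update(zip(order, child.groups()))
    return fields


def phase2(fields):
    """Render a decode result in the layout ossec-logtest uses for Phase 2."""
    lines = ["**Phase 2: Completed decoding."]
    lines += [f"       {key}: '{value}'" for key, value in fields.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (WFP_SAMPLE, LOGON_SAMPLE):
        print(phase2(decode(sample)))
        print()
```

Running it prints a Phase 2 block for each sample; the 5152 line yields status, id, extra_data, dstuser and system_name from the parent plus srcip and dstip from the children, while the 4624 line yields only the parent fields. Anything the OSSEC engine does differently (its regex dialect is its own) will not show up here, so confirm the real result with ossec-logtest as dan did.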