On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown <zestys...@gmail.com> wrote:
> Dan, that matches for the source and destination IP addresses, but if I
> understand logtest's "Phase 2" output correctly, using those additional
> decoders drops all the other things that the original windows decoder found:
>
> ---------------------------
>
> # ./ossec-logtest -v
> 2017/07/06 02:19:12 ossec-testrule: INFO: Reading local decoder file.
> 2017/07/06 02:19:12 ossec-testrule: INFO: Started (pid: 4227).
> ossec-testrule: Type one log per line.
>
> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
>        hostname: 'securityonion'
>        program_name: '(null)'
>        log: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        srcip: '1.2.3.4'
>        dstip: '5.6.7.8'
>
> **Rule debugging:
>     Trying rule: 6 - Generic template for all windows rules.
>        *Rule 6 matched.
>        *Trying child rules.
>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>     Trying rule: 18100 - Group of windows rules.
>        *Rule 18100 matched.
>        *Trying child rules.
>     Trying rule: 18101 - Windows informational event.
>     Trying rule: 18102 - Windows warning event.
>     Trying rule: 18104 - Windows audit success event.
>     Trying rule: 18103 - Windows error event.
>     Trying rule: 18105 - Windows audit failure event.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18100'
>        Level: '0'
>        Description: 'Group of windows rules.'
> -------------
>
> This is Phase 2 without those additional decoders:
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_FAILURE'
>        id: '5152'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: '(no user)'
>        system_name: 'workstation'
>
> Do your decoders still inherit the matching of those fields and logtest just
> doesn't show this?
>

It works on mine:

**Phase 1: Completed pre-decoding.
       full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'ix'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'workstation'
       srcip: '1.2.3.4'
       dstip: '5.6.7.8'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.

Which version are you using?

Here's a clean room test, before the additions:

ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'ossec-test'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'workstation'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.

After the additions:

**Phase 1: Completed pre-decoding.
       full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'ossec-test'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'workstation'
       srcip: '1.2.3.4'
       dstip: '5.6.7.8'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.

This was using the latest code in github.

> On 7/5/2017 6:51 PM, dan (ddp) wrote:
>>
>> On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown <zestys...@gmail.com> wrote:
>>>
>>> There is a decoder that isn't quite handling some log entries the way I
>>> need. I want to augment an existing decoder, but apparently I'm not doing
>>> this correctly.
>>>
>>> Here's an example log entry:
>>>
>>> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>>>
>>> Using this as a guide:
>>>
>>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html
>>>
>>> I've created a new decoder that inherits from this existing one:
>>>
>>> <decoder name="windows">
>>>   <type>windows</type>
>>>   <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
>>>   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>>>   <regex>(\.+): \.+: (\S+): </regex>
>>>   <order>status, id, extra_data, user, system_name</order>
>>>   <fts>name, location, user, system_name</fts>
>>> </decoder>
>>>
>>> I've tried a number of different versions of this -- below was my last
>>> attempt:
>>>
>>> <decoder name="windows-filtering-platform">
>>>   <parent>windows</parent>
>>>   <prematch offset="after_parent">The Windows Filtering Platform</prematch>
>>>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>>>   <regex>(\.+): \.+: (\S+): Thee Windows Filtering Platform</regex>
>>>   <regex>Source Address: (\S+) Source Port: (\d+) Destination Address: (\S+) Destination Port: (\d+)</regex>
>>>   <order>status, id, extra_data, user, system_name, srcip, srcport, dstip, dstport</order>
>>> </decoder>
>>>
>>> All I'm trying to do is match for the source and destination information
>>> that's in these particular log entries. However, when I added my decoder,
>>> it "took over" for all the windows decoder matches instead of just for the
>>> log entries I was hoping to match against -- any log entry that contained
>>> "The Windows Filtering Platform."
>>>
>>> On top of that, my decoder's regex doesn't seem to be matching any of the
>>> fields -- phase 2 just states:
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'windows'
>>>
>>> instead of at least:
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'windows'
>>>        status: 'AUDIT_FAILURE'
>>>        id: '5152'
>>>        extra_data: 'Microsoft-Windows-Security-Auditing'
>>>        dstuser: '(no user)'
>>>        system_name: 'workstation'
>>>
>>> How far off the rails am I in achieving the solution I'm looking for?
>>>
>> Adding these 2 decoders gives me the source and destination IP addresses:
>>
>> <decoder name="windows1">
>>   <parent>windows</parent>
>>   <regex>Source Address: (\S+)</regex>
>>   <order>srcip</order>
>> </decoder>
>>
>> <decoder name="windows1">
>>   <parent>windows</parent>
>>   <regex>Destination Address: (\S+) </regex>
>>   <order>dstip</order>
>> </decoder>
>>
>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to ossec-list+unsubscr...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
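To make the parent/child behaviour discussed in this thread concrete, here is an added model (not OSSEC's own code and not posted by anyone in the thread) that runs the stock "windows" decoder patterns and dan's two child decoders over the 5152 event. The regexes are Python translations of the OSSEC patterns quoted above (OSSEC's `\.` is Python's `.`), the second sample event is constructed, and the rule that every matching child contributes its fields on top of the parent's is an assumption chosen to reproduce the logtest output shown, not a reading of OSSEC's source.

```python
import re

# Sample events: the 5152 line quoted in the thread, and a constructed
# Windows event with no network section (not from the thread).
WFP_EVENT = (
    "2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: "
    "The Windows Filtering Platform blocked a packet. Application Information: "
    "Process ID: 0 Application Name: - Network Information: Direction: %%14592 "
    "Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 "
    "Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: "
    "93069 Layer Name: %%14597 Layer Run-Time ID: 13")
LOGON_EVENT = (  # constructed sample
    "2017 Jul 03 11:18:00 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: "
    "An account was successfully logged on.")

# Parent "windows" decoder: the prematch consumes the WinEvtLog prefix
# (with or without the timestamp), then the two <regex> elements, which
# OSSEC concatenates, extract the header fields in <order>.
PARENT_PREMATCH = re.compile(r"^(?:\d{4} \w{3} \d\d \d\d:\d\d:\d\d )?WinEvtLog: ")
PARENT_REGEX = re.compile(r"^.+?: (\w+)\((\d+)\): (.+?): (.+?): .+?: (\S+): ")
PARENT_ORDER = ["status", "id", "extra_data", "user", "system_name"]

# dan's two child decoders: each adds a single field when its regex hits.
CHILDREN = [
    (re.compile(r"Source Address: (\S+)"), ["srcip"]),
    (re.compile(r"Destination Address: (\S+) "), ["dstip"]),
]


def decode(event: str) -> dict:
    """Return decoded fields, or {} when the parent prematch does not hit."""
    pre = PARENT_PREMATCH.match(event)
    if not pre:
        return {}
    rest = event[pre.end():]  # offset="after_prematch"
    fields = {"decoder": "windows"}
    m = PARENT_REGEX.match(rest)
    if m:
        fields.update(zip(PARENT_ORDER, m.groups()))
    # Assumed model: children add fields; the parent's fields are kept
    # (this is what dan's "after the additions" logtest run shows).
    for regex, order in CHILDREN:
        c = regex.search(rest)
        if c:
            fields.update(zip(order, c.groups()))
    return fields
```

Running `decode(WFP_EVENT)` yields the parent's five fields plus srcip and dstip, while `decode(LOGON_EVENT)` keeps only the parent's fields because neither child regex matches.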