Ah, here's the info:

dpkg -s ossec-hids-server
Package: ossec-hids-server
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 6509
Maintainer: Doug Burks
Architecture: amd64
Version: 2.8.2-ubuntu10securityonion3
Depends: libssl1.0.0 | libssl0.9.8, libgeoip1, geoip-database, wget
Pre-Depends: debconf (>= 0.2.17) | debconf-2.0
Conflicts: ossec-hids-agent, ossec-hids-local
Conffiles:
 /etc/ossec-init.conf 9dddd7280d0ac9ffc13ba68f42051881
 /etc/init.d/ossec-hids-server d87575d8ab2b2be4494be416ea68edc5
Description: Open Source Security, Host-Based Intrusion Detection System
 It performs log analysis, integrity checking, Windows registry monitoring,
 rootkit detection, real-time alerting and active response.
 This is the server version.
Homepage: http://www.ossec.net

On Thursday, July 6, 2017 at 6:09:03 PM UTC-7, Ian Brown wrote:
> Dan,
>
> It's what comes in SecurityOnion's latest iso (securityonion-14.04.5.2.iso).
>
> ./ossec-logtest -V
>
> OSSEC HIDS v2.8 - Trend Micro Inc.
>
> This program is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License (version 2) as
> published by the Free Software Foundation. For more details, go to
> http://www.ossec.net/main/license/
>
> I tried "apt-file search /var/ossec/bin/ossec-logtest" to see if a
> package owns it, but that program returned no results, so I'm going to
> assume it has been compiled from source.
>
> On 7/6/2017 5:47 PM, dan (ddp) wrote:
> > On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown wrote:
> > > Dan, that matches for the source and destination IP addresses, but if I
> > > understand logtest's "Phase 2" output correctly, using those additional
> > > decoders drops all the other things that the original windows decoder
> > > found:
> > >
> > > ---------------------------
> > >
> > > # ./ossec-logtest -v
> > > 2017/07/06 02:19:12 ossec-testrule: INFO: Reading local decoder file.
> > > 2017/07/06 02:19:12 ossec-testrule: INFO: Started (pid: 4227).
> > > ossec-testrule: Type one log per line.
> > >
> > > 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
> > >
> > >
> > > **Phase 1: Completed pre-decoding.
> > >        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> > >        hostname: 'securityonion'
> > >        program_name: '(null)'
> > >        log: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> > >
> > > **Phase 2: Completed decoding.
> > >        decoder: 'windows'
> > >        srcip: '1.2.3.4'
> > >        dstip: '5.6.7.8'
> > >
> > > **Rule debugging:
> > >     Trying rule: 6 - Generic template for all windows rules.
> > >        *Rule 6 matched.
> > >        *Trying child rules.
> > >     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
> > >     Trying rule: 18100 - Group of windows rules.
> > >        *Rule 18100 matched.
> > >        *Trying child rules.
> > >     Trying rule: 18101 - Windows informational event.
> > >     Trying rule: 18102 - Windows warning event.
> > >     Trying rule: 18104 - Windows audit success event.
> > >     Trying rule: 18103 - Windows error event.
> > >     Trying rule: 18105 - Windows audit failure event.
> > >
> > > **Phase 3: Completed filtering (rules).
> > >        Rule id: '18100'
> > >        Level: '0'
> > >        Description: 'Group of windows rules.'
> > > -------------
> > >
> > > This is Phase 2 without those additional decoders:
> > >
> > > **Phase 2: Completed decoding.
> > >        decoder: 'windows'
> > >        status: 'AUDIT_FAILURE'
> > >        id: '5152'
> > >        extra_data: 'Microsoft-Windows-Security-Auditing'
> > >        dstuser: '(no user)'
> > >        system_name: 'workstation'
> > >
> > > Do your decoders still inherit the matching of those fields and logtest
> > > just doesn't show this?
> > >
> > It works on mine:
> > **Phase 1: Completed pre-decoding.
> >        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >        hostname: 'ix'
> >        program_name: 'WinEvtLog'
> >        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'windows'
> >        status: 'AUDIT_FAILURE'
> >        id: '5152'
> >        extra_data: 'Microsoft-Windows-Security-Auditing'
> >        dstuser: '(no user)'
> >        system_name: 'workstation'
> >        srcip: '1.2.3.4'
> >        dstip: '5.6.7.8'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '18105'
> >        Level: '4'
> >        Description: 'Windows audit failure event.'
> > **Alert to be generated.
> >
> > Which version are you using?
> >
> > Here's a clean room test, before the additions:
> > ossec-testrule: Type one log per line.
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >        hostname: 'ossec-test'
> >        program_name: 'WinEvtLog'
> >        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'windows'
> >        status: 'AUDIT_FAILURE'
> >        id: '5152'
> >        extra_data: 'Microsoft-Windows-Security-Auditing'
> >        dstuser: '(no user)'
> >        system_name: 'workstation'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '18105'
> >        Level: '4'
> >        Description: 'Windows audit failure event.'
> > **Alert to be generated.
> >
> >
> > After the additions:
> > **Phase 1: Completed pre-decoding.
> >        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >        hostname: 'ossec-test'
> >        program_name: 'WinEvtLog'
> >        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'windows'
> >        status: 'AUDIT_FAILURE'
> >        id: '5152'
> >        extra_data: 'Microsoft-Windows-Security-Auditing'
> >        dstuser: '(no user)'
> >        system_name: 'workstation'
> >        srcip: '1.2.3.4'
> >        dstip: '5.6.7.8'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '18105'
> >        Level: '4'
> >        Description: 'Windows audit failure event.'
> > **Alert to be generated.
> >
> >
> > This was using the latest code in github.
> >
> > >
> > > On 7/5/2017 6:51 PM, dan (ddp) wrote:
> > > > On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown wrote:
> > > > > There is a decoder that isn't quite handling some log entries the way I
> > > > > need. I want to augment an existing decoder, but apparently I'm not doing
> > > > > this correctly.
> > > > > Here's an example log entry:
> > > > > 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
> > > > >
> > > > > Using this as a guide:
> > > > >
> > > > > http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html
> > > > >
> > > > > I've created a new decoder that inherits from this existing one:
> > > > >
> > > > > <decoder name="windows">
> > > > >   <type>windows</type>
> > > > >   <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
> > > > >   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
> > > > >   <regex>(\.+): \.+: (\S+): </regex>
> > > > >   <order>status, id, extra_data, user, system_name</order>
> > > > >   <fts>name, location, user, system_name</fts>
> > > > > </decoder>
> > > > >
> > > > > I've tried a number of different versions of this -- below was my last
> > > > > attempt:
> > > > >
> > > > > <decoder name="windows-filtering-platform">
> > > > >   <parent>windows</parent>
> > > > >   <prematch offset="after_parent">The Windows Filtering Platform</prematch>
> > > > >   <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
> > > > >   <regex>(\.+): \.+: (\S+): Thee Windows Filtering Platform</regex>
> > > > >   <regex>Source Address: (\S+) Source Port: (\d+) Destination Address: (\S+) Destination Port: (\d+)</regex>
> > > > >   <order>status, id, extra_data, user, system_name, srcip, srcport, dstip, dstport</order>
> > > > > </decoder>
> > > > >
> > > > > All I'm trying to do is match for the source and destination information
> > > > > that's in these particular log entries. However, when I added my decoder,
> > > > > it "took over" for all the windows decoder matches instead of just for the
> > > > > log entries I was hoping to match against -- any log entry that contained
> > > > > "The Windows Filtering Platform."
> > > > >
> > > > > On top of that, my decoder's regex doesn't seem to be matching any of the
> > > > > fields -- phase 2 just states:
> > > > >
> > > > > **Phase 2: Completed decoding.
> > > > >        decoder: 'windows'
> > > > >
> > > > > instead of at least:
> > > > > **Phase 2: Completed decoding.
> > > > >        decoder: 'windows'
> > > > >        status: 'AUDIT_FAILURE'
> > > > >        id: '5152'
> > > > >        extra_data: 'Microsoft-Windows-Security-Auditing'
> > > > >        dstuser: '(no user)'
> > > > >        system_name: 'workstation'
> > > > >
> > > > > How far off the rails am I in achieving the solution I'm looking for?
> > > > >
> > > > Adding these 2 decoders gives me the source and destination IP addresses:
> > > > <decoder name="windows1">
> > > >   <parent>windows</parent>
> > > >   <regex>Source Address: (\S+)</regex>
> > > >   <order>srcip</order>
> > > > </decoder>
> > > >
> > > > <decoder name="windows1">
> > > >   <parent>windows</parent>
> > > >   <regex>Destination Address: (\S+) </regex>
> > > >   <order>dstip</order>
> > > > </decoder>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
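A small Python model of the decoder logic this thread exercises, added here as an illustration; it is not OSSEC's code and not part of anyone's post. It runs the "windows" parent decoder Ian quoted and dan's two "windows1" children over Ian's sample line and reproduces the Phase 2 field set dan reports from the current GitHub code. Assumptions, labelled in the comments: an OSSEC quantifier stops where the next token matches (and consumes to the end when nothing follows), several <regex> elements in one decoder are concatenated, and after a child matches the next child is only evaluated if it shares that child's name.

```python
import re
# Added model of OSSEC decoder matching, not OSSEC's code. Assumes: a quantifier stops
# where the next token matches, <regex> elements concatenate, same-named children chain.
CLASSES = {"w": r"[A-Za-z0-9@^_\-]", "W": r"[^A-Za-z0-9@^_\-]", "d": r"[0-9]",
           "D": r"[^0-9]", "s": r" ", "S": r"[^ ]", "t": r"\t", ".": r"."}

def ossec_to_python(pattern):  # translate OSSEC OS_Regex syntax into a Python re pattern
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):  # \w \d \S \. or an escaped literal
            out.append(CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 1
        elif c in "+*":  # lazy, unless only ')' or '$' follows (then consume to the end)
            out.append(c + ("?" if pattern[i + 1:].strip(")$") else ""))
        else:  # grouping and anchors keep their meaning; everything else is literal
            out.append(c if c in "()|^$" else re.escape(c))
        i += 1
    return "".join(out)

def run_regex(decoder, text):  # concatenated <regex> -> {field: value} or None
    m = re.search(ossec_to_python("".join(decoder["regex"])), text)
    return dict(zip(decoder["order"], m.groups())) if m else None

def decode(log, parent, children):  # emulate logtest Phase 2 for one parent decoder
    pre = re.search(ossec_to_python(parent["prematch"]), log)
    if not pre:
        return {}
    fields = {"decoder": parent["name"]}
    fields.update(run_regex(parent, log[pre.end():]) or {})  # offset="after_prematch"
    for i, child in enumerate(children):
        got = run_regex(child, log)  # no offset: a child sees the whole log line
        if got:
            fields.update(got)
            if i + 1 == len(children) or children[i + 1]["name"] != child["name"]:
                break  # a following child with the same name is also evaluated
    return fields

# The "windows" parent quoted in the thread and dan's two "windows1" children.
PARENT = {"name": "windows", "order": ["status", "id", "extra_data", "user", "system_name"],
          "prematch": r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ",
          "regex": [r"^\.+: (\w+)\((\d+)\): (\.+): ", r"(\.+): \.+: (\S+): "]}
CHILDREN = [{"name": "windows1", "regex": [r"Source Address: (\S+)"], "order": ["srcip"]},
            {"name": "windows1", "regex": [r"Destination Address: (\S+) "], "order": ["dstip"]}]
# Ian's sample line from the thread, as ossec-logtest saw it on his box (timestamp kept).
LOG = ("2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-"
       "Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. "
       "Application Information: Process ID: 0 Application Name: - Network Information: Direction: "
       "%%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination "
       "Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13")
```

`decode(LOG, PARENT, CHILDREN)` returns the parent's five fields plus srcip and dstip; renaming the second child to anything other than "windows1" makes dstip disappear, which is the same-name trick behind dan's two decoders. The model does not explain why the 2.8.2 build on Security Onion drops the parent's fields; it only shows what the decoder definitions themselves yield.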