On Thu, Jul 6, 2017 at 9:52 PM, Ian Brown <zestys...@gmail.com> wrote:
> Dan,
>
> Apparently it isn't compatible:
>
> ../bin/ossec-logtest -v
> 2017/07/07 01:50:33 ossec-analysisd: Invalid element 'accumulate' for decoder 'decoder'
> 2017/07/07 01:50:33 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
>

Good to know.
You could try taking the windows decoders out of the newer decoder.xml
file, but that might be a lot of work for little benefit.

>
>
> On 7/6/2017 6:48 PM, dan (ddp) wrote:
>>
>> On Thu, Jul 6, 2017 at 9:08 PM, Ian Brown <zestys...@gmail.com> wrote:
>>>
>>> Dan,
>>>
>>> It's what comes in SecurityOnion's latest iso
>>> (securityonion-14.04.5.2.iso).
>>>
>>> ./ossec-logtest -V
>>>
>>> OSSEC HIDS v2.8 - Trend Micro Inc.
>>>
>>> This program is free software; you can redistribute it and/or modify
>>> it under the terms of the GNU General Public License (version 2) as
>>> published by the Free Software Foundation. For more details, go to
>>> http://www.ossec.net/main/license/
>>>
>>> I tried "apt-file search /var/ossec/bin/ossec-logtest" to see if a package
>>> owns it, but that program returned no results, so I'm going to assume it has
>>> been compiled from source.
>>>
>> 2.8 is good enough info. I don't have anything that old to test
>> unfortunately.
>> You could backup your decoder.xml and local_decoder.xml files and
>> download the latest decoders.
>> I think they should be compatible, and you can test them quickly with
>> ossec-logtest without restarting OSSEC.
>>
>>>
>>> On 7/6/2017 5:47 PM, dan (ddp) wrote:
>>>>
>>>> On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown <zestys...@gmail.com> wrote:
>>>>>
>>>>> Dan, that matches for the source and destination IP addresses, but if I
>>>>> understand logtest's "Phase 2" output correctly, using those additional
>>>>> decoders drops all the other things that the original windows decoder found:
>>>>>
>>>>> ---------------------------
>>>>>
>>>>> # ./ossec-logtest -v
>>>>> 2017/07/06 02:19:12 ossec-testrule: INFO: Reading local decoder file.
>>>>> 2017/07/06 02:19:12 ossec-testrule: INFO: Started (pid: 4227).
>>>>> ossec-testrule: Type one log per line.
>>>>>
>>>>> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>>>>>
>>>>>
>>>>> **Phase 1: Completed pre-decoding.
>>>>>          full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>>>>> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no
>>>>> domain: workstation: The Windows Filtering Platform blocked a packet.
>>>>> Application Information: Process ID: 0 Application Name: - Network
>>>>> Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
>>>>> 143
>>>>> Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter
>>>>> Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer
>>>>> Run-Time
>>>>> ID: 13'
>>>>>          hostname: 'securityonion'
>>>>>          program_name: '(null)'
>>>>>          log: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>>>>> AUDIT_FAILURE(5152):
>>>>> Microsoft-Windows-Security-Auditing: (no user): no domain: workstation:
>>>>> The
>>>>> Windows Filtering Platform blocked a packet. Application Information:
>>>>> Process ID: 0 Application Name: - Network Information: Direction:
>>>>> %%14592
>>>>> Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8
>>>>> Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time
>>>>> ID:
>>>>> 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
>>>>>
>>>>> **Phase 2: Completed decoding.
>>>>>          decoder: 'windows'
>>>>>          srcip: '1.2.3.4'
>>>>>          dstip: '5.6.7.8'
>>>>>
>>>>> **Rule debugging:
>>>>>       Trying rule: 6 - Generic template for all windows rules.
>>>>>          *Rule 6 matched.
>>>>>          *Trying child rules.
>>>>>       Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>>>>>       Trying rule: 18100 - Group of windows rules.
>>>>>          *Rule 18100 matched.
>>>>>          *Trying child rules.
>>>>>       Trying rule: 18101 - Windows informational event.
>>>>>       Trying rule: 18102 - Windows warning event.
>>>>>       Trying rule: 18104 - Windows audit success event.
>>>>>       Trying rule: 18103 - Windows error event.
>>>>>       Trying rule: 18105 - Windows audit failure event.
>>>>>
>>>>> **Phase 3: Completed filtering (rules).
>>>>>          Rule id: '18100'
>>>>>          Level: '0'
>>>>>          Description: 'Group of windows rules.'
>>>>> -------------
>>>>>
>>>>> This is Phase 2 without those additional decoders:
>>>>>
>>>>> **Phase 2: Completed decoding.
>>>>>          decoder: 'windows'
>>>>>          status: 'AUDIT_FAILURE'
>>>>>          id: '5152'
>>>>>          extra_data: 'Microsoft-Windows-Security-Auditing'
>>>>>          dstuser: '(no user)'
>>>>>          system_name: 'workstation'
>>>>>
>>>>> Do your decoders still inherit the matching of those fields and logtest just
>>>>> doesn't show this?
>>>>>
>>>> It works on mine:
>>>> **Phase 1: Completed pre-decoding.
>>>>          full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>>>> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
>>>> no domain: workstation: The Windows Filtering Platform blocked a
>>>> packet. Application Information: Process ID: 0 Application Name: -
>>>> Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
>>>> Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
>>>> Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
>>>> %%14597 Layer Run-Time ID: 13'
>>>>          hostname: 'ix'
>>>>          program_name: 'WinEvtLog'
>>>>          log: 'Security: AUDIT_FAILURE(5152):
>>>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>>>> workstation: The Windows Filtering Platform blocked a packet.
>>>> Application Information: Process ID: 0 Application Name: - Network
>>>> Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
>>>> 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
>>>> Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
>>>> Layer Run-Time ID: 13'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>          decoder: 'windows'
>>>>          status: 'AUDIT_FAILURE'
>>>>          id: '5152'
>>>>          extra_data: 'Microsoft-Windows-Security-Auditing'
>>>>          dstuser: '(no user)'
>>>>          system_name: 'workstation'
>>>>          srcip: '1.2.3.4'
>>>>          dstip: '5.6.7.8'
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>>          Rule id: '18105'
>>>>          Level: '4'
>>>>          Description: 'Windows audit failure event.'
>>>> **Alert to be generated.
>>>>
>>>> Which version are you using?
>>>>
>>>> Here's a clean room test, before the additions:
>>>> ossec-testrule: Type one log per line.
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>          full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>>>> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
>>>> no domain: workstation: The Windows Filtering Platform blocked a
>>>> packet. Application Information: Process ID: 0 Application Name: -
>>>> Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
>>>> Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
>>>> Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
>>>> %%14597 Layer Run-Time ID: 13'
>>>>          hostname: 'ossec-test'
>>>>          program_name: 'WinEvtLog'
>>>>          log: 'Security: AUDIT_FAILURE(5152):
>>>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>>>> workstation: The Windows Filtering Platform blocked a packet.
>>>> Application Information: Process ID: 0 Application Name: - Network
>>>> Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
>>>> 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
>>>> Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
>>>> Layer Run-Time ID: 13'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>          decoder: 'windows'
>>>>          status: 'AUDIT_FAILURE'
>>>>          id: '5152'
>>>>          extra_data: 'Microsoft-Windows-Security-Auditing'
>>>>          dstuser: '(no user)'
>>>>          system_name: 'workstation'
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>>          Rule id: '18105'
>>>>          Level: '4'
>>>>          Description: 'Windows audit failure event.'
>>>> **Alert to be generated.
>>>>
>>>>
>>>> After the additions:
>>>> **Phase 1: Completed pre-decoding.
>>>>          full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>>>> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
>>>> no domain: workstation: The Windows Filtering Platform blocked a
>>>> packet. Application Information: Process ID: 0 Application Name: -
>>>> Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
>>>> Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
>>>> Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
>>>> %%14597 Layer Run-Time ID: 13'
>>>>          hostname: 'ossec-test'
>>>>          program_name: 'WinEvtLog'
>>>>          log: 'Security: AUDIT_FAILURE(5152):
>>>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>>>> workstation: The Windows Filtering Platform blocked a packet.
>>>> Application Information: Process ID: 0 Application Name: - Network
>>>> Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
>>>> 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
>>>> Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
>>>> Layer Run-Time ID: 13'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>          decoder: 'windows'
>>>>          status: 'AUDIT_FAILURE'
>>>>          id: '5152'
>>>>          extra_data: 'Microsoft-Windows-Security-Auditing'
>>>>          dstuser: '(no user)'
>>>>          system_name: 'workstation'
>>>>          srcip: '1.2.3.4'
>>>>          dstip: '5.6.7.8'
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>>          Rule id: '18105'
>>>>          Level: '4'
>>>>          Description: 'Windows audit failure event.'
>>>> **Alert to be generated.
>>>>
>>>>
>>>> This was using the latest code in github.
>>>>
>>>>
>>>>> On 7/5/2017 6:51 PM, dan (ddp) wrote:
>>>>>>
>>>>>> On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown <zestys...@gmail.com> wrote:
>>>>>>>
>>>>>>> There is a decoder that isn't quite handling some log entries the way I
>>>>>>> need.  I want to augment an existing decoder, but apparently I'm not doing
>>>>>>> this correctly.
>>>>>>> Here's an example log entry:
>>>>>>> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>>>>>>>
>>>>>>> Using this as a guide:
>>>>>>>
>>>>>>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html
>>>>>>>
>>>>>>> I've created a new decoder that inherits from this existing one:
>>>>>>>
>>>>>>> <decoder name="windows">
>>>>>>>      <type>windows</type>
>>>>>>>      <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
>>>>>>>      <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>>>>>>>      <regex>(\.+): \.+: (\S+): </regex>
>>>>>>>      <order>status, id, extra_data, user, system_name</order>
>>>>>>>      <fts>name, location, user, system_name</fts>
>>>>>>> </decoder>
>>>>>>>
>>>>>>> I've tried a number of different versions of this -- below was my last
>>>>>>> attempt:
>>>>>>>
>>>>>>> <decoder name="windows-filtering-platform">
>>>>>>>      <parent>windows</parent>
>>>>>>>      <prematch offset="after_parent">The Windows Filtering Platform</prematch>
>>>>>>>      <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>>>>>>>      <regex>(\.+): \.+: (\S+): Thee Windows Filtering Platform</regex>
>>>>>>>      <regex>Source Address: (\S+) Source Port: (\d+) Destination Address: (\S+) Destination Port: (\d+)</regex>
>>>>>>>      <order>status, id, extra_data, user, system_name, srcip, srcport, dstip, dstport</order>
>>>>>>> </decoder>
>>>>>>>
>>>>>>> All I'm trying to do is match for the source and destination information
>>>>>>> that's in these particular log entries.  However, when I added my decoder,
>>>>>>> it "took over" for all the windows decoder matches instead of just for the
>>>>>>> log entries I was hoping to match against -- any log entry that contained
>>>>>>> "The Windows Filtering Platform."
>>>>>>>
>>>>>>> On top of that, my decoder's regex doesn't seem to be matching any of the
>>>>>>> fields -- phase 2 just states:
>>>>>>>
>>>>>>> **Phase 2: Completed decoding.
>>>>>>>           decoder: 'windows'
>>>>>>>
>>>>>>> instead of at least:
>>>>>>> **Phase 2: Completed decoding.
>>>>>>>           decoder: 'windows'
>>>>>>>           status: 'AUDIT_FAILURE'
>>>>>>>           id: '5152'
>>>>>>>           extra_data: 'Microsoft-Windows-Security-Auditing'
>>>>>>>           dstuser: '(no user)'
>>>>>>>           system_name: 'workstation'
>>>>>>>
>>>>>>> How far off the rails am I in achieving the solution I'm looking for?
>>>>>>>
>>>>>> Adding these 2 decoders gives me the source and destination IP addresses:
>>>>>> <decoder name="windows1">
>>>>>>      <parent>windows</parent>
>>>>>>      <regex>Source Address: (\S+)</regex>
>>>>>>      <order>srcip</order>
>>>>>> </decoder>
>>>>>>
>>>>>> <decoder name="windows1">
>>>>>>      <parent>windows</parent>
>>>>>>      <regex>Destination Address: (\S+) </regex>
>>>>>>      <order>dstip</order>
>>>>>> </decoder>
>>>>>>
>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
>>>>>>> For more options, visit https://groups.google.com/d/optout.
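To make the decoder chain in this thread concrete, here is an added Python simulation (not OSSEC code and not from anyone in the thread): it runs the parent `windows` decoder and dan's two `windows1` children over the 5152 event and returns the Phase 2 fields. The translation of OSSEC's regex syntax into Python and the rule that every matching child contributes its fields are my assumptions, approximations of what the real engine does.

```python
import re
# Constructed, abridged sample: the WinEvtLog 5152 event from the thread.
SAMPLE = ("2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): "
          "Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: "
          "The Windows Filtering Platform blocked a packet. Direction: %%14592 "
          "Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 "
          "Destination Port: 2619 Protocol: 6")
# The thread's decoders: the parent (its two <regex> elements joined, as OSSEC
# concatenates them) and dan's two same-named children.
DECODERS = [
    {"name": "windows", "parent": None,
     "prematch": r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ",
     "regex": r"^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): ",
     "order": ["status", "id", "extra_data", "user", "system_name"]},
    {"name": "windows1", "parent": "windows",
     "regex": r"Source Address: (\S+)", "order": ["srcip"]},
    {"name": "windows1", "parent": "windows",
     "regex": r"Destination Address: (\S+) ", "order": ["dstip"]},
]

def ossec_to_py(pat):
    """Approximate OSSEC regex syntax in Python (my assumption, not OSSEC's engine):
    '\\.' is any char, a bare '.' is literal, '+'/'*' are lazy unless trailing."""
    out, i = [], 0
    while i < len(pat):
        c = pat[i]
        if c == "\\" and i + 1 < len(pat):          # \. \d \w \S \( ...
            c, i = ("." if pat[i + 1] == "." else c + pat[i + 1]), i + 1
        elif c == ".":
            c = "\\."
        elif c in "+*" and pat[i + 1:].strip(")"):  # lazy unless nothing follows
            c += "?"
        out.append(c)
        i += 1
    return "".join(out)

def decode(line, decoders=DECODERS):
    """Phase 2 of ossec-logtest, simplified (my assumption): first parent whose
    prematch hits, then every child whose regex hits adds its fields."""
    for d in (p for p in decoders if p["parent"] is None):
        m = re.search(ossec_to_py(d["prematch"]), line)
        if not m:
            continue
        rest, fields = line[m.end():], {"decoder": d["name"]}  # after_prematch
        for dec in [d] + [c for c in decoders if c["parent"] == d["name"]]:
            hit = re.search(ossec_to_py(dec["regex"]), rest)
            if hit:
                fields.update(zip(dec["order"], hit.groups()))
        return fields
    return {}
```

Run `decode(SAMPLE)` to see the same status, id, extra_data, user, system_name, srcip and dstip fields that dan's logtest output shows; `decode("not a windows event")` returns an empty dict because no parent prematch hits.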
