Hi Ian, changing the decoders could be a harmful process. Keep in mind that if you change something in /var/ossec/rules, it will be overwritten during an update.

Wazuh has created *decoder_exclude* to simulate the *overwrite* option that exists in rules but not in decoders. Take a look at the documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html. There are 3 scenarios:

- Adding new decoders and rules
- Changing an existing rule
- Changing an existing decoder

I hope it helps.

Regards.

On Friday, July 7, 2017 at 3:55:18 AM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Jul 6, 2017 at 9:52 PM, Ian Brown <zest...@gmail.com> wrote:
> > Dan,
> >
> > Apparently it isn't compatible:
> >
> > ../bin/ossec-logtest -v
> > 2017/07/07 01:50:33 ossec-analysisd: Invalid element 'accumulate' for decoder 'decoder'
> > 2017/07/07 01:50:33 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
> >
>
> Good to know.
> You could try taking the windows decoders out of the newer decoder.xml file, but that might be a lot of work for little benefit.
>
> >
> > On 7/6/2017 6:48 PM, dan (ddp) wrote:
> >>
> >> On Thu, Jul 6, 2017 at 9:08 PM, Ian Brown <zest...@gmail.com> wrote:
> >>>
> >>> Dan,
> >>>
> >>> It's what comes in SecurityOnion's latest iso (securityonion-14.04.5.2.iso).
> >>>
> >>> ./ossec-logtest -V
> >>>
> >>> OSSEC HIDS v2.8 - Trend Micro Inc.
> >>>
> >>> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (version 2) as published by the Free Software Foundation. For more details, go to http://www.ossec.net/main/license/
> >>>
> >>> I tried "apt-file search /var/ossec/bin/ossec-logtest" to see if a package owns it, but that program returned no results, so I'm going to assume it has been compiled from source.
> >>>
> >> 2.8 is good enough info. I don't have anything that old to test unfortunately.
> >> You could backup your decoder.xml and local_decoder.xml files and download the latest decoders.
> >> I think they should be compatible, and you can test them quickly with ossec-logtest without restarting OSSEC.
> >>
> >>>
> >>> On 7/6/2017 5:47 PM, dan (ddp) wrote:
> >>>>
> >>>> On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown <zest...@gmail.com> wrote:
> >>>>>
> >>>>> Dan, that matches for the source and destination IP addresses, but if I understand logtest's "Phase 2" output correctly, using those additional decoders drops all the other things that the original windows decoder found:
> >>>>>
> >>>>> ---------------------------
> >>>>>
> >>>>> # ./ossec-logtest -v
> >>>>> 2017/07/06 02:19:12 ossec-testrule: INFO: Reading local decoder file.
> >>>>> 2017/07/06 02:19:12 ossec-testrule: INFO: Started (pid: 4227).
> >>>>> ossec-testrule: Type one log per line.
> >>>>>
> >>>>> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
> >>>>>
> >>>>>
> >>>>> **Phase 1: Completed pre-decoding.
> >>>>>        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>>>>        hostname: 'securityonion'
> >>>>>        program_name: '(null)'
> >>>>>        log: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>>>>
> >>>>> **Phase 2: Completed decoding.
> >>>>>        decoder: 'windows'
> >>>>>        srcip: '1.2.3.4'
> >>>>>        dstip: '5.6.7.8'
> >>>>>
> >>>>> **Rule debugging:
> >>>>>      Trying rule: 6 - Generic template for all windows rules.
> >>>>>      *Rule 6 matched.
> >>>>>      *Trying child rules.
> >>>>>      Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
> >>>>>      Trying rule: 18100 - Group of windows rules.
> >>>>>      *Rule 18100 matched.
> >>>>>      *Trying child rules.
> >>>>>      Trying rule: 18101 - Windows informational event.
> >>>>>      Trying rule: 18102 - Windows warning event.
> >>>>>      Trying rule: 18104 - Windows audit success event.
> >>>>>      Trying rule: 18103 - Windows error event.
> >>>>>      Trying rule: 18105 - Windows audit failure event.
> >>>>>
> >>>>> **Phase 3: Completed filtering (rules).
> >>>>>        Rule id: '18100'
> >>>>>        Level: '0'
> >>>>>        Description: 'Group of windows rules.'
> >>>>> -------------
> >>>>>
> >>>>> This is Phase 2 without those additional decoders:
> >>>>>
> >>>>> **Phase 2: Completed decoding.
> >>>>>        decoder: 'windows'
> >>>>>        status: 'AUDIT_FAILURE'
> >>>>>        id: '5152'
> >>>>>        extra_data: 'Microsoft-Windows-Security-Auditing'
> >>>>>        dstuser: '(no user)'
> >>>>>        system_name: 'workstation'
> >>>>>
> >>>>> Do your decoders still inherit the matching of those fields and logtest just doesn't show this?
> >>>>>
> >>>> It works on mine:
> >>>> **Phase 1: Completed pre-decoding.
> >>>>        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>>>        hostname: 'ix'
> >>>>        program_name: 'WinEvtLog'
> >>>>        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>>>
> >>>> **Phase 2: Completed decoding.
> >>>>        decoder: 'windows'
> >>>>        status: 'AUDIT_FAILURE'
> >>>>        id: '5152'
> >>>>        extra_data: 'Microsoft-Windows-Security-Auditing'
> >>>>        dstuser: '(no user)'
> >>>>        system_name: 'workstation'
> >>>>        srcip: '1.2.3.4'
> >>>>        dstip: '5.6.7.8'
> >>>>
> >>>> **Phase 3: Completed filtering (rules).
> >>>>        Rule id: '18105'
> >>>>        Level: '4'
> >>>>        Description: 'Windows audit failure event.'
> >>>> **Alert to be generated.
> >>>>
> >>>> Which version are you using?
> >>>>
> >>>> Here's a clean room test, before the additions:
> >>>> ossec-testrule: Type one log per line.
> >>>>
> >>>> **Phase 1: Completed pre-decoding.
> >>>>        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>>>        hostname: 'ossec-test'
> >>>>        program_name: 'WinEvtLog'
> >>>>        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>>>
> >>>> **Phase 2: Completed decoding.
> >>>>        decoder: 'windows'
> >>>>        status: 'AUDIT_FAILURE'
> >>>>        id: '5152'
> >>>>        extra_data: 'Microsoft-Windows-Security-Auditing'
> >>>>        dstuser: '(no user)'
> >>>>        system_name: 'workstation'
> >>>>
> >>>> **Phase 3: Completed filtering (rules).
> >>>>        Rule id: '18105'
> >>>>        Level: '4'
> >>>>        Description: 'Windows audit failure event.'
> >>>> **Alert to be generated.
> >>>>
> >>>>
> >>>> After the additions:
> >>>> **Phase 1: Completed pre-decoding.
> >>>>        full event: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>>>        hostname: 'ossec-test'
> >>>>        program_name: 'WinEvtLog'
> >>>>        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>>>
> >>>> **Phase 2: Completed decoding.
> >>>>        decoder: 'windows'
> >>>>        status: 'AUDIT_FAILURE'
> >>>>        id: '5152'
> >>>>        extra_data: 'Microsoft-Windows-Security-Auditing'
> >>>>        dstuser: '(no user)'
> >>>>        system_name: 'workstation'
> >>>>        srcip: '1.2.3.4'
> >>>>        dstip: '5.6.7.8'
> >>>>
> >>>> **Phase 3: Completed filtering (rules).
> >>>>        Rule id: '18105'
> >>>>        Level: '4'
> >>>>        Description: 'Windows audit failure event.'
> >>>> **Alert to be generated.
> >>>>
> >>>>
> >>>> This was using the latest code in github.
> >>>>
> >>>>
> >>>>> On 7/5/2017 6:51 PM, dan (ddp) wrote:
> >>>>>>
> >>>>>> On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown <zest...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> There is a decoder that isn't quite handling some log entries the way I need. I want to augment an existing decoder, but apparently I'm not doing this correctly.
> >>>>>>> Here's an example log entry:
> >>>>>>> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
> >>>>>>>
> >>>>>>> Using this as a guide:
> >>>>>>>
> >>>>>>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html
> >>>>>>>
> >>>>>>> I've created a new decoder that inherits from this existing one:
> >>>>>>>
> >>>>>>> <decoder name="windows">
> >>>>>>>   <type>windows</type>
> >>>>>>>   <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
> >>>>>>>   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
> >>>>>>>   <regex>(\.+): \.+: (\S+): </regex>
> >>>>>>>   <order>status, id, extra_data, user, system_name</order>
> >>>>>>>   <fts>name, location, user, system_name</fts>
> >>>>>>> </decoder>
> >>>>>>>
> >>>>>>> I've tried a number of different versions of this -- below was my last attempt:
> >>>>>>>
> >>>>>>> <decoder name="windows-filtering-platform">
> >>>>>>>   <parent>windows</parent>
> >>>>>>>   <prematch offset="after_parent">The Windows Filtering Platform</prematch>
> >>>>>>>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
> >>>>>>>   <regex>(\.+): \.+: (\S+): Thee Windows Filtering Platform</regex>
> >>>>>>>   <regex>Source Address: (\S+) Source Port: (\d+) Destination Address: (\S+) Destination Port: (\d+)</regex>
> >>>>>>>   <order>status, id, extra_data, user, system_name, srcip, srcport, dstip, dstport</order>
> >>>>>>> </decoder>
> >>>>>>>
> >>>>>>> All I'm trying to do is match for the source and destination information that's in these particular log entries. However, when I added my decoder, it "took over" for all the windows decoder matches instead of just for the log entries I was hoping to match against -- any log entry that contained "The Windows Filtering Platform."
> >>>>>>>
> >>>>>>> On top of that, my decoder's regex doesn't seem to be matching any of the fields -- phase 2 just states:
> >>>>>>>
> >>>>>>> **Phase 2: Completed decoding.
> >>>>>>>        decoder: 'windows'
> >>>>>>>
> >>>>>>> instead of at least:
> >>>>>>> **Phase 2: Completed decoding.
> >>>>>>>        decoder: 'windows'
> >>>>>>>        status: 'AUDIT_FAILURE'
> >>>>>>>        id: '5152'
> >>>>>>>        extra_data: 'Microsoft-Windows-Security-Auditing'
> >>>>>>>        dstuser: '(no user)'
> >>>>>>>        system_name: 'workstation'
> >>>>>>>
> >>>>>>> How far off the rails am I in achieving the solution I'm looking for?
> >>>>>>>
> >>>>>> Adding these 2 decoders gives me the source and destination IP addresses:
> >>>>>> <decoder name="windows1">
> >>>>>>   <parent>windows</parent>
> >>>>>>   <regex>Source Address: (\S+)</regex>
> >>>>>>   <order>srcip</order>
> >>>>>> </decoder>
> >>>>>>
> >>>>>> <decoder name="windows1">
> >>>>>>   <parent>windows</parent>
> >>>>>>   <regex>Destination Address: (\S+) </regex>
> >>>>>>   <order>dstip</order>
> >>>>>> </decoder>
> >>>>>>
> >>>>>>
> >>>>>>> --
> >>>>>>>
> >>>>>>> ---
> >>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> >>>>>>> For more options, visit https://groups.google.com/d/optout.
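The field merge that dan's logtest run shows (the parent `windows` fields plus `srcip`/`dstip` from the two child decoders) can be checked offline before touching a live manager. The Python below is an added example, not code from this thread or from OSSEC/Wazuh: a small emulation that translates the OSSEC regex dialect into Python's (assuming OSSEC's any-character run `\.+` stops as soon as the rest of the pattern matches, so it is emitted lazy), concatenates repeated `<regex>` elements, rejects an `<order>` whose field count differs from the regex's capture-group count, and then runs the parent and dan's children over the sample event. The `<root>` wrapper, the simplified child selection and the field names as they appear in `<order>` (logtest prints `user` as `dstuser`) are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

LOG = ("2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "  # constructed sample from the thread
       "(no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: "
       "Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: "
       "143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: "
       "93069 Layer Name: %%14597 Layer Run-Time ID: 13")
# The stock 'windows' parent and dan's two children, as posted; <root> is added only because ElementTree needs one.
DECODERS = r"""<root><decoder name="windows">
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex><regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order></decoder>
<decoder name="windows1"><parent>windows</parent><regex>Source Address: (\S+)</regex><order>srcip</order></decoder>
<decoder name="windows1"><parent>windows</parent><regex>Destination Address: (\S+) </regex><order>dstip</order></decoder>
</root>"""
CLASSES = {"d": "[0-9]", "w": "[A-Za-z0-9@_-]", "S": r"\S", ".": "."}  # the OSSEC escapes used above

def to_py(pattern):
    # OSSEC dialect -> Python. Assumption: OSSEC's any-char run (backslash-dot plus +) stops once the rest matches, so it is emitted lazy.
    def sub(m):
        esc, quant, ch = m.group(1), m.group(2), m.group(3)
        if esc:                                            # \d \w \S \. or a literal \( \)
            return CLASSES.get(esc[1], esc) + quant + ("?" if esc == r"\." and quant else "")
        return ch if ch in "^$()|+*" else re.escape(ch)    # metacharacters shared by both dialects
    return re.sub(r"(\\.)([+*]?)|(.)", sub, pattern)

def parse_decoders(xml_text):
    # Repeated <regex> elements concatenate (as in OSSEC); <order> must name exactly one field per capture group.
    decoders = []
    for d in ET.fromstring(xml_text).findall("decoder"):
        regex = to_py("".join(r.text or "" for r in d.findall("regex")))
        order = [f.strip() for f in d.findtext("order", "").split(",") if f.strip()]
        if re.compile(regex).groups != len(order):
            raise ValueError(f"{d.get('name')}: {re.compile(regex).groups} capture groups vs {len(order)} fields")
        decoders.append({"name": d.get("name"), "parent": d.findtext("parent"), "order": order,
                         "prematch": to_py(d.findtext("prematch") or "") or None, "regex": regex})
    return decoders

def decode(log, decoders):
    # Like logtest's Phase 2: the first parent whose prematch hits supplies its fields, then every matching child merges its own.
    for parent in (d for d in decoders if d["parent"] is None):
        if m := re.search(parent["prematch"] or "", log):
            rm = re.match(parent["regex"], log[m.end():])          # offset="after_prematch"
            fields = dict(zip(parent["order"], rm.groups())) if rm else {}
            for child in (d for d in decoders if d["parent"] == parent["name"]):
                if cm := re.search(child["regex"], log):
                    fields.update(zip(child["order"], cm.groups()))
            return parent["name"], fields
    return None, {}
```

Swap your own local_decoder.xml content into `DECODERS` to see which fields a child adds and which it leaves to the parent; a mismatched `<order>` is reported before any matching is attempted.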