On Thu, Sep 28, 2017 at 12:35 AM, amar haq <amar....@gmail.com> wrote:
> Hi, I have an OSSEC manager 2.9.2 on Ubuntu and an OSSEC agent on Windows v2.9.0.
> Sysmon is installed and has been configured, and for example I tried to access
> PowerShell (agent's log).
> So I tried to use ossec-logtest and have this result:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017 Sep 28 11:15:28 WinEvtLog:
> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
> UtcTime: 2017-09-28 04:15:28.884  ProcessGuid:
> {6B166207-7760-59CC-0000-0010F1E00800}  ProcessId: 732  Image:
> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine:
> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
> CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  LogonGuid:
> {6B166207-76B9-59CC-0000-0020FDE40100}  LogonId: 0x1e4fd  TerminalSessionId:
> 1  IntegrityLevel: High  Hashes:
> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600}  ParentProcessId:
> 2920  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
> C:\Windows\Explorer.EXE'
>        hostname: 'ubuntu'
>        program_name: 'WinEvtLog'
>        log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
> UtcTime: 2017-09-28 04:15:28.884  ProcessGuid:
> {6B166207-7760-59CC-0000-0010F1E00800}  ProcessId: 732  Image:
> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine:
> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
> CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  LogonGuid:
> {6B166207-76B9-59CC-0000-0020FDE40100}  LogonId: 0x1e4fd  TerminalSessionId:
> 1  IntegrityLevel: High  Hashes:
> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600}  ParentProcessId:
> 2920  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
> C:\Windows\Explorer.EXE'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'INFORMATION'
>        id: '1'
>        extra_data: 'Microsoft-Windows-Sysmon'
>        dstuser: 'SYSTEM'
>        system_name: 'IE11Win7'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '99999'
>        Level: '3'
>        Description: 'Windows Rule Triggered'
> **Alert to be generated.
>
>
> here is sysmon decoder by default:
>
> <decoder name="Sysmon-EventID#1">
> <type>windows</type>
> <prematch>INFORMATION\(1\)</prematch>
> <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User:
> (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S*
> \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S*
> \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
> <order>status,user,url,data</order>
> </decoder>
>

There are a few things in the decoder that don't match the Sysmon
message you posted. You don't have "HashType," and "Hash:" is "Hashes:"
for you, etc. I'll play around with it.

>
>
> As far as I know, there is a Sysmon decoder and Sysmon rules in OSSEC 2.9.2.
> Could anyone help me fix it so the Sysmon decoder and Sysmon rules are
> triggered?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

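The mismatch the reply points at can be checked mechanically. The script below is an added example, not part of the thread and not OSSEC's own code: it approximates OSSEC's regex dialect with Python's `re`, runs the stock decoder pattern quoted above against the logtest line, and then runs a rewritten pattern built on the assumption that the event's single `Hashes:` field (and the `ParentProcessId` spelling visible in the log) is what the regex should match. The escape table and the fixed pattern are assumptions made for this example.

```python
import re

# Constructed from the ossec-logtest output in the thread: the Phase 1 "log:" field,
# unwrapped onto the single line the manager actually receives from the agent.
SYSMON_LOG = (
    r"Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: "
    r"NT AUTHORITY: IE11Win7: Process Create: UtcTime: 2017-09-28 04:15:28.884  "
    r"ProcessGuid: {6B166207-7760-59CC-0000-0010F1E00800}  ProcessId: 732  "
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "
    r'CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"  '
    r"CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  "
    r"LogonGuid: {6B166207-76B9-59CC-0000-0020FDE40100}  LogonId: 0x1e4fd  "
    r"TerminalSessionId: 1  IntegrityLevel: High  Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,"
    r"SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7  "
    r"ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600}  ParentProcessId: 2920  "
    r"ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE"
)

PREMATCH = r"INFORMATION\(1\)"
# The <regex> of the stock Sysmon-EventID#1 decoder quoted in the thread, joined onto one line.
DEFAULT_REGEX = (
    r"Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* "
    r"\s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) "
    r"\s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:"
)
# Assumed fix: this event carries one "Hashes:" field (no HashType/Hash) and spells "ParentProcessId".
FIXED_REGEX = (
    r"Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* "
    r"\s*TerminalSessionId: \S* \s*IntegrityLevel: \.*Hashes: (\S*) "
    r"\s*ParentProcessGuid: \S* \s*ParentProcessId: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:"
)

# OSSEC escapes -> Python re: in OSSEC '\.' is "any character", a bare '.' is a literal dot and
# '\(' / '\)' are literal parentheses. Approximation for this example, not OSSEC's own matcher.
_ESCAPES = {".": ".", "s": r"\s", "S": r"\S", "w": r"\w", "W": r"\W", "d": r"\d", "D": r"\D",
            "t": r"\t", "n": r"\n", "p": r"[^\w\s]"}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in "()*+^$|" else re.escape(pattern[i]))
            i += 1
    return "".join(out)

def decode(prematch, regex, log):
    """Apply a decoder the way offset="after_prematch" does; return the captured
    fields (surrounding spaces stripped) or None when the regex does not match."""
    pre = re.search(ossec_to_python(prematch), log)
    m = pre and re.search(ossec_to_python(regex), log[pre.end():])
    return tuple(g.strip() for g in m.groups()) if m else None
```

`decode(PREMATCH, DEFAULT_REGEX, SYSMON_LOG)` returns None, which is why only the catch-all Windows rule fires in Phase 3, while `decode(PREMATCH, FIXED_REGEX, SYSMON_LOG)` returns the image, user, hashes and parent image fields in the decoder's `<order>`.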