On Thu, Sep 28, 2017 at 12:35 AM, amar haq <amar....@gmail.com> wrote:
> Hi, I have ossec manager 2.9.2 on ubuntu and ossec agent on windows v2.9.0.
> sysmon installed and has been configured, and for example I tried to access
> powershell, agent's log.
> so I tried to use ossec-logtest and have result:
>
> **Phase 1: Completed pre-decoding.
> full event: '2017 Sep 28 11:15:28 WinEvtLog:
> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
> {6B166207-7760-59CC-0000-0010F1E00800} ProcessId: 732 Image:
> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser LogonGuid:
> {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId:
> 1 IntegrityLevel: High Hashes:
> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId:
> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
> C:\Windows\Explorer.EXE'
> hostname: 'ubuntu'
> program_name: 'WinEvtLog'
> log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
> {6B166207-7760-59CC-0000-0010F1E00800} ProcessId: 732 Image:
> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser LogonGuid:
> {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId:
> 1 IntegrityLevel: High Hashes:
> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId:
> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
> C:\Windows\Explorer.EXE'
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'INFORMATION'
> id: '1'
> extra_data: 'Microsoft-Windows-Sysmon'
> dstuser: 'SYSTEM'
> system_name: 'IE11Win7'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '99999'
> Level: '3'
> Description: 'Windows Rule Triggered'
> **Alert to be generated.
>
>
> here is sysmon decoder by default:
>
> <decoder name="Sysmon-EventID#1">
> <type>windows</type>
> <prematch>INFORMATION\(1\)</prematch>
> <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User:
> (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S*
> \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S*
> \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
> <order>status,user,url,data</order>
> </decoder>
>

There are a few things in the decoder that don't match the sysmon message you posted. You don't have "HashType," "Hash:" is "Hashes:" for you, etc. I'll play around with it.

>
> as I know, there is Sysmon decoder and sysmon rules on Ossec 2.9.2
> could anyone help me how to fix it so sysmon decoder and sysmon rules are
> triggered?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
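The mismatch pointed out in the reply above, as an added example that is not part of the thread or of OSSEC's own code: a small Python parser for the Sysmon event ID 1 body quoted in the thread, plus a check that lists which literal anchors of the stock Sysmon-EventID#1 decoder regex the event does not contain. The field-label list is taken from the sample event, and the case-insensitive comparison assumes OSSEC's regex matching is case-insensitive by default; both are assumptions.

```python
import re

# Constructed sample: the Sysmon event ID 1 body from the thread, as it appears
# in the 'log:' field of ossec-logtest (WinEvtLog envelope already stripped).
SAMPLE = (
    "Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: "
    "SYSTEM: NT AUTHORITY: IE11Win7: Process Create: UtcTime: 2017-09-28 04:15:28.884 "
    "ProcessGuid: {6B166207-7760-59CC-0000-0010F1E00800} ProcessId: 732 "
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine: \"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" "
    "CurrentDirectory: C:\\Windows\\system32\\ User: IE11WIN7\\IEUser "
    "LogonGuid: {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId: 1 "
    "IntegrityLevel: High Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,"
    "SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7 "
    "ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId: 2920 "
    "ParentImage: C:\\Windows\\explorer.exe ParentCommandLine: C:\\Windows\\Explorer.EXE"
)

# Field labels of a Process Create event, in emission order (assumption: taken from
# the sample above; newer Sysmon versions emit additional fields).
FIELDS = ["UtcTime", "ProcessGuid", "ProcessId", "Image", "CommandLine",
          "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
          "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
          "ParentImage", "ParentCommandLine"]
LABEL_RE = re.compile(r"\s*(" + "|".join(FIELDS) + r"): ")

def parse_process_create(line):
    """Split the event body into {label: value}. Splitting on the known labels is
    safer than on ': ' because paths and command lines themselves contain colons."""
    parts = LABEL_RE.split(line)  # [prefix, label, value, label, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def split_hashes(hashes_value):
    """'MD5=..,SHA256=..' -> {'MD5': .., 'SHA256': ..}. The stock decoder expected
    separate HashType:/Hash: fields rather than this combined Hashes: form."""
    return dict(item.split("=", 1) for item in hashes_value.split(","))

# Literal anchors the default Sysmon-EventID#1 decoder regex (quoted in the thread)
# must find after its prematch; if any is absent the whole regex fails to match.
DEFAULT_DECODER_ANCHORS = ["Image:", "CommandLine:", "User:", "LogonGuid:", "LogonId:",
                           "TerminalSessionId:", "IntegrityLevel:", "HashType:", "Hash:",
                           "ParentProcessGuid:", "ParentProcessID:", "ParentImage:",
                           "ParentCommandLine:"]

def missing_anchors(line, anchors=DEFAULT_DECODER_ANCHORS):
    """Anchors the event lacks. Comparison is case-insensitive (assumption: OSSEC's
    regex is case-insensitive by default, so ParentProcessID vs ParentProcessId is fine)."""
    low = line.lower()
    return [a for a in anchors if " " + a.lower() not in low]
```

Running `missing_anchors(SAMPLE)` on the quoted event reports only `HashType:` and `Hash:`, which is exactly why the stock decoder never gets past the `IntegrityLevel` part of its regex and the generic `windows` decoder wins instead.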