On Fri, Sep 22, 2017 at 3:49 AM, Nico MT wrote:
> Hi all,
>
> I've been trying to create a decoder for the new version of TrendMicro,
> which is not supported by OSSEC or by Wazuh yet. The sample event I want to
> decode is like this:
>
> 2017 Sep 20 16:12:10 WinEvtLog: Application: WARNING(500): Trend Micro
> OfficeScan Server: SYSTEM: NT AUTHORITY: server.fqdn.com: Virus/Malware:
> TROJ_GEN.R0EBC0ED616 Computer: HOSTNAME Domain: Default\ File:
> C:\Path\to\malicious\file.exe (file.exe) Date/Time: 20/09/2017 16:11:11
> Result: Virus successfully detected, cannot perform the Clean action
> (Quarantine)
>
> If I start testing this event at the logtest tool, I get this output:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017 Sep 20 16:12:10 WinEvtLog: Application:
> WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY:
> server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616 Computer: HOSTNAME
> Domain: Default\ File: C:\Path\to\malicious\file.exe (file.exe) Date/Time:
> 20/09/2017 16:11:11 Result: Virus successfully detected, cannot perform the
> Clean action (Quarantine)'
>        hostname: 'srvlossec01'
>        program_name: 'WinEvtLog'
>        log: 'Application: WARNING(500): Trend Micro OfficeScan Server:
> SYSTEM: NT AUTHORITY: server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616
> Computer: HOSTNAME Domain: Default\ File: C:\Path\to\malicious\file.exe
> (file.exe) Date/Time: 20/09/2017 16:11:11 Result: Virus successfully
> detected, cannot perform the Clean action (Quarantine)'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        type: 'Application'
>        status: 'WARNING'
>        id: '500'
>        extra_data: 'Trend Micro OfficeScan Server'
>        dstuser: 'SYSTEM'
>        system_name: 'server.fqdn.com'
>
> **Rule debugging:
>     Trying rule: 6 - Generic template for all windows rules.
>        *Rule 6 matched.
>        *Trying child rules.
>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>     Trying rule: 18100 - Group of windows rules.
>        *Rule 18100 matched.
>        *Trying child rules.
>     Trying rule: 18101 - Windows informational event.
>     Trying rule: 18102 - Windows warning event.
>        *Rule 18102 matched.
>        *Trying child rules.
>     Trying rule: 7500 - Grouping of McAfee Windows AV rules.
>     Trying rule: 7701 - Grouping of Microsoft Security Essentials rules.
>     Trying rule: 18155 - Multiple Windows warning events.
>     Trying rule: 18141 - Unexpected Windows shutdown.
>     Trying rule: 18125 - Windows: Remote access login failure.
>     Trying rule: 18258 - Windows: TS Gateway login failure.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18102'
>        Level: '0'
>        Description: 'Windows warning event.'
>
> When I try to add my first decoder, which I deduce needs to inherit data
> from the windows decoder, none of my data gets extracted. Here's the decoder
> I've generated:
>
>
> <!-- the decoder name attribute was not preserved in the message;
>      "trendmicro-officescan" below is a placeholder -->
> <decoder name="trendmicro-officescan">
>   <parent>windows</parent>
>   <type>windows</type>
>   <prematch>Application: \S+\(500\): Trend Micro OfficeScan Server:</prematch>
>   <regex>Application: \S+\(\d+\): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer: (\S+)</regex>
>   <order>virus,victimhost</order>
> </decoder>
>
> But if I add my decoder inside the windows decoders file
> (/var/ossec/ruleset/decoders/0380-windows_decoders.xml), the event gets
> decoded as I want:
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        type: 'Application'
>        status: 'WARNING'
>        id: '500'
>        extra_data: 'Trend Micro OfficeScan Server'
>        dstuser: 'SYSTEM'
>        system_name: 'server.fqdn.com'
>        virus: 'TROJ_GEN.R0EBC0ED616'
>        victimhost: 'HOSTNAME'
>
> The only requirement for my decoder to work is to place it before this rule:
>
> ...
> -->
>
> <!-- the decoder name attribute was not preserved in the message;
>      "windows-srcip" below is a placeholder -->
> <decoder name="windows-srcip">
>   <parent>windows</parent>
>   <type>windows</type>
>   <regex>Source Network Address:\t*\s*(\S+.\S+.\S+.\S+)|Source Network Address:\t*\s*(\S*:\S*:\S*:\S*:\S*:\S*:\S*:\S*)|[CLIENT: (\S+\d)]</regex>
>   <order>srcip</order>
> </decoder>
>
> ...
>
> I've observed that this decoder stops working if I place my decoder before
> it, so I don't want to modify my decoder set like that, as I'd lose part of
> the default OSSEC functionality.
>
> Does anyone know how to solve my problem, or how to get more accurate
> information to help me reach a solution?
>
I tried adding this to local_decoders:
<!-- the decoder name attribute was not preserved in the message;
     "trendmicro-officescan" below is a placeholder -->
<decoder name="trendmicro-officescan">
  <parent>windows</parent>
  <type>windows</type>
  <regex>Application: \S+\(\d+\): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer: (\S+)</regex>
  <order>extra_data,dstip</order>
</decoder>
It seems to work, but I can't test it thoroughly right now.
> Thanks in advance for your help.
>
> Nico.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
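Added example (not code from the thread, OSSEC or Wazuh): a small offline checker that translates the OSSEC regex dialect used in `<prematch>`/`<regex>` into Python `re` and runs the decoders quoted above against the sample event, so a pattern can be checked before it is loaded and tested with ossec-logtest. Assumptions: the escape table approximates os_regex (`\s` is a single space, `\S` anything but a space, `.` a wildcard, `[` `]` `{` `}` literals); the parent fields are copied from the logtest output in the thread rather than recomputed; the two `Source Network Address`/`[CLIENT: ...]` lines are constructed, not real events; the decoder labels and the rule that a child field replaces a same-named parent field are the simulator's own choices, not confirmed daemon behaviour.

```python
"""Offline checker for OSSEC/Wazuh decoder regexes (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# OSSEC's os_regex is not PCRE.  Approximation of its escapes; any other
# character that is not one of the metacharacters below is a literal.
_OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9_@\-]",   # \w: letters, digits, '_', '-', '@'
    "W": r"[^A-Za-z0-9_@\-]",
    "d": r"[0-9]",
    "D": r"[^0-9]",
    "s": r" ",                 # \s is a single space, not arbitrary whitespace
    "S": r"[^ ]",              # \S: anything that is not a space (approximation)
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # \p: punctuation
    ".": r"\.", "(": r"\(", ")": r"\)", "|": r"\|", "\\": r"\\",
}
_META = set("()|*+?^$.")  # keep regex meaning; '.' is the any-character wildcard


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <prematch>/<regex> string into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1
            if i == len(pattern) or pattern[i] not in _OSSEC_ESCAPES:
                raise ValueError("unsupported OSSEC escape in %r" % pattern)
            out.append(_OSSEC_ESCAPES[pattern[i]])
        elif ch in _META:
            out.append(ch)
        else:
            out.append(re.escape(ch))  # '[', ']', '{', '}', '/' ... are plain text in OSSEC
        i += 1
    return "".join(out)


@dataclass
class Decoder:
    name: str                  # label for this example only; not the XML name attribute
    prematch: Optional[str]
    regex: str
    order: List[str]

    def apply(self, log: str) -> Optional[Dict[str, str]]:
        """Fields this decoder extracts from `log`, or None if it does not match.
        Matching is unanchored unless the pattern uses ^/$.  With alternation only
        the groups of the matching branch are populated; the simulator assigns
        them positionally to the <order> names."""
        if self.prematch and not re.search(ossec_to_python(self.prematch), log):
            return None
        m = re.search(ossec_to_python(self.regex), log)
        if not m:
            return None
        values = [g for g in m.groups() if g is not None]
        return dict(zip(self.order, values))


def decode_with_parent(parent: Dict[str, str], child: Decoder, log: str) -> Dict[str, str]:
    """Merge a child decoder's fields onto the parent's fields.
    Simulator assumption: a child field with a parent's name replaces it."""
    merged = dict(parent)
    merged.update(child.apply(log) or {})
    return merged


# 'log:' portion of the sample event from the thread (after the WinEvtLog program name).
TREND_MICRO_LOG = (
    r"Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: "
    r"server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616 Computer: HOSTNAME Domain: Default\ File: "
    r"C:\Path\to\malicious\file.exe (file.exe) Date/Time: 20/09/2017 16:11:11 Result: Virus "
    r"successfully detected, cannot perform the Clean action (Quarantine)")
# What the stock 'windows' parent decoder produced, copied from the logtest output.
PARENT_FIELDS = {"type": "Application", "status": "WARNING", "id": "500",
                 "extra_data": "Trend Micro OfficeScan Server", "dstuser": "SYSTEM",
                 "system_name": "server.fqdn.com"}
# Constructed lines (not from the thread) to exercise the ruleset's srcip decoder.
LOGON_FAILURE_LOG = ("Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
                     "(no user): no domain: WKS01: An account failed to log on. "
                     "Source Network Address:\t10.1.2.3")
SQLSERVER_LOG = ("Application: FAILURE_AUDIT(18456): MSSQLSERVER: (no user): no domain: "
                 "DB01: Login failed for user 'sa'. [CLIENT: 10.0.0.5]")

TM_REGEX = (r"Application: \S+\(\d+\): Trend Micro OfficeScan Server: SYSTEM: NT "
            r"AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer: (\S+)")
NICO_DECODER = Decoder("trendmicro (original post)",
                       r"Application: \S+\(500\): Trend Micro OfficeScan Server:",
                       TM_REGEX, ["virus", "victimhost"])
REPLY_DECODER = Decoder("trendmicro (reply)", None, TM_REGEX, ["extra_data", "dstip"])
SRCIP_DECODER = Decoder("windows srcip (ruleset)", None,
                        r"Source Network Address:\t*\s*(\S+.\S+.\S+.\S+)|Source Network "
                        r"Address:\t*\s*(\S*:\S*:\S*:\S*:\S*:\S*:\S*:\S*)|[CLIENT: (\S+\d)]",
                        ["srcip"])

if __name__ == "__main__":
    for dec in (NICO_DECODER, REPLY_DECODER):
        print(dec.name, "->", decode_with_parent(PARENT_FIELDS, dec, TREND_MICRO_LOG))
    for line in (LOGON_FAILURE_LOG, SQLSERVER_LOG, TREND_MICRO_LOG):
        print(SRCIP_DECODER.name, "->", SRCIP_DECODER.apply(line))
```

Two things the run makes visible that the thread only implies. First, `[CLIENT: (\S+\d)]` is literal brackets in OSSEC but a character class in PCRE, so pasting these patterns into an ordinary regex tester gives wrong answers; the translation step is what makes the offline check meaningful. Second, the original post's `<prematch>` pins the decoder to event id 500 while the `<regex>` accepts any id, and the reply's `<order>` of `extra_data,dstip` names a field the parent already fills and stores a hostname in `dstip`; under this simulator's replace-on-merge assumption the virus name overwrites 'Trend Micro OfficeScan Server'. Whether the daemon behaves the same way is exactly what ossec-logtest should be used to confirm.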