Re: [ossec-list] Extending the windows decoder

2017-09-27 Thread dan (ddp)
On Fri, Sep 22, 2017 at 3:49 AM, Nico MT  wrote:
> Hi all,
>
> I've been trying to create a decoder for the new version of TrendMicro,
> which is not supported by OSSEC or by Wazuh yet. The sample event I want to
> decode is like this:
>
> 2017 Sep 20 16:12:10 WinEvtLog: Application: WARNING(500): Trend Micro
> OfficeScan Server: SYSTEM: NT AUTHORITY: server.fqdn.com: Virus/Malware:
> TROJ_GEN.R0EBC0ED616  Computer: HOSTNAME Domain: Default\  File:
> C:\Path\to\malicious\file.exe (file.exe)  Date/Time: 20/09/2017 16:11:11
> Result: Virus successfully detected, cannot perform the Clean action
> (Quarantine)
>
> If I start testing this event at the logtest tool, I get this output:
>
> **Phase 1: Completed pre-decoding.
>full event: '2017 Sep 20 16:12:10 WinEvtLog: Application:
> WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY:
> server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616  Computer: HOSTNAME
> Domain: Default\  File: C:\Path\to\malicious\file.exe (file.exe)  Date/Time:
> 20/09/2017 16:11:11  Result: Virus successfully detected, cannot perform the
> Clean action (Quarantine)'
>hostname: 'srvlossec01'
>program_name: 'WinEvtLog'
>log: 'Application: WARNING(500): Trend Micro OfficeScan Server:
> SYSTEM: NT AUTHORITY: server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616
> Computer: HOSTNAME Domain: Default\  File: C:\Path\to\malicious\file.exe
> (file.exe)  Date/Time: 20/09/2017 16:11:11  Result: Virus successfully
> detected, cannot perform the Clean action (Quarantine)'
>
> **Phase 2: Completed decoding.
>decoder: 'windows'
>type: 'Application'
>status: 'WARNING'
>id: '500'
>extra_data: 'Trend Micro OfficeScan Server'
>dstuser: 'SYSTEM'
>system_name: 'server.fqdn.com'
>
> **Rule debugging:
> Trying rule: 6 - Generic template for all windows rules.
>*Rule 6 matched.
>*Trying child rules.
> Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
> Trying rule: 18100 - Group of windows rules.
>*Rule 18100 matched.
>*Trying child rules.
> Trying rule: 18101 - Windows informational event.
> Trying rule: 18102 - Windows warning event.
>*Rule 18102 matched.
>*Trying child rules.
> Trying rule: 7500 - Grouping of McAfee Windows AV rules.
> Trying rule: 7701 - Grouping of Microsoft Security Essentials rules.
> Trying rule: 18155 - Multiple Windows warning events.
> Trying rule: 18141 - Unexpected Windows shutdown.
> Trying rule: 18125 - Windows: Remote access login failure.
> Trying rule: 18258 - Windows: TS Gateway login failure.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '18102'
>Level: '0'
>Description: 'Windows warning event.'
>
> When I try to add my first decoder, which I deduce needs to inherit data
> from the windows decoder, none of my data gets extracted. Here's the decoder
> I've generated:
>
> 
> windows
> windows
> Application: \S+\(500\): Trend Micro OfficeScan
> Server:
> Application: \S+\(\d+\): Trend Micro OfficeScan Server: SYSTEM: NT
> AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer: (\S+)
> virus,victimhost
> 
>
> But if I add my decoder inside the windows decoders file
> (/var/ossec/ruleset/decoders/0380-windows_decoders.xml), the event gets
> decoded as I want:
>
> **Phase 2: Completed decoding.
>decoder: 'windows'
>type: 'Application'
>status: 'WARNING'
>id: '500'
>extra_data: 'Trend Micro OfficeScan Server'
>dstuser: 'SYSTEM'
>system_name: 'server.fqdn.com'
>virus: 'TROJ_GEN.R0EBC0ED616'
>victimhost: 'HOSTNAME'
>
> The only requirement for my decoder to work is to place it before this rule:
>
> ...
> -->
>
> 
>
> 
>   windows
>   windows
>   Source Network Address:\t*\s*(\S+.\S+.\S+.\S+)|Source Network
> Address:\t*\s*(\S*:\S*:\S*:\S*:\S*:\S*:\S*:\S*)|[CLIENT: (\S+\d)]
>   srcip
> 
>
> 
>
> 
> ...
>
> I've observed that this decoder stops working if I place my decoder before
> it, so I don't want to modify my decoder set like that, as I'd lose part of
> the default OSSEC functionality.
>
> Does anyone know how to solve my problem, or how to get more accurate
> information to help me achieve the solution?
>

I tried adding this to local_decoders:

windows
windows
Application: \S+\(\d+\): Trend Micro OfficeScan Server:
SYSTEM: NT AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer:
(\S+)
extra_data,dstip


It seems to work, but I can't test it thoroughly right now.

> Thanks in advance for your help.
>
> Nico.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.


[ossec-list] Extending the windows decoder

2017-09-22 Thread Nico MT
Hi all,

I've been trying to create a decoder for the new version of TrendMicro, 
which is not supported by OSSEC or by Wazuh yet. The sample event I want to 
decode is like this:

2017 Sep 20 16:12:10 WinEvtLog: Application: WARNING(500): Trend Micro 
OfficeScan Server: SYSTEM: NT AUTHORITY: server.fqdn.com: Virus/Malware: 
TROJ_GEN.R0EBC0ED616  Computer: HOSTNAME Domain: Default\  File: 
C:\Path\to\malicious\file.exe (file.exe)  Date/Time: 20/09/2017 16:11:11  
Result: Virus successfully detected, cannot perform the Clean action 
(Quarantine)

If I start testing this event at the logtest tool, I get this output:

**Phase 1: Completed pre-decoding.
   full event: '2017 Sep 20 16:12:10 WinEvtLog: Application: 
WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: 
server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616  Computer: HOSTNAME 
Domain: Default\  File: C:\Path\to\malicious\file.exe (file.exe)  
Date/Time: 20/09/2017 16:11:11  Result: Virus successfully detected, cannot 
perform the Clean action (Quarantine)'
   hostname: 'srvlossec01'
   program_name: 'WinEvtLog'
   log: 'Application: WARNING(500): Trend Micro OfficeScan Server: 
SYSTEM: NT AUTHORITY: server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616  
Computer: HOSTNAME Domain: Default\  File: C:\Path\to\malicious\file.exe 
(file.exe)  Date/Time: 20/09/2017 16:11:11  Result: Virus successfully 
detected, cannot perform the Clean action (Quarantine)'

**Phase 2: Completed decoding.
   decoder: 'windows'
   type: 'Application'
   status: 'WARNING'
   id: '500'
   extra_data: 'Trend Micro OfficeScan Server'
   dstuser: 'SYSTEM'
   system_name: 'server.fqdn.com'

**Rule debugging:
Trying rule: 6 - Generic template for all windows rules.
   *Rule 6 matched.
   *Trying child rules.
Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
Trying rule: 18100 - Group of windows rules.
   *Rule 18100 matched.
   *Trying child rules.
Trying rule: 18101 - Windows informational event.
Trying rule: 18102 - Windows warning event.
   *Rule 18102 matched.
   *Trying child rules.
Trying rule: 7500 - Grouping of McAfee Windows AV rules.
Trying rule: 7701 - Grouping of Microsoft Security Essentials rules.
Trying rule: 18155 - Multiple Windows warning events.
Trying rule: 18141 - Unexpected Windows shutdown.
Trying rule: 18125 - Windows: Remote access login failure.
Trying rule: 18258 - Windows: TS Gateway login failure.

**Phase 3: Completed filtering (rules).
   Rule id: '18102'
   Level: '0'
   Description: 'Windows warning event.'

When I try to add my first decoder, which I deduce needs to inherit data 
from the windows decoder, none of my data gets extracted. Here's the decoder 
I've generated:


windows
windows
Application: \S+\(500\): Trend Micro OfficeScan 
Server:
Application: \S+\(\d+\): Trend Micro OfficeScan Server: SYSTEM: NT 
AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer: (\S+)
virus,victimhost


But if I add my decoder inside the windows decoders file 
(/var/ossec/ruleset/decoders/0380-windows_decoders.xml), the event gets 
decoded as I want:

**Phase 2: Completed decoding.
   decoder: 'windows'
   type: 'Application'
   status: 'WARNING'
   id: '500'
   extra_data: 'Trend Micro OfficeScan Server'
   dstuser: 'SYSTEM'
   system_name: 'server.fqdn.com'
   virus: 'TROJ_GEN.R0EBC0ED616'
   victimhost: 'HOSTNAME'

The only requirement for my decoder to work is to place it before this rule:

...
-->




  windows
  windows
  Source Network Address:\t*\s*(\S+.\S+.\S+.\S+)|Source Network 
Address:\t*\s*(\S*:\S*:\S*:\S*:\S*:\S*:\S*:\S*)|[CLIENT: (\S+\d)]
  srcip





...

I've observed that this decoder stops working if I place my decoder before 
it, so I don't want to modify my decoder set like that, as I'd lose part of 
the default OSSEC functionality.

Does anyone know how to solve my problem, or how to get more accurate 
information to help me achieve the solution?

Thanks in advance for your help.

Nico.

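The decoder chain both posts describe, as an added Python model (it is not code from the thread, from OSSEC or from Wazuh): pre-decoding of the WinEvtLog line, the parent windows decoder rebuilt from the Phase 2 fields logtest printed, and two child decoders tried in file order. Nico's Trend Micro regexes and the IPv4 branch of the ruleset's srcip decoder are translated from OSSEC's own regex syntax to Python's re (OSSEC's `.` is a literal period, hence `\.`); the engine behaviour in `decode()` is my assumption about how sibling decoders are walked, the decoder names are hypothetical because the thread's XML lost its tags, and the logon event is constructed.

```python
"""Toy model of an OSSEC/Wazuh decoder chain for the WinEvtLog event in the
thread. Added example: this is not OSSEC's code, and the engine behaviour it
models is stated as an assumption in the decode() docstring."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# Constructed sample events. The first is the Trend Micro line quoted in the
# thread; the second is a made-up logon failure in the same WinEvtLog layout,
# so the ruleset's "Source Network Address" decoder has something to match.
TRENDMICRO_EVENT = (
    "2017 Sep 20 16:12:10 WinEvtLog: Application: WARNING(500): Trend Micro "
    "OfficeScan Server: SYSTEM: NT AUTHORITY: server.fqdn.com: Virus/Malware: "
    "TROJ_GEN.R0EBC0ED616  Computer: HOSTNAME Domain: Default\\  File: "
    "C:\\Path\\to\\malicious\\file.exe (file.exe)  Date/Time: 20/09/2017 16:11:11  "
    "Result: Virus successfully detected, cannot perform the Clean action (Quarantine)"
)
LOGON_EVENT = (
    "2017 Sep 20 16:13:00 WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: server.fqdn.com: "
    "An account failed to log on.  Source Network Address: 192.0.2.10  Source Port: 51000"
)

# Pre-decoding: timestamp, program name, then the log body.
PREDECODE_RE = re.compile(r"^\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d (\S+): (.*)$")

# Parent "windows" decoder, reconstructed from the Phase 2 fields logtest printed
# (type, status, id, extra_data, dstuser, system_name). The "NT AUTHORITY"
# domain between dstuser and system_name is consumed by a non-capturing group.
WINDOWS_PARENT_RE = re.compile(r"^(\w+): (\w+)\((\d+)\): (.+?): (\S+): (?:.+?): (\S+): ")
WINDOWS_PARENT_FIELDS = ("type", "status", "id", "extra_data", "dstuser", "system_name")


@dataclass
class ChildDecoder:
    """One <decoder> with <parent>windows</parent>: an optional prematch gate,
    the extraction regex and the field names from <order>."""
    name: str
    regex: re.Pattern
    order: Tuple[str, ...]
    prematch: Optional[re.Pattern] = None


# Nico's decoder, OSSEC regex syntax translated to Python re.
TRENDMICRO = ChildDecoder(
    name="windows-trendmicro",  # hypothetical name; the thread's XML lost its tags
    prematch=re.compile(r"Application: \S+\(500\): Trend Micro OfficeScan Server:"),
    regex=re.compile(
        r"Application: \S+\(\d+\): Trend Micro OfficeScan Server: SYSTEM: NT "
        r"AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer: (\S+)"
    ),
    order=("virus", "victimhost"),
)

# IPv4 branch of the ruleset's srcip decoder as quoted in the thread, which
# shows no prematch. OSSEC's "." is a literal period, hence "\." here.
SRCIP = ChildDecoder(
    name="windows-srcip",  # hypothetical name, see above
    regex=re.compile(r"Source Network Address:\t*\s*(\S+\.\S+\.\S+\.\S+)"),
    order=("srcip",),
)


def decode(event: str, children: Sequence[ChildDecoder]) -> Optional[Dict[str, str]]:
    """Pre-decode, apply the parent windows decoder, then walk the children in
    file order.

    Engine model (assumption, not verified against the OSSEC source): a child's
    prematch is only a gate, so a failed prematch moves on to the next sibling;
    once a child is selected (prematch matched, or it has no prematch at all)
    its regex is applied and no later sibling is tried, whether or not that
    regex matched. This reproduces what the thread saw: a prematch-less sibling
    placed earlier swallows the event."""
    m = PREDECODE_RE.match(event)
    if not m or m.group(1) != "WinEvtLog":
        return None
    log = m.group(2)
    pm = WINDOWS_PARENT_RE.match(log)
    if not pm:
        return None
    fields = {"program_name": "WinEvtLog", "decoder": "windows"}
    fields.update(zip(WINDOWS_PARENT_FIELDS, pm.groups()))
    for child in children:
        if child.prematch is not None and not child.prematch.search(log):
            continue  # gate failed: try the next sibling
        cm = child.regex.search(log)
        if cm:
            fields.update(zip(child.order, cm.groups()))
        return fields  # the selected child ends the walk either way
    return fields


def decode_with_order(event: str, trendmicro_first: bool) -> Optional[Dict[str, str]]:
    """Same event, the two child decoders in either file order."""
    children = [TRENDMICRO, SRCIP] if trendmicro_first else [SRCIP, TRENDMICRO]
    return decode(event, children)


if __name__ == "__main__":
    for label, event, first in (
        ("Trend Micro event, Trend Micro decoder first", TRENDMICRO_EVENT, True),
        ("Trend Micro event, srcip decoder first", TRENDMICRO_EVENT, False),
        ("logon event, Trend Micro decoder first", LOGON_EVENT, True),
    ):
        print(f"{label}: {decode_with_order(event, first)}")
```

Run stand-alone, the script prints the Trend Micro fields only when that decoder precedes the srcip decoder, matching the placement requirement Nico reports. Two caveats for anyone reusing this: in the model above the prematch keeps the Trend Micro decoder from shadowing the srcip decoder on logon events, which is not what Nico observed, and that difference is exactly what to confirm with ossec-logtest (compare the Phase 2 output for each placement) before touching the shipped decoder file; keeping the decoder in the local decoder file, as dan did, also survives ruleset updates. Plain OSSEC only accepts its fixed set of <order> field names, which is why dan's version maps the captures to extra_data and dstip; the virus and victimhost names in Nico's logtest output are Wazuh's dynamic fields.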