RE: [ossec-list] eventchannel decoder testing

2016-08-03 Thread lostinthetubez
Response inline

> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
> On Behalf Of dan (ddp)
> Sent: Wednesday, August 3, 2016 5:52 AM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] eventchannel decoder testing
> 
> On Tue, Aug 2, 2016 at 10:40 PM, lostinthetubez
> <lostinthetu...@gmail.com> wrote:
> > I’d give Wazuh a whirl, if I were you. They’ve got decoders and rules for
> > sysmon, as well as eventchannel working (or I assume they do, if they have
> > that stuff setup for sysmon).
> >
> >
> >
> > My current decoder/rule development server and agents have been
> around long
> > enough that I don’t recall what sort of Frankenstein mixture of agent and
> > server versions I am running. Now that I think back on it, I’m fairly
> > certain I had to track down a fixed version of the Windows agent in the
> > listserv archives to make 2.8.3 work.
> >
> 
> Do you have more information on this? It doesn't sound familiar.

Pretty sure I snagged Josh's fixed binary, back when the onedrive link in this 
thread still worked:
https://groups.google.com/forum/#!topic/ossec-list/o1SXX5Wk0A0

I will try to do more testing with the current 2.9 beta code in a week or two, 
see if I can validate any of the issues I observed earlier in the thread.

> 
> >
> >
> > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
> On
> > Behalf Of Craig Mitchell
> > Sent: Tuesday, August 2, 2016 7:13 PM
> > To: ossec-list@googlegroups.com
> >
> >
> > Subject: Re: [ossec-list] eventchannel decoder testing
> >
> >
> >
> > Thanks for the input! I'll take a closer look at 2.8.3 but the whole reason
> > I was looking at 2.9RC2 was because it supported the eventchannel log
> type.
> > From what I understand, 2.8.x had trouble with this and therefore had
> > trouble with sysmon. Has that been your experience with 2.8.3? Thanks
> again
> > everyone for the help.
> >
> >
> >
> > On Tue, Aug 2, 2016 at 8:49 PM, lostinthetubez
> <lostinthetu...@gmail.com>
> > wrote:
> >
> > Craig,
> >
> >
> >
> > Hm... I just now noticed your exact symptoms while playing with a test
> OSSEC
> > server that was created from a relatively recent git clone of the repository
> > (cloned within the last month or two?). Take a look at your original output
> > of ossec-logtest, under “Prepended Data Removed”. Look at the parsed
> “log:”
> > field. Ossec-logtest is stripping “2016 Jul 29 22:32:24 WinEvtLog:” before
> > processing it against the decoders. It isn’t supposed to be doing this. At
> > least, this was not the behavior under 2.8.3. I do not have time to test the
> > latest build from the repo to see if this problem has been fixed, though you
> > might give that a whirl if you have the luxury of time. If you just want to
> > make things work correctly, build your OSSEC server from the last known-
> good
> > release, which is 2.8.3, or just follow Jesus’ suggestion and try out the
> > Wazuh build.
> >
> >
> >
> >
> >
> > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
> On
> > Behalf Of Craig
> > Sent: Sunday, July 31, 2016 3:14 PM
> > To: ossec-list <ossec-list@googlegroups.com>
> > Subject: Re: [ossec-list] eventchannel decoder testing
> >
> >
> >
> > Great, thank you. That does help troubleshoot. So, I do have a follow up
> > question. Here is the default decoder:
> >
> >
> >
> > 
> >
> > <decoder name="DECODER-NAME-NOT-PRESERVED">
> >   <!-- the name attribute did not survive the list archive; placeholder -->
> >   <parent>windows</parent>
> >   <prematch>INFORMATION\(1\)</prematch>
> >   <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
> >   <order>status,user,url,data</order>
> > </decoder>
> >
> > 
> >
> >
> >
> > However, when I remove the prepended data from my archives.log file
> and send
> > it through logtest, the decoder doesn't work (if I leave the prepended data
> > there, the decoder works). Any ideas why this might be happening? See
> below
> > for my logtest:
> >
> >
> >
> > Prepended Data Removed:
> >
> >
> >
> > **Phase 1: Completed pre-decoding.
> >
> >full event: '2016 Jul 29 22:32:24 WinEvtLog:
> > Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> > Microsoft-Windows-Sysmon: SYSTEM:

Re: [ossec-list] eventchannel decoder testing

2016-08-03 Thread Jesus Linares
Hi Craig, 

Did you try to use the new decoders? I think it could work.

Steps:

   - Create a backup of your decoder.xml
   - Replace the "windows decoder" by copying lines 174 to 417 of this file:
     https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L174
   - Restart ossec

Let me know if it works.

On Wednesday, August 3, 2016 at 4:40:29 AM UTC+2, LostInThe Tubez wrote:
>
> I’d give Wazuh a whirl, if I were you. They’ve got decoders and rules for 
> sysmon, as well as eventchannel working (or I assume they do, if they have 
> that stuff setup for sysmon). 
>
>  
>
> My current decoder/rule development server and agents have been around 
> long enough that I don’t recall what sort of Frankenstein mixture of agent 
> and server versions I am running. Now that I think back on it, I’m fairly 
> certain I had to track down a fixed version of the Windows agent in the 
> listserv archives to make 2.8.3 work. 
>
>  
>
> From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of Craig Mitchell
> Sent: Tuesday, August 2, 2016 7:13 PM
> To: ossec...@googlegroups.com
> Subject: Re: [ossec-list] eventchannel decoder testing
>
>  
>
> Thanks for the input! I'll take a closer look at 2.8.3 but the whole 
> reason I was looking at 2.9RC2 was because it supported the eventchannel 
> log type. From what I understand, 2.8.x had trouble with this and therefore 
> had trouble with sysmon. Has that been your experience with 2.8.3? Thanks 
> again everyone for the help.
>
>  
>
> On Tue, Aug 2, 2016 at 8:49 PM, lostinthetubez <lostint...@gmail.com 
> > wrote:
>
> Craig,
>
>  
>
> Hm... I just now noticed your exact symptoms while playing with a test 
> OSSEC server that was created from a relatively recent git clone of the 
> repository (cloned within the last month or two?). Take a look at your 
> original output of ossec-logtest, under “Prepended Data Removed”. Look at 
> the parsed “log:” field. Ossec-logtest is stripping “2016 Jul 29 22:32:24 
> WinEvtLog:” before processing it against the decoders. It isn’t supposed to 
> be doing this. At least, this was not the behavior under 2.8.3. I do not 
> have time to test the latest build from the repo to see if this problem has 
> been fixed, though you might give that a whirl if you have the luxury of 
> time. If you just want to make things work correctly, build your OSSEC 
> server from the last known-good release, which is 2.8.3, or just follow 
> Jesus’ suggestion and try out the Wazuh build.
>
>  
>
>  
>
> From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of Craig
> Sent: Sunday, July 31, 2016 3:14 PM
> To: ossec-list <ossec...@googlegroups.com>
> Subject: Re: [ossec-list] eventchannel decoder testing
>
>  
>
> Great, thank you. That does help troubleshoot. So, I do have a follow up 
> question. Here is the default decoder:
>
>  
>
> 
>
> <decoder name="DECODER-NAME-NOT-PRESERVED">
>   <!-- the name attribute did not survive the list archive; placeholder -->
>   <parent>windows</parent>
>   <prematch>INFORMATION\(1\)</prematch>
>   <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
>   <order>status,user,url,data</order>
> </decoder>
>
> 
>
>  
>
> However, when I remove the prepended data from my archives.log file and 
> send it through logtest, the decoder doesn't work (if I leave the prepended 
> data there, the decoder works). Any ideas why this might be happening? See 
> below for my logtest:
>
>  
>
> Prepended Data Removed:
>
>  
>
> **Phase 1: Completed pre-decoding.
>
>full event: '2016 Jul 29 22:32:24 WinEvtLog: 
> Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
> {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
> C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
> {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b 
>  TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
> MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
> {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: 
> C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
>
>hostname: 'ubuntu-srv1'
>
>program_name: 'WinEvtLog'
>
>log: 'Microsoft-Windows-S

RE: [ossec-list] eventchannel decoder testing

2016-08-02 Thread lostinthetubez
I’d give Wazuh a whirl, if I were you. They’ve got decoders and rules for 
sysmon, as well as eventchannel working (or I assume they do, if they have that 
stuff setup for sysmon). 

 

My current decoder/rule development server and agents have been around long 
enough that I don’t recall what sort of Frankenstein mixture of agent and 
server versions I am running. Now that I think back on it, I’m fairly certain I 
had to track down a fixed version of the Windows agent in the listserv archives 
to make 2.8.3 work. 

 

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Craig Mitchell
Sent: Tuesday, August 2, 2016 7:13 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] eventchannel decoder testing

 

Thanks for the input! I'll take a closer look at 2.8.3 but the whole reason I 
was looking at 2.9RC2 was because it supported the eventchannel log type. From 
what I understand, 2.8.x had trouble with this and therefore had trouble with 
sysmon. Has that been your experience with 2.8.3? Thanks again everyone for the 
help.

 

On Tue, Aug 2, 2016 at 8:49 PM, lostinthetubez <lostinthetu...@gmail.com> wrote:

Craig,

 

Hm... I just now noticed your exact symptoms while playing with a test OSSEC 
server that was created from a relatively recent git clone of the repository 
(cloned within the last month or two?). Take a look at your original output of 
ossec-logtest, under “Prepended Data Removed”. Look at the parsed “log:” field. 
Ossec-logtest is stripping “2016 Jul 29 22:32:24 WinEvtLog:” before processing 
it against the decoders. It isn’t supposed to be doing this. At least, this was 
not the behavior under 2.8.3. I do not have time to test the latest build from 
the repo to see if this problem has been fixed, though you might give that a 
whirl if you have the luxury of time. If you just want to make things work 
correctly, build your OSSEC server from the last known-good release, which is 
2.8.3, or just follow Jesus’ suggestion and try out the Wazuh build.

 

 

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Craig
Sent: Sunday, July 31, 2016 3:14 PM
To: ossec-list <ossec-list@googlegroups.com>
Subject: Re: [ossec-list] eventchannel decoder testing

 

Great, thank you. That does help troubleshoot. So, I do have a follow up 
question. Here is the default decoder:

 



<decoder name="DECODER-NAME-NOT-PRESERVED">
  <!-- the name attribute did not survive the list archive; placeholder -->
  <parent>windows</parent>
  <prematch>INFORMATION\(1\)</prematch>
  <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
  <order>status,user,url,data</order>
</decoder>



 

However, when I remove the prepended data from my archives.log file and send it 
through logtest, the decoder doesn't work (if I leave the prepended data there, 
the decoder works). Any ideas why this might be happening? See below for my 
logtest:

 

Prepended Data Removed:

 

**Phase 1: Completed pre-decoding.

   full event: '2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: 
SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 
2016-07-30 03:32:24.846  ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  
ProcessId: 3988  Image: C:\Users\administrator\Desktop\svchost.exe  
CommandLine: "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  
IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  
ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 
3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: 
C:\Windows\Explorer.EXE'

   hostname: 'ubuntu-srv1'

   program_name: 'WinEvtLog'

   log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  
IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  
ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 
3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: 
C:\Windows\Explorer.EXE'

 

**Phase 2: Completed decoding.

   No decoder matched.

 

Prep

Re: [ossec-list] eventchannel decoder testing

2016-08-02 Thread Craig Mitchell
Thanks for the input! I'll take a closer look at 2.8.3 but the whole reason
I was looking at 2.9RC2 was because it supported the eventchannel log type.
From what I understand, 2.8.x had trouble with this and therefore had
trouble with sysmon. Has that been your experience with 2.8.3? Thanks again
everyone for the help.

On Tue, Aug 2, 2016 at 8:49 PM, lostinthetubez <lostinthetu...@gmail.com>
wrote:

> Craig,
>
>
>
> Hm... I just now noticed your exact symptoms while playing with a test
> OSSEC server that was created from a relatively recent git clone of the
> repository (cloned within the last month or two?). Take a look at your
> original output of ossec-logtest, under “Prepended Data Removed”. Look at
> the parsed “log:” field. Ossec-logtest is stripping “2016 Jul 29 22:32:24
> WinEvtLog:” before processing it against the decoders. It isn’t supposed to
> be doing this. At least, this was not the behavior under 2.8.3. I do not
> have time to test the latest build from the repo to see if this problem has
> been fixed, though you might give that a whirl if you have the luxury of
> time. If you just want to make things work correctly, build your OSSEC
> server from the last known-good release, which is 2.8.3, or just follow
> Jesus’ suggestion and try out the Wazuh build.
>
>
>
>
>
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> Behalf Of Craig
> Sent: Sunday, July 31, 2016 3:14 PM
> To: ossec-list <ossec-list@googlegroups.com>
> Subject: Re: [ossec-list] eventchannel decoder testing
>
>
>
> Great, thank you. That does help troubleshoot. So, I do have a follow up
> question. Here is the default decoder:
>
>
>
> 
>
> <decoder name="DECODER-NAME-NOT-PRESERVED">
>   <!-- the name attribute did not survive the list archive; placeholder -->
>   <parent>windows</parent>
>   <prematch>INFORMATION\(1\)</prematch>
>   <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
>   <order>status,user,url,data</order>
> </decoder>
>
> 
>
>
>
> However, when I remove the prepended data from my archives.log file and
> send it through logtest, the decoder doesn't work (if I leave the prepended
> data there, the decoder works). Any ideas why this might be happening? See
> below for my logtest:
>
>
>
> Prepended Data Removed:
>
>
>
> **Phase 1: Completed pre-decoding.
>
>full event: '2016 Jul 29 22:32:24 WinEvtLog:
> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid:
> {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image:
> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
> {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b
>  TerminalSessionId: 1  IntegrityLevel: High  Hashes:
> MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid:
> {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage:
> C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
>
>hostname: 'ubuntu-srv1'
>
>program_name: 'WinEvtLog'
>
>log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid:
> {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image:
> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
> {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b
>  TerminalSessionId: 1  IntegrityLevel: High  Hashes:
> MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid:
> {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage:
> C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
>
>
>
> **Phase 2: Completed decoding.
>
>    No decoder matched.
>
>
>
> Prepended Data Intact:
>
>
>
> **Phase 1: Completed pre-decoding.
>
>full event: '2016 Jul 29 22:32:25 (WIN7-X64-PC1)
> 172.16.213.5->WinEvtLog 2016 Jul 29 22:32:24 WinEvtLog:
> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid:
> {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image:
>

RE: [ossec-list] eventchannel decoder testing

2016-08-02 Thread lostinthetubez
Craig,

 

Hm... I just now noticed your exact symptoms while playing with a test OSSEC 
server that was created from a relatively recent git clone of the repository 
(cloned within the last month or two?). Take a look at your original output of 
ossec-logtest, under “Prepended Data Removed”. Look at the parsed “log:” field. 
Ossec-logtest is stripping “2016 Jul 29 22:32:24 WinEvtLog:” before processing 
it against the decoders. It isn’t supposed to be doing this. At least, this was 
not the behavior under 2.8.3. I do not have time to test the latest build from 
the repo to see if this problem has been fixed, though you might give that a 
whirl if you have the luxury of time. If you just want to make things work 
correctly, build your OSSEC server from the last known-good release, which is 
2.8.3, or just follow Jesus’ suggestion and try out the Wazuh build.

 

 

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Craig
Sent: Sunday, July 31, 2016 3:14 PM
To: ossec-list <ossec-list@googlegroups.com>
Subject: Re: [ossec-list] eventchannel decoder testing

 

Great, thank you. That does help troubleshoot. So, I do have a follow up 
question. Here is the default decoder:

 



<decoder name="DECODER-NAME-NOT-PRESERVED">
  <!-- the name attribute did not survive the list archive; placeholder -->
  <parent>windows</parent>
  <prematch>INFORMATION\(1\)</prematch>
  <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
  <order>status,user,url,data</order>
</decoder>



 

However, when I remove the prepended data from my archives.log file and send it 
through logtest, the decoder doesn't work (if I leave the prepended data there, 
the decoder works). Any ideas why this might be happening? See below for my 
logtest:

 

Prepended Data Removed:

 

**Phase 1: Completed pre-decoding.

   full event: '2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: 
SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 
2016-07-30 03:32:24.846  ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  
ProcessId: 3988  Image: C:\Users\administrator\Desktop\svchost.exe  
CommandLine: "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  
IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  
ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 
3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: 
C:\Windows\Explorer.EXE'

   hostname: 'ubuntu-srv1'

   program_name: 'WinEvtLog'

   log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  
IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  
ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 
3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: 
C:\Windows\Explorer.EXE'

 

**Phase 2: Completed decoding.

   No decoder matched.

 

Prepended Data Intact:

 

**Phase 1: Completed pre-decoding.

   full event: '2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog 
2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: 
Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  
ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  
IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  
ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 
3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: 
C:\Windows\Explorer.EXE'

   hostname: '(WIN7-X64-PC1)'

   program_name: '(null)'

   log: '172.16.213.5->WinEvtLog 2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: 
SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 
2016-07-30 03:32:24.846  ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  
ProcessId: 3
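Added example (not OSSEC's code, and not from anyone in this thread): a Python emulation of the two things this message and the logtest outputs in the thread show, namely the pre-decoder pulling "WinEvtLog" out as program_name and stripping it from the log field, which leaves nothing for the parent "windows" decoder to prematch on, and the posted child decoder's regex applied to the Sysmon event. The sample event and archives.log header are copied from the logtest output above. Everything else is an assumption: the pre-decoder is a simplified model with a strip_program switch for the two behaviours the thread reports (recent git build versus 2.8.3/Wazuh output), the parent decoder is modelled as an unanchored prematch on "WinEvtLog: " rather than OSSEC's real decoder.xml entry, and ossec_to_python is an approximate translation of OSSEC regex syntax, not a port of OSSEC's engine. One check worth having on hand: the regex as posted requires the literals "HashType:" and "Hash:", which the sample event does not contain (it carries "Hashes: MD5=..."), so the block also carries an adapted pattern and shows the posted one returning no match against this event.

```python
"""Emulation of the ossec-logtest behaviour discussed in this thread.
Added example, not OSSEC's own code: it models the pre-decoder and a
parent/child decoder pair just closely enough to reproduce what the
thread's logtest output shows."""
import re

# Constructed sample event: the Sysmon event id 1 line from the thread's
# logtest output, and the archives.log header that preceded it there.
BARE_EVENT = (
    "2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: "
    "INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: "
    "Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  "
    "ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  "
    "Image: C:\\Users\\administrator\\Desktop\\svchost.exe  "
    "CommandLine: \"C:\\Users\\administrator\\Desktop\\svchost.exe\"   "
    "CurrentDirectory: C:\\Users\\administrator\\Desktop\\  "
    "User: HACKME\\Administrator  LogonGuid: {67C360F4-1C55-579C--00206BBC0600}  "
    "LogonId: 0x6bc6b  TerminalSessionId: 1  IntegrityLevel: High  "
    "Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  "
    "ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  "
    "ParentImage: C:\\Windows\\explorer.exe  ParentCommandLine: C:\\Windows\\Explorer.EXE"
)
ARCHIVE_HEADER = "2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog "

# --- pre-decoder model (assumption: a simplification, not OSSEC's own code) ---
TS = r"\d{4} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d "
ARCHIVE_LINE = re.compile("^" + TS + r"(\([^)]*\)) (.*)$", re.S)
SYSLOG_PROGRAM = re.compile("^" + TS + r"([A-Za-z][\w.-]*): (.*)$", re.S)

def predecode(event, local_host="ubuntu-srv1", strip_program=True):
    """Split an event into hostname / program_name / log.

    strip_program=True models the git build in the thread: a leading
    'WinEvtLog: ' is consumed as program_name and removed from log.
    strip_program=False models the 2.8.3/Wazuh output: program_name
    '(null)' and the log left intact."""
    m = ARCHIVE_LINE.match(event)
    if m:  # archives.log header: the bracketed agent name becomes hostname
        return {"hostname": m.group(1), "program_name": "(null)", "log": m.group(2)}
    m = SYSLOG_PROGRAM.match(event) if strip_program else None
    if m:
        return {"hostname": local_host, "program_name": m.group(1), "log": m.group(2)}
    return {"hostname": local_host, "program_name": "(null)", "log": event}

# --- decoder model ---
# Parent 'windows' decoder gate. Assumption: an unanchored prematch on
# 'WinEvtLog: '; OSSEC's real decoder.xml entry is not reproduced here.
PARENT_PREMATCH = "WinEvtLog: "

# Child regex exactly as posted in the thread (OSSEC syntax, joined onto one line).
POSTED_REGEX = (
    r"Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* "
    r"\s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) "
    r"\s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:"
)
# The sample event carries 'Hashes: MD5=...' rather than 'HashType: ... Hash: ...',
# so this adapted pattern (my change, not from the thread) is the one that can match it.
ADAPTED_REGEX = POSTED_REGEX.replace(r"HashType: \S* \s*Hash: (\S*)", r"Hashes: MD5=(\S*)")
# <order>status,user,url,data</order>, under the names logtest prints them with.
ORDER = ("status", "dstuser", "url", "extra_data")

def ossec_to_python(pattern):
    """Approximate translation of OSSEC regex syntax to Python re.
    In OSSEC, '\\.' means any character and an unescaped '.' is literal;
    '\\s' '\\S' '\\w' '\\d' keep their meaning; '\\(' is a literal paren.
    '\\.*' is made lazy so each field stops at the next literal label."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            esc = pattern[i + 1]
            i += 2
            atom = "." if esc == "." else ("\\" + esc if esc in "sSwWdD" else re.escape(esc))
            if i < len(pattern) and pattern[i] in "*+":
                atom += pattern[i] + ("?" if esc == "." else "")
                i += 1
            out.append(atom)
        elif c in "()^$":  # groups and anchors carry over unchanged
            out.append(c)
            i += 1
        else:              # everything else, including '.', is literal in OSSEC
            out.append(re.escape(c))
            i += 1
    return "".join(out)

def decode(log, child_regex=ADAPTED_REGEX):
    """Return the decoded fields, or None for 'No decoder matched'."""
    if PARENT_PREMATCH not in log:  # parent fails -> child is never evaluated
        return None
    m = re.search(ossec_to_python(child_regex), log, re.IGNORECASE)
    return dict(zip(ORDER, m.groups())) if m else None

def logtest(event, strip_program=True, child_regex=ADAPTED_REGEX):
    """Pre-decode then decode, like the two logtest phases in the thread."""
    pre = predecode(event, strip_program=strip_program)
    return pre, decode(pre["log"], child_regex)

if __name__ == "__main__":
    for label, event, strip in (
        ("bare event, program_name stripped", BARE_EVENT, True),
        ("bare event, log left intact", BARE_EVENT, False),
        ("archives.log header kept", ARCHIVE_HEADER + BARE_EVENT, True),
    ):
        pre, fields = logtest(event, strip)
        print(label, "->", pre["program_name"], "|", fields or "No decoder matched.")
```

Run it directly and the three scenarios print in the order the thread discusses them: with the "WinEvtLog: " prefix consumed as program_name the child decoder is never reached, while either leaving the log intact or keeping the archives.log header lets the parent prematch pass and the child extract status, dstuser, url and extra_data.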

Re: [ossec-list] eventchannel decoder testing

2016-08-02 Thread dan (ddp)
On Mon, Aug 1, 2016 at 9:11 AM, Craig wrote:
> So, interesting. I guess that is my question. In my testing (using 2.9RC2),
> the decoder below won't recognize the log entry unless I keep the header
> from archives.log (you can see the output in my post above). If I remove the
> header, the decoder doesn't work. What version were you running with your
> testing of my log entry?
> 
> <decoder name="DECODER-NAME-NOT-PRESERVED">
>   <!-- the name attribute did not survive the list archive; placeholder -->
>   <parent>windows</parent>
>   <prematch>INFORMATION\(1\)</prematch>
>   <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
>   <order>status,user,url,data</order>
> </decoder>
> 
>
>

Try this: https://github.com/ossec/ossec-hids/pull/880

>
> On Monday, August 1, 2016 at 2:50:22 AM UTC-5, Jesus Linares wrote:
>>
>> It seems the output of ossec-logtest is cut in the previous post. I paste
>> it here again:
>>
>>
>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY:
>> Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846
>> ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image:
>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>> {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId:
>> 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
>> C:\Windows\Explorer.EXE
>>
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: '2016 Jul 29 22:32:24 WinEvtLog:
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
>> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid:
>> {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image:
>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>> {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId:
>> 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
>> C:\Windows\Explorer.EXE'
>>hostname: 'ip-10-0-0-10'
>>program_name: '(null)'
>>log: '2016 Jul 29 22:32:24 WinEvtLog:
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
>> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid:
>> {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image:
>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>> {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId:
>> 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine:
>> C:\Windows\Explorer.EXE'
>>
>>
>> **Phase 2: Completed decoding.
>>decoder: 'windows'
>>status: 'C:\Users\administrator\Desktop\svchost.exe'
>>dstuser: 'HACKME\Administrator'
>>url: 'C019D10F80409FC4C7D45EBFA48B0076'
>>extra_data: 'C:\Windows\explorer.exe'
>>
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '184666'
>>Level: '12'
>>Description: 'Sysmon - Suspicious Process - svchost.exe'
>>
>> You can find decoders for all sysmon events here.
>>
>> Regards.
>>
>>
>>
>>
>>
>>
>> On Monday, August 1, 2016 at 9:46:31 AM UTC+2, Jesus Linares wrote:
>>>
>>> Hi Craig,
>>>
>>> the raw event is:
>>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY:
>>> Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846
>>> ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image:
>>> C:\Users\administrator\Desktop\svchost.exe  CommandLine:
>>> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory:
>>> C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid:
>>> {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId:
>>> 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>>> ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId:

Re: [ossec-list] eventchannel decoder testing

2016-08-01 Thread Jesus Linares
Hi Craig,

I'm running ossec-wazuh. Try to copy the sysmon decoders from 
https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L197
to your decoder.xml.

Let me know if it works.

Regards.

On Monday, August 1, 2016 at 3:11:35 PM UTC+2, Craig wrote:
>
> So, interesting. I guess that is my question. In my testing (using 
> 2.9RC2), the decoder below won't recognize the log entry unless I keep the 
> header from archives.log (you can see the output in my post above). If I 
> remove the header, the decoder doesn't work. What version were you running 
> with your testing of my log entry?
> 
> <decoder name="DECODER-NAME-NOT-PRESERVED">
>   <!-- the name attribute did not survive the list archive; placeholder -->
>   <parent>windows</parent>
>   <prematch>INFORMATION\(1\)</prematch>
>   <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
>   <order>status,user,url,data</order>
> </decoder>
> 
>
>
>
> On Monday, August 1, 2016 at 2:50:22 AM UTC-5, Jesus Linares wrote:
>>
>> It seems the output of ossec-logtest is cut in the previous post. I paste 
>> it here again:
>>
>>
>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-
>> PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  
>> ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  

Re: [ossec-list] eventchannel decoder testing

2016-08-01 Thread Craig
So, interesting. I guess that is my question. In my testing (using 2.9RC2), 
the decoder below won't recognize the log entry unless I keep the header 
from archives.log (you can see the output in my post above). If I remove 
the header, the decoder doesn't work. What version were you running with 
your testing of my log entry?

<!-- XML tags restored (the archive stripped them); the decoder name is the one
     ossec-logtest reports for this decoder earlier in the thread -->
<decoder name="Sysmon-EventID#1">
  <parent>windows</parent>
  <prematch>INFORMATION\(1\)</prematch>
  <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
  <order>status,user,url,data</order>
</decoder>





Re: [ossec-list] eventchannel decoder testing

2016-08-01 Thread Jesus Linares
It seems the output of ossec-logtest is cut in the previous post. I paste 
it here again:


2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: C:\Users\administrator\Desktop\svchost.exe  CommandLine: "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE




**Phase 1: Completed pre-decoding.
   full event: '2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
   hostname: 'ip-10-0-0-10'
   program_name: '(null)'
   log: '2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'


**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'C:\Users\administrator\Desktop\svchost.exe'
   dstuser: 'HACKME\Administrator'
   url: 'C019D10F80409FC4C7D45EBFA48B0076'
   extra_data: 'C:\Windows\explorer.exe'


**Phase 3: Completed filtering (rules).
   Rule id: '184666'
   Level: '12'
   Description: 'Sysmon - Suspicious Process - svchost.exe'

You can find decoders for all sysmon events here.

Regards.







Re: [ossec-list] eventchannel decoder testing

2016-08-01 Thread Jesus Linares
Hi Craig,

the raw event is:
2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: C:\Users\administrator\Desktop\svchost.exe  CommandLine: "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE

but, OSSEC adds a header in archives.log:

2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: C:\Users\administrator\Desktop\svchost.exe  CommandLine: "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE


So, you must always use ossec-logtest without headers:
2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: C:\Users\administrator\Desktop\svchost.exe  CommandLine: "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE

**Phase 1: Completed pre-decoding.
   full event: '2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
   hostname: 'ip-10-0-0-10'
   program_name: '(null)'
   log: '2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'


**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'C:\Users\administrator\Desktop\svchost.exe'
   dstuser: 'HACKME\Administrator'
   url: 'C019D10F80409FC4C7D45EBFA48B0076'
   extra_data: 'C:\Windows\explorer.exe'


**Phase 3: Completed filtering (rules).
   Rule id: '184666'
   Level: '12'
   Description: 'Sysmon - Suspicious Process - svchost.exe'
**Alert to be generated.


You can find decoders for all sysmon events here.




Re: [ossec-list] eventchannel decoder testing

2016-07-31 Thread Craig
Great, thank you. That does help troubleshoot. So, I do have a follow up 
question. Here is the default decoder:


<!-- XML tags restored (the archive stripped them); the decoder name is the one
     ossec-logtest reports for this decoder in the output below -->
<decoder name="Sysmon-EventID#1">
  <parent>windows</parent>
  <prematch>INFORMATION\(1\)</prematch>
  <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
  <order>status,user,url,data</order>
</decoder>


However, when I remove the prepended data from my archives.log file and 
send it through logtest, the decoder doesn't work (if I leave the prepended 
data there, the decoder works). Any ideas why this might be happening? See 
below for my logtest:

Prepended Data Removed:

**Phase 1: Completed pre-decoding.
   full event: '2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
   hostname: 'ubuntu-srv1'
   program_name: 'WinEvtLog'
   log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'

**Phase 2: Completed decoding.
   No decoder matched.

Prepended Data Intact:

**Phase 1: Completed pre-decoding.
   full event: '2016 Jul 29 22:32:25 (WIN7-X64-PC1) 
172.16.213.5->WinEvtLog 2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
   hostname: '(WIN7-X64-PC1)'
   program_name: '(null)'
   log: '172.16.213.5->WinEvtLog 2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'

**Phase 2: Completed decoding.
   decoder: 'Sysmon-EventID#1'






RE: [ossec-list] eventchannel decoder testing

2016-07-29 Thread lostinthetubez
Delving into Sysmon event log parsing reveals just how monumental a task it is 
to parse out useful information from Windows event logs. The challenge is that 
nearly each and every Event ID has a different log format, which essentially 
means that almost every Event ID needs its own decoder... I may be waxing a 
little dramatic here, but the point is that to properly parse Windows logs, the 
original decoder needs to be made more generic and LOTS more child decoders 
need to be developed. At least, that is the approach I took, personally. Maybe 
I’m totally off base. Been testing it for a few months and it seems to work OK, 
but I haven’t done any auditing to see if I’ve broken anything. Anyway, here’s 
what I did and what works for me at the moment. If you go this route, you’ll 
need to comment out the original windows decoder in /var/ossec/etc/decoder.xml 
(and whatever else sysmon-related might have made it in there since last I 
looked; I’m not running the latest beta). I put these in local_decoder.xml:

 



<!-- XML tags restored: the archive stripped the markup. The decoder names were
     lost with it; "windows" is the name the child decoders reference via
     <parent> and is reused for the children, as the stock decoder.xml does.
     offset="after_parent" is implied by the ^ anchors in the child patterns. -->
<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
</decoder>

<decoder name="windows">
  <parent>windows</parent>
  <type>windows</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^Application: |^Security: |^System: </prematch>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<decoder name="windows">
  <parent>windows</parent>
  <type>windows</type>
  <prematch offset="after_parent">^Microsoft-Windows-Sysmon/Operational: INFORMATION\(1\)</prematch>
  <regex offset="after_parent">^Microsoft-Windows-Sysmon/Operational: (\w+)\((\d)\): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: (\S+): Process Create: \.+  ProcessId: \d+  Image: (\.*)  CommandLine: \.*  User: (\.*)  LogonGuid: \S*  LogonId: \S*  TerminalSessionId: \d*  IntegrityLevel: \w*  Hashes: \w+=(\w*)  ParentProcessGuid: \S*  ParentProcessID: \S*  ParentImage: (\.+)</regex>
  <order>status, id, system_name, dstuser, srcuser, url, extra_data, extra_data</order>
</decoder>


Put this in your local_rules.xml:



18101

^1$

Sysmon Process Launch Event



 

If you haven’t done so already, it is always helpful to enable logall mode when 
you’re working on new decoders. This will retain a copy of every single log 
line sent to your OSSEC manager. In your ossec.conf on the manager, put 
<logall>yes</logall> in a <global> tag somewhere and restart the service. You 
will now have a record of all logs sent to the manager, not just those that 
generate alerts. The current day’s archival logs are in 
/var/ossec/logs/archives/archives.log. Note that in order to run these 
particular logs through ossec-logtest, you’ll need to remove a prepended bit of 
text. So, edit a log entry like this:

 

2016 Jul 29 08:33:17 (hostname) 100.200.123.123->WinEvtLog 2016 Jul 29 08:36:08 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: hostname.subdomain.domain.tld: Process Create:  UtcTime: 2016-07-29 15:36:08.268  ProcessGuid: {A560AB96-77E8-579B--0010B7B17E50}  ProcessId: 50292  Image: C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe  CommandLine: "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe"   CurrentDirectory: C:\Program Files (x86)\KeePass Password Safe 2\  User: domain\username  LogonGuid: {A560AB96-40DE-578E--00209886AB02}  LogonId: 0x2AB8698  TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C  ParentProcessGuid: {A560AB96-40E0-578E--0010285AAC02}  ParentProcessId: 7540  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE

 

to become:

2016 Jul 29 08:36:08 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: hostname.subdomain.domain.tld: Process Create:  UtcTime: 2016-07-29 15:36:08.268  ProcessGuid: {A560AB96-77E8-579B--0010B7B17E50}  ProcessId: 50292  Image: C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe  CommandLine: "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe"   CurrentDirectory: C:\Program Files (x86)\KeePass Password Safe 2\  User: domain\username  LogonGuid: {A560AB96-40DE-578E--00209886AB02}  LogonId: 0x2AB8698  TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C  ParentProcessGuid: {A560AB96-40E0-578E--0010285AAC02}  ParentProcessId: 7540  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE

 

before copy/pasting into ossec-logtest. This is the best way to go about 
testing an eventchannel log. You get to see exactly what is decoded and which 
rules are triggered.

 

 


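The two steps the posts above walk through by hand (strip the archives.log prefix the manager prepends when logall is on, then feed the bare WinEvtLog line to the decoder) are easy to get wrong when copy/pasting wrapped lines out of a mail client. Below is an added example, my own code and not OSSEC's, Wazuh's or anything posted in this thread: a small Python decoder that strips the prefix, splits the eventchannel header, parses the Sysmon "Key: Value" body into a dict and then applies a check of the kind rule 184666 implies, flagging a svchost.exe launched from anywhere other than its system directories. The two sample lines are this thread's own Process Create events, embedded as constructed test input; the field names I give the header pieces, the regex shapes and the list of legitimate svchost.exe directories are my assumptions, not anything the thread or OSSEC defines.

```python
"""Decode OSSEC eventchannel/Sysmon lines: strip the archives.log prefix, split the
WinEvtLog header, parse the Sysmon body, then run a simple masquerading check."""
import ntpath
import re

# Prefix the manager prepends to archives.log lines when <logall> is on.
# Shape taken from the thread: "2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog ".
ARCHIVE_HEADER = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \([^)]*\) \S+->\S+ ")

# Line as the agent sends it. The group names are my own labels for the colon-separated
# header; the body is everything after the hostname (assumption: no colons in those fields).
WINEVT_HEADER = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<level>\w+)\((?P<event_id>\d+)\): "
    r"(?P<provider>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<body>.*)$"
)

# Sysmon renders the body as "Key: Value" pairs separated by two or more spaces; values
# such as CommandLine contain single spaces, so split only on runs of whitespace that
# are followed by another "Key: ".
FIELD_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z]+: )")

# Directories a genuine svchost.exe runs from (my assumption; the thread only shows
# that its rule fires for a svchost.exe sitting on a user's Desktop).
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def strip_archive_header(line):
    """Return the line as the agent sent it, i.e. what ossec-logtest expects."""
    return ARCHIVE_HEADER.sub("", line.rstrip("\r\n"), count=1)


def parse_body(body):
    """Split a Sysmon body into (event name, {field: value})."""
    parts = FIELD_SPLIT.split(body)
    name = parts[0].rstrip(":").strip()  # e.g. "Process Create"
    fields = {}
    for part in parts[1:]:
        key, _, value = part.partition(": ")
        fields[key] = value.strip()
    return name, fields


def parse_hashes(value):
    """'SHA1=...,MD5=...' -> {'SHA1': ..., 'MD5': ...}; empty dict when absent."""
    return dict(h.split("=", 1) for h in value.split(",") if "=" in h)


def decode(line):
    """Decode one archives.log or agent line; None if it is not a WinEvtLog line."""
    m = WINEVT_HEADER.match(strip_archive_header(line))
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    ev["name"], ev["fields"] = parse_body(ev.pop("body"))
    ev["hashes"] = parse_hashes(ev["fields"].get("Hashes", ""))
    return ev


def is_masquerading_svchost(ev):
    """True for a Process Create whose Image is svchost.exe outside SVCHOST_DIRS."""
    if ev is None or ev["event_id"] != 1:
        return False
    directory, name = ntpath.split(ev["fields"].get("Image", ""))
    return name.lower() == "svchost.exe" and directory.lower() not in SVCHOST_DIRS


# Constructed samples: the thread's two Process Create events, one still carrying the
# archives.log prefix and one already stripped.
SAMPLE_WITH_HEADER = (
    r"2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog "
    r"2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    r"Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: "
    r"Process Create:  UtcTime: 2016-07-30 03:32:24.846  "
    r"ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}  ProcessId: 3988  "
    r"Image: C:\Users\administrator\Desktop\svchost.exe  "
    r'CommandLine: "C:\Users\administrator\Desktop\svchost.exe"   '
    r"CurrentDirectory: C:\Users\administrator\Desktop\  User: HACKME\Administrator  "
    r"LogonGuid: {67C360F4-1C55-579C--00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  "
    r"IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  "
    r"ParentProcessGuid: {67C360F4-1C57-579C--001092EC0600}  ParentProcessId: 3056  "
    r"ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE"
)
SAMPLE_STRIPPED = (
    r"2016 Jul 29 08:36:08 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    r"Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: hostname.subdomain.domain.tld: "
    r"Process Create:  UtcTime: 2016-07-29 15:36:08.268  "
    r"ProcessGuid: {A560AB96-77E8-579B--0010B7B17E50}  ProcessId: 50292  "
    r"Image: C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe  "
    r'CommandLine: "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe"   '
    r"CurrentDirectory: C:\Program Files (x86)\KeePass Password Safe 2\  User: domain\username  "
    r"LogonGuid: {A560AB96-40DE-578E--00209886AB02}  LogonId: 0x2AB8698  TerminalSessionId: 1  "
    r"IntegrityLevel: Medium  Hashes: SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C  "
    r"ParentProcessGuid: {A560AB96-40E0-578E--0010285AAC02}  ParentProcessId: 7540  "
    r"ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE"
)

if __name__ == "__main__":
    for raw in (SAMPLE_WITH_HEADER, SAMPLE_STRIPPED):
        ev = decode(raw)
        print(ev["host"], ev["name"], ev["fields"]["Image"], ev["hashes"],
              "SUSPICIOUS" if is_masquerading_svchost(ev) else "ok")
```

Pipe archives.log through strip_archive_header() and you get exactly the lines to paste into ossec-logtest; the dict that decode() returns is the set of fields a decoder's <order> would have to name, which makes it easy to see which of them the regex you are writing actually captures.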
Re: [ossec-list] eventchannel decoder testing

2016-07-29 Thread dan (ddp)
On Thu, Jul 28, 2016 at 11:24 PM, Craig  wrote:
> I am currently running 2.9RC2 on both client and server:
>
> What is the best way to go about testing an eventchannel log? I have the
> following set in my local ossec.conf on my windows agent:
>
>
> <localfile>
>   <location>Microsoft-Windows-Sysmon/Operational</location>
>   <log_format>eventchannel</log_format>
> </localfile>
>
>
> I am using the default sysmon decoder included on my server:
>
>
> <!-- XML tags restored (the archive stripped them); the decoder name is the one
>      ossec-logtest reports for this decoder later in the thread -->
> <decoder name="Sysmon-EventID#1">
>   <parent>windows</parent>
>   <prematch>INFORMATION\(1\)</prematch>
>   <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
>   <order>status,user,url,data</order>
> </decoder>
>
>
> I modified the default sysmon rule so that I would capture all process
> creates by setting the level to 1:
>
>
>  
>
>   18100
>
>   Sysmon - Process Create Event
>
>  
>
>
>
> I would think that i would now see all process creates in my alerts.log but
> unfortunately I don't see any sysmon events at all. Any idea on the best way
> to troubleshoot this? Thank you!
>

Turn on the logall option on the server, restart the OSSEC processes
on the server, and watch the archives.log.
When you find a sysmon log, you can use that with ossec-logtest to try
and figure out what is going on.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.