Re: [ossec-list] sysmon decoder and rules not triggered

2017-09-29 Thread dan (ddp)
On Fri, Sep 29, 2017 at 12:32 AM, amar haq wrote:
> Hi dan (ddpbsd),
>
> Thanks for noticing it. I add the decoder at local_decoder to avoid damaging
> the default decoder. This is my custom decoder right now:
>
> <decoder name="...">
>   <parent>windows</parent>
>   <type>windows</type>
>   <prematch>INFORMATION\(1\)</prematch>
>   <regex>Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory: \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)</regex>
>   <order>status,user,url,extra_data</order>
> </decoder>
>
> What I want to get is:
> 1. Image = status
> 2. User = user
> 3. SHA256 = url
> 4. ParentImage = extra_data
>
> I'm kind of new and got that regex with trial and error at regex101.com.
> Is it the correct one to try regex?
>

Unfortunately our regex is a subset of standard regexes. So these
sites are pretty much useless for testing OSSEC.

> I don't really understand how to make it match with this decoder. Is it
> because the ? Or could the decoder be executed after windows decodes
> it?
>

I think the windows1 decoder is taking over, denying any chance of
getting to this decoder. I haven't figured out a way to make it match
other than putting it in front of windows1.

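Because regex101-style testers speak a different dialect, here is an added example (not from the thread, OSSEC, or either poster) that translates the OSSEC regex dialect into Python's `re` and runs the custom decoder's regex/order pair from the thread against the Sysmon event shown in the ossec-logtest output, re-joined onto one line. The dialect table is taken from the OSSEC regex syntax documentation; greedy backtracking and case-insensitive matching are assumptions of this translation, so ambiguous patterns may behave differently in the real engine.

```python
import re

# OSSEC regex dialect (assumed from the OSSEC regex-syntax docs): \s is a single
# space, \S anything but a space, \. any character, \w is letters/digits/@/-/_.
_OSSEC = {".": ".", "s": " ", "S": "[^ ]", "w": "[A-Za-z0-9@_-]", "W": "[^A-Za-z0-9@_-]",
          "d": "[0-9]", "D": "[^0-9]", "t": "\t", "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]"""}

def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into a Python re pattern (greedy semantics assumed)."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):  # \X is a class, or an escaped literal
            out.append(_OSSEC.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:  # ( ) | ^ $ * + keep their meaning; a bare '.', '?', '[' or '{' is literal
            out.append(ch if ch in "()|^$*+" else re.escape(ch))
            i += 1
    return "".join(out)

def decode(regex, order, log):
    """Apply a decoder <regex>/<order> pair to one log line; return the fields or None."""
    m = re.search(ossec_to_python(regex), log, re.IGNORECASE)  # case-insensitive: assumed
    return dict(zip([f.strip() for f in order.split(",")], m.groups())) if m else None

# <regex> and <order> of the custom decoder posted in the thread (28 Sep message), one line.
SYSMON_REGEX = (r"Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory: \S+\s*User:\s*(\S+)"
                r"\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:"
                r"\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)")
SYSMON_ORDER = "status,user,url,extra_data"

# Constructed sample: the event from the thread's ossec-logtest output, re-joined onto one line.
SAMPLE_LOG = (
    "Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: "
    "NT AUTHORITY: IE11Win7: Process Create:  UtcTime: 2017-09-28 04:15:28.884  ProcessId: 732  "
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe  "
    "CommandLine: \"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"  "
    "CurrentDirectory: C:\\Windows\\system32\\  User: IE11WIN7\\IEUser  "
    "LogonGuid: {6B166207-76B9-59CC--0020FDE40100}  LogonId: 0x1e4fd  TerminalSessionId: 1  "
    "IntegrityLevel: High  Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,"
    "SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7  "
    "ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600}  ParentProcessId: 2920  "
    "ParentImage: C:\\Windows\\explorer.exe  ParentCommandLine: C:\\Windows\\Explorer.EXE"
)

if __name__ == "__main__":
    for field, value in decode(SYSMON_REGEX, SYSMON_ORDER, SAMPLE_LOG).items():
        print(f"{field}: {value}")
```

Running it prints the four fields the thread wants (status, user, url, extra_data); note that Python's own `\s` would also eat tabs and newlines, which is one reason results from generic regex testers do not carry over to OSSEC.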

Re: [ossec-list] sysmon decoder and rules not triggered

2017-09-29 Thread amar haq
Well, I think there is only one thing I can do: I just add this decoder after 
the windows decoder and before windows1, and it works.

<decoder name="...">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>*Microsoft-Windows-Sysmon*</prematch>
  <regex>^Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory: \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)</regex>
  <order>status,user,url,extra_data</order>
</decoder>

Thanks for the idea.

On Friday, September 29, 2017 at 11:32:56 AM UTC+7, amar haq wrote:
>
> Hi dan (ddpbsd),
>
> Thanks for noticing it. I add the decoder at local_decoder to avoid 
> damaging the default decoder. This is my custom decoder right now:
>
> <decoder name="...">
>   <parent>windows</parent>
>   <type>windows</type>
>   <prematch>INFORMATION\(1\)</prematch>
>   <regex>Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory: \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)</regex>
>   <order>status,user,url,extra_data</order>
> </decoder>
>
> What I want to get is:
> 1. Image = status
> 2. User = user
> 3. SHA256 = url
> 4. ParentImage = extra_data
>
> I'm kind of new and got that regex with trial and error at regex101.com.
> Is it the correct one to try regex?
>
> I don't really understand how to make it match with this decoder. Is it 
> because the ? Or could the decoder be executed after windows decodes 
> it?
>

Re: [ossec-list] sysmon decoder and rules not triggered

2017-09-28 Thread amar haq
Hi dan (ddpbsd),

Thanks for noticing it. I add the decoder at local_decoder to avoid damaging 
the default decoder. This is my custom decoder right now:

<decoder name="...">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>INFORMATION\(1\)</prematch>
  <regex>Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory: \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)</regex>
  <order>status,user,url,extra_data</order>
</decoder>

What I want to get is:
1. Image = status
2. User = user
3. SHA256 = url
4. ParentImage = extra_data

I'm kind of new and got that regex with trial and error at regex101.com.
Is it the correct one to try regex?

I don't really understand how to make it match with this decoder. Is it 
because the ? Or could the decoder be executed after windows decodes 
it?


On Thursday, September 28, 2017 at 7:42:40 PM UTC+7, dan (ddpbsd) wrote:
>
> I'm not happy with this one:
> <decoder name="...">
>   <parent>windows</parent>
>   <type>windows</type>
>   <prematch>INFORMATION\(1\): </prematch>
>   <regex>^Microsoft-Windows-Sysmon:\.*
> Image: (\.*)\s*CommandLine: "\.+"\.+User:
> (\S+)\s+LogonGuid:\.*LogonId:\.*TerminalSessionId
> :\.*IntegrityLevel:\s*\S+\s*Hashes:
> MD5=(\S+),SHA\d+=(\S+)\.*ParentProcessGuid: \S+\s+ParentProcessId:
> \d+\s+ParentImage: (\.*)\s+ParentCommand</regex>
>   <order>status, user, url, url, data</order>
> </decoder>
>
> I had to add it after the windows decoder, and before windows1. So I'm 
> not sure how much damage it would do to other windows decoders/rules. 
>
>
> On Thu, Sep 28, 2017 at 8:02 AM, dan (ddp) wrote:
> > On Thu, Sep 28, 2017 at 12:35 AM, amar haq wrote:
> >> Hi, I have OSSEC manager 2.9.2 on Ubuntu and OSSEC agent on Windows
> >> v2.9.0.
> >> Sysmon is installed and has been configured, and for example I tried to
> >> access powershell, agent's log.
> >> So I tried to use ossec-logtest and have this result:
> >> 
> >> **Phase 1: Completed pre-decoding. 
> >>full event: '2017 Sep 28 11:15:28 WinEvtLog: 
> >> Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
> >> UtcTime: 2017-09-28 04:15:28.884  ProcessGuid: 
> >> {6B166207-7760-59CC--0010F1E00800}  ProcessId: 732  Image: 
> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: 
> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" 
> >> CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  LogonGuid:
> >> {6B166207-76B9-59CC--0020FDE40100}  LogonId: 0x1e4fd  TerminalSessionId:
> >> 1  IntegrityLevel: High  Hashes: 
> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> >> ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600}  ParentProcessId:
> >> 2920  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: 
> >> C:\Windows\Explorer.EXE' 
> >>hostname: 'ubuntu' 
> >>program_name: 'WinEvtLog' 
> >>log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
> >> UtcTime: 2017-09-28 04:15:28.884  ProcessGuid: 
> >> {6B166207-7760-59CC--0010F1E00800}  ProcessId: 732  Image: 
> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: 
> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" 
> >> CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  LogonGuid:
> >> {6B166207-76B9-59CC--0020FDE40100}  LogonId: 0x1e4fd  TerminalSessionId:
> >> 1  IntegrityLevel: High  Hashes: 
> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> >> ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600}  ParentProcessId:
> >> 2920  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: 
> >> C:\Windows\Explorer.EXE' 
> >> 
> >> **Phase 2: Completed decoding. 
> >>decoder: 'windows' 
> >>status: 'INFORMATION' 
> >>id: '1' 
> >>extra_data: 'Microsoft-Windows-Sysmon' 
> >>dstuser: 'SYSTEM' 
> >>system_name: 'IE11Win7' 
> >> 
> >> **Phase 3: Completed filtering (rules). 
> >>Rule id: '9' 
> >>Level: '3' 
> >>Description: 'Windows Rule Triggered' 
> >> **Alert to be generated. 
> >> 
> >> 
> >> here is sysmon decoder by default: 
> >> 
> >> <decoder name="...">
> >>   <parent>windows</parent>
> >>   <prematch>INFORMATION\(1\)</prematch>
> >>   <regex>Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine: </regex>
> >>   <order>status,user,url,data</order>
> >> </decoder>
> >> 
> > 
> > There's a few things in the decoder that don't match the sysmon 
> > message you posted. You don't have "HashType," "Hash:" is "Hashes:" 
> > for you, etc. I'll play around with it. 
> > 
> >> 
> >> 
> >> as I know ,