Re: [ossec-list] sysmon decoder and rules not triggered
On Fri, Sep 29, 2017 at 12:32 AM, amar haq wrote:
> Hi dan (ddpbsd),
>
> thanks for noticing it. I added the decoder in local_decoder to avoid damaging the
> default decoder. This is my custom decoder right now:
>
>
> windows
> windows
> INFORMATION\(1\)
> Image:\s* (\S+) \.* CommandLine: \S+\s*
> CurrentDirectory:
> \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)
> status,user,url,extra_data
>
>
> What I want to get is:
> 1. Image = status
> 2. User = user
> 3. SHA256 = url
> 4. ParentImage = extra_data
>
> I'm kind of new and got that regex with trial and error at regex101.com.
> Is it the correct one to try regex?
>

Unfortunately our regex is a subset of standard regexes. So these sites are pretty much useless for testing OSSEC.

> I don't really understand how to make it match with this decoder. Is it
> because the ? Or could the decoder be executed after windows decodes
> it?
>

I think the windows1 decoder is taking over, denying any chance of getting to this decoder. I haven't figured out a way to make it match other than putting it in front of windows1.

>
> On Thursday, September 28, 2017 at 7:42:40 PM UTC+7, dan (ddpbsd) wrote:
>>
>> I'm not happy with this one:
>>
>> windows
>> windows
>> INFORMATION\(1\):
>> ^Microsoft-Windows-Sysmon:\.*
>> Image: (\.*)\s*CommandLine: "\.+"\.+User:
>> (\S+)\s+LogonGuid:\.*LogonId:\.*TerminalSessionId
>> :\.*IntegrityLevel:\s*\S+\s*Hashes:
>> MD5=(\S+),SHA\d+=(\S+)\.*ParentProcessGuid: \S+\s+ParentProcessId:
>> \d+\s+ParentImage: (\.*)\s+ParentCommand
>> status, user, url, url, data
>>
>>
>> I had to add it after the windows decoder, and before windows1. So I'm
>> not sure how much damage it would do to other windows decoders/rules.
>>
>>
>> On Thu, Sep 28, 2017 at 8:02 AM, dan (ddp) wrote:
>> > On Thu, Sep 28, 2017 at 12:35 AM, amar haq wrote:
>> >> Hi, I have OSSEC manager 2.9.2 on Ubuntu and OSSEC agent on Windows
>> >> v2.9.0.
>> >> Sysmon is installed and has been configured, and for example I tried to
>> >> access
>> >> PowerShell, agent's log.
>> >> So I tried to use ossec-logtest and have this result:
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >> full event: '2017 Sep 28 11:15:28 WinEvtLog:
>> >> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process
>> >> Create:
>> >> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
>> >> {6B166207-7760-59CC--0010F1E00800} ProcessId: 732 Image:
>> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
>> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
>> >> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser
>> >> LogonGuid:
>> >> {6B166207-76B9-59CC--0020FDE40100} LogonId: 0x1e4fd
>> >> TerminalSessionId:
>> >> 1 IntegrityLevel: High Hashes:
>> >>
>> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
>> >> ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600}
>> >> ParentProcessId:
>> >> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
>> >> C:\Windows\Explorer.EXE'
>> >> hostname: 'ubuntu'
>> >> program_name: 'WinEvtLog'
>> >> log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process
>> >> Create:
>> >> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
>> >> {6B166207-7760-59CC--0010F1E00800} ProcessId: 732 Image:
>> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
>> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
>> >> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser
>> >> LogonGuid:
>> >> {6B166207-76B9-59CC--0020FDE40100} LogonId: 0x1e4fd
>> >> TerminalSessionId:
>> >> 1 IntegrityLevel: High Hashes:
>> >>
>> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
>> >> ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600}
>> >> ParentProcessId:
>> >> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
>> >> C:\Windows\Explorer.EXE'
>> >>
>> >> **Phase 2: Completed decoding.
>> >> decoder: 'windows'
>> >> status: 'INFORMATION'
>> >> id: '1'
>> >> extra_data: 'Microsoft-Windows-Sysmon'
>> >> dstuser: 'SYSTEM'
>> >> system_name: 'IE11Win7'
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >> Rule id: '9'
>> >> Level: '3'
>> >> Description: 'Windows Rule Triggered'
>> >> **Alert to be generated.
>> >>
>> >>
>> >> Here is the sysmon decoder by default:
>> >>
>> >>
>> >> windows
>> >> INFORMATION\(1\)
>> >> Image: (\.*) \s*CommandLine: \.*
>> >> \s*User:
>> >> (\.*) \s*LogonGuid: \S* \s*LogonId: \S*
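Two points in dan's reply are worth seeing run rather than described: the OSSEC regex dialect is a small subset (so regex101 output proves little), and the <order> list is what turns capture groups into alert fields, but only if the child decoder that owns the regex is ever reached. The script below is an added example, not code from the thread or from OSSEC. It translates OSSEC-style patterns into Python's re for inspection, runs a cleaned-up event-1 regex of my own over the Sysmon event from the thread (rejoined onto one line), and models sibling child decoders as first-prematch-wins to show why a decoder appended after a looser sibling never fires. The names ossec_to_python, decode, pick_child, EVENT1_REGEX and LOOSE_SIBLING are mine; the first-match-wins ordering and the Python-re translation are assumptions that approximate OSSEC, and ossec-logtest remains the authoritative check.

```python
import re

# OSSEC regex subset -> Python re.  Mapping follows the OSSEC regex syntax
# documentation: \. = any character, \w = A-Za-z0-9 plus @ - _, \d = digit,
# \s = space, \S = non-space, \t = tab, \p = punctuation; an escaped
# metacharacter (\( \) \\ \| \$ ...) is a literal, and everything else is a
# literal too (an unescaped "." is a literal dot in OSSEC, unlike PCRE).
_CLASSES = {
    ".": ".",
    "w": r"[A-Za-z0-9@_\-]",
    "W": r"[^A-Za-z0-9@_\-]",
    "d": r"\d",
    "D": r"\D",
    "s": r"[ ]",
    "S": r"[^ ]",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
}
_META = set("()*+^$|")  # unescaped metacharacters OSSEC shares with re


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex>/<prematch> pattern into a Python pattern.
    Approximation: Python's re backtracks and OSSEC's os_regex does not fully
    backtrack, so a pattern that captures here can still fail in
    ossec-logtest; use this to reason about captures, not as the final word."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(ch if ch in _META else re.escape(ch))
            i += 1
    return "".join(out)


def decode(ossec_regex: str, order: str, log: str):
    """Run one decoder regex over the log and map its capture groups onto the
    comma-separated <order> field names, the way OSSEC fills alert fields."""
    m = re.search(ossec_to_python(ossec_regex), log)
    if m is None:
        return None
    return dict(zip([f.strip() for f in order.split(",")], m.groups()))


def pick_child(children, log):
    """Sibling child decoders are consulted in file order; the first one whose
    <prematch> is found in the log is applied and later siblings are never
    consulted.  This models the 'windows1 is taking over' behaviour dan
    describes; it is an assumption made for this example, not OSSEC's code."""
    for child in children:
        if re.search(ossec_to_python(child["prematch"]), log):
            if child["regex"] is None:
                return child["name"], {}
            return child["name"], decode(child["regex"], child["order"], log) or {}
    return None, {}


# Sysmon event 1 from the thread's ossec-logtest output, rejoined onto one
# line (mail wrapping removed); this is the part after "WinEvtLog: ".
SYSMON_EVENT1 = (
    r"Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    r"Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create: "
    r"UtcTime: 2017-09-28 04:15:28.884 ProcessGuid: {6B166207-7760-59CC--0010F1E00800} "
    r"ProcessId: 732 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" '
    r"CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser "
    r"LogonGuid: {6B166207-76B9-59CC--0020FDE40100} LogonId: 0x1e4fd "
    r"TerminalSessionId: 1 IntegrityLevel: High Hashes: "
    r"MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7 "
    r"ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600} ParentProcessId: 2920 "
    r"ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE"
)

# A cleaner event-1 regex written for this example (not the thread's), using
# only the OSSEC subset; its four groups feed amar's <order> list.
EVENT1_REGEX = (
    r"Image: (\S+) CommandLine: \.+ User: (\S+) LogonGuid: \.+ "
    r"Hashes: MD5=\w+,SHA256=(\w+) \.+ ParentImage: (\S+) ParentCommandLine:"
)
EVENT1_ORDER = "status,user,url,extra_data"

CUSTOM = {"name": "sysmon-event1-custom", "prematch": r"INFORMATION\(1\)",
          "regex": EVENT1_REGEX, "order": EVENT1_ORDER}
# Constructed stand-in for an earlier sibling with a looser prematch (the
# role dan suspects windows1 plays); it is not the real windows1 decoder.
LOOSE_SIBLING = {"name": "loose-sibling", "prematch": r"INFORMATION\(\d+\)",
                 "regex": None, "order": ""}

if __name__ == "__main__":
    print("translated:", ossec_to_python(EVENT1_REGEX))
    print("fields:", decode(EVENT1_REGEX, EVENT1_ORDER, SYSMON_EVENT1))
    print("appended after the loose sibling:", pick_child([LOOSE_SIBLING, CUSTOM], SYSMON_EVENT1))
    print("placed before it:", pick_child([CUSTOM, LOOSE_SIBLING], SYSMON_EVENT1))
```

With the custom decoder listed after the loose sibling the event is claimed by the sibling and no Sysmon fields are extracted, which is the Phase 2 output amar saw (only the windows parent's status, id, extra_data, dstuser, system_name); listed first, the same decoder yields the Image, User, SHA256 and ParentImage fields that a rule can then match on.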
Re: [ossec-list] sysmon decoder and rules not triggered
Well, I think there is only one thing I can do: I just added this decoder after the windows decoder and before windows1, and it works.

windows
windows
*Microsoft-Windows-Sysmon*
^Image:\s* (\S+) \.* CommandLine: \S+\s*
CurrentDirectory: \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)
status,user,url,extra_data

Thanks for the idea.

On Friday, September 29, 2017 at 11:32:56 AM UTC+7, amar haq wrote:
>
> Hi dan (ddpbsd),
>
> thanks for noticing it. I added the decoder in local_decoder to avoid
> damaging the default decoder. This is my custom decoder right now:
>
>
> windows
> windows
> INFORMATION\(1\)
> Image:\s* (\S+) \.* CommandLine: \S+\s*
> CurrentDirectory:
> \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)
> status,user,url,extra_data
>
>
> What I want to get is:
> 1. Image = status
> 2. User = user
> 3. SHA256 = url
> 4. ParentImage = extra_data
>
> I'm kind of new and got that regex with trial and error at regex101.com.
> Is it the correct one to try regex?
>
> I don't really understand how to make it match with this decoder. Is it
> because the ? Or could the decoder be executed after windows decodes
> it?
>
>
> On Thursday, September 28, 2017 at 7:42:40 PM UTC+7, dan (ddpbsd) wrote:
>>
>> I'm not happy with this one:
>>
>> windows
>> windows
>> INFORMATION\(1\):
>> ^Microsoft-Windows-Sysmon:\.*
>> Image: (\.*)\s*CommandLine: "\.+"\.+User:
>> (\S+)\s+LogonGuid:\.*LogonId:\.*TerminalSessionId
>> :\.*IntegrityLevel:\s*\S+\s*Hashes:
>> MD5=(\S+),SHA\d+=(\S+)\.*ParentProcessGuid: \S+\s+ParentProcessId:
>> \d+\s+ParentImage: (\.*)\s+ParentCommand
>> status, user, url, url, data
>>
>>
>> I had to add it after the windows decoder, and before windows1. So I'm
>> not sure how much damage it would do to other windows decoders/rules.
>>
>>
>> On Thu, Sep 28, 2017 at 8:02 AM, dan (ddp) wrote:
>> > On Thu, Sep 28, 2017 at 12:35 AM, amar haq wrote:
>> >> Hi, I have OSSEC manager 2.9.2 on Ubuntu and OSSEC agent on Windows
>> >> v2.9.0.
>> >> Sysmon is installed and has been configured, and for example I tried to
>> >> access
>> >> PowerShell, agent's log.
>> >> So I tried to use ossec-logtest and have this result:
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >> full event: '2017 Sep 28 11:15:28 WinEvtLog:
>> >> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process
>> >> Create:
>> >> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
>> >> {6B166207-7760-59CC--0010F1E00800} ProcessId: 732 Image:
>> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
>> >> CommandLine:
>> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
>> >> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser
>> >> LogonGuid:
>> >> {6B166207-76B9-59CC--0020FDE40100} LogonId: 0x1e4fd
>> >> TerminalSessionId:
>> >> 1 IntegrityLevel: High Hashes:
>> >>
>> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
>> >>
>> >> ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600}
>> >> ParentProcessId:
>> >> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
>> >> C:\Windows\Explorer.EXE'
>> >> hostname: 'ubuntu'
>> >> program_name: 'WinEvtLog'
>> >> log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process
>> >> Create:
>> >> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
>> >> {6B166207-7760-59CC--0010F1E00800} ProcessId: 732 Image:
>> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
>> >> CommandLine:
>> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
>> >> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser
>> >> LogonGuid:
>> >> {6B166207-76B9-59CC--0020FDE40100} LogonId: 0x1e4fd
>> >> TerminalSessionId:
>> >> 1 IntegrityLevel: High Hashes:
>> >>
>> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
>> >>
>> >> ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600}
>> >> ParentProcessId:
>> >> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
>> >> C:\Windows\Explorer.EXE'
>> >>
>> >> **Phase 2: Completed decoding.
>> >> decoder: 'windows'
>> >> status: 'INFORMATION'
>> >> id: '1'
>> >> extra_data: 'Microsoft-Windows-Sysmon'
>> >> dstuser: 'SYSTEM'
>> >> system_name: 'IE11Win7'
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >> Rule id:
Re: [ossec-list] sysmon decoder and rules not triggered
Hi dan (ddpbsd),

thanks for noticing it. I added the decoder in local_decoder to avoid damaging the default decoder. This is my custom decoder right now:

windows
windows
INFORMATION\(1\)
Image:\s* (\S+) \.* CommandLine: \S+\s*
CurrentDirectory:
\S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)
status,user,url,extra_data

What I want to get is:
1. Image = status
2. User = user
3. SHA256 = url
4. ParentImage = extra_data

I'm kind of new and got that regex with trial and error at regex101.com. Is it the correct one to try regex?

I don't really understand how to make it match with this decoder. Is it because the ? Or could the decoder be executed after windows decodes it?

On Thursday, September 28, 2017 at 7:42:40 PM UTC+7, dan (ddpbsd) wrote:
>
> I'm not happy with this one:
>
> windows
> windows
> INFORMATION\(1\):
> ^Microsoft-Windows-Sysmon:\.*
> Image: (\.*)\s*CommandLine: "\.+"\.+User:
> (\S+)\s+LogonGuid:\.*LogonId:\.*TerminalSessionId
> :\.*IntegrityLevel:\s*\S+\s*Hashes:
> MD5=(\S+),SHA\d+=(\S+)\.*ParentProcessGuid: \S+\s+ParentProcessId:
> \d+\s+ParentImage: (\.*)\s+ParentCommand
> status, user, url, url, data
>
>
> I had to add it after the windows decoder, and before windows1. So I'm
> not sure how much damage it would do to other windows decoders/rules.
>
>
> On Thu, Sep 28, 2017 at 8:02 AM, dan (ddp) wrote:
> > On Thu, Sep 28, 2017 at 12:35 AM, amar haq wrote:
> >> Hi, I have OSSEC manager 2.9.2 on Ubuntu and OSSEC agent on Windows
> >> v2.9.0.
> >> Sysmon is installed and has been configured, and for example I tried to
> >> access
> >> PowerShell, agent's log.
> >> So I tried to use ossec-logtest and have this result:
> >>
> >> **Phase 1: Completed pre-decoding.
> >> full event: '2017 Sep 28 11:15:28 WinEvtLog:
> >> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process
> >> Create:
> >> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
> >> {6B166207-7760-59CC--0010F1E00800} ProcessId: 732 Image:
> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
> >> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser
> >> LogonGuid:
> >> {6B166207-76B9-59CC--0020FDE40100} LogonId: 0x1e4fd
> >> TerminalSessionId:
> >> 1 IntegrityLevel: High Hashes:
> >>
> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> >>
> >> ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600}
> >> ParentProcessId:
> >> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
> >> C:\Windows\Explorer.EXE'
> >> hostname: 'ubuntu'
> >> program_name: 'WinEvtLog'
> >> log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process
> >> Create:
> >> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
> >> {6B166207-7760-59CC--0010F1E00800} ProcessId: 732 Image:
> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
> >> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser
> >> LogonGuid:
> >> {6B166207-76B9-59CC--0020FDE40100} LogonId: 0x1e4fd
> >> TerminalSessionId:
> >> 1 IntegrityLevel: High Hashes:
> >>
> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> >>
> >> ParentProcessGuid: {6B166207-76E1-59CC--0010BA5F0600}
> >> ParentProcessId:
> >> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
> >> C:\Windows\Explorer.EXE'
> >>
> >> **Phase 2: Completed decoding.
> >> decoder: 'windows'
> >> status: 'INFORMATION'
> >> id: '1'
> >> extra_data: 'Microsoft-Windows-Sysmon'
> >> dstuser: 'SYSTEM'
> >> system_name: 'IE11Win7'
> >>
> >> **Phase 3: Completed filtering (rules).
> >> Rule id: '9'
> >> Level: '3'
> >> Description: 'Windows Rule Triggered'
> >> **Alert to be generated.
> >>
> >>
> >> Here is the sysmon decoder by default:
> >>
> >>
> >> windows
> >> INFORMATION\(1\)
> >> Image: (\.*) \s*CommandLine: \.*
> >> \s*User:
> >> (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S*
> >> \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*)
> >> \s*ParentProcessGuid: \S*
> >> \s*ParentProcessID: \S* \s*ParentImage: (\.*)
> >> \s*ParentCommandLine:
> >> status,user,url,data
> >>
> >>
> >
> > There are a few things in the decoder that don't match the sysmon
> > message you posted. You don't have "HashType," "Hash:" is "Hashes:"
> > for you, etc. I'll play around with it.
> >
> >>
> >>
> >> as I know ,