Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown wrote: > There is a decoder that isn't quite handling some log entries the way I > need. I want to augment an existing decoder, but apparently I'm not doing > this correctly. > Here's an example log entry: > 2017 Jul 03 11:17:37

Re: [ossec-list] OSSEC rule match time and timeframe

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson wrote: > Hello, > > Let's say I have a script which runs once every half an hour. With a latency > difference of about 10-20 seconds. > Would it be possible to match the following: > > 1. Time > 2. Hostname > 3.

Re: [ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown wrote: > I believe I've figured it out -- I think the decoder isn't matching the full > log string and is thus stripping the ip address information. Also after > looking at the regex in the decoder, I've discovered that it doesn't

Re: [ossec-list] I'm unclear why my rule is not matching...

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 2:28 AM, Ian Brown wrote: > I've got this event log in windows: > > 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): > Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The > Windows Filtering Platform blocked a packet.

Re: [ossec-list] Active-response firewall-drop server IP instead of agent IP when fired an agent rule

2017-07-05 Thread dan (ddp)
On Wed, Jul 5, 2017 at 12:52 AM, Tunguyen wrote: > Hi everyone, here is my ossec.conf on the server: > > > > firewall-drop > server,all > 31152 > 600 > 30,60,90,120,150 > > > rule 31152 is: > > > 31103 > > Multiple SQL

Re: [ossec-list] Re: OSSEC rule not firing

2017-07-05 Thread dan (ddp)
On Wed, Jul 5, 2017 at 11:41 AM, Bob Boklewski wrote: > Also, what does the "if_sid" match to? I am trying to understand how to > create custom rules and it seems this "if_sid" is unique and defined > somewhere. I see that rule id and description can be whatever

Re: [ossec-list] OSSEC rule not firing

2017-07-05 Thread dan (ddp)
On Wed, Jul 5, 2017 at 11:27 AM, Bob Boklewski wrote: > In the OSSEC.conf file I have level 3 logging set. I can't seem to get this > rule to fire that is a predefined rule in the msauth_rules.xml file. I can > see in the windows log event id: 4624, but it won't

[ossec-list] Re: OSSEC rule not firing

2017-07-05 Thread Bob Boklewski
Also, what does the "if_sid" match to? I am trying to understand how to create custom rules and it seems this "if_sid" is unique and defined somewhere. I see that rule id and description can be whatever you want and "id" is the event id number you want to monitor. Any help is much

[ossec-list] OSSEC rule not firing

2017-07-05 Thread Bob Boklewski
In the OSSEC.conf file I have level 3 logging set. I can't seem to get this rule to fire that is a predefined rule in the msauth_rules.xml file. I can see in the windows log event id: 4624, but it won't fire. 18104 ^528$|^540$|^673$|^4624$|^4769$ Windows Logon Success.