Hello,

I am having issues with decoding Sysmon-generated process creation logs and 
alerting on them. I am using the decoder below:

https://github.com/defensivedepth/Sysmon_OSSEC/blob/master/Sysmon_OSSEC-Decoders.xml

I have also loaded the rules below:

https://github.com/defensivedepth/Sysmon_OSSEC/blob/master/Alert-On-Image-Name_OSSEC-Ruleset.txt

When I run ossec-logtest and paste in the message captured in archives.log 
(received from my desktop), it works correctly; however, alerts.log doesn't 
contain an alert:

/var/ossec/bin/ossec-logtest
2015/11/24 00:38:00 ossec-testrule: INFO: Reading local decoder file.
2015/11/24 00:38:00 ossec-testrule: INFO: Started (pid: 21832).
ossec-testrule: Type one log per line.

2015 Nov 24 00:31:12 (TESTPC1) 192.168.1.24->WinEvtLog 2015 Nov 23 19:31:09 
WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: Process Create: 
 UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
{CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
{CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
 TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
{CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE


**Phase 1: Completed pre-decoding.
       full event: '2015 Nov 24 00:31:12 (TESTPC1) 192.168.1.24->WinEvtLog 
2015 Nov 23 19:31:09 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: 
Process Create:  UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
{CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
{CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
 TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
{CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
       hostname: 'SO-Sensor1'
       program_name: '(null)'
       log: '2015 Nov 24 00:31:12 (TESTPC1) 192.168.1.24->WinEvtLog 2015 
Nov 23 19:31:09 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: 
Process Create:  UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
{CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
{CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
 TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
{CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'

**Phase 2: Completed decoding.
       decoder: 'SysmonV3-EventID#1'
       status: 'C:\Windows\System32\cmd.exe'
       dstuser: 'TESTPC1\testuser'
       url: 'SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8'
       extra_data: 'C:\Windows\explorer.exe'

**Phase 3: Completed filtering (rules).
       Rule id: '182669'
       Level: '12'
       Description: 'cmd usage'
**Alert to be generated.


As per the earlier blog post 
(https://groups.google.com/forum/#!topic/ossec-list/dSKSRpx_olQ), Dan 
advised testing the decoder starting at the 2nd timestamp. When I do that, 
I match the wrong decoder, and that is why the rules are not matching; see 
below:

/var/ossec/bin/ossec-logtest -v
2015/11/24 00:41:44 ossec-testrule: INFO: Reading local decoder file.
2015/11/24 00:41:44 ossec-testrule: INFO: Started (pid: 23805).
ossec-testrule: Type one log per line.

2015 Nov 23 19:31:09 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: 
Process Create:  UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
{CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
{CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
 TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
{CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE


**Phase 1: Completed pre-decoding.
       full event: '2015 Nov 23 19:31:09 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: Process Create: 
 UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
{CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
{CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
 TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
{CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
       hostname: 'SO-Sensor1'
       program_name: '(null)'
       log: '2015 Nov 23 19:31:09 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: Process Create: 
 UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
{CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
{CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
 TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
{CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'INFORMATION'
       id: '1'
       extra_data: 'Microsoft-Windows-Sysmon'
       dstuser: 'SYSTEM'
       system_name: 'TESTPC1'

**Rule debugging:
    Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
    Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
    Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
    Trying rule: 18101 - Windows informational event.
       *Rule 18101 matched.
       *Trying child rules.
    Trying rule: 7500 - Grouping of McAfee Windows AV rules.
    Trying rule: 18146 - Application Uninstalled.
    Trying rule: 18147 - Application Installed.
    Trying rule: 18126 - Remote access login success.
    Trying rule: 18145 - Service startup type was changed.

**Phase 3: Completed filtering (rules).
       Rule id: '18101'
       Level: '0'
       Description: 'Windows informational event.'

I am running the OSSEC client version 2.8.3 on Windows 7, and the server is part of 
a Security Onion deployment. Windows is running Sysmon version 3.1. 

Josh (DefensiveDepth) thanks for looking into this again. 

Konrad
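The following Python is an added illustration of the point Dan's advice turns on; it is not code from the post, from the defensivedepth decoders, or from OSSEC itself. The archives.log prefix `<timestamp> (<agent name>) <agent ip>-><location> ` is written by the manager and is never seen by the decoders, so the text fed to ossec-logtest has to start at the second timestamp. The script strips that prefix, extracts the Sysmon Event ID 1 fields into the same field names the decoder output above shows (status, dstuser, url, extra_data), and checks the image basename against a rule table. The sample line is rebuilt from the event quoted in the post with the e-mail line wraps removed; the rule number, level and description are the ones in the post, while the regexes, the two-space field separator and the rule table itself are assumptions made for this example.

```python
import re

# Constructed sample: the archives.log line quoted in the post, rejoined into one
# line (assumption: Sysmon fields are separated by two or more spaces).
ARCHIVE_LINE = (
    "2015 Nov 24 00:31:12 (TESTPC1) 192.168.1.24->WinEvtLog 2015 Nov 23 19:31:09 "
    "WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    "Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: Process Create:  "
    "UtcTime: 2015-11-24 00:31:09.674  "
    "ProcessGuid: {CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  "
    "Image: C:\\Windows\\System32\\cmd.exe  "
    "CommandLine: \"C:\\Windows\\system32\\cmd.exe\"   "
    "CurrentDirectory: C:\\Users\\testuser\\  User: TESTPC1\\testuser  "
    "LogonGuid: {CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2  "
    "TerminalSessionId: 1  IntegrityLevel: Medium  "
    "Hashes: SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  "
    "ParentProcessGuid: {CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  "
    "ParentImage: C:\\Windows\\explorer.exe  ParentCommandLine: C:\\Windows\\Explorer.EXE"
)

# Manager-side archives.log prefix: "<timestamp> (<agent name>) <agent ip>-><location> <log>".
# Only <log> reaches the decoders, so <log> is what ossec-logtest must be given.
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} "
    r"\((?P<agent>[^)]*)\) (?P<ip>\S+)->(?P<location>\S+) (?P<log>.*)$"
)

# Agent-side timestamp written in front of the WinEvtLog record.
AGENT_TIMESTAMP = re.compile(r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} ")

# Sysmon Event ID 1 header as the OSSEC Windows agent renders it (assumed layout,
# taken from the event in the post).
SYSMON_EID1_HEADER = re.compile(
    r"^WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(1\): "
    r"Microsoft-Windows-Sysmon: (?P<evt_user>[^:]+): (?P<evt_domain>[^:]+): "
    r"(?P<host>[^:]+): Process Create:\s+(?P<body>.*)$"
)

def to_logtest_input(archive_line):
    """Strip the manager prefix; return (metadata, the log text the decoders see)."""
    m = ARCHIVE_PREFIX.match(archive_line)
    if not m:
        return {}, archive_line
    meta = {k: m.group(k) for k in ("agent", "ip", "location")}
    return meta, m.group("log")

def parse_sysmon_body(body):
    """Split 'Key: Value  Key: Value' pairs on runs of two or more spaces."""
    fields = {}
    for chunk in re.split(r"\s{2,}", body.strip()):
        key, sep, value = chunk.partition(": ")
        if sep:
            fields[key] = value
    return fields

def decode_sysmon_eid1(log):
    """Model of a Sysmon EID 1 decoder: return OSSEC-style fields, or None if no match."""
    log = AGENT_TIMESTAMP.sub("", log, count=1)
    m = SYSMON_EID1_HEADER.match(log)
    if not m:
        return None
    f = parse_sysmon_body(m.group("body"))
    # Same field mapping the decoder output in the post shows.
    return {
        "status": f.get("Image"),
        "dstuser": f.get("User"),
        "url": f.get("Hashes"),
        "extra_data": f.get("ParentImage"),
        "system_name": m.group("host"),
    }

# Assumed rule table keyed on the image basename (lower-cased). Rule 182669,
# level 12, 'cmd usage' is the hit shown in the post's logtest output.
ALERT_ON_IMAGE = {
    "cmd.exe": (182669, 12, "cmd usage"),
}

def evaluate(archive_line):
    """Run one archives.log line through the modelled decode-then-rule pipeline."""
    meta, log = to_logtest_input(archive_line)
    decoded = decode_sysmon_eid1(log)
    if decoded is None:
        return {"meta": meta, "decoded": None, "rule": None}
    basename = (decoded["status"] or "").rsplit("\\", 1)[-1].lower()
    return {"meta": meta, "decoded": decoded, "rule": ALERT_ON_IMAGE.get(basename)}

if __name__ == "__main__":
    meta, log = to_logtest_input(ARCHIVE_LINE)
    print("Paste this into ossec-logtest:", log)
    print(evaluate(ARCHIVE_LINE))
```

Because `decode_sysmon_eid1` anchors on the text that follows the manager prefix, it returns `None` when handed the raw archives.log line; that is the behaviour a decoder has to be validated against, since the live path never carries the `(agent) ip->location` prefix.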
