[ossec-list] Windows Defender Decoder ?

2016-04-22 Thread Rob B
Hello all, does anyone have a decoder for Windows Defender floating around out there? I'm having a heck of a time... Here is the event channel event example if anyone is curious or can help (Win10 box): Log Name: Microsoft-Windows-Windows Defender/Operational Source:

Re: [ossec-list] Applocker Local Rule Help

2016-04-22 Thread Rob B
dan, quick question for : What is the best way to take care of whitespace and a quote in a string? For example: ^route-null.cmd" delete Thanks! Rob On Friday, April 22, 2016 at 12:44:25 PM UTC-4, dan (ddpbsd) wrote: > > On Fri, Apr 22, 2016 at 12:42 PM, Rob B

Re: [ossec-list] What's your favorite rules?

2016-04-22 Thread namobuddhaonion
These worked great, just wondering if you have any updates. On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote: > > Good thread idea. I’ve copied a few Windows-centric rules below. Some of > the rules that lean heavily on could no doubt be improved, but they > don’t bother

Re: [ossec-list] Applocker Local Rule Help

2016-04-22 Thread dan (ddp)
On Fri, Apr 22, 2016 at 12:42 PM, Rob B wrote: > Very interesting and thanks a lot dan > > I guess I need to fix my logtest too, it probably would have helped me > figure it out. Thanks again!! ;-) > No problem. If you post which version of OSSEC you're using,

Re: [ossec-list] Applocker Local Rule Help

2016-04-22 Thread Rob B
Very interesting and thanks a lot dan I guess I need to fix my logtest too, it probably would have helped me figure it out. Thanks again!! ;-) Rob On Friday, April 22, 2016 at 12:21:48 PM UTC-4, dan (ddpbsd) wrote: > > On Fri, Apr 22, 2016 at 11:50 AM, Rob B

Re: [ossec-list] Applocker Local Rule Help

2016-04-22 Thread dan (ddp)
On Fri, Apr 22, 2016 at 11:50 AM, Rob B wrote: > dan, > > I have this from the alerts log: > > ** Alert 1461339927.2762520: - windows,system_error, > 2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog > Rule: 18103 (level 5) -> 'Windows error event.' > User: cuckoo > 2016

Re: [ossec-list] Applocker Local Rule Help

2016-04-22 Thread Rob B
dan, I have this from the alerts log: ** Alert 1461339927.2762520: - windows,system_error, 2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog Rule: 18103 (level 5) -> 'Windows error event.' User: cuckoo 2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):

Re: [ossec-list] Applocker Local Rule Help

2016-04-22 Thread dan (ddp)
Can you provide a log sample? On Fri, Apr 22, 2016 at 11:30 AM, Rob B wrote: > Hi Folks, > >I have a rule for applocker created as follows: > > > 18103 > ^8004$ > AppLocker - blocked program. > > > Problem: I only see the windows "error event" as a level "5"

[ossec-list] Applocker Local Rule Help

2016-04-22 Thread Rob B
Hi Folks, I have a rule for applocker created as follows: 18103 ^8004$ AppLocker - blocked program. Problem: I only see the windows "error event" as a level "5" coming in from sid 18103, the error event contains all the information I am looking for. But my rule 100046 above does
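The rule from this post with its XML tags put back, together with the quote-and-whitespace question Rob raises later in the same thread, exercised against constructed WinEvtLog lines in a small Python model of OSSEC's windows decoder and if_sid parent/child chain. This is an added example, not code from any post in the thread and not OSSEC's own implementation: the level of rule 100046, the hypothetical rule 100047, the three sample log lines (only the first copies the alert quoted in the thread, and only up to "ERROR(8004):") and the deliberately simplified match semantics are all assumptions. The stock 18100/18103 parents are modelled on OSSEC's msauth rules; the id, level and description of 18103 are the ones in the quoted alert.

```python
"""Offline model of the OSSEC rule chain discussed in the AppLocker thread. Added
example, not OSSEC's code: a tiny WinEvtLog decoder and parent/child rule walker."""
import re
import xml.etree.ElementTree as ET

# Constructed samples: the first copies the quoted alert up to "ERROR(8004):";
# the rest of that message, the other two lines and the names are assumptions.
SAMPLE_8004 = (
    'WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): '
    'Microsoft-Windows-AppLocker: (no user): no domain: VICTIM0: '
    '%OSDRIVE%\\USERS\\CUCKOO\\ROUTE-NULL.CMD was prevented from running.'
)
SAMPLE_QUOTED = (
    'WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: '
    'cuckoo: VICTIM0: A new process has been created. Process Command Line: '
    'cmd.exe /c "C:\\Users\\cuckoo\\route-null.cmd" delete'
)
SAMPLE_OTHER_ERROR = 'WinEvtLog: System: ERROR(7023): Service Control Manager: VICTIM0: service died'

# Stock parents, modelled on OSSEC's msauth rules (18103 as in the quoted alert).
BASE_RULES = """<group name="windows,">
  <rule id="18100" level="0">
    <decoded_as>windows</decoded_as>
    <description>Group of windows rules.</description>
  </rule>
  <rule id="18103" level="5">
    <if_sid>18100</if_sid>
    <status>^ERROR</status>
    <description>Windows error event.</description>
  </rule>
</group>"""

# Rule 100046 as the thread describes it, tags restored (level 8 is assumed).
# Rule 100047 is hypothetical: a literal quote and a space inside <match> need
# no escaping, because XML element content only requires '<' and '&' escaped.
LOCAL_RULES = """<group name="local,windows,">
  <rule id="100046" level="8">
    <if_sid>18103</if_sid>
    <id>^8004$</id>
    <description>AppLocker - blocked program.</description>
  </rule>
  <rule id="100047" level="10">
    <if_sid>18100</if_sid>
    <match>route-null.cmd" delete</match>
    <description>Command line contained route-null.cmd" delete</description>
  </rule>
</group>"""

# Decoder model of the line shape: WinEvtLog: <channel>: <STATUS>(<id>): <message>
WINEVT = re.compile(r'^WinEvtLog: (?P<channel>.+?): (?P<status>[A-Z_]+)'
                    r'\((?P<id>\d+)\): (?P<message>.*)$')

def decode(line):
    m = WINEVT.match(line)
    return m.groupdict() if m else None

def os_match(pattern, text):
    # Literal match with OSSEC-style '^'/'$' anchors and '|' alternation, the
    # subset these rules use (OSSEC's other regex escapes are not modelled).
    for alt in pattern.split('|'):
        starts, ends = alt.startswith('^'), alt.endswith('$')
        lit = alt[int(starts):len(alt) - int(ends)]
        if (text == lit if starts and ends else text.startswith(lit) if starts
                else text.endswith(lit) if ends else lit in text):
            return True
    return False

def load_rules(*docs):
    # Flatten rule XML documents, parents first, into plain dicts.
    rules = []
    for doc in docs:
        for r in ET.fromstring(doc).iter('rule'):
            rule = {k: r.findtext(k) for k in
                    ('if_sid', 'decoded_as', 'status', 'id', 'match', 'description')}
            rule['rule_id'], rule['level'] = r.get('id'), int(r.get('level'))
            rules.append(rule)
    return rules

def evaluate(rules, line):
    # Walk the rules in order; a child is eligible only once its if_sid parent
    # matched.  The last rule to match is the deepest child and becomes the alert.
    f = decode(line)
    matched, winner = set(), None
    for r in rules:
        if r['if_sid'] and r['if_sid'] not in matched:
            continue
        if r['decoded_as'] == 'windows' and f is None:
            continue
        if any(r[k] and not (f and os_match(r[k], f[k])) for k in ('status', 'id')):
            continue
        if r['match'] and not os_match(r['match'], line):
            continue
        matched.add(r['rule_id'])
        winner = r
    return winner

RULES = load_rules(BASE_RULES, LOCAL_RULES)
# Which rule each sample ends on: 100046, 100047 and 18103 respectively.
ALERTS = {s: evaluate(RULES, s)['rule_id']
          for s in (SAMPLE_8004, SAMPLE_QUOTED, SAMPLE_OTHER_ERROR)}
```

Two things worth taking from the run: the event id the windows decoder hands to `<id>` is the number in parentheses after the status, so `^8004$` on a child of 18103 does select the AppLocker line and nothing else (the 7023 error stays on 18103); and `route-null.cmd" delete` can be written into `<match>` exactly as typed, since neither the quote nor the space means anything to the XML parser or to a literal substring match. The model is only a model, so the real check remains running the same line through ossec-logtest with the rules file loaded.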

Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-22 Thread Victor Fernandez
I think the problem is the option "-h", because it introduces arbitrary line feeds in order to be more readable by people, but it makes it more difficult to decode. This happened in RHEL5 but it can happen at any system with a long filesystem path. "-P" is an interesting option to preserve
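The two df output shapes Victor describes, as an added example that is not OSSEC's code and not from this thread: constructed RHEL5-style output with a long LVM device path, once as `df -h` wraps it and once as `df -P` keeps it on one line, read by a naive per-line parser and by one that re-joins the wrapped record. The numbers and device names are made up.

```python
"""Reading df output the way a disk-usage monitor must: one filesystem per
record, even when df -h has wrapped a long device name onto its own line.
Added example, not OSSEC's code; both outputs below are constructed."""

# df -h on a host with a long LVM device name: the name gets a line of its own.
DF_H = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       18G   12G  4.8G  72% /
/dev/sda1              99M   13M   82M  14% /boot
tmpfs                 506M     0  506M   0% /dev/shm
"""

# df -P (POSIX format) for the same filesystems: one line per record, always.
DF_P = """\
Filesystem         1024-blocks      Used Available Capacity Mounted on
/dev/mapper/VolGroup00-LogVol00 18874368 12582912   5033984      72% /
/dev/sda1                         101086    13000     82866      14% /boot
tmpfs                             517984        0    517984       0% /dev/shm
"""


def parse_df_line_by_line(output):
    """Naive reader: every line is taken as a complete record, so the wrapped
    device name and the data line that follows it are both dropped silently."""
    usage = {}
    for line in output.splitlines()[1:]:          # skip the header
        cols = line.split()
        if len(cols) < 6:
            continue                               # the root filesystem vanishes here
        usage[' '.join(cols[5:])] = int(cols[4].rstrip('%'))
    return usage


def parse_df(output):
    """Robust reader: a line holding only a device name is carried over and
    joined with the next line, so -h and -P output yield the same records."""
    usage, carried = {}, None
    for line in output.splitlines()[1:]:
        cols = line.split()
        if carried is not None:
            cols, carried = [carried] + cols, None
        if len(cols) == 1:
            carried = cols[0]                      # long device name wrapped by df -h
            continue
        if len(cols) < 6:
            raise ValueError(f'unexpected df line: {line!r}')
        usage[' '.join(cols[5:])] = int(cols[4].rstrip('%'))   # mount points may contain spaces
    return usage


def over_threshold(usage, percent):
    """Mount points whose capacity is at or above the given percentage."""
    return sorted(mount for mount, pct in usage.items() if pct >= percent)
```

The naive reader is the failure mode from the thread in miniature: with the wrapped output the root filesystem never appears in the result, so a full "/" would never raise an alert. Anything that hands the rules one line at a time (OSSEC's command monitoring does) has the same blind spot, which is why collecting with `df -P` is the simpler fix than teaching the consumer to re-join lines.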