Hello All,
Does anyone have a decoder for Windows Defender floating around out
there??
I'm having a heck of a time... Here is the event channel event example if
anyone is curious or can help: (Win10 box)
Log Name: Microsoft-Windows-Windows Defender/Operational
Source:
dan,
quick question for :
What is the best way to take care of whitespace and a quote in string
example, such as:
^route-null.cmd" delete
Thanks!, Rob
On Friday, April 22, 2016 at 12:44:25 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Apr 22, 2016 at 12:42 PM, Rob B
These worked great, just wondering if you have any updates.
On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote:
>
> Good thread idea. I’ve copied a few Windows-centric rules below. Some of
> the rules that lean heavily on could no doubt be improved, but they
> don’t bother
On Fri, Apr 22, 2016 at 12:42 PM, Rob B wrote:
> Very interesting and thanks a lot dan
>
> I guess I need to fix my logtest too, it probably would have helped me
> figure it out. Thanks again!! ;-)
>
No problem. If you post which version of OSSEC you're using,
Very interesting and thanks a lot dan
I guess I need to fix my logtest too, it probably would have helped me
figure it out. Thanks again!! ;-)
Rob
On Friday, April 22, 2016 at 12:21:48 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Apr 22, 2016 at 11:50 AM, Rob B
On Fri, Apr 22, 2016 at 11:50 AM, Rob B wrote:
> dan,
>
> I have this from the alerts log:
>
> ** Alert 1461339927.2762520: - windows,system_error,
> 2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog
> Rule: 18103 (level 5) -> 'Windows error event.'
> User: cuckoo
> 2016
dan,
I have this from the alerts log:
** Alert 1461339927.2762520: - windows,system_error,
2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
User: cuckoo
2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL:
ERROR(8004):
Can you provide a log sample?
On Fri, Apr 22, 2016 at 11:30 AM, Rob B wrote:
> Hi Folks,
>
> I have a rule for applocker created as follows:
>
>
> 18103
> ^8004$
> AppLocker - blocked program.
>
>
> Problem: I only see the windows "error event" as a level "5"
Hi Folks,
I have a rule for applocker created as follows:
18103
^8004$
AppLocker - blocked program.
Problem: I only see the windows "error event" as a level "5" coming in
from sid 18103, the error event contains all the information I am looking
for.
But my rule 100046 above does
I think the problem is the option "-h", because it introduces arbitrary
line feeds in order to be more readable by people, but it makes it more
difficult to decode. This happened in RHEL5 but it can happen on any system
with a long filesystem path.
"-P" is an interesting option to preserve