Re: [ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-07 Thread Jesus Linares
Hi Ian,

Here you have the syntax of the OSSEC regexes: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

> Another difference I've discovered is that Perl's regex is greedy -- it'll match all it can. It looks like this regex will only match the least

Re: [ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-06 Thread dan (ddp)
On Wed, Jul 5, 2017 at 10:41 PM, Ian Brown wrote:
> Dan,
>
> All my regex experience comes from Perl. It's clear this regex does things a bit differently than how I expected. In Perl \.+ means only match 1 or more periods.
>
> Another difference I've discovered is that

Re: [ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown wrote:
> I believe I've figured it out -- I think the decoder isn't matching the full log string and is thus stripping the ip address information. Also after looking at the regex in the decoder, I've discovered that it doesn't

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-04 Thread Jesus Linares
Hi Ian, try this rule: 18105 192.168.1.120 ignore 192.168.1.120. ossec-logtest: 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft- Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet.

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
I believe I've figured it out -- I think the decoder isn't matching the full log string and is thus stripping the ip address information. Also after looking at the regex in the decoder, I've discovered that it doesn't even match against the first three example strings provided: Here's an

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
No effect. I tried dstip too, but I don't think either of those tags contain data due to the decoder used? windows ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): status, id, extra_data, user, system_name name,

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Fredrik Hilmersson
What happens if you change using 192.168.1.255?

On Monday, 3 July 2017 at 14:29:48 UTC+2, Ian Brown wrote:
> I've got this event log in windows:
>
> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The