Hi Ian,
Here you have the syntax of the OSSEC regexes:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html
On Wed, Jul 5, 2017 at 10:41 PM, Ian Brown wrote:
> Dan,
>
> All my regex experience comes from Perl. It's clear this regex does things
> a bit differently than how I expected. In Perl \.+ means only match 1 or
> more periods.
>
> Another difference I've discovered is that Perl's regex is greedy --
> it'll match all it can. It looks like this regex will only match the
> least
On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown wrote:
> I believe I've figured it out -- I think the decoder isn't matching the full
> log string and is thus stripping the IP address information. Also after
> looking at the regex in the decoder, I've discovered that it doesn't
Hi Ian,
try this rule:
18105
192.168.1.120
ignore 192.168.1.120.
ossec-logtest:
2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet.
I believe I've figured it out -- I think the decoder isn't matching the
full log string and is thus stripping the IP address information. Also
after looking at the regex in the decoder, I've discovered that it doesn't
even match against the first three example strings provided:
Here's an
No effect. I tried dstip too, but I don't think either of those tags
contain data due to the decoder used?
<decoder name="windows">
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
  <regex>^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
</decoder>
name,
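To make the decoder discussion concrete, here is an added Python sketch (not OSSEC or Wazuh code) that approximates the OSSEC regex dialect with Python's re module and runs the windows decoder quoted above over the 5152 event: the fields it captures carry no srcip or dstip, which is why a rule keyed on those tags has nothing to match. The WFP_CHILD decoder and the address tail of the sample line are assumptions modelled on the 5152 event text, not taken from the thread.

```python
import re

# Added example, not OSSEC/Wazuh code. Assumptions about the OSSEC dialect:
# \. is any character, \w is alnum plus @ _ -, \s is one space, an unescaped
# '.' is literal, and + and * match the least (so they are made lazy here).
_ESCAPES = {'.': '.', 'w': r'[A-Za-z0-9@_\-]', 'd': '[0-9]', 's': ' ',
            'S': '[^ ]', 'W': r'[^A-Za-z0-9@_\-]', 'D': '[^0-9]', 't': r'\t',
            '(': r'\(', ')': r'\)', '|': r'\|', '$': r'\$', '\\': r'\\'}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif c in '+*':
            out.append(c + '?')      # shortest match, as Ian observed
            i += 1
        else:
            out.append(c if c in '^$|()' else re.escape(c))
            i += 1
    return ''.join(out)

def decode(decoder, line):
    # Fields the decoder extracts, {} if only prematch hit, None if it did not.
    if not re.search(ossec_to_python(decoder['prematch']), line):
        return None
    m = re.search(ossec_to_python(decoder['regex']), line)
    return dict(zip(decoder['order'], m.groups())) if m else {}

# The windows decoder from the thread; its two <regex> lines are concatenated,
# trailing spaces included, as OSSEC does.
WINDOWS = {
    'prematch': r'^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ',
    'regex': r'^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): ',
    'order': ['status', 'id', 'extra_data', 'user', 'system_name'],
}
# Hypothetical child decoder that would populate srcip/dstip for event 5152.
WFP_CHILD = {
    'prematch': r'blocked a packet',
    'regex': r'Source Address: (\d+.\d+.\d+.\d+) \.+Destination Address: (\d+.\d+.\d+.\d+) ',
    'order': ['srcip', 'dstip'],
}
# Constructed sample: the thread's 5152 line plus a tail modelled on the event.
SAMPLE = ('2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): '
          'Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: '
          'The Windows Filtering Platform blocked a packet. Network Information: '
          'Source Address: 192.168.1.120 Source Port: 137 '
          'Destination Address: 192.168.1.255 Destination Port: 137 Protocol: 17')
if __name__ == '__main__':
    print(decode(WINDOWS, SAMPLE))    # no srcip/dstip key, so <srcip> rules never fire
    print(decode(WFP_CHILD, SAMPLE))  # {'srcip': '192.168.1.120', 'dstip': '192.168.1.255'}
```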
What happens if you change to using 192.168.1.255?
On Monday, 3 July 2017 at 14:29:48 UTC+2, Ian Brown wrote:
>
> I've got this event log in windows:
>
> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The
>