Here is the latest and *hopefully* final version. I've created three
separate decoders for Windows DHCP server. One for Windows 2003 IPv4, one
for Windows 2008 IPv4 and the last one for Windows 2008 IPv6. I'm not using
IPv6, so I could only test a few log entries against the decoder. If someone
is using 2K8 IPv6 and you can send me more logs, I'd be happy to test. Also,
I'm pretty new to writing rules in regular expression. If you look at my
decoders and think "WTF!", please let me know what I could do to make it
better. ;)
I've moved my decoders from decoder.xml to local_decoder.xml as was
recommended on the mailing list.
I've updated the ms_dhcp_rules.xml file to include 2 new rules from 2008
IPv4 as well as a separate section for 2008 IPv6 rules. I've changed them
from the 12200/12300 range to 120200 for 2k3/2k8 IPv4 and 120300 for 2k8
IPv6. I also updated the alert levels to a little more reasonable level and
I've changed the groups to match predefined groups when applicable.
The decoders also fixed a "bug" when trying to filter out the MAC address or
"extra data". In the last decoder I posted, it didn't always get it right.
If you've followed my previous instructions, please remove the decoder from
your OSSEC server's decoder.xml file and use the attached local_decoder.xml.
If you're already using a local_decoder.xml file, then don't overwrite your
copy with mine! Copy and paste the contents of mine into yours... Otherwise,
the rest of the previous instructions still apply.
I'm still working out some possible bugs with the OSSEC agent monitoring the
Windows logs. When I told the agent to monitor
c:\windows\system32\dhcp\*.log it stopped monitoring on Sunday at Midnight.
I'm not sure if that was due to timestamps not being updated or not. I've
since added an entry in the OSSEC agent's ossec.conf file for each day's log
and we'll see if that works better.
Will the dev team take notice of this on the list and decide if they want to
include it in their project or do I need to send it elsewhere?
<!--Microsoft Windows 2003 ipv4, Windows 2008 ipv4/ipv6 DHCP rules for OSSEC.
- Author: [email protected]
- License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
- Last modified May 12th, 2009
-->
<!--Server 2003 and 2008 IPv4 Event ID Meaning
00 The log was started.
01 The log was stopped.
02 The log was temporarily paused due to low disk space.
10 A new IP address was leased to a client.
11 A lease was renewed by a client.
12 A lease was released by a client.
13 An IP address was found to be in use on the network.
14 A lease request could not be satisfied because the scope's address pool was exhausted.
15 A lease was denied.
16 A lease was deleted.
17 A lease was expired.
18 A lease was expired and DNS records were deleted. (Server 2008 Only)
20 A BOOTP address was leased to a client.
21 A dynamic BOOTP address was leased to a client.
22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23 A BOOTP IP address was deleted after checking to see it was not in use.
24 IP address cleanup operation has begun.
25 IP address cleanup statistics.
30 DNS update request to the named DNS server.
31 DNS update failed.
32 DNS update successful.
33 Packet dropped due to NAP policy. (Server 2008 Only)
50+ Codes above 50 are used for Rogue Server Detection information.
-->
<!--Server 2003 IPv4 Log Sample
ID,Date,Time,Description,IP Address,Host Name,MAC Address
24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
31,3/10/2009,0:00:46,DNS Update Failed,192.168.10.201,OPS03W034.,2,
30,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
25,3/10/2009,0:00:46,0 leases expired and 0 leases deleted,,,,
11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
32,3/10/2009,0:01:55,DNS Update Successful,192.168.10.204,ex03.domain.local,,
15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
12,3/10/2009,15:52:38,Release,192.168.112.32,6ftya91701.,000B97A0B41D,
18,3/10/2009,19:59:11,Expired,192.168.10.205,,,
17,3/10/2009,23:59:16,DNS record not deleted,192.168.10.205,,,
-->
<group name="ms,dhcp,">
<rule id="120200" level="0">
<decoded_as>ms-dhcp-ipv4</decoded_as>
<description>Grouping for the MS-DHCP rules.</description>
</rule>
<rule id="120201" level="2">
<if_sid>120200</if_sid>
<match>^00,</match>
<description>The log was started.</description>
<group>service_start,</group>
</rule>
<rule id="120202" level="2">
<if_sid>120200</if_sid>
<match>^01,</match>
<description>The log was stopped.</description>
<group>service_availability,</group>
</rule>
<rule id="120203" level="2">
<if_sid>120200</if_sid>
<match>^02,</match>
<description>The log was temporarily paused due to low disk space.</description>
<group>system_error,</group>
</rule>
<rule id="120204" level="3">
<if_sid>120200</if_sid>
<match>^10,</match>
<description>A new IP address was leased to a client.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120205" level="3">
<if_sid>120200</if_sid>
<match>^11,</match>
<description>A lease was renewed by a client.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120206" level="3">
<if_sid>120200</if_sid>
<match>^12,</match>
<description>A lease was released by a client.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120207" level="7">
<if_sid>120200</if_sid>
<match>^13,</match>
<description>An IP address was found to be in use on the network.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120208" level="12">
<if_sid>120200</if_sid>
<match>^14,</match>
<description>A lease request could not be satisfied because the scope's address pool was exhausted.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120209" level="7">
<if_sid>120200</if_sid>
<match>^15,</match>
<description>A lease was denied.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120210" level="7">
<if_sid>120200</if_sid>
<match>^16,</match>
<description>A lease was deleted.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120211" level="7">
<if_sid>120200</if_sid>
<match>^17,</match>
<description>A lease was expired and DNS records for the expired lease have not been deleted.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120222" level="3">
<if_sid>120200</if_sid>
<match>^18,</match>
<description>A lease was expired and DNS records were deleted.</description>
<group>dhcp_lease_action,dhcp_dns_maintenance</group>
</rule>
<rule id="120212" level="3">
<if_sid>120200</if_sid>
<match>^20,</match>
<description>A BOOTP address was leased to a client.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120213" level="3">
<if_sid>120200</if_sid>
<match>^21,</match>
<description>A dynamic BOOTP address was leased to a client.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120214" level="12">
<if_sid>120200</if_sid>
<match>^22,</match>
<description>A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120215" level="3">
<if_sid>120200</if_sid>
<match>^23,</match>
<description>A BOOTP IP address was deleted after checking to see it was not in use.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120216" level="2">
<if_sid>120200</if_sid>
<match>^24,</match>
<description>IP address cleanup operation has begun.</description>
<group>dhcp_maintenance,</group>
</rule>
<rule id="120217" level="2">
<if_sid>120200</if_sid>
<match>^25,</match>
<description>IP address cleanup statistics.</description>
<group>dhcp_maintenance,</group>
</rule>
<rule id="120218" level="3">
<if_sid>120200</if_sid>
<match>^30,</match>
<description>DNS update request to the named DNS server.</description>
<group>dhcp_dns_maintenance,</group>
</rule>
<rule id="120219" level="7">
<if_sid>120200</if_sid>
<match>^31,</match>
<description>DNS update failed.</description>
<group>dhcp_dns_maintenance,</group>
</rule>
<rule id="120220" level="3">
<if_sid>120200</if_sid>
<match>^32,</match>
<description>DNS update successful.</description>
<group>dhcp_dns_maintenance,</group>
</rule>
<rule id="120223" level="12">
<if_sid>120200</if_sid>
<match>^33,</match>
<description>Packet dropped due to NAP policy.</description>
<group>dhcp_lease_action,</group>
</rule>
<rule id="120221" level="12">
<if_sid>120200</if_sid>
<match>^5</match>
<description>Codes above 50 are used for Rogue Server Detection information.</description>
<group>dhcp_rogue_server,</group>
</rule>
</group>
<!--
Server 2008 IPv6 Event ID Meaning
11000 Solicit.
11001 Advertise.
11002 Request.
11003 Confirm.
11004 Renew.
11005 Rebind.
11006 Decline.
11007 Release.
11008 Information Request.
11009 Scope Full.
11010 Started.
11011 Stopped.
11012 Audit log paused.
11013 DHCP Log File.
11014 Bad Address.
11015 Address is already in use.
11016 Client deleted.
11017 DNS record not deleted.
11018 Expired.
11019 Expired and Deleted count.
11020 Database cleanup begin.
11021 Database cleanup end.
11023 Service not authorized in AD.
11024 Service authorized in AD.
11025 Service has not determined if it is authorized in AD.
-->
<!--Server 2008 IPv6 Log Sample (short on samples, not currently using)
11020,05/05/09,00:00:38,DHCPV6 Database Cleanup Begin,,,,,,
11019,05/05/09,00:00:38,DHCPV6 0 leases expired and 0 leases deleted,,,,,,
11021,05/05/09,00:00:38,DHCPV6 Database Cleanup End,,,,,,
11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,
11010,05/05/09,10:55:58,DHCPV6 Started,,,,,,
-->
<group name="ms,dhcp,">
<rule id="120300" level="0">
<decoded_as>ms-dhcp-ipv6</decoded_as>
<description>Grouping for the MS-DHCP rules.</description>
</rule>
<rule id="120301" level="3">
<if_sid>120300</if_sid>
<match>^11000,</match>
<description>Solicit.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120302" level="3">
<if_sid>120300</if_sid>
<match>^11001,</match>
<description>Advertise.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120303" level="3">
<if_sid>120300</if_sid>
<match>^11002,</match>
<description>Request.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120304" level="3">
<if_sid>120300</if_sid>
<match>^11003,</match>
<description>Confirm.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120305" level="3">
<if_sid>120300</if_sid>
<match>^11004,</match>
<description>Renew.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120306" level="3">
<if_sid>120300</if_sid>
<match>^11005,</match>
<description>Rebind.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120307" level="7">
<if_sid>120300</if_sid>
<match>^11006,</match>
<description>Decline.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120308" level="3">
<if_sid>120300</if_sid>
<match>^11007,</match>
<description>Release.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120309" level="3">
<if_sid>120300</if_sid>
<match>^11008,</match>
<description>Information Request.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120310" level="12">
<if_sid>120300</if_sid>
<match>^11009,</match>
<description>Scope Full.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120311" level="2">
<if_sid>120300</if_sid>
<match>^11010,</match>
<description>Started.</description>
<group>service_start,</group>
</rule>
<rule id="120312" level="2">
<if_sid>120300</if_sid>
<match>^11011,</match>
<description>Stopped.</description>
<group>service_availability,</group>
</rule>
<rule id="120313" level="7">
<if_sid>120300</if_sid>
<match>^11012,</match>
<description>Audit log paused.</description>
<group>service_availability,</group>
</rule>
<rule id="120314" level="7">
<if_sid>120300</if_sid>
<match>^11013,</match>
<description>DHCP Log File.</description>
<group>system_error,</group>
</rule>
<rule id="120315" level="7">
<if_sid>120300</if_sid>
<match>^11014,</match>
<description>Bad Address.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120316" level="7">
<if_sid>120300</if_sid>
<match>^11015,</match>
<description>Address is already in use.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120317" level="7">
<if_sid>120300</if_sid>
<match>^11016,</match>
<description>Client deleted.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120318" level="7">
<if_sid>120300</if_sid>
<match>^11017,</match>
<description>DNS record not deleted.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120319" level="2">
<if_sid>120300</if_sid>
<match>^11018,</match>
<description>Expired.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120320" level="2">
<if_sid>120300</if_sid>
<match>^11019,</match>
<description>Expired and Deleted count.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120321" level="2">
<if_sid>120300</if_sid>
<match>^11020,</match>
<description>Database cleanup begin.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120322" level="2">
<if_sid>120300</if_sid>
<match>^11021,</match>
<description>Database cleanup end.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120323" level="12">
<if_sid>120300</if_sid>
<match>^11023,</match>
<description>Service not authorized in AD.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120324" level="3">
<if_sid>120300</if_sid>
<match>^11024,</match>
<description>Service authorized in AD.</description>
<group>dhcp_ipv6,</group>
</rule>
<rule id="120326" level="12">
<if_sid>120300</if_sid>
<match>^11025,</match>
<description>Service has not determined if it is authorized in AD.</description>
<group>dhcp_ipv6,</group>
</rule>
</group>
<!--Microsoft Windows 2003 ipv4, 2008 ipv4/ipv6 DHCP decoder for OSSEC
- Author: [email protected]
- License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
- Last modified May 12th, 2009
-->
<!--
Server 2008 DHCP IPv4 Decoder (must go first)
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID
-->
<decoder name="ms-dhcp-ipv4">
<prematch>\d+,\d+/\d+/\d+,\d+\p\d+\p\d+,\.*,\.*,\.*,\.*,\.*,\.*,\.*,\.*,\.*$</prematch>
<regex>(\d+),\d+/\d+/\d+,\d+\p\d+\p\d+,(\.*),(\.*),(\.*),(\w*),(\.*),\.*,\.*,\.*,\.*</regex>
<order>id, action, srcip, system_name, extra_data, user</order>
</decoder>
<!--
Server 2008 DHCP IPv6 Decoder (must go second)
ID,Date,Time,Description,IPV6 Address,Host Name,Error Code,Duid Length,Duid Bytes(Hex),User Name
-->
<decoder name="ms-dhcp-ipv6">
<prematch>\d+,\d+/\d+/\d+,\d+\p\d+\p\d+,\.*,\.*,\.*,\.*,\.*,\.*$</prematch>
<regex>(\d+),\d+/\d+/\d+,\d+\p\d+\p\d+,(\.*),(\.*),(\.*),(\.*),\.*,\.*,(\.*)$</regex>
<order>id, action, srcip, system_name, status, user</order>
</decoder>
<!--
Server 2003 DHCP Decoder (must go third)
ID,Date,Time,Description,IP Address,Host Name,MAC Address,Username
-->
<decoder name="ms-dhcp-ipv4">
<prematch>\d+,\d+/\d+/\d+,\d+\p\d+\p\d+,\.*,\.*,\.*,\.*,\.*$</prematch>
<regex>(\d+),\d+/\d+/\d+,\d+\p\d+\p\d+,(\.*),(\.*),(\.*),(\w*),(\.*)</regex>
<order>id, action, srcip, system_name, extra_data, user</order>
</decoder>
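As an added example (not part of the original post or of the decoder and rule files), the following Python mirrors what the three decoders do: it tries the 12-field 2008 IPv4 format, then the 10-field IPv6 format, then the 8-field 2003 format, in that order, and then looks up the alert level the rule files assign to the decoded event ID. The `[^,]*` field pattern assumes no field contains a comma; the samples are the log lines quoted above plus one constructed 2008 IPv4 line.

```python
import re

# Python equivalents of the three OSSEC decoders, tried in the same order the
# decoder file requires (widest format first, so a shorter line never matches a
# wider decoder). Assumption: no field contains a comma, so "\.*" -> "[^,]*".
_TS = r"\d+/\d+/\d+,\d+:\d+:\d+"  # Date,Time
DECODERS = (
    ("ms-dhcp-ipv4", ("id", "action", "srcip", "system_name", "extra_data", "user"),
     re.compile(rf"^(\d+),{_TS},([^,]*),([^,]*),([^,]*),(\w*),([^,]*)(?:,[^,]*){{4}}$")),
    ("ms-dhcp-ipv6", ("id", "action", "srcip", "system_name", "status", "user"),
     re.compile(rf"^(\d+),{_TS},([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,[^,]*,([^,]*)$")),
    ("ms-dhcp-ipv4", ("id", "action", "srcip", "system_name", "extra_data", "user"),
     re.compile(rf"^(\d+),{_TS},([^,]*),([^,]*),([^,]*),(\w*),([^,]*)$")),
)

# Alert levels taken from the rule files above, keyed by the event ID as logged.
# IDs 50 and above are rogue-server detection (rule 120221, level 12).
LEVELS = {12: {"14", "22", "33", "11009", "11023", "11025"},
          7: {"13", "15", "16", "17", "31", "11006", "11012", "11013",
              "11014", "11015", "11016", "11017"},
          3: {"10", "11", "12", "18", "20", "21", "23", "30", "32", "11000",
              "11001", "11002", "11003", "11004", "11005", "11007", "11008", "11024"},
          2: {"00", "01", "02", "24", "25", "11010", "11011", "11018", "11019",
              "11020", "11021"}}

def decode(line):
    """Return (decoder name, field dict) as OSSEC would, or None if nothing matches."""
    for name, order, rx in DECODERS:
        m = rx.match(line)
        if m:
            return name, dict(zip(order, m.groups()))
    return None

def alert_level(event_id):
    """Alert level the rule files assign to a decoded event ID (None = no rule)."""
    if len(event_id) == 2 and event_id[0] == "5":
        return 12
    for level, ids in LEVELS.items():
        if event_id in ids:
            return level
    return None

# Constructed input: two sample lines from the comments above plus one made-up
# 2008 IPv4 line (12 fields) so every decoder is exercised.
SAMPLES = [
    "10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,",
    "11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,",
    "14,3/10/2009,9:00:00,Scope Full,192.168.10.210,,000B97A0B7E8,,,,,",
]
```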