Yes, this is possible. There already is a rule matching for "System Time
Changed" in msauth_rules.xml. It has the rule id 18140 and looks for an id
of 520 decoded in a log entry. If you want a rule with a severity of 10 for
example that also matches
"C:\Program Files\VMware\VMware Tools\VMwareService.exe" you can create a
rule like this in your local_rules.xml:
<rule id="100001" level="10">
<if_sid>18140</if_sid>
<match>C:\Program Files\VMware\VMware Tools\VMwareService.exe</match>
<description>System time changed by VMwareService.exe</description>
<group>time_changed,</group>
</rule>
After saving your local_rules.xml, restart the manager.
If you want to have rules matching multiple strings, you generally create a
"chain" of rules and use the <if_sid> tags for the lower elements to link
them to that chain. The <if_sid> tag specifies that the rule is only
considered for events that also match for the rule whose number is specified
within the tag.
E.g. if you have saved the rule above and have the same event coming in
again, the analysisd would first see that the event matches rule 18100, then
rule 18104, then rule 18140 and finally the new rule 100001.
On Wed, Mar 17, 2010 at 2:09 PM, rafael.gomes <[email protected]> wrote:
> Guys,
>
> How can I create a rule with two match parameters?
>
> Ex:
>
> WinEvtLog: Security: AUDIT_SUCCESS(520): Security: SYSTEM: NT AUTHORITY:
> SERVER01: The system time was changed. Process ID: 2201 Process
> Name: C:\Program Files\VMware\VMware Tools\VMwareService.exe Primary
> User Name: SERVER1$ Primary Domain: DOMAIN Primary Logon ID:
> (0x0,0x3E6) Client User Name: SERVER$ Client Domain:
> DOMAIN
> Client Logon ID: (0x0,0x3E6) Previous Time: 9:52:29 AM
> 3/17/2010
> New Time: 9:53:30 AM 3/17/2010
>
> I wanna match "The system time was changed." and "C:\Program
> Files\VMware\VMware Tools\VMwareService.exe" in the same rule.
>
> Is it possible?
>
> Thanks!
> - --
> Rafael Brito Gomes
> Security Analyst
> LPIC-1 MCSO
> DISUP/CPD/UFBA
> Tel : +55 71 3283 6100
>
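As an added illustration of the chain walk described in the reply above (this is not OSSEC's own code; rules 18100 and 18104, their levels and match strings, and the level of 18140 are assumed stand-ins, only 18140's id 520 and the level 10 rule 100001 come from the thread), a small Python model that evaluates the quoted event against an <if_sid> chain:

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    if_sid: Optional[int] = None      # parent rule that must have matched first
    match: Optional[str] = None       # literal substring required in the event
    decoded_id: Optional[str] = None  # event id the decoder must have extracted

# Chain modelled on the thread: 18140 (id 520) and 100001 (level 10, VMware path)
# follow the reply; 18100/18104 and all levels except 10 are assumed stand-ins.
RULES = [
    Rule(18100, 0, "Windows event log message (assumed)"),
    Rule(18104, 3, "Windows audit success (assumed)", if_sid=18100,
         match="AUDIT_SUCCESS"),
    Rule(18140, 8, "System Time Changed (level assumed)", if_sid=18104,
         decoded_id="520"),
    Rule(100001, 10, "System time changed by VMwareService.exe", if_sid=18140,
         match=r"C:\Program Files\VMware\VMware Tools\VMwareService.exe"),
]

def decode(event: str) -> Optional[str]:
    """Toy decoder: extract '520' from 'AUDIT_SUCCESS(520)'."""
    m = re.search(r"AUDIT_\w+\((\d+)\)", event)
    return m.group(1) if m else None

def evaluate(event: str, rules=RULES):
    """Walk the chain; return (rule ids that fired, in order, final alert rule)."""
    event_id = decode(event)
    fired, final = [], None
    for rule in rules:
        if rule.if_sid is not None and rule.if_sid not in fired:
            continue  # <if_sid> parent did not match: rule is never considered
        if rule.match is not None and rule.match not in event:
            continue
        if rule.decoded_id is not None and event_id != rule.decoded_id:
            continue
        fired.append(rule.rule_id)
        final = rule  # the deepest matching rule becomes the alert
    return fired, final

# Constructed from the event quoted in the thread (whitespace collapsed).
EVENT = ("WinEvtLog: Security: AUDIT_SUCCESS(520): Security: SYSTEM: NT AUTHORITY: "
         "SERVER01: The system time was changed. Process ID: 2201 Process Name: "
         r"C:\Program Files\VMware\VMware Tools\VMwareService.exe Primary User Name: SERVER1$")
print(evaluate(EVENT))
```

Changing the process name in EVENT stops the walk at 18140, and an event with a different id never reaches it, which is the "only considered for events that also match the parent" behaviour the reply describes.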