Since my first post, I did some more experimenting with ossec-logtest.  I
ran the Windows Event log entry from archives.log:

ossec-testrule: Type one log per line.

WinEvtLog: System: WARNING(1006): Microsoft Antimalware: (no user): no
domain: JAMKO: %%861 has detected spyware or other potentially unwanted
software.    For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&;
threatid=2147519003     Name: Virus:DOS/EICAR_Test_File          ID:
2147519003        Severity: Severe           Category: Virus         Path:
containerfile:C:\Downloads\eicar_com.zip;file:C:\DOCUME~1\ADMINI~1\LOCALS~1\
Temp\oXouwUnS.zip.part->(Zip);file:C:\Downloads\eicar_com.zip->eicar.com
Detection Origin: %%845      Detection Type: %%822      Detection Source:
%%818        Status: %%813         User: JAMKO\Administrator       Process
Name: C:\Program Files\Mozilla Firefox\firefox.exe       Signature Version:
AV: 1.81.966.0, AS: 1.81.966.0         Engine Version: 1.1.5703.0

**Phase 1: Completed pre-decoding.

       full event: 'WinEvtLog: System: WARNING(1006): Microsoft Antimalware:
(no user): no domain: JAMKO: %%861 has detected spyware or other potentially
unwanted software.    For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&;
threatid=2147519003     Name: Virus:DOS/EICAR_Test_File          ID:
2147519003        Severity: Severe           Category: Virus         Path:
containerfile:C:\Downloads\eicar_com.zip;file:C:\DOCUME~1\ADMINI~1\LOCALS~1\
Temp\oXouwUnS.zip.part->(Zip);file:C:\Downloads\eicar_com.zip->eicar.com
Detection Origin: %%845      Detection Type: %%822      Detection Source:
%%818        Status: %%813         User: JAMKO\Administrator       Process
Name: C:\Program Files\Mozilla Firefox\firefox.exe       Signature Version:
AV: 1.81.966.0, AS: 1.81.966.0         Engine Version: 1.1.5703.0'

       hostname: 'lithium'

       program_name: '(null)'

       log: 'WinEvtLog: System: WARNING(1006): Microsoft Antimalware: (no
user): no domain: JAMKO: %%861 has detected spyware or other potentially
unwanted software.    For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&;
threatid=2147519003     Name: Virus:DOS/EICAR_Test_File          ID:
2147519003        Severity: Severe           Category: Virus         Path:
containerfile:C:\Downloads\eicar_com.zip;file:C:\DOCUME~1\ADMINI~1\LOCALS~1\
Temp\oXouwUnS.zip.part->(Zip);file:C:\Downloads\eicar_com.zip->eicar.com
Detection Origin: %%845      Detection Type: %%822      Detection Source:
%%818        Status: %%813         User: JAMKO\Administrator       Process
Name: C:\Program Files\Mozilla Firefox\firefox.exe       Signature Version:
AV: 1.81.966.0, AS: 1.81.966.0         Engine Version: 1.1.5703.0'

**Phase 2: Completed decoding.

       decoder: 'windows'

       status: 'WARNING'

       id: '1006'

       extra_data: 'Microsoft Antimalware'

       dstuser: '(no user)'

       system_name: 'JAMKO'

**Phase 3: Completed filtering (rules).

       Rule id: '18102'

       Level: '0'

       Description: 'Windows warning event.'

So this looks to me like OSSEC reads the ID correctly, but only reports it
as a Windows warning event and not as a Level 7 Virus Detected alert (rule
7712).  In fact, it should also throw a Level 5 (rule 7731), which matches the
Virus:DOS/EICAR_Test_File string, right?

Anybody help clue me in how to get it to fire the alerts?

Thanks,

Ed
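An added illustration (not part of the thread, and not OSSEC's own code): a small Python model of what ossec-logtest's phase 2 and phase 3 do to the event above. It decodes the WinEvtLog line into the same fields the `windows` decoder printed (status, id, extra_data, dstuser, system_name) and walks a rule tree chained with if_sid, the way OSSEC rule files hang child rules off a parent. Rule ids 18100, 18102, 7712 and 7731 come from the thread; the grouping rule 7700, every regex and the matched event-id list are assumptions standing in for ms-se_rules.xml, not its real contents, and the two sample events are constructed. What it shows: with the AV rules loaded, the same event that fell through to the level-0 "Windows warning event" rule climbs the chain to the level-7 rule, and only one rule fires per event (this toy picks the highest-level match, a simplification of OSSEC's ordering), so rule 7731 matching as well does not yield a second alert.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events, same shape as the WinEvtLog line in the thread
# (shortened). Not copied from any real archives.log.
EICAR_EVENT = (
    "WinEvtLog: System: WARNING(1006): Microsoft Antimalware: (no user): "
    "no domain: JAMKO: %%861 has detected spyware or other potentially unwanted "
    "software.    Name: Virus:DOS/EICAR_Test_File    ID: 2147519003    "
    "Severity: Severe    Category: Virus    User: JAMKO\\Administrator"
)
DISK_EVENT = (
    "WinEvtLog: System: WARNING(51): Disk: (no user): no domain: JAMKO: "
    "An error was detected on device \\Device\\Harddisk0 during a paging operation."
)

# Captures the fields ossec-logtest printed for decoder 'windows' (status, id,
# extra_data, dstuser, system_name); channel/domain/message are extra captures.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)


def decode(line: str) -> Optional[Dict[str, str]]:
    """Phase 2 stand-in: split a WinEvtLog line into named fields, or None."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


@dataclass(frozen=True)
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None       # parent rule; tried only if the parent matched
    status: Optional[str] = None       # regex against decoded status
    event_id: Optional[str] = None     # regex against decoded id (<id> in rules XML)
    extra_data: Optional[str] = None   # regex against decoded extra_data
    match: Optional[str] = None        # regex against the raw log line (<match>)

    def applies(self, fields: Dict[str, str], log: str) -> bool:
        checks = [(self.status, fields["status"]), (self.event_id, fields["id"]),
                  (self.extra_data, fields["extra_data"]), (self.match, log)]
        return all(re.search(p, v) for p, v in checks if p is not None)


# Generic Windows rules, modelled on the 18100/18102 ids seen in the logtest output.
WINDOWS_RULES = [
    Rule(18100, 0, "Group of windows rules.", match=r"^WinEvtLog:"),
    Rule(18102, 0, "Windows warning event.", if_sid=18100, status=r"^WARNING$"),
]
# Assumed stand-ins for ms-se_rules.xml; the real file's rules and regexes differ.
MSSE_RULES = [
    Rule(7700, 0, "Grouping of Microsoft Security Essentials rules.",
         if_sid=18100, extra_data=r"^Microsoft Antimalware$"),
    Rule(7712, 7, "Virus detected.", if_sid=7700, event_id=r"^1006$"),
    Rule(7731, 5, "EICAR test file detected.", if_sid=7700, match=r"EICAR_Test_File"),
]


def candidates(log: str, rules: List[Rule]) -> List[Rule]:
    """Walk the if_sid tree from the root rules and return every deepest match."""
    fields = decode(log)
    if fields is None:
        return []
    children: Dict[Optional[int], List[Rule]] = {}
    for r in rules:
        children.setdefault(r.if_sid, []).append(r)

    def walk(parent: Optional[int]) -> List[Rule]:
        found: List[Rule] = []
        for r in children.get(parent, []):
            if r.applies(fields, log):
                found.extend(walk(r.id) or [r])   # a matching child replaces its parent
        return found

    return walk(None)


def evaluate(log: str, rules: List[Rule]) -> Optional[Rule]:
    """Phase 3 stand-in: one rule fires per event, here the highest-level candidate."""
    found = candidates(log, rules)
    return max(found, key=lambda r: r.level) if found else None


if __name__ == "__main__":
    for name, rules in (("all rules", WINDOWS_RULES + MSSE_RULES),
                        ("ms-se rules not loaded", WINDOWS_RULES)):
        r = evaluate(EICAR_EVENT, rules)
        print(f"{name}: rule {r.id} level {r.level} ({r.description})")
```

Running it prints the rule that fires with and without the AV rule set, which is the distinction worth making first when a logtest run reports only the generic level-0 rule: rules that were never loaded and rules that are loaded but do not match the decoded fields look identical in the phase 3 output, and `candidates()` lets you see every rule the event reached rather than only the one that won.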

From: [email protected] [mailto:[email protected]] On
Behalf Of Edward Welch
Sent: Wednesday, May 05, 2010 10:46 AM
To: [email protected]
Subject: [ossec-list] Microsoft Security Essentials Rules Not Alerting

Hi!

I'm fairly new to ossec and this is my first mailing list post.  I'm having
problems getting ossec to alert on MS Security Essentials events.

Security Essentials makes entries into the windows System event log.

I turned on <logall> and verified these log events are making it to the
server, however when I run:

cat archives.log | /var/ossec/bin/ossec-logtest -a  

No alerts are generated from events which should be generating alerts (I
have been downloading the eicar test file and verified it creates an entry
in the System eventlog when found, and I have verified that entry is sent to
the server and exists in archives.log)

I checked to make sure the ms-se_rules.xml is included in the server config.

I've only started looking into how rules are created and processed, so thus
far I haven't seen any errors in the ms-se_rules.xml file.

Any thoughts?

Thanks,

Ed
