> With sample logs (*wink wink nudge nudge*) we can support websense,
> bluecoat, etc. I think most of them will do syslog. If anyone wants to
> send me the hardware, let me know. :P
While not hardware, I've managed to reverse a few AV logs.
Symantec SEP 11.x should be an 80-90% complete "Rosetta stone".
Logs can be found under:
...All Users\Application Data\Symantec\Symantec Endpoint
Protection\Logs\date_name.log
date/time, event, category, logger, computer, username, virus, virus
location, primary action, secondary action, action taken, virus type,
flags, description, scan ID, new ext, group ID, event data, vbin ID,
virus ID, quarantine status, operation flags, send status, compressed,
depth, still infected, virus definition info, virus definition
sequence, cleanable, deletable, backup ID, parent, GUID, client group,
address, domain name, NT name, MAC address, software version
Example log:
28091603331E,7,3,8,SEC-OPS01,user_1,,,,,,,16777216,"New virus
definition file loaded. Version:
121021aw.",0,,0,,,,,0,,,,,,,,,,,{03160000-0000-0000-0000-000000000000},,,,OPS,00:1E:4F:54:9A:8F,11.0.6000.419,,,,,,,,,,,,,,,,0,,,,,
2809160C0004,3,2,0,SEC-OPS01,user_1,,,,,,,16777216,"Scan started on
selected drives and folders and all
extensions.",1287763207,,0,,,,,0,,,,,,,,,,,{0C160000-0000-0000-0000-000000000000},,,,OPS,00:1E:4F:54:9A:8F,11.0.6000.419,,,,,,,,,,,,,,,,0,,,,,
3F0B1703321A = 11-23-2033 3:50:26AM
1A0B1703321A = 11-23-1996 3:50:26AM
190B1703321A = 11-23-1995 3:50:26AM
year  month  day  hour  minute  second
3F    0B     17   03    32      1A
63    11     23   3     50      26
All years are from 1970
base_16 3f = 63 63 + 1970 = 2033
base_16 1a = 26... 26 + 70 = 96 thus 1996
base_16 28 = 40... 40 + 70 = 110 thus 2010
------------------------------------------
action taken/primary/secondary action 1 = Quarantine
action taken/primary/secondary action 2 = Rename
action taken/primary/secondary action 3 = Delete
action taken/primary/secondary action 4 = Log Only
action taken/primary/secondary action 5 = Clean Security Risk
action taken/primary/secondary action 6 = Clean or Delete Macros
action taken 12 = General Failure
action taken 13 = Backup
action taken 14 = Pending Analysis
action taken 15 = Partial
action taken 16 = Process or Service must be Halted
action taken 17 = Exclusion Generated
action taken 18 = Restart Processing
action taken 19 = Cleaned by Deletion
action taken 20 = Access Denied
action taken 21 = Process Terminated
action taken 22 = No Repair currently available
action taken 23 = Failed
------------------------------------------
event 6 = could not scan
event 13 = service shut down successful
event 14 = service start successful
event 21 = scan cancelled
event 46 = manual scan
event 47 = cookie detection
event 50 = remediation
------------------------------------------
category 1 = Actions?
category 2 = Start/Stop
category 3 = update?
------------------------------------------
logger 0 = scheduled scan
logger 1 = manual scan
logger 2 = auto-protect scan
logger 3 = Integrity Shield
logger 4 = auto-protect scan
logger 6 = console
logger 7 = definition downloader
logger 8 = system
logger 9 = startup
logger 10 = idle scan
logger 11 = defwatch scan
logger 12 = licensing
logger 13 = manual quarantine scan
logger 14 = tamper protection
logger 15 = restart processing
------------------------------------------
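Putting the field list, the timestamp decoding and the lookup tables from the post to work, here is an added Python example (my code, not anything from the post or from Symantec) that parses SEP 11.x log records into named fields and decodes the hex timestamp. The two sample records are the post's own example lines re-joined onto single lines (the line wrapping inside the quoted description is mail wrapping); the `extra` list, the "unknown (n)" fallback and the `month_zero_based` switch are my additions. The decoder follows the post's reading of the month pair (0B = November) by default; because the second record's scan ID field holds the Unix epoch 1287763207, which is 22 October 2010 16:00:07 UTC, the switch lets you treat 00 as January instead, and you should check which convention your own logs follow against a record whose real time you know.

```python
import csv
from datetime import datetime, timezone

# Names of the first 39 columns, as listed in the post. SEP 11.x records carry
# more trailing columns; the parser keeps those unnamed in "extra".
FIELD_NAMES = [
    "date/time", "event", "category", "logger", "computer", "username",
    "virus", "virus location", "primary action", "secondary action",
    "action taken", "virus type", "flags", "description", "scan ID",
    "new ext", "group ID", "event data", "vbin ID", "virus ID",
    "quarantine status", "operation flags", "send status", "compressed",
    "depth", "still infected", "virus definition info",
    "virus definition sequence", "cleanable", "deletable", "backup ID",
    "parent", "GUID", "client group", "address", "domain name", "NT name",
    "MAC address", "software version",
]

# Lookup tables transcribed from the post. Codes the post does not list fall
# through to an "unknown (n)" label rather than raising.
ACTIONS = {1: "Quarantine", 2: "Rename", 3: "Delete", 4: "Log Only",
           5: "Clean Security Risk", 6: "Clean or Delete Macros",
           12: "General Failure", 13: "Backup", 14: "Pending Analysis",
           15: "Partial", 16: "Process or Service must be Halted",
           17: "Exclusion Generated", 18: "Restart Processing",
           19: "Cleaned by Deletion", 20: "Access Denied",
           21: "Process Terminated", 22: "No Repair currently available",
           23: "Failed"}
EVENTS = {6: "could not scan", 13: "service shut down successful",
          14: "service start successful", 21: "scan cancelled",
          46: "manual scan", 47: "cookie detection", 50: "remediation"}
CATEGORIES = {1: "Actions?", 2: "Start/Stop", 3: "update?"}
LOGGERS = {0: "scheduled scan", 1: "manual scan", 2: "auto-protect scan",
           3: "Integrity Shield", 4: "auto-protect scan", 6: "console",
           7: "definition downloader", 8: "system", 9: "startup",
           10: "idle scan", 11: "defwatch scan", 12: "licensing",
           13: "manual quarantine scan", 14: "tamper protection",
           15: "restart processing"}

# The post's two sample records, re-joined onto one line each (constructed input).
SAMPLE_LINES = [
    '28091603331E,7,3,8,SEC-OPS01,user_1,,,,,,,16777216,"New virus definition '
    'file loaded. Version: 121021aw.",0,,0,,,,,0,,,,,,,,,,,'
    '{03160000-0000-0000-0000-000000000000},,,,OPS,00:1E:4F:54:9A:8F,'
    '11.0.6000.419,,,,,,,,,,,,,,,,0,,,,,',
    '2809160C0004,3,2,0,SEC-OPS01,user_1,,,,,,,16777216,"Scan started on '
    'selected drives and folders and all extensions.",1287763207,,0,,,,,0,'
    ',,,,,,,,,,{0C160000-0000-0000-0000-000000000000},,,,OPS,'
    '00:1E:4F:54:9A:8F,11.0.6000.419,,,,,,,,,,,,,,,,0,,,,,',
]


def decode_timestamp(hex_ts: str, month_zero_based: bool = False) -> datetime:
    """Decode the 12-hex-digit SEP timestamp YYMMDDhhmmss.

    Each pair is one base-16 byte and the year is an offset from 1970, as the
    post describes. The month pair is taken literally by default (0B = 11 =
    November, the post's reading); with month_zero_based=True, 00 is January.
    """
    if len(hex_ts) != 12:
        raise ValueError(f"expected 12 hex digits, got {hex_ts!r}")
    yy, mm, dd, hh, mi, ss = (int(hex_ts[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + yy, mm + (1 if month_zero_based else 0), dd, hh, mi, ss)


def _label(table: dict, raw: str) -> str:
    """Map a numeric code string to its table entry; empty fields stay empty."""
    if raw == "":
        return ""
    code = int(raw)
    return table.get(code, f"unknown ({code})")


def parse_record(line: str, month_zero_based: bool = False) -> dict:
    """Split one CSV record into named fields and decode the coded columns."""
    cols = next(csv.reader([line]))
    rec = dict(zip(FIELD_NAMES, cols))
    rec["extra"] = cols[len(FIELD_NAMES):]
    rec["timestamp"] = decode_timestamp(rec["date/time"], month_zero_based)
    for key, table in (("event", EVENTS), ("category", CATEGORIES),
                       ("logger", LOGGERS), ("primary action", ACTIONS),
                       ("secondary action", ACTIONS), ("action taken", ACTIONS)):
        rec[key + " name"] = _label(table, rec[key])
    # Scan ID is a Unix epoch in the scan-start record; decode it when present
    # and non-zero so it can be compared with the hex timestamp.
    sid = rec["scan ID"]
    rec["scan ID utc"] = (datetime.fromtimestamp(int(sid), tz=timezone.utc)
                          if sid not in ("", "0") else None)
    return rec


def parse_lines(lines, month_zero_based: bool = False) -> list:
    return [parse_record(l, month_zero_based) for l in lines if l.strip()]


if __name__ == "__main__":
    for r in parse_lines(SAMPLE_LINES):
        print(r["timestamp"], r["computer"], r["logger name"],
              r["category name"], r["event name"], "-", r["description"])
```

A quick sanity check on your own logs is to pick a scan-start record and compare `timestamp` with `scan ID utc` (adjusted for the host's UTC offset); whichever `month_zero_based` setting makes them agree to within a few seconds is the right one for that data.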