On Thu, Dec 23, 2010 at 2:50 PM, Anthony, Russell (Information
Security) <[email protected]> wrote:
> Hi,
>
> If anyone has created custom rules for windows events, I would really
> appreciate some pointers and examples. I have read the FAQs, bought and
> read the book, and googled as much as I could, but I’m stuck. I have also
> looked at the msauth rules but almost all of them are simply matching an id.
> A couple contain match or regex or user strings. Are match, regex and
> user the only options I have besides matching the id?
>
> Examples:
>
> <regex> ID:\s+\p*S-1-5-32-544\p*</regex>
>
> <match>Target Account Name: None</match>
>
> <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
>
> I would like to create a rule which will alert on a failed or successful
> terminal services connection which has event id 540 or 4624 with logon type 10.
>
> My first question is how do you pull/format a windows event from the event
> viewer so that ossec-logtest will decode and test it.
>
> Below is the rule I made. I used the existing windows decoder. If there is a
> better, more preferred way to do this, please share. (I also tried using
> <Logon Type>10</Logon Type>.) My rule is accepted by OSSEC but it does not
> alert on a terminal services connection.
>
> # vi local_rules.xml
>
> <group name="custom-windows-event-alert">
>     <rule id="700005" level="0">
>         <decoded_as>windows</decoded_as>
>         <description>custom-windows-event-alert</description>
>     </rule>
>
>     <!-- Alert if terminal session attempted -->
>     <rule id="700006" level="12">
>         <if_sid>700005</if_sid>
>         <id>^540|^4624</id>
>         <match>Logon Type: 10</match>
>     </rule>
> </group>
>
> Thanks for the help and have a Happy Holiday.
>
> Russ
>

You can turn on the <logall> option and pull the alerts you want out
of archives.log. There's a small "header" on the messages that you'll
have to get rid of, but that's pretty easy.

Once you get an example writing a rule will be a lot easier.
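As an added illustration (my own script, not something from the thread or from OSSEC), here is one way to strip that archives.log header and keep only the 540/4624 logon-type-10 events so they can be pasted into ossec-logtest. It assumes the archives.log prefix has the form `YYYY Mon DD HH:MM:SS <source>-><location> <raw log>`, and the sample lines are constructed, not real captures.

```python
import re

# Assumed archives.log prefix: "YYYY Mon DD HH:MM:SS <source>-><location> <raw log>",
# where <source> is "hostname" for local logs or "(agent) ip" for agent logs.
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} "   # timestamp
    r"(?:\([^)]*\) \S+|\S+)->"                         # "(agent) ip->" or "hostname->"
    r"(?P<location>\S+) "                              # location, e.g. WinEvtLog
    r"(?P<raw>.*)$"                                    # the log line as the agent sent it
)

def strip_archive_header(line):
    """Return (location, raw_log) for an archives.log line, or None if no header matches."""
    m = ARCHIVE_PREFIX.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("location"), m.group("raw")

# Event IDs for a logon (540 pre-Vista, 4624 Vista and later) combined with
# logon type 10 (RemoteInteractive, i.e. Terminal Services). The whitespace
# after "Logon Type:" may be spaces or tabs, so it is matched with \s*.
EVENT_ID = re.compile(r"\((540|4624)\)")
LOGON_TYPE_10 = re.compile(r"Logon Type:\s*10\b")

def is_terminal_services_logon(raw):
    """True if the raw Windows event is a 540/4624 logon with logon type 10."""
    return bool(EVENT_ID.search(raw)) and bool(LOGON_TYPE_10.search(raw))

def extract_for_logtest(archive_text):
    """Return the raw Windows events worth feeding to ossec-logtest."""
    out = []
    for line in archive_text.splitlines():
        parsed = strip_archive_header(line)
        if parsed is None:
            continue
        location, raw = parsed
        if location == "WinEvtLog" and is_terminal_services_logon(raw):
            out.append(raw)
    return out

# Constructed sample lines (not real captures); event bodies are abbreviated.
SAMPLE = """\
2010 Dec 23 14:50:01 (winsrv01) 192.0.2.10->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(540): Security: user: DOMAIN: WINSRV01: Successful Network Logon: User Name: user Logon Type:\t10 Source Network Address: 192.0.2.20
2010 Dec 23 14:50:02 (winsrv01) 192.0.2.10->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(540): Security: ... Logon Type: 3 ...
2010 Dec 23 14:50:03 ossec-server->/var/log/auth.log Dec 23 14:50:03 ossec-server sshd[1234]: Accepted password for user from 192.0.2.30 port 5555 ssh2
2010 Dec 23 14:50:04 (winsrv02) 192.0.2.11->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: ... Logon Type: 10 ...
"""

if __name__ == "__main__":
    for raw in extract_for_logtest(SAMPLE):
        print(raw)  # each printed line can be pasted into ossec-logtest
```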
