<decoder name="windows">
  <type>windows</type>
  <parent>windows</parent>
  <regex>Security: (\S+)\((\d+)\): (\S+): (\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<decoder name="windows">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_regex">Source Network Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

# cat /tmp/xxx | /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
2012/03/16 09:10:06 ossec-analysisd(1226): ERROR: Error reading XML
file 'etc/decoder.xml': XML ERR: Element not closed: parent (line
2454).
2012/03/16 09:10:06 ossec-testrule(1202): ERROR: Configuration error
at '/etc/decoder.xml'. Exiting.
# cat /tmp/xxx | /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
2012/03/16 09:10:25 ossec-testrule: INFO: Reading local decoder file.
2012/03/16 09:10:25 ossec-testrule: INFO: Started (pid: 561).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain: System01:
An account failed to log on. Subject:  Security ID:  S-1-5-18  Account
Name:  System01$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Logon
Type:   10  Account For Which Logon Failed:  Security ID:  S-1-0-0
Account Name:  test  Account Domain:  System01 Failure Information:
Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc0000064
 Process Information:  Caller Process ID: 0x2f4  Caller Process Name:
C:\Windows\System32\winlogon.exe  Network Information:  Workstation
Name: System01  Source Network Address: 111.222.333.444  Source Port:
1234 Detailed Authentication Information:  Logon Process:  User32
Authentication Package: Negotiate  Transited Services: -  Package Name
(NTLM only): -  Key Length:  0  This event is generated when a logon
request fails. It is generated on the computer where access was
attempted. '
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain: System01:
An account failed to log on. Subject:  Security ID:  S-1-5-18  Account
Name:  System01$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Logon
Type:   10  Account For Which Logon Failed:  Security ID:  S-1-0-0
Account Name:  test  Account Domain:  System01 Failure Information:
Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc0000064
 Process Information:  Caller Process ID: 0x2f4  Caller Process Name:
C:\Windows\System32\winlogon.exe  Network Information:  Workstation
Name: System01  Source Network Address: 111.222.333.444  Source Port:
1234 Detailed Authentication Information:  Logon Process:  User32
Authentication Package: Negotiate  Transited Services: -  Package Name
(NTLM only): -  Key Length:  0  This event is generated when a logon
request fails. It is generated on the computer where access was
attempted. '

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '4625'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'System01'
       srcip: '111.222.333.444'

**Phase 3: Completed filtering (rules).
       Rule id: '18106'
       Level: '5'
       Description: 'Windows Logon Failure.'
**Alert to be generated.




On Fri, Mar 16, 2012 at 7:22 AM, Frank Devlin <[email protected]> wrote:
> I have been receiving alerts from a Windows 2008 server for rule 18152
> (multiple logon failures) and I was wondering why the server was not using
> active response to blackhole the source IP. I found a few responses on here
> stating that rule 18152 does not pull the source IP from the log files and
> that a custom decoder was needed to do so. I tried, and failed, so I am
> seeking any help that someone can give.
>
> Here is the sanitized alert:
>
> WinEvtLog: Security: AUDIT_FAILURE(4625):
> Microsoft-Windows-Security-Auditing: (no user): no domain: System01: An
> account failed to log on. Subject:  Security ID:  S-1-5-18  Account Name:
>  System01$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Logon Type:   10
>  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  test
>  Account Domain:  System01 Failure Information:  Failure Reason:  %%2313
>  Status:   0xc000006d  Sub Status:  0xc0000064  Process Information:  Caller
> Process ID: 0x2f4  Caller Process Name: C:\Windows\System32\winlogon.exe
>  Network Information:  Workstation Name: System01  Source Network Address:
> 111.222.333.444  Source Port:  1234 Detailed Authentication Information:
>  Logon Process:  User32   Authentication Package: Negotiate  Transited
> Services: -  Package Name (NTLM only): -  Key Length:  0  This event is
> generated when a logon request fails. It is generated on the computer where
> access was attempted.
>
> Here is the closest I have made it using a custom decoder:
>
> <decoder name="windows">
>   <type>windows</type>
>   <prematch>^WinEvtLog: </prematch>
>   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>   <regex>(\.+): \.+: (\S+): \.+: \.+: \.+: \.+: \.+: \.+: \.+: </regex>
>   <regex> \.+: \.+: \.+: \.+: \.+: \.+: \.+: \.+: (\.+): \.+: (\.+):</regex>
>   <order>status, id, extra_data, user, system_name, srcip, srcip2 </order>
>   <fts>name, location, user, system_name, srcip, srcip2</fts>
> </decoder>
>
> When I test this using the ossec-logtest program, this is the response:
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_FAILURE'
>        id: '4625'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: '(no user)'
>        system_name: 'web01'
>        srcip: ' Caller Process ID'
>        srcip: 'C'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18106'
>        Level: '5'
>        Description: 'Windows Logon Failure.'
> **Alert to be generated.
>
> And after testing it multiple times, I get the 18152 rule:
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18152'
>        Level: '10'
>        Description: 'Multiple Windows Logon Failures.'
> **Alert to be generated.
>
> I used srcip2 to see where the decoder was failing at. It appears that it is
> failing at the Windows path "C:\Windows\System32\winlogon.exe". I can get it
> to read the C, but I cannot get it to get past that section in the decoder.
>  If I use the standard "\.+:" to skip to the next : (colon), it changes the
> decoding to this:
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18100'
>        Level: '0'
>        Description: 'Group of windows rules.'
>
> Any ideas on how to write a decoder and pull the source IP address from that
> event?
>
> Frank

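Added example, not part of either message above and not OSSEC's own code: a Python model of the two-stage decoding the reply arrives at. Stage one pulls the header fields the parent "windows" decoder captures (status, id, extra_data, user, system_name); stage two searches only the text after the header for the literal label "Source Network Address:", which is what the child decoder with offset="after_regex" does and why it does not stall on the "C:" in the winlogon.exe path the way the colon-skipping regex did. It adds the check an active-response hook wants before it hands a "source IP" to a firewall script: 4625 events for console or service logons carry "Source Network Address: -", and the sanitized 111.222.333.444 in the thread is not even a valid address, so the value is validated with the ipaddress module and loopback/unspecified addresses are refused. The LogonFailureTracker, its threshold of 3 and window of 60 seconds, the make_4625() event builder and the 203.0.113.7 address are assumptions for illustration, not the parameters of rule 18152 or data from the thread.

```python
"""Model of the two-stage OSSEC decoder from the thread (added example, not
OSSEC code): header fields, then a label-anchored srcip, then the validation an
active-response hook should do before blocking anything."""
import ipaddress
import re
from collections import defaultdict, deque

# Stage 1 mirrors the parent "windows" decoder: status, id, extra_data, user
# (which OSSEC reports as dstuser) and system_name from the event header.
HEADER_RE = re.compile(
    r"^WinEvtLog: Security: (?P<status>\S+)\((?P<id>\d+)\): (?P<extra_data>\S+): "
    r"(?P<dstuser>.+?): .+?: (?P<system_name>\S+): "
)

# Stage 2 mirrors the child decoder: anchor on the literal label instead of
# counting colons, so "C:\Windows\...\winlogon.exe" cannot derail the match.
SRCIP_RE = re.compile(r"Source Network Address:\s+(?P<srcip>\S+)")


def decode_windows_event(event):
    """Return the decoded fields as a dict, or None if the header does not match."""
    m = HEADER_RE.match(event)
    if not m:
        return None
    fields = m.groupdict()
    # Search only after the header, like offset="after_regex" in the child decoder.
    ip = SRCIP_RE.search(event, m.end())
    if ip:
        fields["srcip"] = ip.group("srcip")
    return fields


def blockable_srcip(fields):
    """Return srcip as a string only if a firewall rule could sensibly act on it.

    Console/service logon failures carry 'Source Network Address: -', and
    loopback or unspecified addresses are useless (or harmful) to block.
    """
    raw = fields.get("srcip")
    if raw is None:
        return None
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:  # '-', hostnames, sanitized junk like 111.222.333.444
        return None
    if addr.is_loopback or addr.is_unspecified:
        return None
    return str(addr)


class LogonFailureTracker:
    """Count decoded logon failures per source IP inside a sliding window.

    Threshold and window are assumptions for this example, not the values
    of OSSEC rule 18152.
    """

    def __init__(self, threshold=3, window=60):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)

    def observe(self, fields, ts):
        """Return the IP to block when the threshold is crossed, else None."""
        ip = blockable_srcip(fields)
        if ip is None:
            return None
        q = self.seen[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return ip if len(q) >= self.threshold else None


def make_4625(srcaddr, user="test"):
    """Constructed 4625 event in the shape the thread shows (fields abridged)."""
    return (
        "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
        "(no user): no domain: System01: An account failed to log on. Subject:  "
        "Security ID:  S-1-5-18  Account Name:  System01$  Logon Type:   10  "
        f"Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  {user}  "
        "Status:   0xc000006d  Sub Status:  0xc0000064  Process Information:  "
        "Caller Process ID: 0x2f4  Caller Process Name: C:\\Windows\\System32\\winlogon.exe  "
        f"Network Information:  Workstation Name: System01  Source Network Address: {srcaddr}  "
        "Source Port:  1234 Detailed Authentication Information:  Logon Process:  User32"
    )


if __name__ == "__main__":
    tracker = LogonFailureTracker(threshold=3, window=60)
    # Constructed sequence: a remote source, a console logon ('-'), loopback.
    for ts, addr in enumerate(["203.0.113.7", "-", "203.0.113.7", "::1", "203.0.113.7"]):
        fields = decode_windows_event(make_4625(addr))
        print(fields["srcip"], "->", blockable_srcip(fields), "block:", tracker.observe(fields, ts))
```

The lazy `.+?` groups in HEADER_RE are what keep "(no user)" and "no domain" from swallowing the rest of the header; the child search starting at m.end() is the Python equivalent of the offset the reply's decoder uses. Keeping blockable_srcip() separate from decoding matters because the decoder's job is to extract, while the decision to feed a value to firewall-drop deserves its own check.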