Any ideas what my next step is? No alert is logged even though the rule
tests and seems to work.
Can this be a bug?

Here is a record from archives.log showing that the Win7 ossec.conf is
sending alerts to the OSSEC HIDS server (the server is configured with
the logall option):

2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is incorrect. Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4:

When I paste this log line into ossec-logtest, it seems to pass:

[root@it-mgmt bin]# ./ossec-logtest
2012/04/13 10:57:17 ossec-testrule: INFO: Reading local decoder file.
2012/04/13 10:57:17 ossec-testrule: INFO: Started (pid: 3107).
ossec-testrule: Type one log per line.

2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is incorrect. Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4:

**Phase 1: Completed pre-decoding.
       full event: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is incorrect. Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4:'
       hostname: 'it-mgmt'
       program_name: '(null)'
       log: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is incorrect. Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4:'

**Phase 2: Completed decoding.
       decoder: 'Office-Alerts'
       dstuser: 'Microsoft Office 14 Alerts: '
       status: 'tp-e420s-1546.mydomain.net:'
       action: 'Microsoft Word The password is incorrect. Word cannot open the document.'

**Phase 3: Completed filtering (rules).
       Rule id: '109101'
       Level: '14'
       Description: 'Password Protected Document was submitted'
**Alert to be generated.

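One check worth making, as an added example that is not part of the original post: the Phase 1 output above reports hostname 'it-mgmt' (the host running logtest) and program_name '(null)', which is what ossec-logtest produces when it is handed the complete archives.log record, header included. analysisd never sees that header; the agent sent only the text after the "ip->location " prefix, so that is the string to test with. The shell script below (my own example, not the project's; the /var/ossec/bin path is assumed, and the sample line is reconstructed from the post with the document path left elided) strips the archives.log prefix before feeding the event to ossec-logtest, so logtest and the live pipeline decode the same input.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# archives.log records are prefixed "YYYY Mon DD HH:MM:SS (agent) ip->location "
# (or "YYYY Mon DD HH:MM:SS host->location " for the server's own logs).
# The agent only transmitted what follows that prefix, so that is what
# analysisd decoded; pasting the whole record into logtest tests a
# different string than the one the server actually saw.

# Remove the archives.log header from one record and print the raw event.
strip_archive_header() {
    printf '%s\n' "$1" | sed -E \
        's/^[0-9]{4} [A-Z][a-z]{2} [0-9 ]{2} [0-9:]{8} (\([^)]*\) )?[^ ]+->[^ ]+ //'
}

# Sample record constructed from the post (document path elided as in the original).
SAMPLE='2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is incorrect. Word cannot open the document.  (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4:'

# Feed the stripped event to ossec-logtest when it is present (install path assumed);
# otherwise just print the event so it can be pasted by hand.
run_logtest() {
    event=$(strip_archive_header "$1")
    if [ -x /var/ossec/bin/ossec-logtest ]; then
        printf '%s\n' "$event" | /var/ossec/bin/ossec-logtest
    else
        printf 'ossec-logtest not found; event to paste is:\n%s\n' "$event"
    fi
}

run_logtest "$SAMPLE"
```

If the stripped event still reaches rule 109101 in Phase 3, the rule and decoder are not the problem and the gap is elsewhere between the agent and alerts.log. If instead Phase 2 now reports a different decoder name than 'Office-Alerts', the custom decoder was matching on the archive header rather than on the event the agent sent, which would explain why logtest passes while the live pipeline never alerts.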