My apologies in advance, as this is a lengthy message.
I have been working on custom decoders for Windows events to try to extract
some of the information that is deeper in the body of an event. I have
successfully been able to create a decoder to pull information into the decoded
fields. However, these decoders seem to have problems working when there is
more than one of these 'deep' (for lack of a better word) custom decoders in
local_decoder.xml. All of the log examples below have been sanitized.
Excerpt from local_decoder:
<decoder name="winserver">
<type>windows</type>
<prematch>\d+.\d+.\d+.\d+->WinEvtLog WinEvtLog: </prematch>
</decoder>
<!-- This will parse out the user account making the change -->
<!-- as well as the user account that was altered (Event 4738) -->
<decoder name="win-1">
<parent>winserver</parent>
<prematch offset="after_parent">Security: </prematch>
<regex offset="after_prematch">(\w+_\w+)\((\d+)\): </regex>
<regex>Microsoft-Windows-Security-Auditing: </regex>
<regex>\.+:\s+\.+:\s+(\.+):\s+</regex>
<regex>A user account was changed.\.+Account Name:\s+(\S+)\s</regex>
<regex>\.+:\.+:\.+Target Account:\.+Account Name:\s+(\S+)\s</regex>
<regex>\.+:\.+Changed Attributes:(\.+)</regex>
<order>status, id, system_name, srcuser, dstuser, extra_data</order>
</decoder>
<decoder name="win-2">
<parent>winserver</parent>
<prematch offset="after_parent">Security: </prematch>
<regex offset="after_prematch">(\w+_\w+)\((\d+)\): </regex>
<regex>Microsoft-Windows-Security-Auditing: </regex>
<regex>\.+:\s+\.+:\s+(\.+):\s+</regex>
<regex>Kerberos pre-authentication failed.\s+</regex>
<regex>Account Information:\s+Security ID:\s+</regex>
<regex>\.+:\s+(\S+)\s+Service Information:\s+</regex>
<regex>\.+:\.+:\.+:\s+::ffff:(\d+.\d+.\d+.\d+)\s+(\.+)</regex>
<order>status, id, system_name, srcuser, srcip, extra_data</order>
</decoder>
Decoder win-1 works correctly by itself with decoder win-2 commented out:
alienvault:/var/ossec/bin# ./ossec-logtest
2012/04/16 16:34:40 ossec-testrule: INFO: Reading local decoder file.
2012/04/16 16:34:40 ossec-testrule: INFO: Started (pid: 18592).
ossec-testrule: Type one log per line.
2012 Apr 13 11:18:19 (dc.domain.local) 2.2.2.2->WinEvtLog WinEvtLog: Security:
AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain:
dc.domain.local: A user account was changed. Subject: Security ID:
S-1-5-21-299502267-854245398-682003330-5771 Account Name: account1 Account
Domain: DOMAIN Logon ID: 0x6170380 Target Account: Security ID:
S-1-5-21-299502267-854245398-682003330-7127 Account Name: account2 Account
Domain: DOMAIN Changed Attributes: SAM Account Name: - Display Name: -
User Principal Name: - Home Directory: - Home Drive: - Script Path: -
Profile Path: - User Workstations: - Password Last Set: - Account Expires:
- Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC
Value: - User Account Control: - User Parameters: - SID History: - Logon
Hours: - Additional Information: Privileges: -
**Phase 1: Completed pre-decoding.
full event: '2012 Apr 13 11:18:19 (dc.domain.local) 2.2.2.2->WinEvtLog
WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing:
(no user): no domain: dc.domain.local: A user account was changed. Subject:
Security ID: S-1-5-21-299502267-854245398-682003330-5771 Account Name:
account1 Account Domain: DOMAIN Logon ID: 0x6170380 Target Account:
Security ID: S-1-5-21-299502267-854245398-682003330-7127 Account Name:
account2 Account Domain: DOMAIN Changed Attributes: SAM Account Name: -
Display Name: - User Principal Name: - Home Directory: - Home Drive: -
Script Path: - Profile Path: - User Workstations: - Password Last Set: -
Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC
Value: - New UAC Value: - User Account Control: - User Parameters: - SID
History: - Logon Hours: - Additional Information: Privileges: -'
hostname: 'alienvault'
program_name: '(null)'
log: '2012 Apr 13 11:18:19 (dc.domain.local) 2.2.2.2->WinEvtLog
WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing:
(no user): no domain: dc.domain.local: A user account was changed. Subject:
Security ID: S-1-5-21-299502267-854245398-682003330-5771 Account Name:
account1 Account Domain: DOMAIN Logon ID: 0x6170380 Target Account:
Security ID: S-1-5-21-299502267-854245398-682003330-7127 Account Name:
account2 Account Domain: DOMAIN Changed Attributes: SAM Account Name: -
Display Name: - User Principal Name: - Home Directory: - Home Drive: -
Script Path: - Profile Path: - User Workstations: - Password Last Set: -
Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC
Value: - New UAC Value: - User Account Control: - User Parameters: - SID
History: - Logon Hours: - Additional Information: Privileges: -'
**Phase 2: Completed decoding.
decoder: 'winserver'
status: 'AUDIT_SUCCESS'
id: '4738'
system_name: 'dc.domain.local'
srcuser: 'account1'
dstuser: 'account2'
extra_data: ' SAM Account Name: - Display Name: - User Principal
Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: -
User Workstations: - Password Last Set: - Account Expires: - Primary Group
ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User
Account Control: - User Parameters: - SID History: - Logon Hours: -
Additional Information: Privileges: -'
**Phase 3: Completed filtering (rules).
Rule id: '101102'
Level: '3'
Description: 'Event ID 4738: A user account was [successfully] changed.'
**Alert to be generated.
Decoder win-2 works with decoder win-1 commented out:
alienvault:/var/ossec/etc# ../bin/ossec-logtest
2012/04/17 13:11:47 ossec-testrule: INFO: Reading local decoder file.
2012/04/17 13:11:47 ossec-testrule: INFO: Started (pid: 20553).
ossec-testrule: Type one log per line.
2012 Apr 17 13:09:00 syslog->/var/log/messages|(dc.domain.local)
2.2.2.2->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4771):
Microsoft-Windows-Security-Auditing: (no user): no domain: dc.domain.local:
Kerberos pre-authentication failed. Account Information: Security ID:
S-1-5-21-299502267-854245398-682003330-500 Account Name: Administrator
Service Information: Service Name: krbtgt/DOMAIN Network Information:
Client Address: ::ffff:1.1.1.1 Client Port: 4826 Additional Information:
Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2
Certificate Information: Certificate Issuer Name: Certificate Serial
Number: Certificate Thumbprint: Certificate information is only provided
if a certificate was used for pre-authentication. Pre-authentication types,
ticket options and failure codes are defined in RFC 4120. If the ticket was
malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
**Phase 1: Completed pre-decoding.
full event: '2012 Apr 17 13:09:00
syslog->/var/log/messages|(dc.domain.local) 2.2.2.2->WinEvtLog WinEvtLog:
Security: AUDIT_FAILURE(4771): Microsoft-Windows-Security-Auditing: (no user):
no domain: dc.domain.local: Kerberos pre-authentication failed. Account
Information: Security ID: S-1-5-21-299502267-854245398-682003330-500 Account
Name: Administrator Service Information: Service Name: krbtgt/DOMAIN
Network Information: Client Address: ::ffff:1.1.1.1 Client Port: 4826
Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18
Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name:
Certificate Serial Number: Certificate Thumbprint: Certificate
information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC
4120. If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.'
hostname: 'alienvault'
program_name: '(null)'
log: '2012 Apr 17 13:09:00 syslog->/var/log/messages|(dc.domain.local)
2.2.2.2->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4771):
Microsoft-Windows-Security-Auditing: (no user): no domain: dc.domain.local:
Kerberos pre-authentication failed. Account Information: Security ID:
S-1-5-21-299502267-854245398-682003330-500 Account Name: Administrator
Service Information: Service Name: krbtgt/DOMAIN Network Information:
Client Address: ::ffff:1.1.1.1 Client Port: 4826 Additional Information:
Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2
Certificate Information: Certificate Issuer Name: Certificate Serial
Number: Certificate Thumbprint: Certificate information is only provided
if a certificate was used for pre-authentication. Pre-authentication types,
ticket options and failure codes are defined in RFC 4120. If the ticket was
malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.'
**Phase 2: Completed decoding.
decoder: 'winserver'
status: 'AUDIT_FAILURE'
id: '4771'
system_name: 'dc.domain.local'
srcuser: 'Administrator'
srcip: '1.1.1.1'
extra_data: ' Client Port: 4826 Additional Information: Ticket
Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2
Certificate Information: Certificate Issuer Name: Certificate Serial
Number: Certificate Thumbprint: Certificate information is only provided
if a certificate was used for pre-authentication. Pre-authentication types,
ticket options and failure codes are defined in RFC 4120. If the ticket was
malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.'
**Phase 3: Completed filtering (rules).
Rule id: '101209'
Level: '3'
Description: 'Event ID 4771: Kerberos pre-authentication failed.'
**Alert to be generated.
However, they do not work when both are in local_decoder.xml at the same time.
The decoder that is listed first under the parent will work, but the other
child decoder falls to the parent. I have tried different orders, trying to go
from most specific to most general in the decoders under a parent. Any ideas
on how (or if) this can be made to work? I know that I could just take the
same approach as the default Windows rules and just alert on Event ID, but if I
can pull out those specific details it would be more useful since this is
feeding into OSSIM and I'd love to be able to pass some of the discrete fields
for reporting.
Thanks in advance for any ideas.
David Mashburn
IT Security Manager
U.S. Pharmacopeia
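The following is an added illustration, not part of the original message and not OSSEC's source code. It is a simplified Python model of the sibling-selection behaviour the message describes (the first child whose prematch matches is committed to; if its regex chain then fails, the event falls to the parent and the other siblings are not retried), applied to constructed, sanitized copies of the two posted events. It then shows the change that the model suggests: giving each child a prematch that only its own event type contains (here "A user account was changed" and "Kerberos pre-authentication failed", my assumption of a suitable discriminator) and running the regex chain from the start of the post-parent text rather than after the prematch. OSSEC's `\.+` is written as Python's `.+?`; the names `Decoder`, `decode` and `build_tree` are inventions of this example.

```python
import re

# Constructed, sanitized copies of the two events quoted in the message.
EVENT_4738 = (
    "2.2.2.2->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4738): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: dc.domain.local: "
    "A user account was changed. Subject: Security ID: S-1-5-21-1-2-3-5771 "
    "Account Name: account1 Account Domain: DOMAIN Logon ID: 0x6170380 "
    "Target Account: Security ID: S-1-5-21-1-2-3-7127 Account Name: account2 "
    "Account Domain: DOMAIN Changed Attributes: SAM Account Name: - Display Name: -"
)
EVENT_4771 = (
    "2.2.2.2->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4771): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: dc.domain.local: "
    "Kerberos pre-authentication failed. Account Information: Security ID: "
    "S-1-5-21-1-2-3-500 Account Name: Administrator Service Information: "
    "Service Name: krbtgt/DOMAIN Network Information: Client Address: ::ffff:1.1.1.1 "
    "Client Port: 4826 Additional Information: Ticket Options: 0x40810010"
)

# The posted regex chains, transcribed to Python syntax (OSSEC \.+ -> .+?).
WIN1_REGEXES = [
    r"(\w+_\w+)\((\d+)\): ",
    r"Microsoft-Windows-Security-Auditing: ",
    r".+?:\s+.+?:\s+(.+?):\s+",
    r"A user account was changed\..+?Account Name:\s+(\S+)\s",
    r".+?:.+?:.+?Target Account:.+?Account Name:\s+(\S+)\s",
    r".+?:.+?Changed Attributes:(.+)",
]
WIN1_ORDER = ["status", "id", "system_name", "srcuser", "dstuser", "extra_data"]
WIN2_REGEXES = [
    r"(\w+_\w+)\((\d+)\): ",
    r"Microsoft-Windows-Security-Auditing: ",
    r".+?:\s+.+?:\s+(.+?):\s+",
    r"Kerberos pre-authentication failed\.\s+",
    r"Account Information:\s+Security ID:\s+",
    r".+?:\s+(\S+)\s+Service Information:\s+",
    r".+?:.+?:.+?:\s+::ffff:(\d+\.\d+\.\d+\.\d+)\s+(.+)",
]
WIN2_ORDER = ["status", "id", "system_name", "srcuser", "srcip", "extra_data"]


class Decoder:
    """Hypothetical stand-in for one <decoder> block (not OSSEC's own type)."""

    def __init__(self, name, prematch, regexes=(), order=(), regex_offset=None):
        self.name = name
        self.prematch = re.compile(prematch)
        self.regexes = [re.compile(r) for r in regexes]
        self.order = list(order)
        self.regex_offset = regex_offset  # None or "after_prematch"
        self.children = []


def decode(parent, log):
    """Return (name of the decoder that won, dict of extracted fields)."""
    m = parent.prematch.search(log)
    if not m:
        return None, {}
    rest = log[m.end():]  # children use offset="after_parent"
    for child in parent.children:
        pm = child.prematch.search(rest)
        if not pm:
            continue  # prematch miss: the next sibling is tried
        # Prematch hit: this child is committed to; no backtracking from here.
        pos = pm.end() if child.regex_offset == "after_prematch" else 0
        values = []
        for rx in child.regexes:  # each regex picks up where the previous ended
            rm = rx.search(rest, pos)
            if not rm:
                return parent.name, {}  # chain failed: event falls to the parent
            values.extend(rm.groups())
            pos = rm.end()
        return child.name, dict(zip(child.order, values))
    return parent.name, {}


def build_tree(unique_prematch):
    """As posted (shared 'Security: ' prematch) or with a per-event prematch."""
    parent = Decoder("winserver", r"\d+\.\d+\.\d+\.\d+->WinEvtLog WinEvtLog: ")
    if unique_prematch:
        p1, p2, off = r"A user account was changed", r"Kerberos pre-authentication failed", None
    else:
        p1 = p2 = r"Security: "
        off = "after_prematch"
    parent.children = [
        Decoder("win-1", p1, WIN1_REGEXES, WIN1_ORDER, off),
        Decoder("win-2", p2, WIN2_REGEXES, WIN2_ORDER, off),
    ]
    return parent


if __name__ == "__main__":
    for unique in (False, True):
        tree = build_tree(unique)
        print("unique prematch:", unique)
        for ev in (EVENT_4738, EVENT_4771):
            print("  ", decode(tree, ev))
```

With the shared "Security: " prematch, event 4771 is claimed by win-1 (listed first), its fourth regex fails, and the event is reported with no fields under winserver; swapping the children reverses which event breaks, which is the symptom described above. With a prematch unique to each event type, the 4771 event skips win-1 at the prematch stage and is decoded by win-2. When changing a real local_decoder.xml this way, the OSSEC regex dialect still applies, and `ossec-logtest` remains the check to run on both events after the edit.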