Thanks for the guidance. My first set of tests seems to be working when the
prematch is unique.

>>> "dan (ddp)" <[email protected]> 4/18/2012 7:55 AM >>>
Do they work if you make them each have unique <prematch> tags?

On Tue, Apr 17, 2012 at 1:26 PM, David Mashburn <[email protected]> wrote:
> My apologies in advance, as this is a lengthy message.
>
> I have been working on custom decoders for Windows events to try to extract
> some of the information that is deeper in the body of an event. I have
> successfully been able to create a decoder to pull information into the
> decoded fields. However, these decoders seem to have problems working when
> there is more than one of these 'deep' (for lack of a better word) custom
> decoders in local_decoder.xml. All of the log examples below have been
> sanitized.
>
> Excerpt from local_decoder:
>
> <decoder name="winserver">
>   <type>windows</type>
>   <prematch>\d+.\d+.\d+.\d+->WinEvtLog WinEvtLog: </prematch>
> </decoder>
>
> <!-- This will parse out the user account making the change -->
> <!-- as well as the user account that was altered (Event 4738) -->
> <decoder name="win-1">
>   <parent>winserver</parent>
>   <prematch offset="after_parent">Security: </prematch>
>   <regex offset="after_prematch">(\w+_\w+)\((\d+)\): </regex>
>   <regex>Microsoft-Windows-Security-Auditing: </regex>
>   <regex>\.+:\s+\.+:\s+(\.+):\s+</regex>
>   <regex>A user account was changed.\.+Account Name:\s+(\S+)\s</regex>
>   <regex>\.+:\.+:\.+Target Account:\.+Account Name:\s+(\S+)\s</regex>
>   <regex>\.+:\.+Changed Attributes:(\.+)</regex>
>   <order>status, id, system_name, srcuser, dstuser, extra_data</order>
> </decoder>
>
> <decoder name="win-2">
>   <parent>winserver</parent>
>   <prematch offset="after_parent">Security: </prematch>
>   <regex offset="after_prematch">(\w+_\w+)\((\d+)\): </regex>
>   <regex>Microsoft-Windows-Security-Auditing: </regex>
>   <regex>\.+:\s+\.+:\s+(\.+):\s+</regex>
>   <regex>Kerberos pre-authentication failed.\s+</regex>
>   <regex>Account Information:\s+Security ID:\s+</regex>
>   <regex>\.+:\s+(\S+)\s+Service Information:\s+</regex>
>   <regex>\.+:\.+:\.+:\s+::ffff:(\d+.\d+.\d+.\d+)\s+(\.+)</regex>
>   <order>status, id, system_name, srcuser, srcip, extra_data</order>
> </decoder>
>
> Decoder win-1 works correctly by itself with decoder win-2 commented out:
> alienvault:/var/ossec/bin# ./ossec-logtest
> 2012/04/16 16:34:40 ossec-testrule: INFO: Reading local decoder file.
> 2012/04/16 16:34:40 ossec-testrule: INFO: Started (pid: 18592).
> ossec-testrule: Type one log per line.
>
> 2012 Apr 13 11:18:19 (dc.domain.local) 2.2.2.2->WinEvtLog WinEvtLog:
> Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no
> user): no domain: dc.domain.local: A user account was changed. Subject:
> Security ID: S-1-5-21-299502267-854245398-682003330-5771 Account Name:
> account1 Account Domain: DOMAIN Logon ID: 0x6170380 Target Account:
> Security ID: S-1-5-21-299502267-854245398-682003330-7127 Account Name:
> account2 Account Domain: DOMAIN Changed Attributes: SAM Account Name: -
> Display Name: - User Principal Name: - Home Directory: - Home Drive:
> - Script Path: - Profile Path: - User Workstations: - Password Last
> Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: -
> Old UAC Value: - New UAC Value: - User Account Control: - User
> Parameters: - SID History: - Logon Hours: - Additional Information:
> Privileges: -
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2012 Apr 13 11:18:19 (dc.domain.local)
> 2.2.2.2->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4738):
> Microsoft-Windows-Security-Auditing: (no user): no domain: dc.domain.local:
> A user account was changed. Subject: Security ID:
> S-1-5-21-299502267-854245398-682003330-5771 Account Name: account1
> Account Domain: DOMAIN Logon ID: 0x6170380 Target Account: Security
> ID: S-1-5-21-299502267-854245398-682003330-7127 Account Name: account2
> Account Domain: DOMAIN Changed Attributes: SAM Account Name: - Display
> Name: - User Principal Name: - Home Directory: - Home Drive: - Script
> Path: - Profile Path: - User Workstations: - Password Last Set: -
> Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC
> Value: - New UAC Value: - User Account Control: - User Parameters: -
> SID History: - Logon Hours: - Additional Information: Privileges: -'
> hostname: 'alienvault'
> program_name: '(null)'
> log: '2012 Apr 13 11:18:19 (dc.domain.local) 2.2.2.2->WinEvtLog
> WinEvtLog: Security: AUDIT_SUCCESS(4738):
> Microsoft-Windows-Security-Auditing: (no user): no domain: dc.domain.local:
> A user account was changed. Subject: Security ID:
> S-1-5-21-299502267-854245398-682003330-5771 Account Name: account1
> Account Domain: DOMAIN Logon ID: 0x6170380 Target Account: Security
> ID: S-1-5-21-299502267-854245398-682003330-7127 Account Name: account2
> Account Domain: DOMAIN Changed Attributes: SAM Account Name: - Display
> Name: - User Principal Name: - Home Directory: - Home Drive: - Script
> Path: - Profile Path: - User Workstations: - Password Last Set: -
> Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC
> Value: - New UAC Value: - User Account Control: - User Parameters: -
> SID History: - Logon Hours: - Additional Information: Privileges: -'
>
> **Phase 2: Completed decoding.
> decoder: 'winserver'
> status: 'AUDIT_SUCCESS'
> id: '4738'
> system_name: 'dc.domain.local'
> srcuser: 'account1'
> dstuser: 'account2'
> extra_data: ' SAM Account Name: - Display Name: - User Principal
> Name: - Home Directory: - Home Drive: - Script Path: - Profile Path:
> - User Workstations: - Password Last Set: - Account Expires: - Primary
> Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: -
> User Account Control: - User Parameters: - SID History: - Logon Hours:
> - Additional Information: Privileges: -'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '101102'
> Level: '3'
> Description: 'Event ID 4738: A user account was [successfully]
> changed.'
> **Alert to be generated.
>
> Decoder win-2 works with decoder win-1 commented out:
> alienvault:/var/ossec/etc# ../bin/ossec-logtest
> 2012/04/17 13:11:47 ossec-testrule: INFO: Reading local decoder file.
> 2012/04/17 13:11:47 ossec-testrule: INFO: Started (pid: 20553).
> ossec-testrule: Type one log per line.
>
> 2012 Apr 17 13:09:00 syslog->/var/log/messages|(dc.domain.local)
> 2.2.2.2->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4771):
> Microsoft-Windows-Security-Auditing: (no user): no domain: dc.domain.local:
> Kerberos pre-authentication failed. Account Information: Security ID:
> S-1-5-21-299502267-854245398-682003330-500 Account Name: Administrator
> Service Information: Service Name: krbtgt/DOMAIN Network Information:
> Client Address: ::ffff:1.1.1.1 Client Port: 4826 Additional
> Information: Ticket Options: 0x40810010 Failure Code: 0x18
> Pre-Authentication Type: 2 Certificate Information: Certificate Issuer
> Name: Certificate Serial Number: Certificate Thumbprint:
> Certificate information is only provided if a certificate was used for
> pre-authentication. Pre-authentication types, ticket options and failure
> codes are defined in RFC 4120. If the ticket was malformed or damaged
> during transit and could not be decrypted, then many fields in this event
> might not be present.
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2012 Apr 17 13:09:00
> syslog->/var/log/messages|(dc.domain.local) 2.2.2.2->WinEvtLog WinEvtLog:
> Security: AUDIT_FAILURE(4771): Microsoft-Windows-Security-Auditing: (no
> user): no domain: dc.domain.local: Kerberos pre-authentication failed.
> Account Information: Security ID:
> S-1-5-21-299502267-854245398-682003330-500 Account Name: Administrator
> Service Information: Service Name: krbtgt/DOMAIN Network Information:
> Client Address: ::ffff:1.1.1.1 Client Port: 4826 Additional
> Information: Ticket Options: 0x40810010 Failure Code: 0x18
> Pre-Authentication Type: 2 Certificate Information: Certificate Issuer
> Name: Certificate Serial Number: Certificate Thumbprint:
> Certificate information is only provided if a certificate was used for
> pre-authentication. Pre-authentication types, ticket options and failure
> codes are defined in RFC 4120. If the ticket was malformed or damaged
> during transit and could not be decrypted, then many fields in this event
> might not be present.'
> hostname: 'alienvault'
> program_name: '(null)'
> log: '2012 Apr 17 13:09:00
> syslog->/var/log/messages|(dc.domain.local) 2.2.2.2->WinEvtLog WinEvtLog:
> Security: AUDIT_FAILURE(4771): Microsoft-Windows-Security-Auditing: (no
> user): no domain: dc.domain.local: Kerberos pre-authentication failed.
> Account Information: Security ID:
> S-1-5-21-299502267-854245398-682003330-500 Account Name: Administrator
> Service Information: Service Name: krbtgt/DOMAIN Network Information:
> Client Address: ::ffff:1.1.1.1 Client Port: 4826 Additional
> Information: Ticket Options: 0x40810010 Failure Code: 0x18
> Pre-Authentication Type: 2 Certificate Information: Certificate Issuer
> Name: Certificate Serial Number: Certificate Thumbprint:
> Certificate information is only provided if a certificate was used for
> pre-authentication. Pre-authentication types, ticket options and failure
> codes are defined in RFC 4120. If the ticket was malformed or damaged
> during transit and could not be decrypted, then many fields in this event
> might not be present.'
>
> **Phase 2: Completed decoding.
> decoder: 'winserver'
> status: 'AUDIT_FAILURE'
> id: '4771'
> system_name: 'dc.domain.local'
> srcuser: 'Administrator'
> srcip: '1.1.1.1'
> extra_data: ' Client Port: 4826 Additional Information: Ticket
> Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2
> Certificate Information: Certificate Issuer Name: Certificate Serial
> Number: Certificate Thumbprint: Certificate information is only
> provided if a certificate was used for pre-authentication.
> Pre-authentication types, ticket options and failure codes are defined in
> RFC 4120. If the ticket was malformed or damaged during transit and could
> not be decrypted, then many fields in this event might not be present.'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '101209'
> Level: '3'
> Description: 'Event ID 4771: Kerberos pre-authentication failed.'
> **Alert to be generated.
>
> However, they do not work when both are in local_decoder.xml at the same
> time. The decoder that is listed first under the parent will work, but the
> other child decoder falls to the parent. I have tried different orders,
> trying to go from most specific to most general in the decoders under a
> parent. Any ideas on how (or if) this can be made to work? I know that I
> could just take the same approach as the default Windows rules and just
> alert on Event ID, but if I can pull out those specific details it would be
> more useful since this is feeding into OSSIM and I'd love to be able to pass
> some of the discrete fields for reporting.
>
> Thanks in advance for any ideas.
>
>
> David Mashburn
> IT Security Manager
> U.S. Pharmacopeia
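As an added illustration (not code from the thread or from OSSEC itself), the Python model below reproduces the sibling-decoder behaviour David reports and dan's fix: with both children prematching on `Security: `, the 4771 event falls to the parent, while unique prematches that also pin the audit status and event id let both children decode. The regexes are simplified Python translations of the thread's OSSEC patterns, the two events are shortened, constructed versions of the logs quoted above, and the rule that the first prematch-matching child is final is an assumption drawn from the observed logtest output, not from OSSEC's source.

```python
import re

# Constructed sample events, shortened from the two WinEvtLog lines in the thread.
EV_4738 = ("2.2.2.2->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4738): "
           "Microsoft-Windows-Security-Auditing: (no user): no domain: dc.domain.local: "
           "A user account was changed. Subject: Security ID: S-1-5-21-1 Account Name: "
           "account1 Account Domain: DOMAIN Logon ID: 0x6170380 Target Account: Security ID: "
           "S-1-5-21-2 Account Name: account2 Account Domain: DOMAIN Changed Attributes: -")
EV_4771 = ("2.2.2.2->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4771): "
           "Microsoft-Windows-Security-Auditing: (no user): no domain: dc.domain.local: "
           "Kerberos pre-authentication failed. Account Information: Security ID: "
           "S-1-5-21-500 Account Name: Administrator Service Information: Service Name: "
           "krbtgt/DOMAIN Network Information: Client Address: ::ffff:1.1.1.1 Client Port: 4826")

PARENT_PREMATCH = r"\d+\.\d+\.\d+\.\d+->WinEvtLog WinEvtLog: "
# Simplified Python translations of the win-1 / win-2 field regexes from the thread.
WIN1_RX = (r"A user account was changed\..*?Account Name:\s+(\S+)\s"
           r".*?Target Account:.*?Account Name:\s+(\S+)\s")
WIN2_RX = (r"Kerberos pre-authentication failed\..*?Account Name:\s+(\S+)\s"
           r".*?Client Address:\s+::ffff:(\d+\.\d+\.\d+\.\d+)")

def child_decoders(unique_prematch):
    # Failing setup: both children prematch on "Security: ". Fixed setup: each
    # prematch also pins the audit status and event id, so only one child can match.
    pm1, pm2 = ((r"Security: AUDIT_SUCCESS\(4738\): ", r"Security: AUDIT_FAILURE\(4771\): ")
                if unique_prematch else (r"Security: ", r"Security: "))
    return [("win-1", pm1, WIN1_RX, ["srcuser", "dstuser"]),
            ("win-2", pm2, WIN2_RX, ["srcuser", "srcip"])]

def decode(event, decoders):
    # Assumed model of the behaviour seen in the thread: the first child whose
    # prematch matches is selected; if its regex then fails, the event stays with
    # the parent decoder instead of being offered to the next sibling.
    parent = re.match(PARENT_PREMATCH, event)
    if not parent:
        return None                      # not a WinEvtLog event at all
    rest = event[parent.end():]
    for name, prematch, regex, order in decoders:
        pm = re.match(prematch, rest)
        if not pm:
            continue                     # try the next sibling
        fields = re.search(regex, rest[pm.end():])
        if not fields:
            return {"decoder": "winserver"}   # regex failed: falls to the parent
        return {"decoder": name, **dict(zip(order, fields.groups()))}
    return {"decoder": "winserver"}          # no child prematch matched
```

Running `decode(EV_4771, child_decoders(False))` gives only the parent decoder, while `decode(EV_4771, child_decoders(True))` yields srcuser and srcip.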
