Thanks! I found out my mistake. In my rule there was <regex>Password Last Set: \d</regex>. The sign "+" after "\d" was absent.
When I pasted your <regex>Password Last Set: \d+</regex> the rule works perfectly. So I wonder, why didn't my rule work? Or where can I find an explanation of OSSEC's regular expressions?

On Wednesday, August 8, 2012 6:21:54 PM UTC+4, dan (ddpbsd) wrote:
>
> On Wed, Aug 8, 2012 at 10:11 AM, Dmitry <[email protected]> wrote:
> > You see the rule 18111 is "A user account was changed".
> > In the part of the log "Changed Attributes" there are all the names of
> > the attributes and there is only one value, that of the changed attribute.
> > So in any alert of rule 18111 there is the name of the attribute "Password Last Set".
> >
> > So the only way to determine the change of password is to look for a digit
> > after "Password Last Set: ".
> > In other cases there will be "-".
> >
>
> <rule id="100089" level="7">
>   <if_sid>18111</if_sid>
>   <regex>Password Last Set: \d+</regex>
>   <description>blahblah</description>
> </rule>
>
> # cat /tmp/p
> WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
>
> # cat /tmp/p | /var/ossec/bin/ossec-logtest
> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading decoder file etc/wip/nsd_decoder.xml.
> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading loading the lists file: 'lists/blocked.txt.cdb'
> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading loading the lists file: 'lists/userlist.txt.cdb'
> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading loading the lists file: 'lists/banneduser.txt.cdb'
> 2012/08/08 10:20:53 ossec-testrule: INFO: Started (pid: 26728).
> ossec-testrule: Type one log per line.
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -'
> hostname: 'ix'
> program_name: '(null)'
> log: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -'
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'AUDIT_SUCCESS'
> id: '4738'
> extra_data: 'Microsoft-Windows-Security-Auditing'
> dstuser: '(no user)'
> system_name: 'SRV-DC.ft.local'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100089'
> Level: '7'
> Description: 'blahblah'
> **Alert to be generated.
>
>
> > On Wednesday, August 8, 2012 4:28:10 PM UTC+4, dan (ddpbsd) wrote:
> >>
> >> On Wed, Aug 8, 2012 at 7:29 AM, Dmitry <[email protected]> wrote:
> >> > Hi!
> >> >
> >> > In the Windows log, the event that reports a password change looks like:
> >> >
> >> > WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
> >> >
> >> > This log triggered an alert of rule 18111 (Windows account changed).
> >> >
> >> > In order to have a separate rule "Password changed" I wrote this rule:
> >> >
> >> > <!-- Password changed for Windows Account -->
> >> > <rule id="100003" level="7">
> >> >   <if_sid>18111</if_sid>
> >> >   <regex>Password Last Set: \d </regex>
> >> >   <description>Password changed for Windows account</description>
> >> > </rule>
> >> >
> >> > But it doesn't work. When I use <match> instead of <regex> it doesn't help.
> >> >
> >>
> >> This works fine for me:
> >>
> >> <rule id="100089" level="7">
> >>   <if_sid>18111</if_sid>
> >>   <match>Password Last Set:</match>
> >>   <description>blahblah</description>
> >> </rule>
>
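As an added example (not code from the thread or from OSSEC), the Python below runs the two <regex> bodies discussed above against a constructed 4738 event and parses the Changed Attributes block the way the thread describes it, so a password rule can be checked against the one attribute that actually carries a value. It assumes that `\d` and `+` mean the same in OSSEC's regex engine as in Python's `re`; the sample events are constructed from the event quoted in the thread.

```python
import re

# Constructed sample, trimmed from the 4738 event quoted in the thread.
EVENT_PASSWORD_SET = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: SRV-DC.ft.local: A user account was changed. "
    "Target Account: Account Name: DP Account Domain: FL Changed Attributes: "
    "SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - "
    "Home Drive: - Script Path: - Profile Path: - User Workstations: - "
    "Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - "
    "AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - "
    "User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -"
)
# Constructed variant: same shape, only the display name changed; a password rule must stay silent.
EVENT_DISPLAY_NAME = EVENT_PASSWORD_SET.replace(
    "Password Last Set: 8/8/2012 2:42:44 PM", "Password Last Set: -"
).replace("Display Name: -", "Display Name: Test User")

# The two <regex> bodies from the thread. Assumption: \d and + behave as in
# Python's re, so re.search stands in for OSSEC's own matcher here.
REGEX_BROKEN = r"Password Last Set: \d "   # digit then a space; the event has "8/" instead
REGEX_WORKING = r"Password Last Set: \d+"

def rule_matches(pattern: str, event: str) -> bool:
    return re.search(pattern, event) is not None

# Attribute names of event 4738 in the order Windows emits them
# ("Additional Information" is a header whose only field is "Privileges").
ATTR_NAMES = [
    "SAM Account Name", "Display Name", "User Principal Name", "Home Directory",
    "Home Drive", "Script Path", "Profile Path", "User Workstations",
    "Password Last Set", "Account Expires", "Primary Group ID", "AllowedToDelegateTo",
    "Old UAC Value", "New UAC Value", "User Account Control", "User Parameters",
    "SID History", "Logon Hours", "Additional Information", "Privileges",
]
_ATTR_SPLIT = re.compile(r"\b(" + "|".join(re.escape(n) for n in ATTR_NAMES) + r"): ")

def changed_attributes(event: str) -> dict:
    """Return {name: new value} for every attribute whose value is not '-' (unchanged)."""
    _, _, section = event.partition("Changed Attributes: ")
    parts = _ATTR_SPLIT.split(section)   # ['', name1, value1, name2, value2, ...]
    changed = {}
    for name, value in zip(parts[1::2], parts[2::2]):
        value = value.strip()
        if value and value != "-":
            changed[name] = value
    return changed
```

`changed_attributes` is the check to prefer over a bare regex when a rule must distinguish a password change from, say, a display-name change on the same event ID.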
