On Thu, Aug 9, 2012 at 1:39 AM, Dmitry <[email protected]> wrote:
> Thanks!
> I found out my mistake.
>
> In my rule there was <regex>Password Last Set: \d</regex>. The sign "+"
> after "\d" was absent.
>
> When I pasted your <regex>Password Last Set: \d+</regex> the rule works
> perfectly.
>
> So I wonder, why didn't my rule work? Or where can I find an explanation of
> OSSEC's regular expressions?
>

http://ossec.net/doc/syntax/regex.html

> On Wednesday, August 8, 2012 6:21:54 PM UTC+4, dan (ddpbsd) wrote:
>>
>> On Wed, Aug 8, 2012 at 10:11 AM, Dmitry <[email protected]> wrote:
>> > You see, rule 18111 is "A user account was changed".
>> > In the "Changed Attributes" part of the log there are the names of all
>> > the attributes, and only the changed attribute has a value.
>> > So in any alert from rule 18111 there is the attribute name "Password
>> > Last Set".
>> >
>> > So the only way to determine a password change is to look for a digit
>> > after "Password Last Set: ".
>> > Otherwise there will be "-".
>> >
>>
>> <rule id="100089" level="7">
>>   <if_sid>18111</if_sid>
>>   <regex>Password Last Set: \d+</regex>
>>   <description>blahblah</description>
>> </rule>
>>
>>
>> # cat /tmp/p
>> WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
>> # cat /tmp/p | /var/ossec/bin/ossec-logtest
>> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
>> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
>> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading decoder file etc/wip/nsd_decoder.xml.
>> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading loading the lists file: 'lists/blocked.txt.cdb'
>> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading loading the lists file: 'lists/userlist.txt.cdb'
>> 2012/08/08 10:20:52 ossec-testrule: INFO: Reading loading the lists file: 'lists/banneduser.txt.cdb'
>> 2012/08/08 10:20:53 ossec-testrule: INFO: Started (pid: 26728).
>> ossec-testrule: Type one log per line.
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -'
>> hostname: 'ix'
>> program_name: '(null)'
>> log: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'windows'
>> status: 'AUDIT_SUCCESS'
>> id: '4738'
>> extra_data: 'Microsoft-Windows-Security-Auditing'
>> dstuser: '(no user)'
>> system_name: 'SRV-DC.ft.local'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '100089'
>> Level: '7'
>> Description: 'blahblah'
>> **Alert to be generated.
>>
>>
>> > On Wednesday, August 8, 2012 4:28:10 PM UTC+4, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Aug 8, 2012 at 7:29 AM, Dmitry <[email protected]> wrote:
>> >> > Hi!
>> >> >
>> >> > In the Windows log, the event about a password change looks like:
>> >> >
>> >> > WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
>> >> >
>> >> > This log triggered an alert from rule 18111 (Windows account changed).
>> >> >
>> >> > In order to have a separate "Password changed" rule, I wrote this rule:
>> >> >
>> >> > <!-- Password changed for Windows Account -->
>> >> > <rule id="100003" level="7">
>> >> >   <if_sid>18111</if_sid>
>> >> >   <regex>Password Last Set: \d </regex>
>> >> >   <description>Password changed for Windows account</description>
>> >> > </rule>
>> >> >
>> >> > But it doesn't work. Using <match> instead of <regex> doesn't help
>> >> > either.
>> >> >
>> >>
>> >> This works fine for me:
>> >>
>> >> <rule id="100089" level="7">
>> >>   <if_sid>18111</if_sid>
>> >>   <match>Password Last Set:</match>
>> >>   <description>blahblah</description>
>> >> </rule>
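The following is an added example and not part of the thread or of the OSSEC project. It builds 4738 records in the single-line form the OSSEC Windows agent forwards (SIDs and account names copied from the event posted above, the rest constructed), runs the two <regex> bodies from the thread over them, and then shows a stricter check that requires a real timestamp after "Password Last Set:" and extracts the target account for the alert. Two assumptions: Python's re stands in for OSSEC's own regex engine (see the syntax page linked above), which is fine for literal text, \d and + but not a general equivalence; and the timestamp pattern assumes the US-style date format seen in the posted event, which varies by server locale.

```python
import re

# Attribute names in the order Windows prints them under "Changed Attributes:"
# (order taken from the 4738 event posted in the thread).
CHANGED_ATTRIBUTE_ORDER = [
    "SAM Account Name", "Display Name", "User Principal Name", "Home Directory",
    "Home Drive", "Script Path", "Profile Path", "User Workstations",
    "Password Last Set", "Account Expires", "Primary Group ID",
    "AllowedToDelegateTo", "Old UAC Value", "New UAC Value",
    "User Account Control", "User Parameters", "SID History", "Logon Hours",
]


def build_4738(target_account, changed):
    """Construct a 4738 record as the OSSEC Windows agent forwards it.

    Attributes absent from `changed` are printed as "-", which is what Windows
    does for unchanged ones. SIDs, the subject (dg) and the server name come
    from the event in the thread; everything else is constructed sample data.
    """
    attrs = " ".join(f"{name}: {changed.get(name, '-')}" for name in CHANGED_ATTRIBUTE_ORDER)
    return (
        "WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: "
        "(no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: "
        "Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg "
        "Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: "
        "S-1-5-21-3227760434-1372198118-1359596449-1269 "
        f"Account Name: {target_account} Account Domain: FL Changed Attributes: {attrs} "
        "Additional Information: Privileges: -"
    )


# Constructed sample events: the password-change case from the thread and a
# 4738 that changes only the display name (Password Last Set stays "-").
EVENTS = {
    "password_set": build_4738("DP", {"Password Last Set": "8/8/2012 2:42:44 PM"}),
    "display_name": build_4738("DP", {"Display Name": "Dmitry P"}),
}

# The <regex> bodies from the thread as Python regular expressions. Python's re
# is not OSSEC's engine; treating them alike for literal text, \d and + is the
# assumption this example rests on. Note the trailing space in the first one.
REGEX_BODIES = {
    "original (digit then space)": r"Password Last Set: \d ",
    "working (one or more digits)": r"Password Last Set: \d+",
}


def rule_matches(regex_body, event):
    """Emulate OSSEC <regex>: an unanchored search anywhere in the log line."""
    return re.search(regex_body, event) is not None


# Stricter check for a production rule: require a full timestamp after
# "Password Last Set:" (a lone digit could come from any numeric field that a
# future Windows build or decoder change puts nearby) and pull the target
# account so the alert names whose password was set, not the subject who set it.
PASSWORD_SET_RE = re.compile(
    r"Target Account: .*?Account Name: (?P<target>\S+) .*?"
    r"Password Last Set: (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
)


def password_change_target(event):
    """Return (target account, timestamp) when a 4738 carries a new
    'Password Last Set' value; None for any other event or attribute change."""
    if "AUDIT_SUCCESS(4738)" not in event:
        return None
    m = PASSWORD_SET_RE.search(event)
    return (m.group("target"), m.group("when")) if m else None


if __name__ == "__main__":
    for name, event in EVENTS.items():
        for label, body in REGEX_BODIES.items():
            print(f"{name:13} {label:30} -> {rule_matches(body, event)}")
        print(f"{name:13} password_change_target         -> {password_change_target(event)}")
```

Running it shows the failure mode discussed in the thread: the body with a trailing space wants a space immediately after the first digit, but the value is "8/8/2012 ...", so the slash breaks the match, while `\d+` matches and the "-" placeholder never does. The stricter pattern is what you would put behind an alert that pages someone, because it also tells you which account was affected.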
