On Tue, Oct 30, 2012 at 10:08 AM, <[email protected]> wrote:
> Hello ossec experts,
>
> 1. I have installed ossec-hids-2.6-16.el5 and a few days ago I started to
> write some rules to better match our network, and today I realized that
> for w2k8 ... the predefined rules and also the actual ossec decoders are not
> working ...
>
> Where can I find rules that work with Windows 2008 Server, or how can I get
> correctly decoded alerts for the Windows 2008 OS? I don't want to reinvent
> the wheel and write all the rules for this OS ... How have other people
> solved this problem?
>
Have you tried any of the 2.7 betas or the latest development code? That
would be where you'd want to start.

> 2. Can somebody tell me why the event below (generated by a w2k8 server) is
> not decoded and still matches rule 1002 ...?!
>
> Oct 30 08:15:44 sftp microsoft-windows-security-auditing[success] 4663 An attempt was made to access an object.#177#177Subject:#177Security ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account Name:ionel#177Account Domain:SENSITIVE#177Logon ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object Type:File#177Object Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process Name:#177#177Access Request Information:#177Accesses: DELETE#177#177Access Mask:0x10000
>

Not being decoded and matching rule 1002 may be different issues. What should
this decode as? How did you get this log message into the OSSEC server (ossec
agent, snare, ??)?

> 3. Why does adding the rule below to local_rules.xml ... matching event id
> 4663 not work ...? It still matches rule 1002!
>
> <rule id="100360" level="12">
>   <if_sid>18100</if_sid>

If it's matching sid 1002, why did you tell the rule to look for events
matching 18100?

>   <id>^4663</id>

If the log isn't decoded properly, there won't be an id.

>   <description>An attempt was made to access an object - custom</description>
> </rule>
>
> How do I correct the rule above to better match event 4663 and work for the
> w2k8 OS?
>
> I want to mention that the other rules declared in local_rules.xml are
> working without problems!
>
> Regards,
> Alx

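The following is an added example for this thread, not code from OSSEC or from either poster: a small Python model of the decode-then-rule pipeline, run over the 4663 event quoted above, to show why an <id>-based child rule such as 100360 cannot fire when no decoder claims the line, while a plain-text rule like 1002 still can. Everything in it beyond the quoted event is an assumption: that each "#177" stands for a line break in the original event text, that rule 1002 matches on the OSSEC 2.x $BAD_WORDS list reproduced from memory (check rules/syslog_rules.xml on your install), and that a decoder for the "program[result] eventid text" shape would look roughly like the regex below (stock 2.6 windows decoders do not claim this line, which is the situation in the thread).

```python
import re

# Constructed sample: the event quoted in the thread, joined onto one line.
# Assumption: each "#177" replaces a line break in the original event text.
SAMPLE = (
    "Oct 30 08:15:44 sftp microsoft-windows-security-auditing[success] 4663 "
    "An attempt was made to access an object.#177#177Subject:#177Security "
    "ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account "
    "Name:ionel#177Account Domain:SENSITIVE#177Logon ID:0x182f97bc3#177#177"
    "Object:#177Object Server:Security#177Object Type:File#177Object "
    "Name:#177\\Device\\TrueCryptVolumeK\\Transfer\\out\\213\\errors.txt#177Handle "
    "ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process "
    "Name:#177#177Access Request Information:#177Accesses: DELETE#177#177Access "
    "Mask:0x10000"
)

# Assumption: the OSSEC 2.x $BAD_WORDS list behind rule 1002, from memory.
BAD_WORDS = re.compile(r"core_dumped|failure|error|attack| bad |illegal |denied"
                       r"|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted")

SYSLOG_HDR = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$", re.S)

# Our own (hypothetical) decoder for the "program[result] eventid text" shape;
# it stands in for a local_decoder.xml entry the poster would have to write.
SEC_AUDIT = re.compile(
    r"^microsoft-windows-security-auditing\[(?P<result>\w+)\] (?P<id>\d+) (?P<body>.*)$", re.S)

# A "Key:" label needs two or more letters/spaces before the colon, so a
# one-letter drive such as "C:\..." is read as a value, not a new key.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z ]+):(.*)$", re.S)


def parse_fields(body):
    """Split the event text on '#177' and rebuild 'Key: value' pairs; a value
    may sit in the segment after its label (e.g. 'Security ID:#177S-1-5-...')."""
    fields, pending = {}, None
    for seg in body.split("#177"):
        m = KEY_RE.match(seg)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            fields[key] = val
            pending = None if val else key          # empty value: expect it next
        elif seg.strip() and pending:
            fields[pending], pending = seg.strip(), None
        else:
            pending = None                          # blank line ends a label
    return fields


def decode(line, use_custom_decoder):
    """Return (decoder_name, fields); decoder_name is None when no decoder
    claimed the line, i.e. the event reaches the rules undecoded."""
    m = SYSLOG_HDR.match(line)
    rest = m.group("rest") if m else line
    if use_custom_decoder:
        d = SEC_AUDIT.match(rest)
        if d:
            extra = parse_fields(d.group("body"))
            return "windows-security-auditing", {
                "id": d.group("id"), "status": d.group("result"),
                "user": extra.get("Account Name"), "extra": extra,
            }
    return None, {}


# Simplified rule set: 1002 and 18100 stand in for the stock rules, 100360 is
# the poster's rule. A child (if_sid) is only tried once its parent matched.
RULES = [
    {"id": 1002, "level": 2,
     "test": lambda dec, f, line: bool(BAD_WORDS.search(line))},
    {"id": 18100, "level": 0,
     "test": lambda dec, f, line: dec == "windows-security-auditing"},
    {"id": 100360, "level": 12, "if_sid": 18100,
     "test": lambda dec, f, line: bool(re.match(r"^4663", f.get("id", "")))},
]


def evaluate(line, use_custom_decoder):
    """Return (winning_rule_id, decoder_name, fields). Simplification of the
    OSSEC engine: root rules are all tried, children only after their parent,
    and the highest-level match wins."""
    dec, fields = decode(line, use_custom_decoder)
    matched = []
    for rule in RULES:
        if "if_sid" in rule and rule["if_sid"] not in [m["id"] for m in matched]:
            continue
        if rule["test"](dec, fields, line):
            matched.append(rule)
    best = max(matched, key=lambda r: r["level"], default=None)
    return (best["id"] if best else None), dec, fields


if __name__ == "__main__":
    for custom in (False, True):
        rule_id, dec, fields = evaluate(SAMPLE, custom)
        print(f"custom decoder={custom}: decoded as {dec}, rule {rule_id}, "
              f"id={fields.get('id')}, user={fields.get('user')}")
```

Without the decoder the line is undecoded, there is no id field, 18100 never matches, the child 100360 is never even tried, and the only thing left to fire is the bad-words rule (the path "errors.txt" contains "error"). With the decoder the id field exists, 18100 matches, and 100360 wins on level. On a real install the equivalent check is feeding the line to /var/ossec/bin/ossec-logtest, which prints which decoder and rule claimed it.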