On Thu, Nov 1, 2012 at 7:24 AM, <[email protected]> wrote:
> Quoting "dan (ddp)" <[email protected]>:
>
>> On Tue, Oct 30, 2012 at 10:08 AM, <[email protected]> wrote:
>>>
>>> 2. Can somebody tell me why the above event (generated by a w2k8 server) is not
>>> decoded and still matches Rule 1002 ...?!
>>>
>>> Oct 30 08:15:44 sftp microsoft-windows-security-auditing[success] 4663 An
>>> attempt was made to access an object.#177#177Subject:#177Security
>>> ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
>>> Name:ionel#177Account Domain:SENSITIVE#177Logon
>>> ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
>>> Type:File#177Object
>>> Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
>>> ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
>>> Name:#177#177Access Request Information:#177Accesses:
>>> DELETE#177#177Access
>>> Mask:0x10000
>>>
>>
>> Not being decoded and matching rule 1002 may be different issues. What
>> should this decode as? How did you get this log message into the OSSEC
>> server (ossec agent, snare, ??)?
>
>
> I am getting this message from our Windows 2008 server (we are using rsyslog
> on a Linux central server to collect it)
>
Ok, but what is sending it? The format is different from what we've seen
with other products.

>
>>
>>> 3. Why does adding the rule below to the local_rules.xml file ... matching event id
>>> 4663 not work ...? It is still matching Rule 1002!
>>>
>>> <rule id="100360" level="12">
>>> <if_sid>18100</if_sid>
>>
>>
>> If it's matching sid 1002, why did you tell the rule to look for
>> events matching 18100?
>
>
> Just tried 18100 considering that it should be translated as: "if it is a Windows
> operating system" ... do something!
>

That doesn't even make sense.

>>> <id>^4663</id>
>
>
> and here I tried to match eventid 4663 ...
>

Which isn't decoded. Did you look at the ossec-logtest output at all?

> So, my question is: are Windows 2008 events supported in ossec-2.6?
>
> If not, when are they planned to be supported in a stable ossec release?
>

No idea, I don't do much with Windows. But my guess would be 2.7.

> Regards,
> Alx
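The point dan is making is that a rule's `<id>` test can only fire once a decoder has actually pulled the event id out of the line; until then, nothing in the rule tree sees "4663" as a field, and the generic catch-all (rule 1002, which matches log lines containing words such as "error", satisfied here by the file name errors.txt) is what wins. The following parser is an added illustration of what such a decoder has to extract from this rsyslog-forwarded format. It is not code from the thread or from OSSEC (OSSEC decoders are XML, not Python), the function names are made up for this example, and it assumes the `#177` tokens can be treated purely as separators left behind where the multi-line Windows event body was flattened; the sample line is the one quoted above, re-joined after the mail client's line wrapping.

```python
import re
from typing import Dict, Optional

# Constructed sample: the event 4663 line quoted in the thread, re-joined onto one
# line. The "#177" tokens mark where the multi-line Windows event body was
# flattened on its way through rsyslog; this parser treats them purely as
# separators (an assumption about the pipeline, not a fact stated in the thread).
SAMPLE_LINE = (
    "Oct 30 08:15:44 sftp microsoft-windows-security-auditing[success] 4663 An "
    "attempt was made to access an object.#177#177Subject:#177Security "
    "ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account "
    "Name:ionel#177Account Domain:SENSITIVE#177Logon "
    "ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object "
    "Type:File#177Object "
    "Name:#177\\Device\\TrueCryptVolumeK\\Transfer\\out\\213\\errors.txt#177Handle "
    "ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process "
    "Name:#177#177Access Request Information:#177Accesses: "
    "DELETE#177#177Access "
    "Mask:0x10000"
)

# Header as it appears in the thread: "<ts> <host> <program>[<outcome>] <event id> <body>".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\s]+)\[(?P<outcome>[^\]]+)\] "
    r"(?P<event_id>\d+) "
    r"(?P<body>.*)$"
)

SEPARATOR = "#177"


def parse_body_fields(body: str) -> Dict[str, str]:
    """Turn the flattened 'Key:Value' body into a dict.

    Some values follow their key directly ("Account Name:ionel"); others were pushed
    into the next token ("Security ID:" then "S-1-5-..."), so an empty value is filled
    from the following token when that token is not itself a "Key:" line.
    """
    tokens = [t.strip() for t in body.split(SEPARATOR)]
    fields: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if ":" in tok:
            key, _, value = tok.partition(":")
            key, value = key.strip(), value.strip()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if not value and nxt and ":" not in nxt:
                value = nxt
                i += 1  # consumed the value token
            fields[key] = value
        i += 1
    return fields


def parse_windows_event(line: str) -> Optional[dict]:
    """Decode one forwarded Windows Security event; None if the header does not fit."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": m["ts"],
        "host": m["host"],
        "program": m["program"],
        "outcome": m["outcome"],  # "success" in the sample; the audit outcome
        "event_id": int(m["event_id"]),
        "fields": parse_body_fields(m["body"]),
    }


def is_file_delete_access(event: Optional[dict]) -> bool:
    """The condition a custom rule for this event would test once it is decoded:
    event 4663 where a DELETE access was requested on an object of type File."""
    if not event or event["event_id"] != 4663:
        return False
    f = event["fields"]
    accesses = f.get("Accesses", "").split()
    return f.get("Object Type") == "File" and "DELETE" in accesses


if __name__ == "__main__":
    ev = parse_windows_event(SAMPLE_LINE)
    print(ev["event_id"], ev["outcome"], ev["fields"]["Account Name"],
          ev["fields"]["Object Name"])
    print("file delete access:", is_file_delete_access(ev))
```

Running it on the sample yields event id 4663 with outcome "success", account "ionel" and the TrueCrypt volume path as the object name, and the delete check is true; a line whose header does not fit (an ordinary sshd message, say) returns None rather than being half-decoded, which is the same distinction dan draws between "not decoded" and "matched by the catch-all".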
