On Thu, Nov 1, 2012 at 10:44 AM, <[email protected]> wrote:
>
> Ok. Is SyslogAgent v3.5 by Datagram ... see picture attached.
>
> If this one is not good, what agent is recommended?
>
>
> Regards,
> Alx
>
It's not a question as to whether it's good or not, it just isn't
currently supported. But this is an easy fix. It's apparently based on
NTSyslog, which does have a decoder.
Let's write a decoder! First, how does the log sample look in ossec-logtest?
2012/11/01 10:52:54 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2012/11/01 10:52:54 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2012/11/01 10:52:55 ossec-testrule: INFO: Reading the lists file:
'lists/blocked.txt'
2012/11/01 10:52:55 ossec-testrule: INFO: Reading the lists file:
'lists/userlist.txt'
2012/11/01 10:52:55 ossec-testrule: INFO: Reading the lists file:
'lists/auser.txt'
2012/11/01 10:52:55 ossec-testrule: INFO: Started (pid: 4131).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Oct 30 08:15:44 sftp
microsoft-windows-security-auditing[success] 4663 An attempt was made
to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses:
DELETE#177#177Access Mask:0x10000'
hostname: 'sftp'
program_name: '(null)'
log: 'microsoft-windows-security-auditing[success] 4663 An
attempt was made to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses:
DELETE#177#177Access Mask:0x10000'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
No decoder, just like we knew. The log starts with (after the header),
"microsoft-windows-security-auditing[success]." The windows-ntsyslog
decoder looks for "<prematch>^security[\w+] \d+ </prematch>" first.
These two things don't quite line up, so open the
/var/ossec/etc/decoder.xml in vi/emacs. Change the prematch to look
like:
"<prematch>^security[\w+] \d+ |^microsoft-windows-security-auditing[\w+] \d+ </prematch>",
save, and close.
The decoder should look like this now:
<decoder name="windows-ntsyslog">
<type>windows</type>
<prematch>^security[\w+] \d+ |^microsoft-windows-security-auditing[\w+] \d+ </prematch>
<regex>^(\w+)[(\w+)] (\d+) </regex>
<order>extra_data, status, id</order>
</decoder>
Now rerun the log message through ossec-logtest, and look at the results:
# cat /tmp/lll | /var/ossec/bin/ossec-logtest
2012/11/01 10:58:23 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2012/11/01 10:58:23 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2012/11/01 10:58:23 ossec-testrule: INFO: Reading the lists file:
'lists/blocked.txt'
2012/11/01 10:58:23 ossec-testrule: INFO: Reading the lists file:
'lists/userlist.txt'
2012/11/01 10:58:23 ossec-testrule: INFO: Reading the lists file:
'lists/auser.txt'
2012/11/01 10:58:23 ossec-testrule: INFO: Started (pid: 24943).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Oct 30 08:15:44 sftp
microsoft-windows-security-auditing[success] 4663 An attempt was made
to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses:
DELETE#177#177Access Mask:0x10000'
hostname: 'sftp'
program_name: '(null)'
log: 'microsoft-windows-security-auditing[success] 4663 An
attempt was made to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses:
DELETE#177#177Access Mask:0x10000'
**Phase 2: Completed decoding.
decoder: 'windows-ntsyslog'
extra_data: 'microsoft-windows-security-auditing'
status: 'success'
id: '4663'
**Phase 3: Completed filtering (rules).
Rule id: '18104'
Level: '0'
Description: 'Windows audit success event.'
Notice how Phase 2 changed? It is now being decoded a bit better, and
I have a patch to submit to ossec-dev. ;)
HTH
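A way to check the prematch/regex change above against the sample log without a running OSSEC install, as an added example that is not part of the thread: it translates the small subset of the OSSEC os_regex dialect used by this decoder into Python `re` (literal brackets, `\d`, and `\w` covering A-Z, a-z, 0-9, `_`, `-`, `@` as the os_regex documentation describes it, an assumption here) and applies prematch, regex and order the way the decoder does.

```python
import re

# Escapes used by the windows-ntsyslog decoder, mapped to Python classes.
# Assumption (per OSSEC os_regex docs): \w also matches '-', '@' and '_',
# which is why (\w+) can capture "microsoft-windows-security-auditing".
OSSEC_ESCAPES = {r"\w": r"[A-Za-z0-9_\-@]", r"\d": r"[0-9]", r"\s": r" ", r"\.": r"."}

def ossec_to_python(pattern):
    """Translate an OSSEC prematch/regex string to a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            out.append(OSSEC_ESCAPES.get(tok, re.escape(tok[1])))
            i += 2
        elif ch in "[].":            # literal in OSSEC, special in Python
            out.append("\\" + ch)
            i += 1
        else:                        # ^ $ | ( ) + * mean the same in both
            out.append(ch)
            i += 1
    return "".join(out)

def decode(decoder, log):
    """Mimic OSSEC: prematch must hit, then regex groups fill <order>."""
    if not re.search(ossec_to_python(decoder["prematch"]), log):
        return None                  # "No decoder matched."
    fields = {"decoder": decoder["name"]}
    m = re.search(ossec_to_python(decoder["regex"]), log)
    if m:
        fields.update(zip(decoder["order"], m.groups()))
    return fields

# The patched decoder from the thread, and the original prematch for contrast.
DECODER = {
    "name": "windows-ntsyslog",
    "prematch": r"^security[\w+] \d+ |^microsoft-windows-security-auditing[\w+] \d+ ",
    "regex": r"^(\w+)[(\w+)] (\d+) ",
    "order": ["extra_data", "status", "id"],
}
ORIGINAL_DECODER = dict(DECODER, prematch=r"^security[\w+] \d+ ")

# Constructed from the log in the thread: the part after the syslog header,
# i.e. what ossec-logtest reports as 'log:' (truncated after the first field).
SAMPLE_LOG = ("microsoft-windows-security-auditing[success] 4663 An attempt "
              "was made to access an object.#177#177Subject:#177Security ID:")

if __name__ == "__main__":
    print(decode(ORIGINAL_DECODER, SAMPLE_LOG))   # None
    print(decode(DECODER, SAMPLE_LOG))            # extra_data/status/id
```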