> -----Original Message-----
> From: Nathaniel Bentzinger
> Sent: Tuesday, February 26, 2013 4:02 PM
> To: [email protected]
> Subject: RE: [ossec-list] OSSEC 2.6: Capturing Custom Powershell Event to
> generate an alert never generates the alert
> 
> 
> 
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of dan (ddp)
> > Sent: Tuesday, February 26, 2013 3:29 PM
> > To: [email protected]
> > Subject: Re: [ossec-list] OSSEC 2.6: Capturing Custom Powershell Event
> > to generate an alert never generates the alert
> >
> > On Tue, Feb 26, 2013 at 12:43 PM, Nathaniel Bentzinger
> > <nbentzinger@archer-group.com> wrote:
> > > I've written a powershell script to install windows updates and
> > > report back status to the Application Event log so OSSEC can scrape
> > > them up and generate alerts; however, I'm not getting the email generated.
> > >
> > > My rule:
> > >
> > > <group name="syslog,WindowsUpdateScript">
> > >   <rule id="100012" level="9">
> > >   <if_sid>1</if_sid>
> > >   <match>WindowsUpdateScript</match>
> > >   <description>Windows Update Script</description>
> > >   </rule>
> > > </group>
> > >
> > > LogAll is enabled on my ossec.conf & the email alert level is 8.
> > >
> > > The logging results in the archives.log:
> > >
> > > # tail -f archives/archives.log | grep WindowsUpdate
> > > 2013 Feb 26 12:35:31 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog:
> > > Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain:
> > > TESTWIN2008.archergroup.local: Starting Automated Windows Update
> > > Installation: 2/26/2013 12:35:29 PM
> > >
> > > Ossec-Logtest output:
> > >
> > > [root@secserv bin]# ./ossec-logtest -f
> > > 2013/02/26 12:35:21 ossec-testrule: INFO: Reading local decoder file.
> > > 2013/02/26 12:35:21 ossec-testrule: INFO: Started (pid: 24615).
> > > ossec-testrule: Type one log per line.
> > >
> > > Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain:
> > > TESTWIN2008.archergroup.local: Automated Windows Update Installation:
> > > Completed: 2/26/2013 12:28:44 PM Windows Update Results:  Security
> > > Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable
> > > Package (KB2565063)
> > >
> > > **Phase 1: Completed pre-decoding.
> > >       full event: ' Application: INFORMATION(105): WindowsUpdateScript: (no
> > > user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update
> > > Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:
> > > Security Update for Microsoft Visual C++ 2010 Service Pack 1
> > > Redistributable Package (KB2565063)'
> > >        hostname: 'secserv'
> > >        program_name: '(null)'
> > >        log: ' Application: INFORMATION(105): WindowsUpdateScript: (no
> > > user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update
> > > Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:
> > > Security Update for Microsoft Visual C++ 2010 Service Pack 1
> > > Redistributable Package (KB2565063)'
> > >
> > > **Phase 2: Completed decoding.
> > >        No decoder matched.
> > >
> > > **Rule debugging:
> > >     Trying rule: 1 - Generic template for all syslog rules.
> > >        *Rule 1 matched.
> > >        *Trying child rules.
> > >     Trying rule: 5500 - Grouping of the pam_unix rules.
> > >     Trying rule: 5700 - SSHD messages grouped.
> > >     Trying rule: 5600 - Grouping for the telnetd rules
> > >     Trying rule: 2100 - NFS rules grouped.
> > >     Trying rule: 2507 - OpenLDAP group.
> > >     Trying rule: 2550 - rshd messages grouped.
> > >     Trying rule: 2701 - Ignoring procmail messages.
> > >     Trying rule: 2800 - Pre-match rule for smartd.
> > >     Trying rule: 5100 - Pre-match rule for kernel messages
> > >     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
> > >     Trying rule: 2830 - Crontab rule group.
> > >     Trying rule: 5300 - Initial grouping for su messages.
> > >     Trying rule: 5400 - Initial group for sudo messages
> > >     Trying rule: 9100 - PPTPD messages grouped
> > >     Trying rule: 9200 - Squid syslog messages grouped
> > >     Trying rule: 2900 - Dpkg (Debian Package) log.
> > >     Trying rule: 2930 - Yum logs.
> > >     Trying rule: 2931 - Yum logs.
> > >     Trying rule: 7200 - Grouping of the arpwatch rules.
> > >     Trying rule: 7300 - Grouping of Symantec AV rules.
> > >     Trying rule: 7400 - Grouping of Symantec Web Security rules.
> > >     Trying rule: 4300 - Grouping of PIX rules
> > >     Trying rule: 12100 - Grouping of the named rules
> > >     Trying rule: 13100 - Grouping for the smbd rules.
> > >     Trying rule: 13106 - (null)
> > >     Trying rule: 11400 - Grouping for the vsftpd rules.
> > >     Trying rule: 11300 - Grouping for the pure-ftpd rules.
> > >     Trying rule: 11200 - Grouping for the proftpd rules.
> > >     Trying rule: 11500 - Grouping for the Microsoft ftp rules.
> > >     Trying rule: 11100 - Grouping for the ftpd rules.
> > >     Trying rule: 9300 - Grouping for the Horde imp rules.
> > >     Trying rule: 9400 - Roundcube messages groupe.d
> > >     Trying rule: 9500 - Wordpress messages grouped.
> > >     Trying rule: 9600 - cimserver messages grouped.
> > >     Trying rule: 9900 - Grouping for the vpopmail rules.
> > >     Trying rule: 9800 - Grouping for the vm-pop3d rules.
> > >     Trying rule: 3900 - Grouping for the courier rules.
> > >     Trying rule: 30100 - Apache messages grouped.
> > >     Trying rule: 31300 - Nginx messages grouped.
> > >     Trying rule: 31404 - PHP Warning message.
> > >     Trying rule: 31405 - PHP Fatal error.
> > >     Trying rule: 31406 - PHP Parse error.
> > >     Trying rule: 50100 - MySQL messages grouped.
> > >     Trying rule: 50500 - PostgreSQL messages grouped.
> > >     Trying rule: 4700 - Grouping of Cisco IOS rules.
> > >     Trying rule: 4500 - Grouping for the Netscreen Firewall rules
> > >     Trying rule: 4800 - SonicWall messages grouped.
> > >     Trying rule: 3300 - Grouping of the postfix reject rules.
> > >     Trying rule: 3320 - Grouping of the postfix rules.
> > >     Trying rule: 3390 - Grouping of the clamsmtpd rules.
> > >     Trying rule: 3100 - Grouping of the sendmail rules.
> > >     Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
> > >     Trying rule: 3600 - Grouping of the imapd rules.
> > >     Trying rule: 3700 - Grouping of mailscanner rules.
> > >     Trying rule: 9700 - Dovecot Messages Grouped.
> > >     Trying rule: 3800 - Grouping of Exchange rules.
> > >     Trying rule: 14100 - Grouping of racoon rules.
> > >     Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
> > >     Trying rule: 3500 - Grouping for the spamd rules
> > >     Trying rule: 7600 - Grouping of Trend OSCE rules.
> > >     Trying rule: 31200 - Grouping of Zeus rules.
> > >     Trying rule: 6100 - Solaris BSM Auditing messages grouped.
> > >     Trying rule: 19100 - VMWare messages grouped.
> > >     Trying rule: 19101 - VMWare ESX syslog messages grouped.
> > >     Trying rule: 6300 - Grouping for the MS-DHCP rules.
> > >     Trying rule: 6350 - Grouping for the MS-DHCP rules.
> > >     Trying rule: 6200 - Asterisk messages grouped.
> > >     Trying rule: 600 - Active Response Messages Grouped
> > >     Trying rule: 51500 - Grouping of bsd_kernel alerts
> > >     Trying rule: 51521 - Grouping for groupdel rules.
> > >     Trying rule: 51523 - No core dumps.
> > >     Trying rule: 52500 - Grouping of the clamd rules.
> > >     Trying rule: 52501 - ClamAV database update
> > >     Trying rule: 52000 - Grouping for all bro-ids events.
> > >     Trying rule: 51000 - Grouping for dropbear rules.
> > >     Trying rule: 40102 - Buffer overflow attack on rpc.statd
> > >     Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
> > >     Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
> > >     Trying rule: 1003 - Non standard syslog message (size too large).
> > >     Trying rule: 40104 - Possible buffer overflow attempt.
> > >     Trying rule: 40105 - "Null" user changed some information.
> > >     Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
> > >     Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).
> > >     Trying rule: 2301 - Excessive number connections to a service.
> > >     Trying rule: 2502 - User missed the password more than one time
> > >     Trying rule: 2504 - Illegal root login.
> > >     Trying rule: 100012 - Windows Update Script
> > >        *Rule 100012 matched.
> > >
> > > **Phase 3: Completed filtering (rules).
> > >        Rule id: '100012'
> > >        Level: '9'
> > >        Description: 'Windows Update Script'
> > > **Alert to be generated.
> > >
> >
> >
> > Perhaps the level is too low? Does the alert show up in alerts.log?
> What do you mean by "Perhaps the level is too low"? The level is 9 for this
> alert; it should have generated an alert since my ossec.conf is for 8 and up.
> I even made an explicit do not group, do not delay for Rule ID 100012 and it
> still never sent it.
> 
> Nothing is logged in the alerts/alerts.log file by registered Application
> name or agent name:
> 
> tail -f alerts/alerts.log | grep testwin
> tail -f alerts/alerts.log | grep WindowsUpdateScript
> 
> I've run wireshark and I see the agent pass some data off to the server but
> the server never generates the SMTP email. Am I correct to assume the
> archive.log is not the same format as the alerts.log?
> >
> > >
> > >
> > > --
> > >
> > > ---
> > > You received this message because you are subscribed to the Google
> > > Groups "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it,
> > > send an email to [email protected].
> > > For more options, visit https://groups.google.com/groups/opt_out.
> > >
> > >

I see what's up. 

By dumb luck I copied the event from the archive.log like this:

WinEvtLog: Application: INFORMATION(104): WindowsUpdateScript: (no user): no 
domain: TESTWIN2008.archergroup.local: Starting Automated Windows Update 
Installation: 2/26/2013 3:59:31 PM

(note the WinEvtLog: at the beginning) and ran it through the ossec-logtest -f:

[root@secserv ossec]# ./bin/./ossec-logtest -f
2013/02/26 16:07:28 ossec-testrule: INFO: Reading local decoder file.
2013/02/26 16:07:28 ossec-testrule: INFO: Started (pid: 28348).
ossec-testrule: Type one log per line.

WinEvtLog: Application: INFORMATION(104): WindowsUpdateScript: (no user): no 
domain: TESTWIN2008.archergroup.local: Starting Automated Windows Update 
Installation: 2/26/2013 3:59:31 PM


**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Application: INFORMATION(104): 
WindowsUpdateScript: (no user): no domain: TESTWIN2008.archergroup.local: 
Starting Automated Windows Update Installation: 2/26/2013 3:59:31 PM'
       hostname: 'secserv'
       program_name: '(null)'
       log: 'WinEvtLog: Application: INFORMATION(104): WindowsUpdateScript: (no 
user): no domain: TESTWIN2008.archergroup.local: Starting Automated Windows 
Update Installation: 2/26/2013 3:59:31 PM'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'INFORMATION'
       id: '104'
       extra_data: 'WindowsUpdateScript'
       dstuser: '(no user)'
       system_name: 'TESTWIN2008.archergroup.local'

**Rule debugging:
    Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
    Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
    Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
    Trying rule: 18101 - Windows informational event.
       *Rule 18101 matched.
       *Trying child rules.
    Trying rule: 7500 - Grouping of McAfee Windows AV rules.
    Trying rule: 100010 - Windows Update Script events.
    Trying rule: 18146 - Application Uninstalled.
    Trying rule: 18147 - Application Installed.
    Trying rule: 18126 - Remote access login success.
    Trying rule: 18145 - Service startup type was changed.

**Phase 3: Completed filtering (rules).
       Rule id: '18101'
       Level: '0'
       Description: 'Windows informational event.'

Now I'm getting somewhere. I should never have been capturing it under Rule #1 
but rather working with rule 18101.

I read a post by you (dan) regarding how to pull the events from the 
archive.log, and I read your comment wrong. I thought I had to take this post:
2013 Feb 26 15:59:32 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog: 
Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain: 
TESTWIN2008.archergroup.local: Starting Automated Windows Update Installation: 
2/26/2013 3:59:31 PM
and truncate it to the end of the last "WinEvtLog:" phrase, but actually it must 
start from the end of the AGENTIP->WinEvtLog. As you can see, dumping from 
the last WinEvtLog works fine.

My correct rule would be something like:

<group name="syslog,WindowsUpdateScript">
 <rule id="100012" level="9">
  <if_sid>18101</if_sid>
  <match>WindowsUpdateScript</match>
  <description>Windows Update Script</description>
 </rule>
</group>

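An added example, not from this thread or from the OSSEC project: a small Python helper that trims an archives.log line the way dan's advice describes (drop everything up to AGENTIP->WinEvtLog and keep the "WinEvtLog: ..." part), splits that line into the fields the 'windows' decoder reports in the logtest output above, and shows why the over-trimmed form from the first post falls through to syslog rule 1. The two regexes and the rule chain model are my approximations of the archive layout, the decoder's field split and rules 18101/100012, not OSSEC's own code.

```python
import re

# archives.log line as ossec-analysisd writes it; layout assumed from the sample
# in this thread: "<timestamp> (<agent>) <agent-ip>-><location> <log>"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+?)->(?P<location>\S+) (?P<log>.*)$"
)

# Field order of the shipped Windows event-log line; an approximation of the
# split the 'windows' decoder reports (status, id, extra_data, dstuser, system_name).
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)

# Constructed sample, copied from the archive line quoted in the thread.
ARCHIVE_LINE = (
    "2013 Feb 26 15:59:32 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog: "
    "Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain: "
    "TESTWIN2008.archergroup.local: Starting Automated Windows Update "
    "Installation: 2/26/2013 3:59:31 PM"
)


def logtest_input(archive_line):
    """Return only the <log> part: the text to paste into ossec-logtest."""
    m = ARCHIVE_RE.match(archive_line)
    if m is None:
        raise ValueError("not an archives.log line: %r" % archive_line)
    return m.group("log")


def decode_winevt(log):
    """Split a WinEvtLog line into decoder fields; None mimics 'No decoder matched'."""
    m = WINEVT_RE.match(log)
    return m.groupdict() if m else None


def rule_100012_fires(log):
    """Rough model of the chain in the thread: 'windows' decoder -> rule 18101
    (informational event) -> custom rule 100012 with <match>WindowsUpdateScript."""
    fields = decode_winevt(log)
    if fields is None:                 # no decoder: the line lands under syslog rule 1
        return False
    if fields["status"] != "INFORMATION":  # rule 18101 only covers INFORMATION events
        return False
    return "WindowsUpdateScript" in log
```

Feeding `logtest_input(ARCHIVE_LINE)` to the model fires the rule, while the same text with the leading "WinEvtLog: " stripped (the form pasted in the first post) does not decode at all.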