On Wed, Jun 19, 2013 at 1:10 PM, George <[email protected]> wrote:
> Noob alert!!
>
> I need to make a match with the underlined string within the following log
> entry (this is an MSSQL Audit event which captures a SELECT command upon a
> specific table within a given database):
>
> 2013 Jun 18 10:34:39 (Win2008-Eval) 10.0.0.9->WinEvtLog WinEvtLog:
> Application: AUDIT_SUCCESS(33205): MSSQLSERVER: (no user): no domain:
> WIN-C9JIP9A4KU1:
> Audit event: event_time:2013-06-18 09:38:02.1701266 sequence_number:1
> action_id:SL succeeded:true is_column_permission:true session_id:58
> server_principal_id:266
> database_principal_id:6 target_server_principal_id:0
> target_database_principal_id:0 object_id:869578136 user_defined_event_id:0
> class_type:U
> permission_bitmask:00000000000000000000000000000001
> session_server_principal_name:cr3vm2
> server_principal_name:cr3vm2
> server_principal_sid:64f982f76fd3cc4aa0b3dc58684bab6e
> database_principal_name:cr3vm2 target_server_principal_name:
> target_server_principal_sid: target_database_principal_name:
> server_instance_name:WIN-C9JIP9A4KU1
> database_name:AdventureWorks2012 schema_name:Sales object_name:CreditCard
> statement:select top 50 * from Sales.CreditCard
> additional_information: user_defined_information:
>
> In order to make a match with that string, do I need to write a decoder that
> contains a prematch tag with a regular expression for all the 4 lines that
> precede that string?
>
You don't have to do anything that complicated, just write a rule to match it.
Here's a rule that worked for me:
<rule id="500007" level="10">
<if_sid>18104</if_sid>
<match>session_server_principal_name:cr3vm2 </match>
<description>XXX</description>
</rule>
Output of ossec-logtest after putting this rule in place:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Application: AUDIT_SUCCESS(33205):
MSSQLSERVER: (no user): no domain: WIN-C9JIP9A4KU1: Audit event:
event_time:2013-06-18 09:38:02.1701266 sequence_number:1 action_id:SL
succeeded:true is_column_permission:true session_id:58
server_principal_id:266 database_principal_id:6
target_server_principal_id:0 target_database_principal_id:0
object_id:869578136 user_defined_event_id:0 class_type:U
permission_bitmask:00000000000000000000000000000001
session_server_principal_name:cr3vm2 server_principal_name:cr3vm2
server_principal_sid:64f982f76fd3cc4aa0b3dc58684bab6e
database_principal_name:cr3vm2 target_server_principal_name:
target_server_principal_sid: target_database_principal_name:
server_instance_name:WIN-C9JIP9A4KU1 database_name:AdventureWorks2012
schema_name:Sales object_name:CreditCard statement:select top 50 *
from Sales.CreditCard additional_information:
user_defined_information:'
hostname: 'arrakis'
program_name: '(null)'
log: 'WinEvtLog: Application: AUDIT_SUCCESS(33205):
MSSQLSERVER: (no user): no domain: WIN-C9JIP9A4KU1: Audit event:
event_time:2013-06-18 09:38:02.1701266 sequence_number:1 action_id:SL
succeeded:true is_column_permission:true session_id:58
server_principal_id:266 database_principal_id:6
target_server_principal_id:0 target_database_principal_id:0
object_id:869578136 user_defined_event_id:0 class_type:U
permission_bitmask:00000000000000000000000000000001
session_server_principal_name:cr3vm2 server_principal_name:cr3vm2
server_principal_sid:64f982f76fd3cc4aa0b3dc58684bab6e
database_principal_name:cr3vm2 target_server_principal_name:
target_server_principal_sid: target_database_principal_name:
server_instance_name:WIN-C9JIP9A4KU1 database_name:AdventureWorks2012
schema_name:Sales object_name:CreditCard statement:select top 50 *
from Sales.CreditCard additional_information:
user_defined_information:'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '33205'
extra_data: 'MSSQLSERVER'
dstuser: '(no user)'
system_name: 'WIN-C9JIP9A4KU1'
**Phase 3: Completed filtering (rules).
Rule id: '500007'
Level: '10'
Description: 'XXX'
**Alert to be generated.
Before that rule was in place ossec-logtest looked like this:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Application: AUDIT_SUCCESS(33205):
MSSQLSERVER: (no user): no domain: WIN-C9JIP9A4KU1: Audit event:
event_time:2013-06-18 09:38:02.1701266 sequence_number:1 action_id:SL
succeeded:true is_column_permission:true session_id:58
server_principal_id:266 database_principal_id:6
target_server_principal_id:0 target_database_principal_id:0
object_id:869578136 user_defined_event_id:0 class_type:U
permission_bitmask:00000000000000000000000000000001
session_server_principal_name:cr3vm2 server_principal_name:cr3vm2
server_principal_sid:64f982f76fd3cc4aa0b3dc58684bab6e
database_principal_name:cr3vm2 target_server_principal_name:
target_server_principal_sid: target_database_principal_name:
server_instance_name:WIN-C9JIP9A4KU1 database_name:AdventureWorks2012
schema_name:Sales object_name:CreditCard statement:select top 50 *
from Sales.CreditCard additional_information:
user_defined_information:'
hostname: 'arrakis'
program_name: '(null)'
log: 'WinEvtLog: Application: AUDIT_SUCCESS(33205):
MSSQLSERVER: (no user): no domain: WIN-C9JIP9A4KU1: Audit event:
event_time:2013-06-18 09:38:02.1701266 sequence_number:1 action_id:SL
succeeded:true is_column_permission:true session_id:58
server_principal_id:266 database_principal_id:6
target_server_principal_id:0 target_database_principal_id:0
object_id:869578136 user_defined_event_id:0 class_type:U
permission_bitmask:00000000000000000000000000000001
session_server_principal_name:cr3vm2 server_principal_name:cr3vm2
server_principal_sid:64f982f76fd3cc4aa0b3dc58684bab6e
database_principal_name:cr3vm2 target_server_principal_name:
target_server_principal_sid: target_database_principal_name:
server_instance_name:WIN-C9JIP9A4KU1 database_name:AdventureWorks2012
schema_name:Sales object_name:CreditCard statement:select top 50 *
from Sales.CreditCard additional_information:
user_defined_information:'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '33205'
extra_data: 'MSSQLSERVER'
dstuser: '(no user)'
system_name: 'WIN-C9JIP9A4KU1'
**Phase 3: Completed filtering (rules).
Rule id: '18104'
Level: '0'
Description: 'Windows audit success event.'
> Thanks,
> G.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
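As an added example (not code from the thread or from OSSEC): a Python parser for the "Audit event:" record quoted above, plus a field-based equivalent of the rule, so the alert can key on the table and action rather than on a substring with a trailing space. The key list and header layout are taken from the quoted event and the Phase 2 decoder output; the alert condition (a SELECT against the CreditCard table) is this example's choice.

```python
import re

# Constructed sample: the event quoted above, re-joined onto one line as ossec-logtest prints it.
SAMPLE = (
    "WinEvtLog: Application: AUDIT_SUCCESS(33205): MSSQLSERVER: (no user): no domain: WIN-C9JIP9A4KU1: "
    "Audit event: event_time:2013-06-18 09:38:02.1701266 sequence_number:1 action_id:SL succeeded:true "
    "is_column_permission:true session_id:58 server_principal_id:266 database_principal_id:6 "
    "target_server_principal_id:0 target_database_principal_id:0 object_id:869578136 "
    "user_defined_event_id:0 class_type:U permission_bitmask:00000000000000000000000000000001 "
    "session_server_principal_name:cr3vm2 server_principal_name:cr3vm2 "
    "server_principal_sid:64f982f76fd3cc4aa0b3dc58684bab6e database_principal_name:cr3vm2 "
    "target_server_principal_name: target_server_principal_sid: target_database_principal_name: "
    "server_instance_name:WIN-C9JIP9A4KU1 database_name:AdventureWorks2012 schema_name:Sales "
    "object_name:CreditCard statement:select top 50 * from Sales.CreditCard additional_information: "
    "user_defined_information:"
)
# Field names taken from the event above. Values may be empty (target_server_principal_name:)
# or contain spaces (event_time, statement), so a value runs to the next known key, not the next space.
AUDIT_KEYS = (
    "event_time sequence_number action_id succeeded is_column_permission session_id "
    "server_principal_id database_principal_id target_server_principal_id "
    "target_database_principal_id object_id user_defined_event_id class_type permission_bitmask "
    "session_server_principal_name server_principal_name server_principal_sid "
    "database_principal_name target_server_principal_name target_server_principal_sid "
    "target_database_principal_name server_instance_name database_name schema_name object_name "
    "statement additional_information user_defined_information"
).split()
_KEYS = "|".join(map(re.escape, AUDIT_KEYS))
FIELD_RE = re.compile(rf"(?:^|\s)({_KEYS}):(.*?)(?=\s(?:{_KEYS}):|$)")
# Header layout as the 'windows' decoder reported it in Phase 2 (status, id, extra_data, dstuser, system_name).
HEADER_RE = re.compile(r"WinEvtLog: \w+: ([A-Z_]+)\((\d+)\): ([^:]+): ([^:]+): [^:]+: ([^:]+): Audit event: (.*)")

def parse_mssql_audit(line):
    m = HEADER_RE.match(line)
    if m is None:
        return None
    ev = {"status": m[1], "id": m[2], "extra_data": m[3], "dstuser": m[4], "system_name": m[5]}
    ev["audit"] = {k: v.strip() for k, v in FIELD_RE.findall(m[6])}
    return ev

def evaluate(line):
    # Parent condition (audit success, as rule 18104), then a field-based child condition in
    # place of the substring <match>; returns (level, description) the way Phase 3 does.
    ev = parse_mssql_audit(line)
    if ev is None or ev["status"] != "AUDIT_SUCCESS":
        return None
    a = ev["audit"]
    if a.get("action_id") == "SL" and a.get("object_name") == "CreditCard":
        return (10, f"SELECT on {a.get('schema_name')}.CreditCard by {a.get('session_server_principal_name')}")
    return (0, "Windows audit success event.")
```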