I have created a decoder which extracts the username and the accessed file from a 
Windows file server. After that, a rule creates an alarm if a specific user accesses 
the file.
When I test it everything looks OK, but in the live environment OSSEC does not 
create any alert in /var/ossec/logs/alerts/alerts.log.
I can't figure out what can be wrong. 
alienvault:/var/ossec/logs/archives# /var/ossec/bin/ossec-logtest
2013/10/02 17:18:36 ossec-testrule: INFO: Reading local decoder file.
2013/10/02 17:18:36 ossec-testrule: INFO: Started (pid: 10349).
ossec-testrule: Type one log per line.

2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security: 
AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no 
domain: domain.local.ff: An attempt was made to access an object. Subject: 
 Security ID:  S-1-5-21-79331101-1830893244-26564730-29171  Account Name: 
 specusername  Account Domain:  mydomain  Logon ID:  0x8251cea32  Object: 
 Object Server: Security  Object Type: File  Object Name: d:\test\file.txt 
 Handle ID: 0x4358  Process Information:  Process ID: 0x4  Process Name:   
Access Request Information:  Accesses: %%4416                             
 Access Mask: 0x1


**Phase 1: Completed pre-decoding.
       full event: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog 
WinEvtLog: Security: AUDIT_SUCCESS(4663): 
Microsoft-Windows-Security-Auditing: (no user): no domain: domain.local.ff: 
An attempt was made to access an object. Subject:  Security ID: 
 S-1-5-21-79331101-1830893244-26564730-29171  Account Name:  specusername 
 Account Domain:  mydomain  Logon ID:  0x8251cea32  Object:  Object Server: 
Security  Object Type: File  Object Name: d:\test\file.txt  Handle ID: 
0x4358  Process Information:  Process ID: 0x4  Process Name:   Access 
Request Information:  Accesses: %%4416                              Access 
Mask: 0x1'
       hostname: 'alienvault'
       program_name: '(null)'
       log: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog 
WinEvtLog: Security: AUDIT_SUCCESS(4663): 
Microsoft-Windows-Security-Auditing: (no user): no domain: domain.local.ff: 
An attempt was made to access an object. Subject:  Security ID: 
 S-1-5-21-79331101-1830893244-26564730-29171  Account Name:  specusername 
 Account Domain:  mydomain  Logon ID:  0x8251cea32  Object:  Object Server: 
Security  Object Type: File  Object Name: d:\test\file.txt  Handle ID: 
0x4358  Process Information:  Process ID: 0x4  Process Name:   Access 
Request Information:  Accesses: %%4416                              Access 
Mask: 0x1'

**Phase 2: Completed decoding.
       decoder: 'valdes-mape'
       srcuser: 'specusername'
       extra_data: 'd:\test\file.txt  '

**Phase 3: Completed filtering (rules).
       Rule id: '700006'
       Level: '7'
       Description: 'Alert'
**Alert to be generated.
decoder:
<decoder name="valdes-mape">
<prematch>test</prematch>
</decoder>
<decoder name="valdes-mape-alert">
<parent>valdes-mape</parent>
<prematch>Name:</prematch>
<regex offset="after_prematch">(\w+) \.+ Name: (\.+)Handle ID:</regex>
<order>srcuser,extra_data</order>
</decoder>

and the rule:

<group name="valdes-mape">
<rule id="700005" level="0">
<decoded_as>valdes-mape</decoded_as>
<description>Custom Alert</description>
</rule>
<rule id="700006" level="12">
<if_sid>700005</if_sid>
<match>specusername</match>
<description>Alert</description>
<!-- <options>alert_by_email</options> -->
</rule>
</group>
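As an added example (not part of the original post and not OSSEC's own code), the following Python script emulates how the decoder pair and rule 700006 above process the 4663 event from the post, so the decoded fields and the rule decision can be checked offline. It assumes an approximate mapping of the OSSEC regex classes (\w, \d, \s, \.) onto Python re and treats <match> as a plain substring test on the raw log line; both are assumptions, since OSSEC's matcher is not PCRE.

```python
import re

# Constructed sample: the 4663 event from the post, collapsed onto one line.
SAMPLE_LOG = (
    "2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security: "
    "AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "domain.local.ff: An attempt was made to access an object. Subject:  Security ID: "
    " S-1-5-21-79331101-1830893244-26564730-29171  Account Name:  specusername "
    " Account Domain:  mydomain  Logon ID:  0x8251cea32  Object:  Object Server: "
    "Security  Object Type: File  Object Name: d:\\test\\file.txt  Handle ID: "
    "0x4358  Process Information:  Process ID: 0x4  Process Name:   Access "
    "Request Information:  Accesses: %%4416  Access Mask: 0x1"
)

# Assumed mapping of OSSEC regex classes onto Python re (an approximation: OSSEC's
# matcher is not PCRE). Anything else in the pattern is treated as a literal.
OSSEC_CLASSES = {r"\w": "[A-Za-z0-9_@-]", r"\d": "[0-9]", r"\s": " ", r"\.": "."}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in OSSEC_CLASSES:
            out.append(OSSEC_CLASSES[pattern[i:i + 2]])
            i += 2
        elif pattern[i] in "()+*":
            out.append(pattern[i])
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def decode(log, prematch, regex, order):
    """Child decoder: <prematch> is searched anywhere; <regex> runs after it (offset=after_prematch)."""
    pm = re.search(ossec_to_python(prematch), log)
    if pm is None:
        return None
    m = re.search(ossec_to_python(regex), log[pm.end():])
    return None if m is None else dict(zip(order, m.groups()))

def process(log):
    """Parent decoder valdes-mape (prematch 'test'), child decoder, then rule 700006."""
    if re.search("test", log) is None:
        return {"decoded": False, "fields": None, "alert": False}
    fields = decode(log, "Name:", r"(\w+) \.+ Name: (\.+)Handle ID:",
                    ["srcuser", "extra_data"])
    # Rule 700006's <match> is a plain substring test on the whole log line,
    # not on the decoded srcuser field.
    alert = fields is not None and "specusername" in log
    return {"decoded": fields is not None, "fields": fields, "alert": alert}
```

Running process(SAMPLE_LOG) reproduces the ossec-logtest result (srcuser 'specusername', extra_data 'd:\test\file.txt  ' with the two trailing spaces captured by (\.+)), and swapping the account name shows that the decoder still fires while the rule does not.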

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.