Hi dan

Thank you!!

Now it works.

But I have another problem.

I wrote two decoders: one for 2003/2k and the other for 2008.

They do not work when both are in local_decoder.xml at the same time.

Here are my decoders:

<decoder name="windows-03">
        <type>windows</type>
        <parent>windows</parent>
        <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
        <regex>\.+: \.+: (\S+): </regex>
        <order>status, id, extra_data, system_name</order>
        <fts>name, location, system_name</fts>
</decoder>

<decoder name="windows-03">
        <type>windows</type>
        <parent>windows</parent>
        <regex offset="after_regex">Caller User Name: (\S+)</regex>
        <order>user</order>
</decoder>


<decoder name="windows-08">
        <type>windows</type>
        <parent>windows</parent>
        <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
        <regex>\.+: \.+: (\S+): </regex>
        <order>status, id, extra_data, system_name</order>
        <fts>name, location, system_name</fts>
</decoder>


<decoder name="windows-08">
        <type>windows</type>
        <parent>windows</parent>
        <regex>Account Name:\s\t\t\s(\S+)</regex>
        <order>user</order>
</decoder>


And another problem is that sometimes logs arrive in a different format. EXAMPLE:

WinEvtLog: Security: AUDIT_SUCCESS(4733): 
Microsoft-Windows-Security-Auditing: (no user): no domain: XXXXXX: A member 
was removed from a security-enabled local group. Subject:  Security ID:  
XXXXXXXXXXXXXXXXX * **Account Name: USER*  Account Domain:  XXXXXX  Logon 
ID:  XXXXXX  Member:  Security ID:  XXXXXXXXXX  Account Name:  -  Group:  
Security 
ID:  XXXXXXXXXXXX Group Name:  Administrators  Group Domain:  Builtin  
Additional 
Information:  Privileges:  -

 

WinEvtLog: Security: AUDIT_SUCCESS(4725): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
xxxxxxxxxxxxxxxxxx: A user account was disabled.    Subject:           Security 
ID:         XXXXXXXXXXXXXXXXXXXXXXXX               *Account Name:           
USER*             Account Domain:         XXXXXXXXXXXXX         Logon ID:       
  
XXXXXXXXXXXXXX    Target Account:            Security ID:            
XXXXXXXXXXXXXXXXXX          Account Name:           LNKI766$          Account 
Domain:              XXXXXXXXXXXXXX

 

This last log shows the "Account Name" field with spaces and tabs, and the 
first log does not!
What can I do to match both of them?


Regards,


On Wednesday, October 2, 2013 at 10:02:47 UTC-3, dan (ddpbsd) wrote:
>
> <decoder name="win2k3beta-1"> 
>   <parent>windows</parent> 
>   <prematch>Security: </prematch> 
>   <regex offset="after_prematch">^(\S+)\p(\d+)\p: (\S+): \S+: \S+: (\S+): </regex> 
>   <order>status, id, extra_data, system_name</order> 
> </decoder> 
>
> <decoder name="win2k3beta-1"> 
>   <parent>windows</parent> 
>   <regex>Caller User Name: (\S+) </regex> 
>   <order>user</order> 
> </decoder> 
>
>
>
> On Tue, Oct 1, 2013 at 8:36 PM, Leonel Algaré 
> <[email protected]> 
> wrote: 
> > Hi guys, 
> > 
> > Here is my Custom decoder. 
> > 
> > 
> ***************************************************************************** 
>
> > 
> > <decoder name="win2003beta-1"> 
> >   <parent>windows</parent> 
> >   <prematch offset="after_parent">Security: (\w+)\((\d+)\): </prematch> 
> >   <regex>Security: </regex> 
> >   <regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex> 
> >   <regex>Caller User Name:\s+(\w+)</regex> 
> >   <order>status, id, system_name, extra_data, user</order> 
> > </decoder> 
> > 
> > 
> **********************************************************************************
>  
>
> > 
> > I need to catch the username in "Caller User Name" field 
> > 
> > 
> > When I put this in logtest, the decoder doesn't match anything! 
> > 
> > 
> > Is the decoder correct? 
> > 
> > This is the log: 
> > 
> > WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: 
> XXXXXXXXX: 
> > User Account Changed:                 Target Account Name: XXXXX     
>  Target 
> > Domain: XXXXXXXXXX           Target Account ID: 
> > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX             Caller User Name: 
> USER 
> > Caller Domain: XXXXXXXXXXX           Caller Logon ID: XXXXXXXXXXXXXXXX 
> > Privileges: -    Changed Attributes:                 Sam Account Name: - 
> > Display Name: -              User Principal Name: -             Home 
> > Directory: -            Home Drive: -                Script Path: - 
> > Profile Path: -              User Workstations: -               Password 
> > Last Set: 10/1/2013 4:01:12 PM                Account Expires: - 
> > Primary Group ID: -                AllowedToDelegateTo: -             
>  Old 
> > UAC Value: -             New UAC Value: -                 User Account 
> > Control: -            User Parameters: -           Sid History: - 
> > Logon Hours: - 
> > 
> > 
> > Please help, and apologies for my bad English. 
> > 
> > 
> > Regards 
> > 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
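The two message layouts quoted in this thread, the 2000/2003 text with "Caller User Name" and the 2008 text with "Account Name" separated by varying runs of spaces and tabs, parsed in Python with whitespace-insensitive patterns that keep the Subject's "Account Name" (who acted) apart from the later target account. This is an added example written for this page, not code from the thread or from OSSEC; the host names, SIDs and account names in its sample records are constructed.

```python
import re

# Header the OSSEC Windows agent puts in front of every event, identical for
# 2000/2003 and 2008 logs; groups mirror the decoder order used in the thread.
HEADER = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>\S+): (?P<message>.*)$",
    re.DOTALL,
)
# 2008+ text: "Account Name:" appears once per section (Subject first, then Target
# Account / Member) after any mix of spaces and tabs; the lookbehind skips
# "Sam Account Name:" and "Target Account Name:".
ACCOUNT_NAME = re.compile(r"(?<!\w )Account Name:\s+(\S+)")
# 2000/2003 text names the actor and the object explicitly.
CALLER = re.compile(r"Caller User Name:\s+(\S+)")
TARGET_2003 = re.compile(r"Target Account Name:\s+(\S+)")


def decode_winevt(line: str) -> dict:
    """Header fields plus 'actor' (who acted) and 'target' (who was acted on);
    {} for lines that are not WinEvtLog records."""
    m = HEADER.match(line)
    if not m:
        return {}
    rec = m.groupdict()
    msg = rec.pop("message")
    rec["id"] = int(rec["id"])
    caller = CALLER.search(msg)
    if caller:                                  # 2000/2003 layout
        rec["actor"] = caller.group(1)
        target = TARGET_2003.search(msg)
        rec["target"] = target.group(1) if target else None
    else:                                       # 2008+ layout
        names = ACCOUNT_NAME.findall(msg)
        rec["actor"] = names[0] if names else None
        rec["target"] = names[1] if len(names) > 1 else None
    return rec


# Constructed sample records (hosts, SIDs and account names are made up).
SAMPLE_2008 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: SRV01: A user account was disabled.\tSubject:\t\tSecurity ID:"
    "\t\tS-1-5-21-1-2-3-1001\t\tAccount Name:\t\tadmin01\t\tAccount Domain:\t\tCORP\t\t"
    "Logon ID:\t\t0x3e7\tTarget Account:\t\tSecurity ID:\t\tS-1-5-21-1-2-3-1105\t\t"
    "Account Name:\t\tLNKI766$\t\tAccount Domain:\t\tCORP"
)
SAMPLE_2003 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(642): Security: SYSTEM: NT AUTHORITY: SRV02: "
    "User Account Changed:   Target Account Name: jdoe   Target Domain: CORP   "
    "Caller User Name: admin01   Caller Domain: CORP   Sam Account Name: -"
)
```

Python's `\s` already covers tabs, whereas the OSSEC regex syntax documents `\s` as a space and `\t` as a tab, which is why the posted decoder spells the separators out one by one.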
