I need some help modifying my Windows Audit parser to get the IP
address/hostname. The current one looks like this:
<decoder name="windows-snare">
<type>windows</type>
<prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
<regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
<regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
<order>id, extra_data, user, status, system_name</order>
<fts>name, id, location, user, system_name</fts>
</decoder>
My modified one looks like this:
<decoder name="windows-snare">
<type>windows</type>
<prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
<regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+</regex>
<regex>\t(\.+)\\(\S+)\t</regex>
<order>id, srcip, user</order>
<fts>name, id, location, user, system_name</fts>
</decoder>
The log I'm trying to match is:
Oct 3 12:50:01 WIN-SERVER1 MSWinEventLog 1 Security 474 Thu Oct 03 12:50:00
2013 4624 Microsoft-Windows-Security-Auditing WIN-SERVER1\Administrator N/A
Success
Audit WIN-SERVER1 Logon An account was successfully logged on. Subject:
Security ID: S-1-5-18 Account Name: WIN-SERVER1$ Account Domain: WORKGROUP
Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID:
S-1-5-21-2885816794-3785768203-2620152398-500 Account Name: Administrator
Account Domain: WIN-SERVER1 Logon ID: 0xd8f9af1 Logon GUID:
{00000000-0000-0000-0000-000000000000} Process Information: Process ID:
0x2c70 Process Name: C:\Windows\System32\winlogon.exe Network Information:
Workstation Name: WIN-SERVER1 Source Network Address: 10.1.1.1 Source Port:
34916 Detailed Authentication Information: Logon Process: User32
Authentication Package: Negotiate Transited Services: - Package Name (NTLM
only): - Key Length: 0 This event is generated when a logon session is
created. It is generated on the computer that was accessed. The subject
fields indicate the account on the local system which requested the logon.
This is most commonly a service such as the Server service, or a local
When using a general regex tester, everything works fine, other than for
some reason OSSEC does (\.+) instead of a (.+) and I'm unsure why the ^ is
at the beginning of the after_prematch string. I just mimicked those
settings from the one that works. When I use my new parser, no alerts ever
hit my OSSEC wui, therefore it looks like it's not parsing them correctly
at all.
On Wednesday, October 2, 2013 9:32:44 AM UTC-4, dan (ddpbsd) wrote:
>
> On Wed, Oct 2, 2013 at 9:29 AM, Eric <[email protected]> wrote:
> > Dan,
> >
> > Are you referring to the "etc/decoder.xml" file? I started looking in there
> > yesterday but didn't get very far due to other issues coming up. I just
> > assumed that the source IP would be a common field that was parsed for
> > general Snare logs.
> >
>
> It would be in decoder.xml I guess probably. It's really tough to
> figure out since I don't have any log samples to work with. Good luck!
>
> > Thanks,
> > Eric
> >
> > On Tuesday, October 1, 2013 3:00:36 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Tue, Oct 1, 2013 at 2:58 PM, Eric <[email protected]> wrote:
> >> > Hello,
> >> >
> >> > I am using OSSEC in a server config with no actual agents. I am having
> >> > Snare logs from my Windows servers sent to /var/log/remotesys.log and
> >> > having OSSEC monitor that file to trip alerts. This works for the most
> >> > part but I'm having a few issues. The main issue is on rules such as
> >> > 40112 - Multiple authentication failures followed by a success. This
> >> > works fine when I test it with local SSH on the box as the "Src IP" is
> >> > parsed out and shown correctly when I'm reviewing the logs in OSSEC-wui.
> >> > But on the Windows box, it isn't showing a Src IP section. I see Level,
> >> > Rule ID, Location (server1's DNS name -> /var/log/remotesys.log), and
> >> > user (192.168.10.10\administrator). I would think it could trip the
> >> > "from same IP" correlation that rule 40112 needs from the location or
> >> > first part of the user field, but it isn't working. Once I remove the
> >> > from same IP part of the rule I can get it to trip on Windows events
> >> > too. But I have to have that part since I will have hundreds of Windows
> >> > servers sending logs to the same location.
> >> >
> >> > Thanks for the help.
> >> > Eric
> >> >
> >>
> >> Make sure a usable IP address is decoded.
> >>
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it,
> send
> >> > an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
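In the sample event the source address sits in the event body ("Source Network Address: 10.1.1.1"), not in the tab-separated user field, so `\t(\.+)\\(\S+)\t` with order `id, srcip, user` would store the computer name `WIN-SERVER1` as srcip. Below is an added example (not from this thread or the OSSEC project) of a child decoder that leaves the stock windows-snare decoder unchanged and only adds srcip; the decoder name is an assumed one.

```xml
<!-- Added example. Goes in decoder.xml after the existing windows-snare decoder,
     which keeps decoding id/user/system_name; this child only adds srcip.
     The name "windows-snare-srcip" is an assumption, any unique name works. -->
<decoder name="windows-snare-srcip">
  <parent>windows-snare</parent>
  <!-- The 4624 body reads "Source Network Address: 10.1.1.1 Source Port: 34916".
       In OSSEC regex "." is a literal dot and "\." is any character, so this
       capture only accepts a dotted IPv4 address; a "-" (console/local logon)
       is left undecoded instead of being stored as a bogus srcip, which keeps
       the "same source ip" correlation in rule 40112 honest. -->
  <regex>Source Network Address: (\d+.\d+.\d+.\d+) Source Port</regex>
  <order>srcip</order>
</decoder>
```

Check it with `ossec-logtest` by pasting the raw Snare line: the output should show `srcip: '10.1.1.1'` alongside the fields the parent decoder already produces.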