Sorry, I meant to include my full decoder file too:

<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_regex">Source Network Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_regex">Source IP Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_regex">Client Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_regex">Workstation Name: (\S+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_regex">Client IP Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

From: [email protected] [mailto:[email protected]] On Behalf Of Eric
Sent: Thursday, October 03, 2013 3:37 PM
To: [email protected]
Subject: Re: [ossec-list] Windows Source IP Parsing

I need some help modifying my Windows Audit parser to get the IP address/hostname.
The current one looks like this:

<decoder name="windows-snare">
  <type>windows</type>
  <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
  <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
  <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
  <order>id, extra_data, user, status, system_name</order>
  <fts>name, id, location, user, system_name</fts>
</decoder>

My modified one looks like this:

<decoder name="windows-snare">
  <type>windows</type>
  <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
  <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+</regex>
  <regex>\t(\.+)\\(\S+)\t</regex>
  <order>id, srcip, user</order>
  <fts>name, id, location, user, system_name</fts>
</decoder>

The log I'm trying to match is:

Oct 3 12:50:01 WIN-SERVER1 MSWinEventLog 1 Security 474 Thu Oct 03 12:50:00 2013 4624 Microsoft-Windows-Security-Auditing WIN-SERVER1\Administrator N/A Success Audit WIN-SERVER1 Logon An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-SERVER1$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: S-1-5-21-2885816794-3785768203-2620152398-500 Account Name: Administrator Account Domain: WIN-SERVER1 Logon ID: 0xd8f9af1 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c70 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: WIN-SERVER1 Source Network Address: 10.1.1.1 Source Port: 34916 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon.
This is most commonly a service such as the Server service, or a local

When using a general regex tester, everything works fine, other than for some reason OSSEC does (\.+) instead of a (.+) and I'm unsure why the ^ is at the beginning of the after_prematch string. I just mimicked those settings from the one that works. When I use my new parser, no alerts ever hit my OSSEC wui, therefore it looks like it's not parsing them correctly at all.

On Wednesday, October 2, 2013 9:32:44 AM UTC-4, dan (ddpbsd) wrote:

On Wed, Oct 2, 2013 at 9:29 AM, Eric <[email protected]> wrote:
> Dan,
>
> Are you referring to the "etc/decoder.xml" file? I started looking in there
> yesterday but didn't get very far due to other issues coming up. I just
> assumed that the source IP would be a common field that was parsed for
> general Snare logs.
>

It would be in decoder.xml I guess probably. It's really tough to figure out
since I don't have any log samples to work with. Good luck!

> Thanks,
> Eric
>
> On Tuesday, October 1, 2013 3:00:36 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Oct 1, 2013 at 2:58 PM, Eric <[email protected]> wrote:
>> > Hello,
>> >
>> > I am using OSSEC in a server config with no actual agents. I am having Snare
>> > logs from my Windows servers sent to /var/log/remotesys.log and having OSSEC
>> > monitor that file to trip alerts. This works for the most part but I'm
>> > having a few issues. The main issue is on rules such as 40112 - Multiple
>> > authentication failures followed by a success. This works fine when I test
>> > it with local SSH on the box as the "Src IP" is parsed out and shown
>> > correctly when I'm reviewing the logs in OSSEC-wui. But on the Windows box,
>> > it isn't showing a Src IP section. I see Level, Rule ID, Location (server1's
>> > DNS name -> /var/log/remotesys.log), and user (192.168.10.10\administrator).
>> > I would think it could trip the "from same IP" correlation that rule 40112
>> > needs from the location or first part of the user field, but it isn't
>> > working. Once I remove the from same IP part of the rule I can get it to
>> > trip on Windows events too. But I have to have that part since I will have
>> > hundreds of Windows servers sending logs to the same location.
>> >
>> > Thanks for the help.
>> > Eric
>> >
>>
>> Make sure a usable IP address is decoded.
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
