Michael,
Can you please link me to the decoder you are using? I took the blog post
that Nathaniel recommended (thank you very much) and spun my own version of
it since I'm using Snare logs and it didn't match up.
<!-- Parent decoder: matches the Snare header up to the hour of the timestamp -->
<decoder name="windows-snare">
  <type>windows</type>
  <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
</decoder>

<!-- Child decoder: picks up after the prematch, pulling the event id, then DOMAIN\user -->
<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows-snare</parent>
  <regex offset="after_parent">:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+</regex>
  <regex>\t(\.+)\\(\S+)\t\.+</regex>
  <order>id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<!-- Child decoders: source address, which Snare labels differently depending on the event -->
<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows-snare</parent>
  <regex offset="after_regex">Source Network Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows-snare</parent>
  <regex offset="after_regex">Source IP Address: (\S+)</regex>
  <order>srcip</order>
</decoder>
When I run my Windows events through it, I get the following results using
logtest.
**Phase 2: Completed decoding.
decoder: 'windows-snare'
id: '4624'
extra_data: 'WIN-SERVER1'
dstuser: 'Administrator'
srcip: '10.1.1.1'
**Phase 3: Completed filtering (rules).
Rule id: '18100'
Level: '0'
Description: 'Group of windows rules.'
So it appears my parsing is working correctly now. I'm just confused why
it only tripped rule 18100 and not rule 18107 as well since it should trip
off of the ID.
On Thursday, October 3, 2013 9:12:27 PM UTC-4, Michael Starks wrote:
>
> On 10/03/2013 04:10 PM, Nathaniel Bentzinger wrote:
> > Sorry I meant to include my full decoder file too:
>
> Have you seen the decoder I have been using in the other thread? I'm not
> sure how this one compares, so it might be useful to see where we have
> similarities and differences.
>
>
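As an added illustration (not part of the original thread or of OSSEC), the script below parses a constructed Snare-format 4624 record by tab-delimited field position and pulls out the same values the decoder above targets (id, extra_data, user, system_name, srcip); this is a handy cross-check of what ossec-logtest reports. The Snare field layout it assumes (header, criticality, log, counter, timestamp, event id, source, user, SID type, event type, computer, category, data, message) and the sample record are assumptions.

```python
import re

# Constructed Snare-format Windows 4624 record (not from the original post).
# Assumed field layout: MSWinEventLog, criticality, log, counter, date/time,
# event id, source, user, SID type, event type, computer, category, data, message.
SAMPLE = (
    "MSWinEventLog\t1\tSecurity\t123\tThu Oct 03 21:12:27 2013\t4624\t"
    "Microsoft-Windows-Security-Auditing\tWIN-SERVER1\\Administrator\tUser\t"
    "Success Audit\tWIN-SERVER1\tLogon\t\t"
    "An account was successfully logged on.    Logon Type:  10    "
    "Source Network Address: 10.1.1.1    Source Port: 49152"
)

# Snare labels the client address either way depending on the event,
# which is why the decoder above carries one child regex for each label.
SRCIP_RE = re.compile(r"Source (?:Network|IP) Address:\s+(\S+)")


def parse_snare(line):
    """Return the decoder's fields from one Snare record, by field position."""
    fields = line.split("\t")
    if fields[0] != "MSWinEventLog" or len(fields) < 14:
        raise ValueError("not a Snare Windows event record")
    # The user field is DOMAIN\user; the decoder maps DOMAIN to extra_data.
    domain, _, user = fields[7].rpartition("\\")
    m = SRCIP_RE.search(fields[13])
    return {
        "id": fields[5],
        "extra_data": domain or None,
        "user": user,
        "system_name": fields[10],
        "srcip": m.group(1) if m else None,
    }


if __name__ == "__main__":
    for key, value in parse_snare(SAMPLE).items():
        print(f"{key}: {value!r}")
```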