Ok! I finally got this working after much drinking. The regex tester I was 
using and what OSSEC was parsing didn't match up correctly. On my tester, 
it shows a tab or multiple white spaces, so I used \t and/or \s+. However, 
OSSEC didn't like that and never matched the parser on that portion, so I 
ended up using \W+ and it worked fine. So below is the parser that is 
matching up to all of the appropriate fields. If you are working on these, 
please keep that in mind. When in doubt, just do a (\.+) and see what it 
parses out as, as it may have additional characters you didn't expect. 
This is for Snare format and has the syslog header at the front of it. 

The only annoying part now is that Windows doesn't log the source IP for 
the failed events, so I can't correctly do a rule where "multiple failed 
logins from X IP and then one successful login from the same IP within Y 
time frame". Not sure how I'm going to do that.

<decoder name="windows-snare">
  <type>windows</type>
  <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows-snare</parent>
  <regex offset="after_parent">:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+</regex>
  <regex>\t\.+\\(\S+)\tN/A\W(\.+)\s+Audit\t(\.+)\tLogon</regex>
  <order>id, user, status, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows-snare</parent>
  <regex offset="after_regex">Source Network Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows-snare</parent>
  <regex offset="after_regex">Source IP Address: (\S+)</regex>
  <order>srcip</order>
</decoder>


On Friday, October 4, 2013 11:14:38 AM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Oct 4, 2013 at 11:08 AM, Eric <[email protected]> wrote: 
> > Michael, 
> > 
> > Can you please link me to the decoder you are using? I took the blog 
> post 
> > that Nathaniel recommended (thank you very much) and spun my own version 
> of 
> > it since I'm using Snare logs and it didn't match up. 
> > 
>
> https://groups.google.com/forum/#!topic/ossec-list/1F_2Axytgzg 
>
> > <decoder name="windows-snare"> 
> >   <type>windows</type> 
> >   <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d 
> \d\d</prematch> 
> > </decoder> 
> > 
> > <decoder name="windows-sub1"> 
> >   <type>windows</type> 
> >   <parent>windows-snare</parent> 
> >   <regex offset="after_parent">:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+</regex> 
> >   <regex>\t(\.+)\\(\S+)\t\.+</regex> 
> >   <order>id, extra_data, user, system_name</order> 
> >   <fts>name, location, user, system_name</fts> 
> > </decoder> 
> > 
> > <decoder name="windows-sub1"> 
> >   <type>windows</type> 
> >   <parent>windows-snare</parent> 
> >   <regex offset="after_regex">Source Network Address: (\S+)</regex> 
> >   <order>srcip</order> 
> > </decoder> 
> > 
> > <decoder name="windows-sub1"> 
> >   <type>windows</type> 
> >   <parent>windows-snare</parent> 
> >   <regex offset="after_regex">Source IP Address: (\S+)</regex> 
> >   <order>srcip</order> 
> > </decoder> 
> > 
> > When I run my Windows events through it, I get the following results 
> using 
> > logtest. 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'windows-snare' 
> >        id: '4624' 
> >        extra_data: 'WIN-SERVER1' 
> >        dstuser: 'Administrator' 
> >        srcip: '10.1.1.1' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '18100' 
> >        Level: '0' 
> >        Description: 'Group of windows rules.' 
> > 
> > So it appears my parsing is working correctly now. I'm just confused 
> why it 
> > only tripped rule 18100 and not rule 18107 as well since it should trip 
> off 
> > of the ID. 
> > 
> > 
> > On Thursday, October 3, 2013 9:12:27 PM UTC-4, Michael Starks wrote: 
> >> 
> >> On 10/03/2013 04:10 PM, Nathaniel Bentzinger wrote: 
> >> > Sorry, I meant to include my full decoder file too: 
> >> 
> >> Have you seen the decoder I have been using in the other thread? I'm 
> not 
> >> sure how this one compares, so it might be useful to see where we have 
> >> similarities and differences. 
> >> 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to [email protected]. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
>

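As an added example (not part of the thread and not OSSEC code), the Python below does outside OSSEC what the decoders above do inside it: it splits a Snare-format line (syslog header followed by the tab-delimited Snare body) into event id, user, audit status, system name and source address, and then runs the "N failures then a success within Y minutes" correlation the post says it cannot build. The sample lines are constructed to mirror the problem described: the failed logons carry "-" in Source Network Address, so the address key never matches, and the correlation falls back to keying on the target account. That fallback is this example's design choice, not something the thread settled on; the Snare field order (tag, criticality, log, counter, timestamp, event id, source, user, SID type, audit type, computer, category, description) is what the decoders above consume, and all host names, accounts and addresses are made up.

```python
"""Parse Snare-format Windows Security events and correlate failed logons
followed by a success.  Added example; sample events below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tab-delimited Snare body, starting at the "MSWinEventLog" token.
SNARE_FIELDS = ("tag", "criticality", "source_log", "counter", "timestamp",
                "event_id", "source_name", "user", "sid_type", "audit_type",
                "system_name", "category", "description")

# Both description variants used by the decoders in the thread. Windows writes
# "-" when it has no address for the event, which we treat as "unknown".
SRCIP_RE = re.compile(r"Source (?:Network|IP) Address:\s+(\S+)")


def parse_snare(line):
    """Return the decoded fields as a dict, or None if the line is not Snare."""
    start = line.find("MSWinEventLog")
    if start < 0:
        return None
    # maxsplit keeps any tabs inside the description (and the trailing checksum)
    parts = line[start:].split("\t", len(SNARE_FIELDS) - 1)
    if len(parts) < len(SNARE_FIELDS):
        return None
    ev = dict(zip(SNARE_FIELDS, parts))
    ev["time"] = datetime.strptime(ev["timestamp"], "%a %b %d %H:%M:%S %Y")
    ev["user"] = ev["user"].rsplit("\\", 1)[-1]        # DOMAIN\user -> user
    ev["status"] = "success" if ev["audit_type"].startswith("Success") else "failure"
    m = SRCIP_RE.search(ev["description"])
    ev["srcip"] = m.group(1) if m and m.group(1) != "-" else None
    return ev


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a successful Logon follows >= threshold failures within window.
    Correlate on the source address when the event has one; otherwise fall back
    to the target account (assumption: a guessing attack against one account
    still shares that name when Windows omits the address)."""
    recent = defaultdict(deque)          # key -> times of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["category"] != "Logon":
            continue
        keys = [("user", ev["user"])]
        if ev["srcip"]:
            keys.insert(0, ("srcip", ev["srcip"]))   # prefer the address
        if ev["status"] == "failure":
            for k in keys:
                recent[k].append(ev["time"])
            continue
        for k in keys:
            q = recent[k]
            while q and ev["time"] - q[0] > window:   # expire old failures
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"time": ev["time"], "user": ev["user"],
                               "srcip": ev["srcip"], "matched_on": k,
                               "failures": len(q)})
                for k2 in keys:
                    recent[k2].clear()
                break
    return alerts


def snare_line(counter, when, event_id, user, audit, desc):
    """Build a constructed Snare-over-syslog line (hypothetical host WIN-SERVER1)."""
    body = "\t".join(["MSWinEventLog", "1", "Security", str(counter),
                      when.strftime("%a %b %d %H:%M:%S %Y"), event_id,
                      "Microsoft-Windows-Security-Auditing", "WIN-SERVER1\\" + user,
                      "N/A", audit, "WIN-SERVER1", "Logon", desc, "0"])
    return "<13>%s WIN-SERVER1 %s" % (when.strftime("%b %d %H:%M:%S"), body)


T0 = datetime(2013, 10, 4, 11, 10, 0)
FAIL_NO_IP = "An account failed to log on.  Source Network Address: -  Source Port: 0"
SAMPLE_LINES = [   # constructed input, not captured logs
    snare_line(101, T0, "4625", "Administrator", "Failure Audit", FAIL_NO_IP),
    snare_line(102, T0 + timedelta(minutes=1), "4625", "Administrator", "Failure Audit", FAIL_NO_IP),
    snare_line(103, T0 + timedelta(minutes=2), "4625", "Administrator", "Failure Audit", FAIL_NO_IP),
    snare_line(104, T0 + timedelta(minutes=3), "4625", "bob", "Failure Audit",
               "An account failed to log on.  Source Network Address: 10.2.2.2"),
    snare_line(105, T0 + timedelta(minutes=3, seconds=30), "4624", "bob", "Success Audit",
               "An account was successfully logged on.  Source Network Address: 10.2.2.2"),
    snare_line(106, T0 + timedelta(minutes=4, seconds=38), "4624", "Administrator", "Success Audit",
               "An account was successfully logged on.  Source Network Address: 10.1.1.1"),
    "<13>Oct 04 11:15:00 WIN-SERVER1 sshd[123]: not a Snare event at all",
]


def run(lines=SAMPLE_LINES, threshold=3, window=timedelta(minutes=5)):
    """Decode every line that is Snare format and return the correlation alerts."""
    events = [ev for ev in map(parse_snare, lines) if ev]
    return correlate(events, threshold, window)


if __name__ == "__main__":
    for a in run():
        print(a)
```

Run as is, the three address-less failures for Administrator still produce one alert when the 10.1.1.1 success arrives, because the fallback key is the account; bob's single failure stays below the threshold. Tune threshold and window to what your environment tolerates, and keep the address key first so that events which do carry an IP are correlated on the stronger identifier.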