I've made a few more tweaks because one group is using spaces instead of tabs in their Snare config, so I just created 2 separate decoders to catch them both. I also cleaned up a few minor items.
<!-- Default Snare output: fields separated by tabs (\t) -->
<decoder name="windows-snare">
  <type>windows</type>
  <prematch>MSWinEventLog\t\d\.+\w\w\w \d\d \d\d</prematch>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows-snare</parent>
  <regex offset="after_parent">:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+</regex>
  <regex>\t\.+\\(\S+)\tN/A\W+(\w+)\sAudit\t(\w+)\tLogon</regex>
  <order>id, user, status, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows-snare</parent>
  <regex offset="after_regex">Source Network Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows-sub1">
  <type>windows</type>
  <parent>windows-snare</parent>
  <regex offset="after_regex">Source IP Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

<!-- Snare agents configured to separate fields with spaces: \W+ instead of \t -->
<decoder name="windows-snare-2">
  <type>windows</type>
  <prematch>MSWinEventLog\W+\d\.+\w\w\w \d\d \d\d</prematch>
</decoder>

<decoder name="windows-snare-2-sub1">
  <type>windows</type>
  <parent>windows-snare-2</parent>
  <regex offset="after_parent">:\d\d:\d\d \d\d\d\d\W+(\d+)\W+\.+</regex>
  <regex>\W+\.+\\(\S+)\W+N/A\W+(\w+)\sAudit\W+(\w+)</regex>
  <order>id, user, status, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<decoder name="windows-snare-2-sub1">
  <type>windows</type>
  <parent>windows-snare-2</parent>
  <regex offset="after_regex">Source Network Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

On Monday, October 7, 2013 11:08:55 AM UTC-4, Eric wrote:
>
> Ok! I finally got this working after much drinking. The regex tester I was
> using and what OSSEC was parsing didn't match up correctly. On my tester,
> it shows a tab or multiple white spaces, so I used \t and/or \s+. However,
> OSSEC didn't like that and never matched the parser on that portion, so I
> ended up using \W+ and it worked fine. So below is the parser that is
> matching up to all of the appropriate fields. So if you are working on
> these, please keep that in mind. When in doubt, just do a (\.+) and see
> what it parses out as, as it may have additional characters you didn't
> expect. This is for Snare format and has the syslog header at the front of
> it.
>
> The only annoying part now is that Windows doesn't log the source IP for
> the failed events, so I can't correctly do a rule where "multiple failed
> logins from X IP and then one successful login from the same IP within Y
> time frame". Not sure how I'm going to do that.
>
> <decoder name="windows-snare">
> <type>windows</type>
> <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
> </decoder>
>
> <decoder name="windows-sub1">
> <type>windows</type>
> <parent>windows-snare</parent>
> <regex offset="after_parent">:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+</regex>
> <regex>\t\.+\\(\S+)\tN/A\W(\.+)\s+Audit\t(\.+)\tLogon</regex>
> <order>id, user, status, system_name</order>
> <fts>name, location, user, system_name</fts>
> </decoder>
>
> <decoder name="windows-sub1">
> <type>windows</type>
> <parent>windows-snare</parent>
> <regex offset="after_regex">Source Network Address: (\S+)</regex>
> <order>srcip</order>
> </decoder>
>
> <decoder name="windows-sub1">
> <type>windows</type>
> <parent>windows-snare</parent>
> <regex offset="after_regex">Source IP Address: (\S+)</regex>
> <order>srcip</order>
> </decoder>
>
>
> On Friday, October 4, 2013 11:14:38 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Oct 4, 2013 at 11:08 AM, Eric <[email protected]> wrote:
>> > Michael,
>> >
>> > Can you please link me to the decoder you are using? I took the blog
>> > post that Nathaniel recommended (thank you very much) and spun my own
>> > version of it since I'm using Snare logs and it didn't match up.
>> >
>>
>> https://groups.google.com/forum/#!topic/ossec-list/1F_2Axytgzg
>>
>> > <decoder name="windows-snare">
>> > <type>windows</type>
>> > <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
>> > </decoder>
>> >
>> > <decoder name="windows-sub1">
>> > <type>windows</type>
>> > <parent>windows-snare</parent>
>> > <regex offset="after_parent">:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+</regex>
>> > <regex>\t(\.+)\\(\S+)\t\.+</regex>
>> > <order>id, extra_data, user, system_name</order>
>> > <fts>name, location, user, system_name</fts>
>> > </decoder>
>> >
>> > <decoder name="windows-sub1">
>> > <type>windows</type>
>> > <parent>windows-snare</parent>
>> > <regex offset="after_regex">Source Network Address: (\S+)</regex>
>> > <order>srcip</order>
>> > </decoder>
>> >
>> > <decoder name="windows-sub1">
>> > <type>windows</type>
>> > <parent>windows-snare</parent>
>> > <regex offset="after_regex">Source IP Address: (\S+)</regex>
>> > <order>srcip</order>
>> > </decoder>
>> >
>> > When I run my Windows events through it, I get the following results
>> > using logtest.
>> >
>> > **Phase 2: Completed decoding.
>> > decoder: 'windows-snare'
>> > id: '4624'
>> > extra_data: 'WIN-SERVER1'
>> > dstuser: 'Administrator'
>> > srcip: '10.1.1.1'
>> >
>> > **Phase 3: Completed filtering (rules).
>> > Rule id: '18100'
>> > Level: '0'
>> > Description: 'Group of windows rules.'
>> >
>> > So it appears my parsing is working correctly now. I'm just confused
>> > why it only tripped rule 18100 and not rule 18107 as well, since it
>> > should trip off of the ID.
>> >
>> >
>> > On Thursday, October 3, 2013 9:12:27 PM UTC-4, Michael Starks wrote:
>> >>
>> >> On 10/03/2013 04:10 PM, Nathaniel Bentzinger wrote:
>> >> > Sorry I meant to include my full decoder file too:
>> >>
>> >> Have you seen the decoder I have been using in the other thread? I'm
>> >> not sure how this one compares, so it might be useful to see where we
>> >> have similarities and differences.
>> >>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >
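As an added example (this is not code from the thread, from OSSEC or from Snare), here is a small Python parser that pulls the same fields the two decoders capture, id, user, status, system_name and srcip, out of a Snare line, and chooses between the tab-separated and space-separated layouts the same way the two prematches do. The sample lines, host names and accounts are constructed; the field order is the Snare layout the decoders assume.

```python
"""Parse Snare-format Windows event lines, forwarded over syslog, into the
fields the two OSSEC decoders in the thread capture: id, user, status,
system_name and (when the expanded text carries one) srcip.

Added example, not OSSEC or Snare code; the hosts, users and sample lines
below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Both spellings of the address field appear in the decoders; either one wins.
SRCIP_RE = re.compile(r"Source (?:Network|IP) Address:\s+(\S+)")


def _snare_regex(sep: str, field: str) -> re.Pattern:
    """Build the field regex for one separator style.

    sep   -- regex for the delimiter between Snare fields
    field -- regex for one field's content (must not include the delimiter)
    Field order follows the layout the decoders assume: criticality, log,
    counter, date, event id, source, account, SID type, audit result,
    computer, category, then the remaining data/expanded text.
    """
    return re.compile(
        r"MSWinEventLog" + sep
        + r"(?P<criticality>\d+)" + sep
        + r"(?P<log>" + field + r")" + sep
        + r"(?P<counter>\d+)" + sep
        + r"(?P<when>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4})" + sep
        + r"(?P<id>\d+)" + sep
        + r"(?P<source>" + field + r")" + sep
        + r"(?P<account>" + field + r")" + sep      # DOMAIN\user or user
        + r"(?P<sidtype>" + field + r")" + sep      # N/A on current Windows
        + r"(?P<status>Success|Failure) Audit" + sep
        + r"(?P<system_name>" + field + r")" + sep
        + r"(?P<category>" + field + r")" + sep
        + r"(?P<rest>.*)$"
    )


# Default Snare output is tab-delimited, so a field is "anything but a tab".
_TAB_RE = _snare_regex(r"\t", r"[^\t]+")
# An agent configured for spaces cannot keep spaces inside a field, so a
# field there is a run of non-whitespace (the date is matched explicitly).
_SPACE_RE = _snare_regex(r"\s+", r"\S+")


@dataclass
class SnareEvent:
    id: str
    user: str
    status: str           # "Success" or "Failure"
    system_name: str
    srcip: Optional[str]  # None when the event carries no usable address
    separator: str        # "tab" or "space": which decoder variant applied


def parse_snare(line: str) -> Optional[SnareEvent]:
    """Decode one syslog-wrapped Snare line; None if it is not Snare output."""
    start = line.find("MSWinEventLog")
    if start < 0:
        return None
    payload = line[start:]
    # Pick the variant the same way the two prematches do: tabs present means
    # default Snare output, otherwise the agent was configured for spaces.
    if "\t" in payload:
        match, separator = _TAB_RE.match(payload), "tab"
    else:
        match, separator = _SPACE_RE.match(payload), "space"
    if match is None:
        return None
    # The decoders capture the user after the backslash of DOMAIN\user.
    user = match.group("account").rsplit("\\", 1)[-1]
    ip = SRCIP_RE.search(match.group("rest"))
    # Windows writes "-" for the address when it has none, so treat that as missing.
    srcip = ip.group(1) if ip and ip.group(1) != "-" else None
    return SnareEvent(
        id=match.group("id"),
        user=user,
        status=match.group("status"),
        system_name=match.group("system_name"),
        srcip=srcip,
        separator=separator,
    )


# Constructed sample input: a tab-delimited 4624 and a space-delimited 4625,
# each with the syslog header in front as the forwarded lines in the thread have.
SAMPLE_LINES = [
    "Oct  7 11:08:55 win-server1 MSWinEventLog\t1\tSecurity\t4321\t"
    "Mon Oct 07 11:08:55 2013\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "CORP\\Administrator\tN/A\tSuccess Audit\tWIN-SERVER1\tLogon\t\t"
    "An account was successfully logged on.  Logon Type: 3  "
    "Source Network Address: 10.1.1.1  Source Port: 51234\t1234",
    "Oct  7 11:09:02 win-server2 MSWinEventLog 1 Security 4322 "
    "Mon Oct 07 11:09:02 2013 4625 Microsoft-Windows-Security-Auditing "
    "CORP\\jdoe N/A Failure Audit WIN-SERVER2 Logon "
    "An account failed to log on.  Source Network Address: -  Source Port: -",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_snare(line))
```

Detecting the separator before matching is the point: the tab layout can carry spaces inside a field (the date, or a multi-word category), while the space layout cannot, so the two cannot share one field pattern, which is why the space-configured agent needed its own decoder in the thread.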
