Hi Dan, Thank you for taking the time to correct my local rule.
The reason why I want to write a custom decoder and rule to parse Windows events is that I need to extract useful and correct values from the log such as the event id, extra_data (what happened), and the actual user account name. Wrong or useless values will be extracted as extra_data, user, and system_name if the default is in use. As a result, a fix of the default behavior is needed, as I noticed. I also want to configure an active response to send an email notification and see if a correlation of events can be done to manipulate alert notifications. It seems to me that by going with the existing Windows default what I planned to accomplish cannot be fulfilled. I saw from the test output that the alert level stays 9 and not 5 if I use windows rather than windows-4740 as a decoder. What's a proper way to achieve what I planned to do?

Thanks,

On Monday, October 21, 2013 5:39:08 PM UTC-7, tww0101 wrote:
>
> In an attempt to get custom Windows decoder and rules working, I came up
> with the following decoder and rule:
>
> In local_rules.xml:
>
> <group name="windows-account-lockout">
>   <rule id="100010" level="5">
>     <decoded_as>windows-4740</decoded_as>
>     <description>windows-account-lockout</description>
>   </rule>
> </group>
>
> In decoder.xml:
>
> <decoder name="windows-4740">
>   <type>windows</type>
>   <parent>windows</parent>
>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\):\.+</regex>
>   <regex>0x3a1\s+(\.+):\s+Security ID:\.+Account Name:\s+(\S+)</regex>
>   <order>status, id, extra_data, user</order>
>   <fts>name, location, user, system_name</fts>
> </decoder>
>
> Here is a sample Windows event log that was used for testing:
>
> WinEvtLog: Security: AUDIT_SUCCESS(4740): XXXXXXXXXXXXXX: (no user): no domain: XXXXXXX: XXXXXXX message: A user account was locked out. Subject: Security ID: XXXXX Account Name: XXX Account Domain: EXAMPLE Logon ID: 0x3a1 Account That Was Locked Out: Security ID: XXXXXXXXXXXXXXX Account Name: jking Additional Information: XXXXX:
>
> /opt/ossec/ossec-logtest -d
>
> ...
> 2013/10/21 14:55:40 1 : rule:100010, level 5, timeout: 0
> ...
> ...
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4740'
>        extra_data: ' Account That Was Locked Out'
>        dstuser: 'jking'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18116'
>        Level: '9'
>        Description: 'User account locked out (multiple login errors).'
> **Alert to be generated.
>
>
> It seems to me that my decoder is working. However, why is rule 18116
> still in use? How can I bypass default msauth rules? Can someone please
> help? Thanks,
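Added example for readers of this thread; it is not code from the poster or from the OSSEC project. OSSEC evaluates rules from the highest level downwards and stops at the first match, so a standalone level-5 rule is never reached once the stock rule 18116 (level 9, shown in the logtest output above) has matched. The usual way to take over an event from a default rule is a child rule that chains off it with `<if_sid>`: when the child matches, its level replaces the parent's. The fragment below does that for event id 4740, forces an email for the lower-level alert, and adds a composite rule that correlates repeated lockouts of the same account. The rule ids 100010/100011, the group names and the frequency/timeframe values are assumptions chosen for illustration; `if_sid`, `id`, `options`, `if_matched_sid`, `same_user`, `frequency` and `timeframe` are standard OSSEC rule syntax.

```xml
<!-- Added example for local_rules.xml, not the poster's or the project's own
     code. Chains off the stock msauth rule 18116 (level 9) rather than trying
     to replace it through <decoded_as>. Rule ids and thresholds are assumed. -->
<group name="local,windows,account_lockout,">

  <!-- Child of 18116: fires instead of it when the decoded id is 4740, so the
       alert is reported at level 5 rather than 9. alert_by_email sends mail
       even if 5 is below the global email_alert_level in ossec.conf. -->
  <rule id="100010" level="5">
    <if_sid>18116</if_sid>
    <id>^4740$</id>
    <options>alert_by_email</options>
    <description>Windows account lockout (4740) for a single account.</description>
  </rule>

  <!-- Correlation: the same locked-out account (the decoder's 'user' field,
       reported by logtest as dstuser) is seen 3 times within 600 seconds.
       The numbers are assumptions; tune them to the environment. -->
  <rule id="100011" level="10" frequency="3" timeframe="600">
    <if_matched_sid>100010</if_matched_sid>
    <same_user />
    <description>Repeated lockouts of the same account within a short window.</description>
  </rule>

</group>
```

With this in place, feeding the sample 4740 line above to `/opt/ossec/ossec-logtest` should report rule 100010 at level 5 in Phase 3 instead of 18116 at level 9; the custom decoder is not needed for the level change, only for the extra fields the poster wants to extract. Because rule ids in OSSEC must be unique and 100000 upwards is reserved for local rules, keep the child rule ids in that range.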
