On Tue, Oct 22, 2013 at 12:23 PM, tww0101 <[email protected]> wrote:
> Hi Dan,
>
> Thank you for taking time to correct my local rule.
>
> The reason why I want to write a custom decoder and rule to parse Windows
> events is that I need to extract useful and correct values from the log such
> as the event id, extra_data (what happened), and the actual user account
> name. Wrong or useless values will be extracted as extra_data, user, and
> system_name if the default is in use. As a result, a fix of the default
> behavior is needed, as I noticed.
>
> I also want to configure an active response to send an email notification
> and see if a correlation of events can be done to manipulate alert
> notifications. It seems to me that by going with the existing Windows
> default, what I planned to accomplish cannot be fulfilled.
>
> I saw from the test output that the alert level stays 9 but not 5 if I use
> windows but not windows-4740 as a decoder. What's a proper way to achieve
> what I planned to do? Thanks,
>

Your rule isn't firing now, so it's already a level 9. I can't get your
decoder to work though, so I can't be of much help.

> On Monday, October 21, 2013 5:39:08 PM UTC-7, tww0101 wrote:
>>
>> In an attempt to get a custom Windows decoder and rules working, I came up
>> with the following decoder and rule:
>>
>> In local_rules.xml:
>>
>> <group name="windows-account-lockout">
>>   <rule id="100010" level="5">
>>     <decoded_as>windows-4740</decoded_as>
>>     <description>windows-account-lockout</description>
>>   </rule>
>> </group>
>>
>> In decoder.xml:
>>
>> <decoder name="windows-4740">
>>   <type>windows</type>
>>   <parent>windows</parent>
>>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\):\.+</regex>
>>   <regex>0x3a1\s+(\.+):\s+Security ID:\.+Account Name:\s+(\S+)</regex>
>>   <order>status, id, extra_data, user</order>
>>   <fts>name, location, user, system_name</fts>
>> </decoder>
>>
>> Here is a sample Windows event log that was used for testing:
>>
>> WinEvtLog: Security: AUDIT_SUCCESS(4740): XXXXXXXXXXXXXX: (no user): no
>> domain: XXXXXXX: XXXXXXX message: A user account was locked out.
>> Subject: Security ID: XXXXX Account Name: XXX Account Domain: EXAMPLE
>> Logon ID: 0x3a1 Account That Was Locked Out: Security ID:
>> XXXXXXXXXXXXXXX Account Name: jking Additional Information: XXXXX:
>>
>> /opt/ossec/ossec-logtest -d
>>
>> ...
>> 2013/10/21 14:55:40 1 : rule:100010, level 5, timeout: 0
>> ...
>> ...
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'AUDIT_SUCCESS'
>>        id: '4740'
>>        extra_data: ' Account That Was Locked Out'
>>        dstuser: 'jking'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18116'
>>        Level: '9'
>>        Description: 'User account locked out (multiple login errors).'
>> **Alert to be generated.
>>
>>
>> It seems to me that my decoder is working. However, why is rule 18116
>> still in use? How can I bypass the default msauth rules? Can someone please
>> help?
>> Thanks,
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
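An offline harness for checking the two decoder regexes from the thread against the posted sample event, added here as an example; it is not part of the thread and not OSSEC's own matcher. It translates OSSEC's regex dialect (`\.` for any character, `\w`, `\d`, `\s`, `\S`, literal everything else) into Python `re` according to the documented OSSEC syntax as understood by the author of this example, which is an approximation. Each regex is tested on its own against the whole line; `offset="after_parent"` and the way OSSEC combines several `<regex>` elements in one decoder are deliberately not modelled. The sample line is the one from the post, reassembled as a single string. The point it makes concretely: both regexes do extract the fields the poster wanted, while the Phase 2 output names the decoder `'windows'`, and a rule keyed on `<decoded_as>windows-4740</decoded_as>` only becomes a candidate for events attributed to that decoder name, which is why the level stays 9.

```python
import re

# Sample event from the thread, reassembled here as a single line (the
# redacted "XXXX" fields are kept as posted); constructed for this example.
SAMPLE_LOG = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4740): XXXXXXXXXXXXXX: (no user): no "
    "domain: XXXXXXX: XXXXXXX message: A user account was locked out. "
    "Subject: Security ID: XXXXX Account Name: XXX Account Domain: EXAMPLE "
    "Logon ID: 0x3a1 Account That Was Locked Out: Security ID: "
    "XXXXXXXXXXXXXXX Account Name: jking Additional Information: XXXXX:"
)

# The two <regex> elements of the windows-4740 decoder posted in the thread.
REGEX_STATUS_ID = r"^\.+: (\w+)\((\d+)\):\.+"
REGEX_LOCKOUT = r"0x3a1\s+(\.+):\s+Security ID:\.+Account Name:\s+(\S+)"

# OSSEC regex escapes mapped onto Python character classes. This follows the
# OSSEC regex syntax documentation as understood by the author of this
# example (an approximation; OSSEC's own matcher is not used here).
OSSEC_ESCAPES = {
    "w": "[A-Za-z0-9@_-]",   # \w: letters, digits, @, _, -
    "W": "[^A-Za-z0-9@_-]",
    "d": "[0-9]",            # \d: digits
    "D": "[^0-9]",
    "s": " ",                # \s: a space
    "S": "[^ ]",             # \S: anything but a space
    ".": ".",                # \.: any character
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-dialect regex into an equivalent Python re pattern.

    ^ $ ( ) + * keep their meaning; every other unescaped character is a
    literal. A backslash followed by a character not in OSSEC_ESCAPES stands
    for that literal character, so \\( and \\) match parentheses.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            if i >= len(pattern):
                raise ValueError("dangling backslash in OSSEC regex")
            nxt = pattern[i]
            out.append(OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
        elif c in "^$()+*":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def decode(log: str, ossec_regex: str, order: str):
    """Apply one decoder regex to a log line and assign its capture groups to
    the comma-separated <order> field names. Returns the field dict, or None
    when the regex does not match (the decoder would not claim the event)."""
    match = re.search(ossec_to_python(ossec_regex), log)
    if match is None:
        return None
    names = [n.strip() for n in order.split(",")]
    return dict(zip(names, match.groups()))


if __name__ == "__main__":
    for label, rx, order in (
        ("status/id regex", REGEX_STATUS_ID, "status, id"),
        ("lockout regex", REGEX_LOCKOUT, "extra_data, user"),
    ):
        print(f"{label}: python form = {ossec_to_python(rx)}")
        print(f"{label}: fields = {decode(SAMPLE_LOG, rx, order)}")
```

Running it shows the first regex yielding status `AUDIT_SUCCESS` and id `4740`, and the second yielding `Account That Was Locked Out` and `jking`, so the extraction side of the decoder is sound; ossec-logtest remains the authority on offsets, parent/child handling and which rule ends up selected.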
