Hi Dan,
I did notice that the windows event log was a mess so that the default
decoder and msauth rule retrieved the following values during phase 2:
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4740'
extra_data: 'XXXXXXXXXXXXXX'
dstuser: '(no user)'
system_name: 'XXXXXXX'
The Windows event log contains two "Account Name" fields. However, the
first one seems to be incorrect or useless. The "(no user)" and "no domain" parts
are misleading and cannot be used. Even the system_name value isn't the
actual system name. Until Microsoft admits that they need to fix their
event logs, I hope that by using a revised decoder and rule we can retrieve
data from different fields to give us the desired values. That is, in phase 2,
I need to get:
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4740'
extra_data: ' Account That Was Locked Out'
dstuser: 'jking'
Therefore, I modified the windows decoder from:
<decoder name="windows">
<type>windows</type>
<prematch>^WinEvtLog: </prematch>
<regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
<regex>(\.+): \.+: (\S+): </regex>
<order>status, id, extra_data, user, system_name</order>
<fts>name, location, user, system_name</fts>
</decoder>
to:
<decoder name="windows">
<type>windows</type>
<prematch>^WinEvtLog: </prematch>
</decoder>
and added the windows-4740 decoder and its corresponding local rule.
I would highly appreciate it if you are willing to help revise my custom
decoder and rule, or to provide an example showing the best way to retrieve
the desired values from non-default fields in the log.
On Monday, October 21, 2013 5:39:08 PM UTC-7, tww0101 wrote:
>
> In an attempt to get custom Windows decoder and rules working, I came up
> with the following decoder and rule:
>
> In local_rules.xml:
>
> <group name="windows-account-lockout">
> <rule id="100010" level="5">
> <decoded_as>windows-4740</decoded_as>
> <description>windows-account-lockout</description>
> </rule>
> </group>
>
> In decoder.xml:
>
> <decoder name="windows-4740">
> <type>windows</type>
> <parent>windows</parent>
> <regex offset="after_parent">^\.+: (\w+)\((\d+)\):\.+</regex>
> <regex>0x3a1\s+(\.+):\s+Security ID:\.+Account Name:\s+(\S+)</regex>
> <order>status, id, extra_data, user</order>
> <fts>name, location, user, system_name</fts>
> </decoder>
>
> Here is a sample Windows event log that was used for testing:
>
> WinEvtLog: Security: AUDIT_SUCCESS(4740): XXXXXXXXXXXXXX: (no user): no
> domain: XXXXXXX: XXXXXXX message: A user account was locked out.
> Subject: Security ID: XXXXX Account Name: XXX Account Domain:
> EXAMPLE Logon ID: 0x3a1 Account That Was Locked Out: Security ID:
> XXXXXXXXXXXXXXX Account Name: jking Additional Information: XXXXX:
>
> /opt/ossec/ossec-logtest -d
>
> ...
> 2013/10/21 14:55:40 1 : rule:100010, level 5, timeout: 0
> ...
> ...
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'AUDIT_SUCCESS'
> id: '4740'
> extra_data: ' Account That Was Locked Out'
> dstuser: 'jking'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18116'
> Level: '9'
> Description: 'User account locked out (multiple login errors).'
> **Alert to be generated.
>
>
> It seems to me that my decoder is working. However, why is rule 18116
> still in use? How can I bypass the default msauth rules? Can someone please
> help? Thanks,
>
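Added example (not from this thread or from OSSEC itself): a small emulator of the decoding steps discussed above, run over the sample event as rejoined from the wrapped e-mail. It assumes that OSSEC's \. \w \d \s \S escapes translate as in OSSEC_CLASSES, that + and * match lazily except when nothing follows them in the pattern (which reproduces the values shown in both Phase 2 outputs), and that several <regex> lines in one decoder are concatenated into a single pattern; ossec_to_python and decode are names chosen here.

```python
import re
# Assumed translation of the OSSEC regex escapes used in this thread.
OSSEC_CLASSES = {r"\.": ".", r"\w": r"[A-Za-z0-9@_\-]", r"\d": "[0-9]",
                 r"\s": " ", r"\S": "[^ ]"}

def ossec_to_python(pattern):
    """Rewrite an OSSEC regex as a Python regex (assumed semantics, see lead-in)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):          # escape: class or literal
            out.append(OSSEC_CLASSES.get(pattern[i:i + 2], re.escape(pattern[i + 1])))
            i += 2
            continue
        if c in "+*":                                    # lazy unless nothing follows
            c = c if not pattern[i + 1:].strip(")$") else c + "?"
        elif c in ".[]{}?":                              # literal in OSSEC, meta in Python
            c = re.escape(c)
        out.append(c)                                    # ^ $ ( ) | keep their meaning
        i += 1
    return "".join(out)

def decode(decoder, log):
    """Apply prematch, then the decoder's concatenated <regex> lines, to one log line."""
    pre = re.search(ossec_to_python(decoder["prematch"]), log)
    m = pre and re.search(ossec_to_python("".join(decoder["regex"])), log[pre.end():])
    if not m:
        return None                                      # decoder does not apply
    fields = dict(zip(decoder["order"], m.groups()))
    if "user" in fields:                                 # logtest shows 'user' as dstuser
        fields["dstuser"] = fields.pop("user")
    return fields

# The stock "windows" decoder and the poster's "windows-4740" child (same prematch).
WINDOWS = {"prematch": "^WinEvtLog: ", "order": ["status", "id", "extra_data", "user", "system_name"],
           "regex": [r"^\.+: (\w+)\((\d+)\): (\.+): ", r"(\.+): \.+: (\S+): "]}
WINDOWS_4740 = {"prematch": "^WinEvtLog: ", "order": ["status", "id", "extra_data", "user"],
                "regex": [r"^\.+: (\w+)\((\d+)\):\.+",
                          r"0x3a1\s+(\.+):\s+Security ID:\.+Account Name:\s+(\S+)"]}

# Sample event from the post, rejoined from the wrapped e-mail with single spaces.
SAMPLE_LOG = ("WinEvtLog: Security: AUDIT_SUCCESS(4740): XXXXXXXXXXXXXX: (no user): no "
              "domain: XXXXXXX: XXXXXXX message: A user account was locked out. "
              "Subject: Security ID: XXXXX Account Name: XXX Account Domain: "
              "EXAMPLE Logon ID: 0x3a1 Account That Was Locked Out: Security ID: "
              "XXXXXXXXXXXXXXX Account Name: jking Additional Information: XXXXX:")

if __name__ == "__main__":
    for name, dec in (("windows", WINDOWS), ("windows-4740", WINDOWS_4740)):
        print(name, decode(dec, SAMPLE_LOG))
```

Because the sample is rejoined with single spaces, extra_data comes back without the leading space seen in the original Phase 2 output.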
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.