Hi.  I'm having real problems with a regex for a decoder, and hope someone 
can help.  I'm trying to extract some details from Windows Event Logs from 
a file server, for Object Access.  Here's a sample of the logs:

WinEvtLog: Security: AUDIT_SUCCESS(560): Security: user.name: MYDOMAIN: WIN-FS2: Object Open:          Object Server: Security         Object Type: File       Object Name: D:\Shares\Recruitment\Head Office\Ops Vacancies Tracker.xlsx            Handle ID: 27948        Operation ID: {3,166460974}     Process ID: 4           Image File Name:        Primary User Name: WIN-FS2$     Primary Domain: 4UCORE          Primary Logon ID: (0x0,0x3E7)           Client User Name: user.name         Client Domain: MYDOMAIN           Client Logon ID: (0x3,0x9D2FBB5)        Accesses: %%1539        %%4423                                  Privileges: -           Restricted Sid Count: 0         Access Mask: 0x40080

The fields I'm interested in, and that I want to use with FTS to trigger an 
alert, are the user.name and Object Name.  I'm good with extracting the 
former with the following decoders:

<decoder name="windows">
        <type>windows</type>
        <prematch>^WinEvtLog: </prematch>
</decoder>
<decoder name="windows-file-access">
        <type>windows</type>
        <parent>windows</parent>
        <prematch offset="after_parent">^\.+: (\w+)\((560)\):</prematch>
        <regex offset="after_parent">^\.+: (\w+)\((560)\): \S+: (\S+): \S+: (\S+):</regex>
        <order>status, id, user, system_name</order>
</decoder>

But I can't extract the Object Name.  I've tried various permutations along 
the lines of:

<decoder name="windows-file-access">
        <type>windows</type>
        <parent>windows</parent>
        <prematch offset="after_parent">^\.+: (\w+)\((560)\):</prematch>
        <regex offset="after_parent">^\.+: (\w+)\((560)\): \S+: (\S+): \S+: (\S+):</regex>
        <regex>\.*Object Type: File\s+Object Name: (\.*) +Handle</regex>
        <order>status, id, user, system_name</order>
</decoder>

I also have to deal with files with spaces in the name.  With a fuller 
regex library I'd do something like this, which works nicely because of the 
non-greedy matching:
^.+: (\w+)\((560)\): \w+: (\S+): \S+: (\S+): .*Object Type: File\s+Object Name: (.+?)\s+Handle

But I can't even get OSSEC to match on something as simple as:
<regex>\.*Name: (\S+)</regex>

Any help would be gratefully received.

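As an added illustration (my own code, not part of the post above and not OSSEC's), here is the non-greedy extraction the post describes, written in Python against the sample event and generalised to pull every whitespace-separated field out of the event 560 body; it shows the parsing the decoder is meant to achieve, not OSSEC's own regex syntax.

```python
import re

# The post's sample event, rejoined onto one line (the list archive wrapped it).
SAMPLE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(560): Security: user.name: MYDOMAIN: "
    "WIN-FS2: Object Open:          Object Server: Security         Object Type: "
    "File       Object Name: D:\\Shares\\Recruitment\\Head Office\\Ops Vacancies "
    "Tracker.xlsx            Handle ID: 27948        Operation ID: "
    "{3,166460974}     Process ID: 4           Image File Name:        Primary "
    "User Name: WIN-FS2$     Primary Domain: 4UCORE          Primary Logon ID: "
    "(0x0,0x3E7)           Client User Name: user.name         Client Domain: "
    "MYDOMAIN           Client Logon ID: (0x3,0x9D2FBB5)        Accesses: "
    "%%1539        %%4423                                  Privileges: "
    "-           Restricted Sid Count: 0         Access Mask: 0x40080"
)

# Header: the four groups the post's decoder captures, then the body after "Object Open:".
HEADER = re.compile(
    r"^WinEvtLog: \w+: (?P<status>\w+)\((?P<id>\d+)\): \w+: (?P<user>\S+): "
    r"\S+: (?P<system_name>\S+): Object Open:\s+(?P<body>.*)$"
)
# The non-greedy form from the post: stop at the run of spaces before "Handle ID".
OBJECT_NAME = re.compile(r"Object Type: File\s+Object Name: (.+?)\s+Handle ID:")


def object_name(line):
    """Object Name only, via the non-greedy match; None if the line has none."""
    m = OBJECT_NAME.search(line)
    return m.group(1) if m else None


def parse_560(line):
    """Header fields plus every 'Key: value' pair in the body, or None.
    Body fields are separated by runs of two or more spaces (tabs in the raw
    event), so single spaces inside a file name survive. A token with no ': '
    (the second %%4423 access code) is appended to the previous value, and a
    bare 'Key:' (Image File Name) yields an empty string."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    last = None
    for tok in re.split(r"\s{2,}", m.group("body").strip()):
        key, sep, val = tok.partition(": ")
        if sep or tok.endswith(":"):
            last = key.rstrip(":")
            fields[last] = val
        elif last is not None:
            fields[last] = (fields[last] + " " + tok).strip()
    return fields
```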