I'd like to create an application white list from Windows audit logs. I have some systems that are fairly static in nature. They only do one thing, and I want to be alerted when they deviate from this behavior. An example use case could be a Windows Embedded POS (no cheeky acronym intended). Alerts would be generated when the system is creating processes outside of its normal defined behavior.
Here's the issue. I can't match the system_name from the completed decode. It doesn't look like system_name is included in the rules syntax: http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

My thought was that I could modify the decoder.xml to parse out the executable name from the event log and stuff that in program_name, then perform a CDB lookup based on matching system_name. But since that isn't possible, my second thought was to just do some creative matching from the local_rules.xml. However, these local_rules screw up all the other "audit success" rules.

    <group name="local,syslog,">
      <rule id="100230" level="0">
        <if_sid>18104</if_sid>
        <match>^SYSTEM-NAME|Allowed1.exe|Allowed2.exe</match>
        <description>SYSTEM-NAME Application Whitelist</description>
      </rule>
      <rule id="100240" level="10">
        <if_sid>18104</if_sid>
        <match>^SYSTEM-NAME|exe</match>
        <description>SYSTEM-NAME Application Blacklist</description>
      </rule>
    </group>

How can I positively match a single string "SYSTEM-NAME" and a long list of "or" strings?

Thank you!
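The logic the poster is after is a two-part positive match (this host AND this executable), whereas `|` inside an OSSEC `<match>` is an alternation, so `^SYSTEM-NAME|exe` fires on any line containing "exe" regardless of host. The following is an added example, not code from the post or from OSSEC: it runs that allowlist logic in Python over constructed Windows 4688 (process creation) lines written in the shape of OSSEC's decoded event text. The `ALLOWLIST` map, the host names and the file paths are all hypothetical; hosts with no allowlist entry stay silent, which mirrors the level-0 behaviour the poster wants for systems that are not locked down.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample lines approximating OSSEC's decoded text for Windows
# Security events (4688 = "A new process has been created"). Illustrative only.
SAMPLE_LOG = [
    r"WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: POS-01: A new process has been created. Subject: Security ID: S-1-5-18 Account Name: POS-01$ New Process ID: 0x1a4 New Process Name: C:\POS\Register.exe Token Elevation Type: %%1936",
    r"WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: POS-01: A new process has been created. Subject: Security ID: S-1-5-18 Account Name: POS-01$ New Process ID: 0x2b0 New Process Name: C:\Windows\System32\Conhost.exe Token Elevation Type: %%1936",
    r"WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: POS-01: A new process has been created. Subject: Security ID: S-1-5-21-1-2-3-1001 Account Name: cashier New Process ID: 0x3c8 New Process Name: C:\Users\Public\update.exe Token Elevation Type: %%1938",
    r"WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: WORKSTATION-7: A new process has been created. Subject: Security ID: S-1-5-21-1-2-3-1002 Account Name: alice New Process ID: 0x4d0 New Process Name: C:\Windows\System32\calc.exe Token Elevation Type: %%1938",
    r"WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: POS-01: An account was successfully logged on.",
]

# Hypothetical per-host allowlist keyed by decoded system_name. Paths are stored
# lower-cased because Windows paths are case-insensitive.
ALLOWLIST: Dict[str, Set[str]] = {
    "POS-01": {
        r"c:\pos\register.exe",
        r"c:\windows\system32\conhost.exe",
    },
}

# Header layout assumed from the constructed lines above: channel, type(event id),
# source, user, domain, system_name, then the free-text message.
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<type>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<system_name>[^:]+): "
    r"(?P<message>.*)$"
)
# Executable path of the new process; lazy match stops at the first ".exe".
NEW_PROCESS_RE = re.compile(
    r"New Process Name:\s+(?P<path>[A-Za-z]:\\.*?\.exe)(?=\s|$)", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcessEvent:
    system_name: str
    event_id: int
    path: str


@dataclass(frozen=True)
class Alert:
    system_name: str
    path: str
    reason: str


def parse_process_event(line: str) -> Optional[ProcessEvent]:
    """Return a ProcessEvent for a 4688 line; None for anything else."""
    m = HEADER_RE.match(line)
    if not m or m.group("event_id") != "4688":
        return None
    p = NEW_PROCESS_RE.search(m.group("message"))
    if not p:
        return None
    return ProcessEvent(m.group("system_name"), 4688, p.group("path"))


def evaluate(event: ProcessEvent, allowlist: Dict[str, Set[str]]) -> Optional[Alert]:
    """Alert only when a host that has an allowlist runs something outside it.

    Both conditions must hold (host is allowlisted AND path is not in its set),
    which is the AND the poster's '|' patterns could not express.
    """
    allowed = allowlist.get(event.system_name)
    if allowed is None:
        return None  # not a locked-down host: stay silent (level-0 equivalent)
    if event.path.lower() in allowed:
        return None
    return Alert(event.system_name, event.path, "process not in allowlist")


def scan(lines: Iterable[str], allowlist: Dict[str, Set[str]]) -> List[Alert]:
    """Run the allowlist check over decoded log lines and collect alerts."""
    alerts: List[Alert] = []
    for line in lines:
        event = parse_process_event(line)
        if event is None:
            continue
        alert = evaluate(event, allowlist)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, ALLOWLIST):
        print(f"ALERT {a.system_name}: {a.path} ({a.reason})")
```

Run as-is, the only alert is for POS-01 launching C:\Users\Public\update.exe; the two allowlisted binaries (including Conhost.exe, which differs only in case) pass, WORKSTATION-7 is ignored because it has no allowlist, and the 4624 logon line is skipped before any path matching happens. The same shape carries over to a rule engine: match the host positively first, then check the executable against that host's list, rather than relying on a single alternation pattern.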
