Never mind - I am going to try this... and adapt it for Windows audit process logs.
http://blog.rootshell.be/2014/02/10/tracking-processesmalwares-using-ossec/

On Tuesday, March 24, 2015 at 10:55:47 AM UTC-7, Brent Morris wrote:
>
> I'd like to create an application white list from Windows audit logs.
>
> I have some systems that are fairly static in nature. They only do one
> thing, and I want to be alerted when they deviate from this behavior. An
> example use case could be a Windows Embedded POS (no cheeky acronym
> intended). Alerts would be generated when the system is creating processes
> outside of its normal defined behavior.
>
> Here's the issue. I can't match the system_name from the completed
> decode. It doesn't look like system_name is included in the rules syntax.
>
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
>
> My thought was that I could modify the decoder.xml to parse out the
> executable name from the event log and stuff that in program_name. Then
> perform a CDB lookup based on matching system_name.
>
> But since that isn't possible, my second thought was to just do some
> creative matching from the local_rules.xml - however, these local_rules
> screw up all the other "audit success" rules.
>
> <group name="local,syslog,">
>   <rule id="100230" level="0">
>     <if_sid>18104</if_sid>
>     <match>^SYSTEM-NAME|Allowed1.exe|Allowed2.exe</match>
>     <description>SYSTEM-NAME Application Whitelist</description>
>   </rule>
>
>   <rule id="100240" level="10">
>     <if_sid>18104</if_sid>
>     <match>^SYSTEM-NAME|exe</match>
>     <description>SYSTEM-NAME Application Blacklist</description>
>   </rule>
> </group>
>
> How can I positively match a single string "SYSTEM-NAME" and a long list
> of "or" strings?
>
> Thank you!
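Added example, not from the thread or from OSSEC itself: a small Python model of why the quoted rules misfire (in OSSEC `<match>`, `|` ORs every alternative across the whole pattern, so `Allowed2.exe` or `exe` fires on events from any host) and of the two-stage check the question asks for, equivalent to a parent rule on the host with child rules for the allowed list and a catch-all. The log format and host names are constructed for the demo and are not OSSEC's real eventlog layout.

```python
import re

# Constructed sample 4688 events: "<system_name>: ... New Process Name: <path>"
SAMPLE_LOGS = [
    "POS-01: AUDIT_SUCCESS(4688): New Process Name: C:\\POS\\Allowed1.exe",
    "POS-01: AUDIT_SUCCESS(4688): New Process Name: C:\\Windows\\System32\\cmd.exe",
    "FILESRV: AUDIT_SUCCESS(4688): New Process Name: C:\\Tools\\Allowed2.exe",
    "FILESRV: AUDIT_SUCCESS(4688): New Process Name: C:\\Windows\\explorer.exe",
]


def ossec_match(pattern: str, log: str) -> bool:
    """Model of the <match> operator: alternatives are OR'd by '|', and a
    leading '^' anchors only that one alternative at the start of the log."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if log.startswith(alt[1:]):
                return True
        elif alt in log:
            return True
    return False


def whitelist_alerts(logs, system_name, allowed_exes):
    """Two-stage check: a 'parent rule' on the host name (AND), then the
    allowed-executable list (OR) as a level-0 'child', then a catch-all
    that alerts on anything else that host started."""
    allowed = {e.lower() for e in allowed_exes}
    alerts = []
    for log in logs:
        if not log.startswith(system_name + ":"):
            continue  # parent rule does not fire: other hosts are untouched
        m = re.search(r"New Process Name: (.+)$", log)
        exe = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
        if exe in allowed:
            continue  # whitelisted child rule, level 0
        alerts.append((system_name, exe))  # catch-all child rule, level 10
    return alerts


if __name__ == "__main__":
    # The quoted patterns fire on FILESRV events, which is the reported breakage.
    print(ossec_match("^POS-01|Allowed1.exe|Allowed2.exe", SAMPLE_LOGS[2]))
    print(ossec_match("^POS-01|exe", SAMPLE_LOGS[3]))
    print(whitelist_alerts(SAMPLE_LOGS, "POS-01", ["Allowed1.exe", "Allowed2.exe"]))
```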
