Josh - Thanks for the link and the information! I took a quick peek at your work and it looks very thorough! I will give it my full attention next week when I have more time.
Here's my quick and dirty approach for this... It was clear to me that the windows decoder is a good start. Which is a nice way of saying that it could use some fleshing out. I took my approach for this from the following site: http://www.richardosgood.com/blog/fixing-ossec-windows-logon-failure-events/

My use case is pretty interesting. I have a Windows 2003 server that is in a gray area slightly outside of my control. I am, however, allowed to run an OSSEC agent on this computer. It is a one-trick-pony computer, and has very predictable behavior. Given that this computer is connected to some sensitive networks, I wanted to be sure that any time anyone runs anything other than the executables they need to do their job, I would receive an alert.

Other use cases might be that you want to enable GPO application whitelisting or AppLocker, but you don't want to break anything. You could use this approach prior to implementing the GPOs and be assured that there are no other applications missing from your list. There's another link in a previous post that has the AppLocker whitelist approach. It looks to be quite good. Unfortunately I'm still dealing with Windows 2003 here, at least for the next 9 months. Windows XP Embedded would be another use case. Plenty of POS computers running that software right now... AUDIT_SUCCESS events will fly right under the OSSEC radar....

I suspect this approach would work for any system where process auditing is enabled. Just check to see what event ID you need to trap and change the XML below to match. Hope this helps someone out there!
<!-- local_decoder.xml -->

<!-- Rewrite "windows" decoder -->
<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
</decoder>

<!-- Catch 592 "process created" events on Windows 2003 -->
<decoder name="windows-592">
  <type>windows</type>
  <parent>windows</parent>
  <prematch offset="after_parent">^\.+: (\w+)\((592)\):</prematch>
  <!-- captures, in order: audit status, event id, account, host, image file name of the new process -->
  <regex offset="after_parent">^\.+: (\w+)\((592)\): \.+: (\S+): \.+: (\S+): \.+: \.+: \.+ \.+:\s+(\S+) </regex>
  <!-- user and system_name have been reversed to facilitate rule-based trapping -->
  <order>status, id, system_name, user, url</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<!-- Insert original "windows" decoder to maintain OOB functionality -->
<decoder name="windows-default">
  <parent>windows</parent>
  <type>windows</type>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<!-- local_rules.xml -->
<group name="local,syslog,">
  <!-- 18104 is OSSEC's "Windows audit success event"; level 0 silences the whitelisted processes -->
  <rule id="100230" level="0">
    <if_sid>18104</if_sid>
    <id>^592$</id>
    <!-- user has been reversed with system_name in local_decoder.xml to enable functionality below - system_name doesn't work in rules :( -->
    <user>SYSTEM-NAME</user>
    <match>explorer.exe|rdpclip.exe|scrnsave.scr|your_executable_name_here.exe</match>
    <description>SYSTEM-NAME Application Whitelist</description>
  </rule>
  <rule id="100240" level="10">
    <if_sid>18104</if_sid>
    <id>^592$</id>
    <!-- catch everything else that is not in Rule 100230 -->
    <user>SYSTEM-NAME</user>
    <description>SYSTEM-NAME Application Blacklist</description>
  </rule>
</group>
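As an added illustration (mine, not from the post or from OSSEC), the harness below walks constructed WinEvtLog lines through the same field order and rule logic as the decoder and rules above, so you can see which lines the whitelist silences and which raise the level-10 alert. Python's non-greedy `.+?` stands in for OSSEC's `\.+`, which is only an approximation of the OSSEC regex engine; the sample lines, the host name SYSTEM-NAME and the file name unexpected.exe are constructed.

```python
import re

# Constructed WinEvtLog lines in the shape the windows-592 decoder expects (not from
# a real host): whitelisted process, unlisted process, another host, non-592 event.
SAMPLE_LOGS = [
    "WinEvtLog: Security: AUDIT_SUCCESS(592): Security: jdoe: CORP: SYSTEM-NAME: "
    "A new process has been created: New Process ID: 1234 Image File Name: "
    "C:\\WINDOWS\\explorer.exe Creator Process ID: 5678 User Name: jdoe Domain: CORP",
    "WinEvtLog: Security: AUDIT_SUCCESS(592): Security: jdoe: CORP: SYSTEM-NAME: "
    "A new process has been created: New Process ID: 2345 Image File Name: "
    "C:\\Temp\\unexpected.exe Creator Process ID: 5678 User Name: jdoe Domain: CORP",
    "WinEvtLog: Security: AUDIT_SUCCESS(592): Security: jdoe: CORP: OTHER-HOST: "
    "A new process has been created: New Process ID: 3456 Image File Name: "
    "C:\\Temp\\unexpected.exe Creator Process ID: 5678 User Name: jdoe Domain: CORP",
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: jdoe: CORP: SYSTEM-NAME: "
    "Successful Logon: User Name: jdoe Domain: CORP Logon Type: 10",
]

PREMATCH = "WinEvtLog: "  # the parent "windows" decoder
# Approximation of the windows-592 <regex>: OSSEC's \.+ stops at the next literal,
# which Python's non-greedy .+? reproduces on these lines.
DECODER_592 = re.compile(
    r"^.+?: (\w+)\((592)\): .+?: (\S+): .+?: (\S+): .+?: .+?: .+? .+?:\s+(\S+) "
)
ORDER_592 = ("status", "id", "system_name", "user", "url")  # swapped on purpose
WHITELIST = "explorer.exe|rdpclip.exe|scrnsave.scr|your_executable_name_here.exe"
HOST = "SYSTEM-NAME"

def decode_592(line):
    """Return the decoded fields, or None if the 592 decoder does not match."""
    if not line.startswith(PREMATCH):
        return None
    m = DECODER_592.match(line[len(PREMATCH):])
    return dict(zip(ORDER_592, m.groups())) if m else None

def evaluate(line):
    """Mimic rules 100230/100240: (rule id, level) that fires, else None."""
    fields = decode_592(line)
    # 18104 needs AUDIT_SUCCESS; both local rules then require id 592 and the host,
    # which sits in the "user" field because of the swapped <order>.
    if fields is None or not fields["status"].startswith("AUDIT_SUCCESS"):
        return None
    if fields["id"] != "592" or fields["user"] != HOST:
        return None
    # The level-0 whitelist is checked first; <match> is a substring test with | alternation.
    if any(name in line for name in WHITELIST.split("|")):
        return ("100230", 0)
    return ("100240", 10)
```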
