I found it...

the issue was that I prepended a / to the ossec.conf <list>

bad
<list>*/*lists/filename</list>

good!
<list>lists/filename</list>


Thanks for your help!

On Tuesday, March 31, 2015 at 3:05:32 PM UTC-7, DefensiveDepth wrote:

> 1) Confirm that you have the list referenced in ossec.conf, i.e. 
> <list>lists/psexec</list>
>
> 2) Create the cdb file with no extension, i.e. vi /var/ossec/lists/psexec
> 3) Run: /var/ossec/bin/ossec-makelists, it should create a file named 
> psexec.cdb in the lists folder
>
> When doing my first CDB list a couple months back I ran into some weird 
> issues with the ossec-makelists & file extensions...  The above are my raw 
> notes that eventually worked....
>
> -Josh
>
>
>
> On Tuesday, March 31, 2015 at 4:52:51 PM UTC-4, Brent Morris wrote:
>>
>> *Raw Log...*
>>
>> 2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: 
>> SYSTEM-NAME: SYSTEM-NAME: Process Create:      UtcTime: 3/31/2015 
>> 06:37:27.465 PM      ProcessGuid: {7531FA7E-E967-551A-0000-0010D2A58706}   
>>    ProcessId: 5868      Image: C:\Folder\Folder\file.exe      CommandLine: 
>> C:\Folder\Folder\file.exe       User: DOMAIN\Username      LogonGuid: 
>> {7531FA7E-E963-551A-0000-0020EB238706}      LogonId: 0x68723eb     
>>  TerminalSessionId: 1      IntegrityLevel: no level      HashType: SHA1     
>>  Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38      ParentProcessGuid: 
>> {7531FA7E-E965-551A-0000-0010038F8706}      ParentProcessId: 476     
>>  ParentImage: C:\Folder\Folder\Parent.exe      ParentCommandLine: 
>> "C:\Folder\Folder\Parent.exe"
>>
>> *Decoded...*
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'C:\Folder\Folder\file.exe'
>>        dstuser: 'DOMAIN\Username'
>>        url: '19AF48C6B036E722D74FA00C4E852774236D2F38'
>>        extra_data: 'C:\Folder\Folder\Parent.exe'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100242'
>>        Level: '12'
>>        Description: 'Unauthorized Process Detected'
>> **Alert to be generated.
>>
>>
>> *Rules...*
>>
>> <rule id="100241" level="0">
>>   <if_sid>18100</if_sid>
>>   <list field="url">rules/lists/filelist</list>
>>   <description>Authorized Process</description>
>> </rule>
>>
>> <rule id="100242" level="12">
>>   <if_sid>18100</if_sid>
>>   <list field="url" lookup="not_match_key">rules/lists/filelist</list>
>>   <description>Unauthorized Process</description>
>> </rule>
>>
>> *CDB file contents...*
>>
>> 19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe
>>
>> *Goal:*
>>
>> I would like to monitor a system for expected behavior and receive alerts 
>> when unexpected behavior occurs.  I have a list of SHA1 hashes of the 
>> executables as in the CDB file contents above.  I simply want an alert when 
>> there are processes executed from this system outside of its baseline.
>>
>> *Issue:*  
>>
>> I cannot get a MATCH to work in the CDB.  Maybe it's something simple and 
>> I've just been looking at this too long.  I've commented out the 100242 
>> rule and I cannot get 100241 to work.  
>>
>> Much of the documentation supports no file extensions on the cdb lists in 
>> the ossec.conf and in the rules.xml - although I can find examples where 
>> people have included extensions...
>>
>> Maybe something silly I've overlooked?  Please... someone slap some sense 
>> into me!!! 
>>
>> Thank you!
>>

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
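As an added example (not OSSEC's own code), the following Python re-implements the match_key / not_match_key semantics of the `<list field="url">` lookups used by rules 100241 and 100242 above, and adds a check for the ossec.conf `<list>` path forms the thread shows failing. The list text, rule table and hashes are constructed from the values in the thread.

```python
# Constructed CDB source text in the key:value form shown in the thread
# (the file ossec-makelists compiles into <name>.cdb).
CDB_SOURCE = """
19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe
"""

# (rule id, level, lookup) as in the thread; match_key is OSSEC's default lookup.
RULES = [(100241, 0, "match_key"), (100242, 12, "not_match_key")]


def parse_cdb_source(text):
    """Return {key: value} from 'key:value' lines; blank lines are skipped.
    A line without ':' maps the whole line to an empty value (assumption)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            key, _, value = line.partition(":")
            entries[key] = value
    return entries


def check_list_path(path):
    """Flag the <list> path forms the thread reports as not working:
    a leading '/', glob characters, or a '.cdb' extension on the reference."""
    problems = []
    if path.startswith("/"):
        problems.append("leading '/'; the working entry was 'lists/filename'")
    if "*" in path or "?" in path:
        problems.append("glob characters; '*/*lists/filename' did not load")
    if path.endswith(".cdb"):
        problems.append("drop '.cdb'; ossec-makelists creates the compiled file")
    return problems


def matching_rules(rules, field_value, cdb):
    """Return [(id, level)] for each rule whose lookup holds for field_value:
    match_key fires when the decoded field is a key in the list,
    not_match_key when it is not."""
    present = field_value in cdb
    fired = []
    for rule_id, level, lookup in rules:
        if lookup not in ("match_key", "not_match_key"):
            raise ValueError("unsupported lookup: " + lookup)
        if (lookup == "match_key") == present:
            fired.append((rule_id, level))
    return fired


if __name__ == "__main__":
    cdb = parse_cdb_source(CDB_SOURCE)
    # The Sysmon SHA1 landed in the 'url' field of the 'windows' decoder output.
    print(matching_rules(RULES, "19AF48C6B036E722D74FA00C4E852774236D2F38", cdb))
    print(matching_rules(RULES, "0" * 40, cdb))   # an unlisted hash -> level 12
    print(check_list_path("*/*lists/filename"))   # the 'bad' entry from the thread
```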