The updated (& new) Sysmon decoders look great!

Will you be pushing the Sysmon decoders to OSSEC core? I.e. here 
<https://github.com/ossec/ossec-hids/blob/094327973941546b0ac2e61ec2509919558258e1/etc/decoder.xml>

-Josh

On Tuesday, November 24, 2015 at 1:41:11 PM UTC-5, je...@wazuh.com wrote:
>
> Hello Konrad,
>
> I had the same issue and I fixed it using windows as parent.
>
> I give you an example. You can see in archives.log this:
> 2015 Nov 24 19:03:55 (windows_2008) 192.168.2.201->WinEvtLog 2015 Nov 24 
> 19:03:55 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: 
> WIN-K3UD9R5LCEL: Process Create:  UtcTime: 2015-11-24 18:03:55.292 
>  ProcessGuid: {0B364D7C-A68B-5654-0000-0010AEE11300}  ProcessId: 2392 
>  Image: C:\Windows\System32\mspaint.exe  CommandLine: 
> "C:\Windows\system32\mspaint.exe"   CurrentDirectory: C:\Windows\system32\ 
>  User: WIN-K3UD9R5LCEL\Administrator  LogonGuid: 
> {0B364D7C-6052-5654-0000-0020F1570100}  LogonId: 0x157f1 
>  TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
> SHA1=3F97DC3BD1467C710C6A8D26B97BB6CF47DEB4C6,MD5=458F4590F80563EB2A0A72709BFC2BD9,SHA256=FF923C051AE380BF30D749EBE9CF310CCAB6572D84EB81B76FB1012BCBDF557F,IMPHASH=152C8272EF887AF33419CC9F60ABC28F
>  
>  ParentProcessGuid: {0B364D7C-6055-5654-0000-00107BCD0100} 
>  ParentProcessId: 1980  ParentImage: C:\Windows\explorer.exe 
>  ParentCommandLine: C:\Windows\Explorer.EXE
>
> The blue text is a header. OSSEC uses this to launch alerts:
> Nov 24 19:03:55 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: 
> WIN-K3UD9R5LCEL: Process Create:  UtcTime: 2015-11-24 18:03:55.292 
>  ProcessGuid: {0B364D7C-A68B-5654-0000-0010AEE11300}  ProcessId: 2392 
>  Image: C:\Windows\System32\mspaint.exe  CommandLine: 
> "C:\Windows\system32\mspaint.exe"   CurrentDirectory: C:\Windows\system32\ 
>  User: WIN-K3UD9R5LCEL\Administrator  LogonGuid: 
> {0B364D7C-6052-5654-0000-0020F1570100}  LogonId: 0x157f1 
>  TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
> SHA1=3F97DC3BD1467C710C6A8D26B97BB6CF47DEB4C6,MD5=458F4590F80563EB2A0A72709BFC2BD9,SHA256=FF923C051AE380BF30D749EBE9CF310CCAB6572D84EB81B76FB1012BCBDF557F,IMPHASH=152C8272EF887AF33419CC9F60ABC28F
>  
>  ParentProcessGuid: {0B364D7C-6055-5654-0000-00107BCD0100} 
>  ParentProcessId: 1980  ParentImage: C:\Windows\explorer.exe 
>  ParentCommandLine: C:\Windows\Explorer.EXE
>
> So, the windows decoder captures this event:
> <decoder name="*windows*">
>   <type>windows</type>
>   <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: 
> </prematch>
>   ...
>
> Just add windows as parent to sysmon decoder and it works:
> <decoder name="*Sysmon-EventID#1*">
>     <parent>windows</parent>
>     ...
>
> I tested with:
> <rule id="400001" level="15">
>     <if_sid>18100</if_sid>
>     <status>mspaint.exe</status>
>     <description>TestSysmon PAINT</description>
> </rule>
>
> And in alerts.log I see:
> ** Alert 1448383718.178946: mail  - sysmon_process-anomalies
> 2015 Nov 24 17:48:38 (windows_2008) 192.168.2.201->WinEvtLog
> Rule: 400001 (level 15) -> 'TestSysmon PAINT'
> User: WIN-K3UD9R5LCEL\Administrator
> 2015 Nov 24 17:48:38 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: 
> WIN-K3UD9R5LCEL: Process Create:  UtcTime: 2015-11-24 16:48:38.119 
>  ProcessGuid: {0B364D7C-94E6-5654-0000-001009291100}  ProcessId: 1232 
>  Image: C:\Windows\System32\mspaint.exe  CommandLine: "
> C:\Windows\system32\mspaint.exe"   CurrentDirectory: 
> C:\Windows\system32\  User: WIN-K3UD9R5LCEL\Administrator  LogonGuid: 
> {0B364D7C-6052-5654-0000-0020F1570100}  LogonId: 0x157f1 
>  TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
> SHA1=3F97DC3BD1467C710C6A8D26B97BB6CF47DEB4C6,MD5=458F4590F80563EB2A0A72709BFC2BD9,SHA256=FF923C051AE380BF30D749EBE9CF310CCAB6572D84EB81B76FB1012BCBDF557F,IMPHASH=152C8272EF887AF33419CC9F60ABC28F
>  
>  ParentProcessGuid: {0B364D7C-6055-5654-0000-00107BCD0100} 
>  ParentProcessId: 1980  ParentImage: C:\Windows\explorer.exe 
>  ParentCommandLine: C:\Windows\Explorer.EXE
>
>
> I'm using a new decoder compatible with the latest version of sysmon; you 
> can find it here: Sysmon decoders 
> <https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/decoder.xml>.
>  
> Also you will find decoders for Event 2 - 8 of sysmon.
>
>
> I hope it will be useful to you.
>
> Jesús Linares.
>
>
> On Tuesday, November 24, 2015 at 1:49:27 AM UTC+1, Konrad W wrote:
>>
>> Hello,
>>
>> I am having issues with decoding sysmon generated process creation logs 
>> and alerting. I am using below decoder:
>>
>>
>> https://github.com/defensivedepth/Sysmon_OSSEC/blob/master/Sysmon_OSSEC-Decoders.xml
>>
>> I have also loaded rules below:
>>
>>
>> https://github.com/defensivedepth/Sysmon_OSSEC/blob/master/Alert-On-Image-Name_OSSEC-Ruleset.txt
>>
>> When doing the ossec-logtest and pasting the message captured in the 
>> archives.log received from my desktop it works correctly, however 
>> alerts.log doesn't have an alert:
>>
>> /var/ossec/bin/ossec-logtest
>> 2015/11/24 00:38:00 ossec-testrule: INFO: Reading local decoder file.
>> 2015/11/24 00:38:00 ossec-testrule: INFO: Started (pid: 21832).
>> ossec-testrule: Type one log per line.
>>
>> 2015 Nov 24 00:31:12 (TESTPC1) 192.168.1.24->WinEvtLog 2015 Nov 23 
>> 19:31:09 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: Process Create: 
>>  UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
>> {CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
>> C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
>> CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
>> {CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
>>  TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
>> SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
>> {CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
>> C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2015 Nov 24 00:31:12 (TESTPC1) 
>> 192.168.1.24->WinEvtLog 2015 Nov 23 19:31:09 WinEvtLog: 
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: Process Create: 
>>  UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
>> {CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
>> C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
>> CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
>> {CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
>>  TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
>> SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
>> {CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
>> C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
>>        hostname: 'SO-Sensor1'
>>        program_name: '(null)'
>>        log: '2015 Nov 24 00:31:12 (TESTPC1) 192.168.1.24->WinEvtLog 2015 
>> Nov 23 19:31:09 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: 
>> Process Create:  UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
>> {CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
>> C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
>> CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
>> {CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
>>  TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
>> SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
>> {CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
>> C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'SysmonV3-EventID#1'
>>        status: 'C:\Windows\System32\cmd.exe'
>>        dstuser: 'TESTPC1\testuser'
>>        url: 'SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8'
>>        extra_data: 'C:\Windows\explorer.exe'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '182669'
>>        Level: '12'
>>        Description: 'cmd usage'
>> **Alert to be generated.
>>
>>
>> As per the earlier blog post (
>> https://groups.google.com/forum/#!topic/ossec-list/dSKSRpx_olQ), Dan 
>> advised testing the decoder starting at the 2nd timestamp. When I do that 
>> I match the wrong decoder, which is why the rules are not matching; see 
>> below:
>>
>> /var/ossec/bin/ossec-logtest -v
>> 2015/11/24 00:41:44 ossec-testrule: INFO: Reading local decoder file.
>> 2015/11/24 00:41:44 ossec-testrule: INFO: Started (pid: 23805).
>> ossec-testrule: Type one log per line.
>>
>> 2015 Nov 23 19:31:09 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: 
>> Process Create:  UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
>> {CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
>> C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
>> CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
>> {CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
>>  TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
>> SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
>> {CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
>> C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2015 Nov 23 19:31:09 WinEvtLog: 
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: Process Create: 
>>  UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
>> {CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
>> C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
>> CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
>> {CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
>>  TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
>> SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
>> {CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
>> C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
>>        hostname: 'SO-Sensor1'
>>        program_name: '(null)'
>>        log: '2015 Nov 23 19:31:09 WinEvtLog: 
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: TESTPC1: Process Create: 
>>  UtcTime: 2015-11-24 00:31:09.674  ProcessGuid: 
>> {CD81AE75-AFCD-5653-0000-00100FF1E900}  ProcessId: 7680  Image: 
>> C:\Windows\System32\cmd.exe  CommandLine: "C:\Windows\system32\cmd.exe"   
>> CurrentDirectory: C:\Users\testuser\  User: TESTPC1\testuser  LogonGuid: 
>> {CD81AE75-675B-5653-0000-0020B22A0800}  LogonId: 0x82ab2 
>>  TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: 
>> SHA1=0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8  ParentProcessGuid: 
>> {CD81AE75-675D-5653-0000-00107AE60800}  ParentProcessId: 4368  ParentImage: 
>> C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'INFORMATION'
>>        id: '1'
>>        extra_data: 'Microsoft-Windows-Sysmon'
>>        dstuser: 'SYSTEM'
>>        system_name: 'TESTPC1'
>>
>> **Rule debugging:
>>     Trying rule: 6 - Generic template for all windows rules.
>>        *Rule 6 matched.
>>        *Trying child rules.
>>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>>     Trying rule: 18100 - Group of windows rules.
>>        *Rule 18100 matched.
>>        *Trying child rules.
>>     Trying rule: 18101 - Windows informational event.
>>        *Rule 18101 matched.
>>        *Trying child rules.
>>     Trying rule: 7500 - Grouping of McAfee Windows AV rules.
>>     Trying rule: 18146 - Application Uninstalled.
>>     Trying rule: 18147 - Application Installed.
>>     Trying rule: 18126 - Remote access login success.
>>     Trying rule: 18145 - Service startup type was changed.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18101'
>>        Level: '0'
>>        Description: 'Windows informational event.'
>>
>> I am running OSSEC client version 2.8.3 on Windows 7 and server is part 
>> of the Security Onion deployment. Windows is running sysmon version 3.1. 
>>
>> Josh (DefensiveDepth) thanks for looking into this again. 
>>
>> Konrad
>>
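As an added illustration, not code from the thread, from OSSEC or from Wazuh: a small Python model of why a standalone Sysmon decoder loaded after the core decoders loses to the `windows` decoder, and why `<parent>windows</parent>` makes it run as a child. The decoder names, field names and regexes are this editor's simplification of the real decoder.xml, and the sample event is constructed from the thread's own example with most fields dropped.

```python
import re

# Constructed sample in the archives.log shape shown in the thread (fields abbreviated):
# the agent header "<time> (<agent>) <ip>->WinEvtLog " precedes the event text that
# analysisd actually matches decoders against, so it must not be pasted into logtest.
ARCHIVE_LINE = (r'2015 Nov 24 19:03:55 (windows_2008) 192.168.2.201->WinEvtLog '
    r'2015 Nov 24 19:03:55 WinEvtLog: Microsoft-Windows-Sysmon/Operational: '
    r'INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: '
    r'Process Create:  UtcTime: 2015-11-24 18:03:55.292  Image: C:\Windows\System32\mspaint.exe  '
    r'CommandLine: "C:\Windows\system32\mspaint.exe"  User: WIN-K3UD9R5LCEL\Administrator  '
    r'ParentImage: C:\Windows\explorer.exe')
AGENT_HEADER = re.compile(r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d \(\S+\) \S+->\S+ ")

def strip_agent_header(line):
    """Return what to feed ossec-logtest: the event from the second timestamp on."""
    return AGENT_HEADER.sub("", line, count=1)

# Simplified model of decoder evaluation (this editor's, not OSSEC's own code): top-level
# decoders are tried in load order, the first prematch hit wins, then only its children run.
WINDOWS = {"name": "windows", "parent": None,
           "prematch": r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ",
           "regex": r"WinEvtLog: (\S+): (\w+)\((\d+)\): (\S+): (\S+): ",
           "order": ["channel", "status", "id", "extra_data", "dstuser"]}

def sysmon_event1(parent):
    """Sysmon Event 1 decoder; parent is None (standalone) or "windows"."""
    return {"name": "Sysmon-EventID#1", "parent": parent, "prematch": r"Process Create: ",
            "regex": r"Image: (\S+)  CommandLine: (.+?)  User: (\S+)  .*ParentImage: (\S+)",
            "order": ["image", "commandline", "user", "parent_image"]}

def decode(log, decoders):
    """Return (decoder chain, extracted fields) for one pre-decoded event."""
    chain, fields = [], {}
    for root in (d for d in decoders if d["parent"] is None):
        if not re.search(root["prematch"], log):
            continue
        children = (c for c in decoders if c["parent"] == root["name"])
        child = next((c for c in children if re.search(c["prematch"], log)), None)
        for d in filter(None, [root, child]):
            chain.append(d["name"])
            m = re.search(d["regex"], log)
            fields.update(zip(d["order"], m.groups()) if m else {})
        break   # first matching top-level decoder wins; no other root is tried
    return chain, fields

def standalone():   # Konrad's layout: Sysmon decoder loaded after windows, no parent
    return decode(strip_agent_header(ARCHIVE_LINE), [WINDOWS, sysmon_event1(None)])
def with_parent():  # the thread's fix: <parent>windows</parent> on the Sysmon decoder
    return decode(strip_agent_header(ARCHIVE_LINE), [WINDOWS, sysmon_event1("windows")])
```

`standalone()` reproduces Konrad's second logtest run (decoder `windows`, status `INFORMATION`, id `1`, no image field), while `with_parent()` yields both decoders in the chain and the Sysmon fields a rule such as the `mspaint.exe` test above can match on.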

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.