Hello,
I incorporated Wazuh's custom OSSEC decoders for Sysmon events
(https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml)
by placing these decoders into /var/ossec/etc/local_decoder.xml. However,
when I did this, the normal windows rules in
/var/ossec/rules/msauth_rules.xml would no longer fire. Obviously I created
a conflict of some sort, but I'm not certain where.
To expound, here is a sample log line:
2016 Jan 13 08:19:04 WinEvtLog: Security: AUDIT_SUCCESS(4733): Microsoft-Windows-Security-Auditing: (no user): no domain: foo.local: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: foo-machine$ Account Domain: FOO Logon ID: 0x3e7 Member: Security ID: S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
Before adding a local_decoder.xml, this log line would be parsed as follows:
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4733'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'foo-machine'
**Phase 3: Completed filtering (rules).
Rule id: '18217'
Level: '12'
Description: 'Administrators Group Changed'
Info - Text: 'http://support.microsoft.com/kb/243330'
**Alert to be generated.
Now, it's parsed as such:
**Phase 2: Completed decoding.
decoder: 'windows'
**Phase 3: Completed filtering (rules).
Rule id: '18100'
Level: '0'
Description: 'Group of windows rules.'
Why!?!
Thanks!
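Added example, not part of the original post and not OSSEC's or Wazuh's own decoder code: a small Python parser that pulls the same fields out of the sample line that the poster's "before" Phase 2 output shows (status, id, extra_data, dstuser, system_name), so the expected decode result can be checked outside ossec-logtest. The regular expressions are my own approximation of the WinEvtLog layout seen in the post, not the stock windows decoder's.

```python
import re

# Sample log line copied from the post (the member SID is redacted there too).
SAMPLE_LINE = (
    "2016 Jan 13 08:19:04 WinEvtLog: Security: AUDIT_SUCCESS(4733): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: foo.local: "
    "A member was removed from a security-enabled local group. "
    "Subject: Security ID: S-1-5-18 Account Name: foo-machine$ Account Domain: FOO "
    "Logon ID: 0x3e7 Member: Security ID: S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx "
    "Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators "
    "Group Domain: Builtin Additional Information: Privileges: -"
)

# Header layout as it appears in the post: an optional syslog-style timestamp,
# then "WinEvtLog: <channel>: <STATUS>(<id>): <provider>: <user>: <domain>: <host>: <message>".
# This is an approximation written for this example, not the stock OSSEC regex.
HEADER_RE = re.compile(
    r"^(?:\S+ \S+ \S+ \S+ )?"
    r"WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)

# The "Subject" account in the message body is what the post's Phase 2 output
# reports as system_name (the trailing '$' of the machine account is stripped).
SUBJECT_RE = re.compile(r"Subject: Security ID: \S+ Account Name: (?P<name>\S+)")


def decode_winevtlog(line):
    """Return the decoded fields for a WinEvtLog line, or None if it does not match."""
    header = HEADER_RE.match(line)
    if header is None:
        return None
    fields = {k: header.group(k) for k in ("status", "id", "extra_data", "dstuser")}
    subject = SUBJECT_RE.search(header.group("message"))
    if subject is not None:
        fields["system_name"] = subject.group("name").rstrip("$")
    return fields


if __name__ == "__main__":
    for name, value in (decode_winevtlog(SAMPLE_LINE) or {}).items():
        print(f"{name}: '{value}'")
```

Feeding the same line to ossec-logtest before and after the change and comparing its Phase 2 fields against this output shows exactly which decoder stage stopped matching.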