Hi, if you want to use Sysmon + OSSEC, here <https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml> you have decoders for every Sysmon event:
- Event ID 1: Process Created
- Event ID 2: A process changed a file creation time
- Event ID 3: Network connection
- Event ID 4: Sysmon service state changed
- Event ID 5: Process terminated
- Event ID 6: Driver loaded
- Event ID 7: Image loaded
- Event ID 8: CreateRemoteThread

Also, take a look at the Sysmon rules included by default in OSSEC.

On Thursday, January 14, 2016 at 2:58:56 PM UTC+1, Brent Morris wrote:
>
> http://santi-bassett.blogspot.com/2014/09/osseccon-2014-malware-detection-with.html
>
> Another option would be to glean the SHA1 values of malware, and create and use the Sysmon blacklist. But automating a blacklist of SHA1 values for malware, using Sysmon and a CDB list in OSSEC, would be a method worth considering. This wouldn't work with the win_malware_rcl.txt and using IOCs from that angle.
>
> On Friday, January 8, 2016 at 4:05:40 AM UTC-8, 林威任 wrote:
>>
>> Hello, I have installed the server and agent of OSSEC.
>> I want to use OSSEC to detect malware on Windows systems,
>> so I must add some code to the win_malware_rcl.txt.
>> Then I can analyse the log files produced.
>> PS: this is used for research.
>> Please give me some ideas.
>> Thank you very much.
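Added example (not code from this thread, from OSSEC or from the Wazuh decoders linked above): a small Python model of what the two suggestions in the thread combine to do. The decoder step splits a Sysmon Event ID 1 (Process Created) or Event ID 7 (Image loaded) message body into fields and pulls the SHA1 out of its `Hashes` field; the rule step then looks that SHA1 up in a blacklist, standing in for the CDB list Brent Morris describes, and emits an alert on a hit. The event bodies follow Sysmon's `Key: Value` message layout, but the paths, GUIDs and hashes are constructed placeholders, and the `hash:label` line format written by `make_cdb_list` is the plain `key:value` text that OSSEC list files use before `ossec-makelists` compiles them. Events without a `Hashes` field (Event ID 3, Network connection, for instance) are skipped rather than misclassified.

```python
"""Match Sysmon process-create / image-load events against a SHA1 blacklist,
the way an OSSEC rule backed by a CDB list would after the decoder has split
the event into fields.  Added example; event bodies and hashes are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed SHA1 blacklist (stand-in for the CDB list).  Keys are uppercase
# hex because Sysmon emits hashes in uppercase and the list lookup is exact.
BLACKLIST: Dict[str, str] = {
    "B" * 40: "constructed-sample-dropper",
    "C" * 40: "constructed-sample-dll",
}

# Constructed Sysmon message bodies as (event_id, body).  The first line of a
# Sysmon body is a title with no value; the rest are 'Key: Value' lines.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (1, "Process Create:\r\nUtcTime: 2016-01-14 13:58:56.123\r\n"
        "ProcessGuid: {00000000-0000-0000-0000-000000000001}\r\nProcessId: 1234\r\n"
        "Image: C:\\Windows\\System32\\cmd.exe\r\nCommandLine: cmd.exe /c echo a: b\r\n"
        "User: LAB\\alice\r\nHashes: SHA1=" + "A" * 40 + ",MD5=" + "1" * 32 + "\r\n"
        "ParentImage: C:\\Windows\\explorer.exe"),
    (1, "Process Create:\r\nUtcTime: 2016-01-14 13:59:02.456\r\n"
        "ProcessGuid: {00000000-0000-0000-0000-000000000002}\r\nProcessId: 2345\r\n"
        "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\r\n"
        "CommandLine: update.exe /silent\r\nUser: LAB\\alice\r\n"
        "Hashes: SHA1=" + "B" * 40 + ",MD5=" + "2" * 32 + "\r\n"
        "ParentImage: C:\\Windows\\System32\\cmd.exe"),
    (3, "Network connection detected:\r\nUtcTime: 2016-01-14 13:59:03.000\r\n"
        "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\r\n"
        "DestinationIp: 10.0.0.5\r\nDestinationPort: 443"),
    (7, "Image loaded:\r\nUtcTime: 2016-01-14 13:59:04.789\r\n"
        "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\r\n"
        "ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll\r\n"
        "Hashes: SHA256=" + "D" * 64 + ",SHA1=" + "C" * 40 + "\r\nSigned: false"),
]

HASH_RE = re.compile(r"^(SHA1|MD5|SHA256|IMPHASH)=([0-9A-Fa-f]+)$")


def parse_sysmon_body(body: str) -> Dict[str, str]:
    """Decoder step: split the 'Key: Value' lines of a Sysmon message into a dict.
    Split on the first ': ' only, since CommandLine values may contain colons."""
    fields: Dict[str, str] = {}
    for line in re.split(r"\r?\n", body):
        if ": " not in line:
            continue  # title line such as 'Process Create:' carries no value
        key, value = line.split(": ", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_hashes(hashes: str) -> Dict[str, str]:
    """Turn Sysmon's 'SHA1=...,MD5=...' Hashes field into {algorithm: HEXDIGEST}."""
    out: Dict[str, str] = {}
    for part in hashes.split(","):
        m = HASH_RE.match(part.strip())
        if m:
            out[m.group(1)] = m.group(2).upper()
    return out


def make_cdb_list(blacklist: Dict[str, str]) -> str:
    """Render the blacklist as OSSEC list-file lines ('key:value') for
    ossec-makelists; the SHA1 is the key a rule's list check would look up."""
    return "".join(f"{sha1}:{label}\n" for sha1, label in sorted(blacklist.items()))


def check_event(event_id: int, body: str,
                blacklist: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Rule step: return an alert when the event carries a blacklisted SHA1.
    Only event IDs whose body includes a Hashes field (1 and 7 here) qualify."""
    if event_id not in (1, 7):
        return None
    fields = parse_sysmon_body(body)
    sha1 = parse_hashes(fields.get("Hashes", "")).get("SHA1")
    if sha1 is None or sha1 not in blacklist:
        return None
    # Event 1 names the new process in Image; event 7 names the DLL in ImageLoaded.
    image = fields.get("Image") if event_id == 1 else fields.get("ImageLoaded")
    return {"event_id": event_id, "image": image or "?",
            "sha1": sha1, "label": blacklist[sha1]}


def scan(events: List[Tuple[int, str]],
         blacklist: Dict[str, str]) -> List[Dict[str, object]]:
    """Run every event through check_event and collect the alerts in order."""
    alerts: List[Dict[str, object]] = []
    for event_id, body in events:
        alert = check_event(event_id, body, blacklist)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(make_cdb_list(BLACKLIST), end="")
    for a in scan(SAMPLE_EVENTS, BLACKLIST):
        print(f"ALERT event {a['event_id']}: {a['image']} sha1={a['sha1']} ({a['label']})")
```

In real OSSEC the split of labour is the same: the decoder extracts the `Hashes` field, and a rule's list check looks the SHA1 up in the compiled CDB list, so refreshing the list is just regenerating the `key:value` file and rerunning `ossec-makelists`, which is the automation Brent Morris has in mind. Keep the hash case consistent between what Sysmon emits and what you write into the list, since the lookup is an exact string match.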
