On Fri, Apr 22, 2016 at 11:50 AM, Rob B <[email protected]> wrote:
> dan,
>
> I have this from the alerts log:
>
> ** Alert 1461339927.2762520: - windows,system_error,
> 2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog
> Rule: 18103 (level 5) -> 'Windows error event.'
> User: cuckoo
> 2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL:
> ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
> \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.
>
Ok, so I installed 2.8.3 and here is what a vanilla 2.8.3's
ossec-logtest gives us for this log message:
**Phase 1: Completed pre-decoding.
full event: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'
hostname: 'ipyr'
program_name: '(null)'
log: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'
**Phase 2: Completed decoding.
decoder: 'windows'
**Phase 3: Completed filtering (rules).
Rule id: '18100'
Level: '0'
Description: 'Group of windows rules.'
Unfortunately it doesn't decode the status field, and triggers 18100
instead of 18103.
Adding the following decoder gets me to the same point you're at:
<decoder name="windows-applocker">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>WinEvtLog: Microsoft-Windows-AppLocker</prematch>
  <regex offset="after_prematch">: (ERROR)\p(\d+)</regex>
  <order>status,id</order>
</decoder>
Notice that the status field will be "ERROR" and the id field will be
"8004." The logtest follows, with the final rule after that.
logtest:
**Phase 1: Completed pre-decoding.
full event: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'
hostname: 'ipyr'
program_name: '(null)'
log: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'ERROR'
id: '8004'
**Phase 3: Completed filtering (rules).
Rule id: '18103'
Level: '5'
Description: 'Windows error event.'
**Alert to be generated.
So I modified the rule you posted like so:
<rule id="100046" level="12">
  <if_sid>18103</if_sid>
  <status>ERROR</status> <!-- The status will be ERROR -->
  <id>^8004$</id> <!-- Windows decoders seem to prefer id for this type of info -->
  <description>AppLocker - blocked program.</description>
</rule>
Using that rule gives me the following output:
**Phase 1: Completed pre-decoding.
full event: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'
hostname: 'ipyr'
program_name: '(null)'
log: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'ERROR'
id: '8004'
**Phase 3: Completed filtering (rules).
Rule id: '100046'
Level: '12'
Description: 'AppLocker - blocked program.'
**Alert to be generated.
>
> Side note: I have been running logtest and executing the play, though
> nothing shows in logtest. Should I see the event fire as output in my
> terminal session?
>
> Thanks, Rob
>
>
> On Friday, April 22, 2016 at 11:35:10 AM UTC-4, dan (ddpbsd) wrote:
>>
>> Can you provide a log sample?
>>
>> On Fri, Apr 22, 2016 at 11:30 AM, Rob B <[email protected]> wrote:
>> > Hi Folks,
>> >
>> > I have a rule for applocker created as follows:
>> >
>> > <rule id="100046" level="12">
>> > <if_sid>18103</if_sid>
>> > <status>^8004$</status>
>> > <description>AppLocker - blocked program.</description>
>> > </rule>
>> >
>> > Problem: I only see the windows "error event" as a level "5" coming in
>> > from sid 18103; the error event contains all the information I am
>> > looking for.
>> > But my rule 100046 above does nothing.
>> >
>> > As additional info, I also have the following rule:
>> >
>> > <rule id="100045" level="12" >
>> > <if_sid>18100</if_sid>
>> > <status>^8003$|^8004$</status>
>> > <description>Applocker - blocked program.</description>
>> > </rule>
>> >
>> > (Could this possibly cause a conflict?)
>> >
>> >
>> > Question: Overall, could someone shed some light here as to why rule
>> > 100046 does not fire?
>> >
>> > Thanks!!!
>> >
>> > Rob
>> >
>> >
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
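A small Python model of the decoder and rule logic dan describes, added here as an illustration (not dan's code and not OSSEC's engine): it shows why Rob's original rule 100046, which matched `^8004$` against `status`, never fires, while dan's version (status ERROR, id 8004) does. The OSSEC regex `: (ERROR)\p(\d+)` is translated to Python syntax (OSSEC `\p` is one punctuation character), `if_sid` chaining is not modelled, and the second sample line (an audit-mode 8003 event logged at WARNING level) is constructed for the demo.

```python
import re

# Constructed sample events in OSSEC WinEvtLog format: the blocked-EXE line
# from the thread, plus a hypothetical audit-mode 8003 line (AppLocker logs
# 8003 at WARNING level, so the ERROR-only decoder below will not decode it).
BLOCKED = (
    "2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
    "ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: "
    r"\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running."
)
AUDITED = (
    "2016 Apr 22 11:50:01 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
    "WARNING(8003): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: "
    r"\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was allowed to run but would "
    "have been prevented from running if the AppLocker policy were enforced."
)

# Decoder from dan's reply, translated from OSSEC regex to Python: OSSEC's \p
# (one punctuation character) becomes [^\w\s]; \d+ means the same in both.
PREMATCH = "WinEvtLog: Microsoft-Windows-AppLocker"
FIELD_REGEX = re.compile(r": (ERROR)[^\w\s](\d+)")
ORDER = ("status", "id")  # <order>status,id</order>

def decode(log: str) -> dict:
    """Model prematch, offset="after_prematch" and <order> field assignment."""
    fields = {"decoder": "windows"}  # parent decoder name, as logtest reports it
    start = log.find(PREMATCH)
    if start < 0:
        return fields  # child decoder does not apply to this line
    m = FIELD_REGEX.search(log, start + len(PREMATCH))
    if m:  # status/id only exist when the child regex matches
        fields.update(zip(ORDER, m.groups()))
    return fields

def rule_matches(fields: dict, conditions: dict) -> bool:
    """A rule fires only if each <status>/<id> pattern matches its decoded field."""
    return all(key in fields and re.search(pat, fields[key]) is not None
               for key, pat in conditions.items())

ORIGINAL_RULE = {"status": r"^8004$"}                   # Rob's 100046
CORRECTED_RULE = {"status": r"ERROR", "id": r"^8004$"}  # dan's 100046

def evaluate(log: str) -> dict:
    """Decoded fields plus whether each version of rule 100046 would fire."""
    fields = decode(log)
    return {"fields": fields,
            "original_fires": rule_matches(fields, ORIGINAL_RULE),
            "corrected_fires": rule_matches(fields, CORRECTED_RULE)}

if __name__ == "__main__":
    for name, log in (("blocked", BLOCKED), ("audited", AUDITED)):
        print(name, evaluate(log))
```

Note that because the decoder only captures `ERROR`, a rule keyed on id 8003 (as in Rob's rule 100045) will not fire through this decoder; a second regex or a `(\w+)` capture in place of `(ERROR)` would be needed for audit-mode events.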