Very interesting.... and thanks a lot dan!!!! I guess I need to fix my logtest too, it probably would have helped me figure it out. Thanks again!! ;-)
Rob

On Friday, April 22, 2016 at 12:21:48 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Apr 22, 2016 at 11:50 AM, Rob B <[email protected]> wrote:
> > dan,
> >
> > I have this from the alerts log:
> >
> > ** Alert 1461339927.2762520: - windows,system_error,
> > 2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog
> > Rule: 18103 (level 5) -> 'Windows error event.'
> > User: cuckoo
> > 2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.
> >
>
> Ok, so I installed 2.8.3 and here is what a vanilla 2.8.3's
> ossec-logtest gives us for this log message:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
>        hostname: 'ipyr'
>        program_name: '(null)'
>        log: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18100'
>        Level: '0'
>        Description: 'Group of windows rules.'
>
> Unfortunately it doesn't decode the status field, and triggers 18100
> instead of 18103.
>
> Adding the following decoder gets me to the same point you're at:
>
> <decoder name="windows-applocker">
>   <parent>windows</parent>
>   <type>windows</type>
>   <prematch>WinEvtLog: Microsoft-Windows-AppLocker</prematch>
>   <regex offset="after_prematch">: (ERROR)\p(\d+)</regex>
>   <order>status,id</order>
> </decoder>
>
> Notice that the status field will be "ERROR" and the id field will be
> "8004." The logtest follows, with the final rule after that.
>
> logtest:
> **Phase 1: Completed pre-decoding.
>        full event: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
>        hostname: 'ipyr'
>        program_name: '(null)'
>        log: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'ERROR'
>        id: '8004'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18103'
>        Level: '5'
>        Description: 'Windows error event.'
> **Alert to be generated.
>
> So I modified the rule you posted like so:
>
> <rule id="100046" level="12">
>   <if_sid>18103</if_sid>
>   <status>ERROR</status> <!-- The status will be ERROR -->
>   <id>^8004$</id> <!-- Windows decoders seem to prefer id for this type of info -->
>   <description>AppLocker - blocked program.</description>
> </rule>
>
> Using that rule gives me the following output:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
>        hostname: 'ipyr'
>        program_name: '(null)'
>        log: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'ERROR'
>        id: '8004'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100046'
>        Level: '12'
>        Description: 'AppLocker - blocked program.'
> **Alert to be generated.
>
> > Side note: I have been running logtest and executing the play, though
> > nothing shows in logtest. Should I see the event fire as output in my
> > terminal session?
> >
> > Thanks, Rob
> >
> > On Friday, April 22, 2016 at 11:35:10 AM UTC-4, dan (ddpbsd) wrote:
> >>
> >> Can you provide a log sample?
> >>
> >> On Fri, Apr 22, 2016 at 11:30 AM, Rob B <[email protected]> wrote:
> >> > Hi Folks,
> >> >
> >> > I have a rule for applocker created as follows:
> >> >
> >> > <rule id="100046" level="12">
> >> >   <if_sid>18103</if_sid>
> >> >   <status>^8004$</status>
> >> >   <description>AppLocker - blocked program.</description>
> >> > </rule>
> >> >
> >> > Problem: I only see the windows "error event" as a level "5" coming in
> >> > from sid 18103, the error event contains all the information I am looking
> >> > for.
> >> > But my rule 100046 above does nothing.
> >> >
> >> > As additional info, I also have the following rule:
> >> >
> >> > <rule id="100045" level="12" >
> >> >   <if_sid>18100</if_sid>
> >> >   <status>^8003$|^8004$</status>
> >> >   <description>Applocker - blocked program.</description>
> >> > </rule>
> >> >
> >> > (Could this possibly cause a conflict?)
> >> >
> >> > Question: Overall, could someone shed some light here as to why rule
> >> > 100046 does not fire?
> >> >
> >> > Thanks!!!
> >> >
> >> > Rob

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
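The following Python model is an added example, not code from the thread or from OSSEC itself. It re-implements the windows-applocker decoder dan posted (prematch, then `: (ERROR)\p(\d+)` into the status and id fields) and a simplified rule chain, so you can see side by side why Rob's first rule (`<status>^8004$</status>`) never fires while the revised one (`<status>ERROR</status>` plus `<id>^8004$</id>`) does. The way rule 18103 is modelled (fires when a decoded status contains ERROR) is an assumption taken from the logtest output in the thread, not a copy of the stock ruleset, and OSSEC's `\p` is approximated with a plain-Python punctuation class.

```python
import re

# Constructed sample input: the AppLocker event from the thread as the
# pre-decoder hands it on, plus two made-up variants used as controls.
SAMPLE_BLOCKED = (
    "2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
    "ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: "
    "\\\\10.0.1.10\\SHARE\\MALWARE_FOR_DEMO\\PSCP.EXE was prevented from running."
)
SAMPLE_OTHER_ID = SAMPLE_BLOCKED.replace("ERROR(8004)", "ERROR(8005)")
SAMPLE_NOT_APPLOCKER = (
    "2016 Apr 22 11:46:32 WinEvtLog: Some-Other-Provider: ERROR(1234): "
    "constructed line from a different provider"
)

# Python equivalent of the decoder posted in the thread:
#   <prematch>WinEvtLog: Microsoft-Windows-AppLocker</prematch>
#   <regex offset="after_prematch">: (ERROR)\p(\d+)</regex>
#   <order>status,id</order>
# OSSEC's \p matches one punctuation character (the "(" after ERROR);
# [^\w\s] is the closest plain-Python stand-in (assumption).
PREMATCH = "WinEvtLog: Microsoft-Windows-AppLocker"
AFTER_PREMATCH = re.compile(r": (ERROR)[^\w\s](\d+)")


def decode(event):
    """Return the fields the decoder chain would populate for this event.

    The parent 'windows' decoder always applies; status and id are only
    extracted when the AppLocker prematch hits, which is why the vanilla
    2.8.3 logtest in the thread shows no status field.
    """
    fields = {"decoder": "windows"}
    pos = event.find(PREMATCH)
    if pos < 0:
        return fields
    m = AFTER_PREMATCH.search(event, pos + len(PREMATCH))
    if m:
        fields["status"], fields["id"] = m.group(1), m.group(2)
    return fields


# Simplified rule chain, modelled on the logtest output in the thread (an
# assumption, not the stock OSSEC rules): 18100 is the windows group,
# 18103 'Windows error event' needs a decoded status containing ERROR.
BASE_RULES = [
    {"id": "18100", "level": 0, "if_sid": None, "match": {}},
    {"id": "18103", "level": 5, "if_sid": "18100", "match": {"status": "ERROR"}},
]

# Rob's first attempt: tests the event number against the status field.
ORIGINAL_100046 = {"id": "100046", "level": 12, "if_sid": "18103",
                   "match": {"status": "^8004$"}}
# dan's correction: status carries ERROR, the number is in the id field.
REVISED_100046 = {"id": "100046", "level": 12, "if_sid": "18103",
                  "match": {"status": "ERROR", "id": "^8004$"}}


def rule_fires(rule, fields, fired):
    """A rule fires if its if_sid parent fired and every field regex matches."""
    if rule["if_sid"] is not None and rule["if_sid"] not in fired:
        return False
    for name, regex in rule["match"].items():
        if name not in fields or not re.search(regex, fields[name]):
            return False
    return True


def evaluate(event, local_rule):
    """Return the id of the most specific rule that fires, as logtest reports it."""
    fields = decode(event)
    fired = []
    for rule in BASE_RULES + [local_rule]:
        if rule_fires(rule, fields, fired):
            fired.append(rule["id"])
    return fired[-1]


if __name__ == "__main__":
    print("decoded:", decode(SAMPLE_BLOCKED))
    print("original rule ->", evaluate(SAMPLE_BLOCKED, ORIGINAL_100046))
    print("revised rule  ->", evaluate(SAMPLE_BLOCKED, REVISED_100046))
    print("other id      ->", evaluate(SAMPLE_OTHER_ID, REVISED_100046))
    print("no prematch   ->", evaluate(SAMPLE_NOT_APPLOCKER, REVISED_100046))
```

Running it with the original rule stops at 18103, with the revised rule reaches 100046, and a non-AppLocker line stays at 18100 because no status is decoded at all. The practical check this encodes is the one dan applied: always look at what ossec-logtest prints under Phase 2 and write the rule against those exact field names and values, rather than against the number you expect to see.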
