On Fri, Apr 22, 2016 at 12:42 PM, Rob B <[email protected]> wrote:
> Very interesting.... and thanks a lot dan!!!!
>
> I guess I need to fix my logtest too, it probably would have helped me
> figure it out. Thanks again!! ;-)
>

No problem. If you post which version of OSSEC you're using, and the logtest
output, we might be able to help.

> Rob
>
> On Friday, April 22, 2016 at 12:21:48 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Apr 22, 2016 at 11:50 AM, Rob B <[email protected]> wrote:
>> > dan,
>> >
>> > I have this from the alerts log:
>> >
>> > ** Alert 1461339927.2762520: - windows,system_error,
>> > 2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog
>> > Rule: 18103 (level 5) -> 'Windows error event.'
>> > User: cuckoo
>> > 2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL:
>> > ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
>> > \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.
>> >
>>
>> Ok, so I installed 2.8.3 and here is what a vanilla 2.8.3's
>> ossec-logtest gives us for this log message:
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '2016 Apr 22 11:46:32 WinEvtLog:
>> Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
>> Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
>> \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
>> running.'
>> hostname: 'ipyr'
>> program_name: '(null)'
>> log: '2016 Apr 22 11:46:32 WinEvtLog:
>> Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
>> Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
>> \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
>> running.'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'windows'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '18100'
>> Level: '0'
>> Description: 'Group of windows rules.'
>>
>> Unfortunately it doesn't decode the status field, and triggers 18100
>> instead of 18103.
>>
>> Adding the following decoder gets me to the same point you're at:
>>
>> <decoder name="windows-applocker">
>>   <parent>windows</parent>
>>   <type>windows</type>
>>   <prematch>WinEvtLog: Microsoft-Windows-AppLocker</prematch>
>>   <regex offset="after_prematch">: (ERROR)\p(\d+)</regex>
>>   <order>status,id</order>
>> </decoder>
>>
>> Notice that the status field will be "ERROR" and the id field will be
>> "8004." The logtest follows, with the final rule after that.
>>
>> logtest:
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '2016 Apr 22 11:46:32 WinEvtLog:
>> Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
>> Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
>> \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
>> running.'
>> hostname: 'ipyr'
>> program_name: '(null)'
>> log: '2016 Apr 22 11:46:32 WinEvtLog:
>> Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
>> Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
>> \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
>> running.'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'windows'
>> status: 'ERROR'
>> id: '8004'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '18103'
>> Level: '5'
>> Description: 'Windows error event.'
>> **Alert to be generated.
>>
>> So I modified the rule you posted like so:
>>
>> <rule id="100046" level="12">
>>   <if_sid>18103</if_sid>
>>   <status>ERROR</status> <!-- The status will be ERROR -->
>>   <id>^8004$</id> <!-- Windows decoders seem to prefer id for this type of info -->
>>   <description>AppLocker - blocked program.</description>
>> </rule>
>>
>> Using that rule gives me the following output:
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '2016 Apr 22 11:46:32 WinEvtLog:
>> Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
>> Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
>> \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
>> running.'
>> hostname: 'ipyr'
>> program_name: '(null)'
>> log: '2016 Apr 22 11:46:32 WinEvtLog:
>> Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
>> Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
>> \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
>> running.'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'windows'
>> status: 'ERROR'
>> id: '8004'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '100046'
>> Level: '12'
>> Description: 'AppLocker - blocked program.'
>> **Alert to be generated.
>>
>> >
>> > Side note: I have been running logtest and executing the play, though
>> > nothing shows in logtest. Should I see the event fire as output in my
>> > terminal session?
>> >
>> > Thanks, Rob
>> >
>> >
>> > On Friday, April 22, 2016 at 11:35:10 AM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> Can you provide a log sample?
>> >>
>> >> On Fri, Apr 22, 2016 at 11:30 AM, Rob B <[email protected]> wrote:
>> >> > Hi Folks,
>> >> >
>> >> > I have a rule for applocker created as follows:
>> >> >
>> >> > <rule id="100046" level="12">
>> >> >   <if_sid>18103</if_sid>
>> >> >   <status>^8004$</status>
>> >> >   <description>AppLocker - blocked program.</description>
>> >> > </rule>
>> >> >
>> >> > Problem: I only see the windows "error event" as a level "5" coming in
>> >> > from sid 18103; the error event contains all the information I am
>> >> > looking for. But my rule 100046 above does nothing.
>> >> >
>> >> > As additional info, I also have the following rule:
>> >> >
>> >> > <rule id="100045" level="12" >
>> >> >   <if_sid>18100</if_sid>
>> >> >   <status>^8003$|^8004$</status>
>> >> >   <description>Applocker - blocked program.</description>
>> >> > </rule>
>> >> >
>> >> > (Could this possibly cause a conflict?)
>> >> >
>> >> > Question: Overall, could someone shed some light here as to why rule
>> >> > 100046 does not fire?
>> >> >
>> >> > Thanks!!!
>> >> >
>> >> > Rob

--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
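The decode-then-match chain dan walks through above, reproduced as a small runnable model. This is an added example, not code from the thread or from OSSEC: it is a simplified stand-in for the decoder/rule engine (the stock rule 18103 is modelled as "status begins with ERROR", since the page does not show its text), so the real check remains piping the line into ossec-logtest. The LOG_8004 line is the one from the thread; the LOG_8003 line is constructed for this example and assumes the agent labels an AppLocker audit-mode 8003 event with a WARNING level string.

```python
import re

# Constructed sample lines. LOG_8004 is the event from the thread (VICTIM0,
# the 10.0.1.10 share and PSCP.EXE are the thread's own placeholders).
# LOG_8003 is NOT from the thread: it assumes an AppLocker audit-mode 8003
# event arrives from the agent with a WARNING level string.
LOG_8004 = (
    "2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
    "ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: "
    r"\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running."
)
LOG_8003 = (
    "2016 Apr 22 11:47:01 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
    "WARNING(8003): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: "
    r"\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was allowed to run but would "
    "have been prevented from running if the AppLocker policy were enforced."
)

# The thread's <decoder name="windows-applocker">: a prematch, then a regex
# applied after it. OSSEC's "\p" is its punctuation class; the only
# punctuation it has to match here is the "(" before the event id.
PREMATCH = "WinEvtLog: Microsoft-Windows-AppLocker"
AFTER_PREMATCH = re.compile(r": (ERROR)\((\d+)\)")


def decode(line, applocker=True):
    """Model of logtest Phase 2: the parent 'windows' decoder claims any
    WinEvtLog line; the child decoder adds status/id only if its regex hits."""
    if "WinEvtLog:" not in line:
        return {}
    fields = {"decoder": "windows"}
    pos = line.find(PREMATCH)
    if applocker and pos >= 0:
        m = AFTER_PREMATCH.search(line, pos + len(PREMATCH))
        if m:
            fields["status"], fields["id"] = m.group(1), m.group(2)
    return fields


# Stock rules as they behave in the thread's logtest runs (18103 is modelled
# here as "status begins with ERROR"; its real text is not on the page).
STOCK_RULES = [
    {"sid": 18100, "level": 0, "if_sid": None, "category": "windows",
     "description": "Group of windows rules."},
    {"sid": 18103, "level": 5, "if_sid": 18100, "match_status": r"^ERROR",
     "description": "Windows error event."},
]
# Rob's original rule: <status>^8004$</status> under 18103.
ROB_RULE = {"sid": 100046, "level": 12, "if_sid": 18103,
            "match_status": r"^8004$", "description": "AppLocker - blocked program."}
# dan's rewrite: <status>ERROR</status> plus <id>^8004$</id>.
DAN_RULE = {"sid": 100046, "level": 12, "if_sid": 18103,
            "match_status": r"ERROR", "match_id": r"^8004$",
            "description": "AppLocker - blocked program."}


def rule_matches(rule, fields):
    """Every <category>/<status>/<id> condition on the rule must hold; a
    condition on a field the decoder never produced can never match."""
    if "category" in rule and fields.get("decoder") != rule["category"]:
        return False
    for field in ("status", "id"):
        pattern = rule.get("match_" + field)
        if pattern is None:
            continue
        value = fields.get(field)
        if value is None or re.search(pattern, value) is None:
            return False
    return True


def evaluate(fields, rules):
    """Model of Phase 3: start at a root rule, descend through if_sid children
    while one matches, and report the deepest rule reached (None if no root)."""
    current = None
    while True:
        parent = current["sid"] if current else None
        child = next((r for r in rules
                      if r["if_sid"] == parent and rule_matches(r, fields)), None)
        if child is None:
            return current
        current = child


def run(line, extra_rules=(), applocker=True):
    """Decode one line and return (fields, final rule), like one logtest run."""
    fields = decode(line, applocker)
    return fields, evaluate(fields, list(STOCK_RULES) + list(extra_rules))


if __name__ == "__main__":
    for label, kwargs in [
        ("vanilla 2.8.3, no AppLocker decoder", {"applocker": False}),
        ("decoder + Rob's <status>^8004$</status>", {"extra_rules": [ROB_RULE]}),
        ("decoder + dan's <id>^8004$</id>", {"extra_rules": [DAN_RULE]}),
    ]:
        fields, rule = run(LOG_8004, **kwargs)
        print(f"{label}: {fields} -> rule {rule['sid']} level {rule['level']}")
    fields, rule = run(LOG_8003, extra_rules=[DAN_RULE])
    print(f"WARNING(8003) line: {fields} -> rule {rule['sid']} level {rule['level']}")
```

The three runs over LOG_8004 reproduce the thread: no decoder means no status field, so 18103 never matches and the event stops at 18100 (level 0); with the decoder, `<status>^8004$</status>` is tested against the string "ERROR" and fails, so the event stops at 18103 (level 5); only the rule that keys on `<id>^8004$</id>` reaches 100046 (level 12). The constructed WARNING(8003) line shows the remaining gap: because the thread's regex captures only `(ERROR)`, a warning-level event yields no status or id at all, so a rule written for `^8003$|^8004$` cannot fire for it with this decoder. Covering audit-mode events would mean widening the capture (for example `(ERROR|WARNING)`), which rests on the assumption about how the agent labels that event and should be confirmed with ossec-logtest against a real 8003 line.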
