dan, quick question for <match>:

What is the best way to take care of whitespace and a quote in a string, for example: <match>^route-null.cmd" delete</match>

Thanks!,
Rob

On Friday, April 22, 2016 at 12:44:25 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Apr 22, 2016 at 12:42 PM, Rob B <[email protected]> wrote:
> > Very interesting.... and thanks a lot dan!!!!
> >
> > I guess I need to fix my logtest too, it probably would have helped me
> > figure it out. Thanks again!! ;-)
> >
>
> No problem. If you post which version of OSSEC you're using, and the
> logtest output, we might be able to help.
>
> > Rob
> >
> > On Friday, April 22, 2016 at 12:21:48 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Fri, Apr 22, 2016 at 11:50 AM, Rob B <[email protected]> wrote:
> >> > dan,
> >> >
> >> > I have this from the alerts log:
> >> >
> >> > ** Alert 1461339927.2762520: - windows,system_error,
> >> > 2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog
> >> > Rule: 18103 (level 5) -> 'Windows error event.'
> >> > User: cuckoo
> >> > 2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.
> >> >
> >>
> >> Ok, so I installed 2.8.3 and here is what a vanilla 2.8.3's
> >> ossec-logtest gives us for this log message:
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
> >>        hostname: 'ipyr'
> >>        program_name: '(null)'
> >>        log: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'windows'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '18100'
> >>        Level: '0'
> >>        Description: 'Group of windows rules.'
> >>
> >> Unfortunately it doesn't decode the status field, and triggers 18100
> >> instead of 18103.
> >>
> >> Adding the following decoder gets me to the same point you're at:
> >> <decoder name="windows-applocker">
> >>   <parent>windows</parent>
> >>   <type>windows</type>
> >>   <prematch>WinEvtLog: Microsoft-Windows-AppLocker</prematch>
> >>   <regex offset="after_prematch">: (ERROR)\p(\d+)</regex>
> >>   <order>status,id</order>
> >> </decoder>
> >>
> >> Notice that the status field will be "ERROR" and the id field will be
> >> "8004." The logtest follows, with the final rule after that.
> >>
> >>
> >> logtest:
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
> >>        hostname: 'ipyr'
> >>        program_name: '(null)'
> >>        log: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'windows'
> >>        status: 'ERROR'
> >>        id: '8004'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '18103'
> >>        Level: '5'
> >>        Description: 'Windows error event.'
> >> **Alert to be generated.
> >>
> >> So I modified the rule you posted like so:
> >> <rule id="100046" level="12">
> >>   <if_sid>18103</if_sid>
> >>   <status>ERROR</status> <!-- The status will be ERROR -->
> >>   <id>^8004$</id> <!-- Windows decoders seem to prefer id for this type of info -->
> >>   <description>AppLocker - blocked program.</description>
> >> </rule>
> >>
> >> Using that rule gives me the following output:
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
> >>        hostname: 'ipyr'
> >>        program_name: '(null)'
> >>        log: '2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'windows'
> >>        status: 'ERROR'
> >>        id: '8004'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '100046'
> >>        Level: '12'
> >>        Description: 'AppLocker - blocked program.'
> >> **Alert to be generated.
> >>
> >>
> >> > Side note: I have been running logtest and executing the play, though
> >> > nothing shows in logtest. Should I see the event fire as output in my
> >> > terminal session?
> >> >
> >> > Thanks, Rob
> >> >
> >> >
> >> > On Friday, April 22, 2016 at 11:35:10 AM UTC-4, dan (ddpbsd) wrote:
> >> >>
> >> >> Can you provide a log sample?
> >> >>
> >> >> On Fri, Apr 22, 2016 at 11:30 AM, Rob B <[email protected]> wrote:
> >> >> > Hi Folks,
> >> >> >
> >> >> > I have a rule for applocker created as follows:
> >> >> >
> >> >> > <rule id="100046" level="12">
> >> >> >   <if_sid>18103</if_sid>
> >> >> >   <status>^8004$</status>
> >> >> >   <description>AppLocker - blocked program.</description>
> >> >> > </rule>
> >> >> >
> >> >> > Problem: I only see the windows "error event" as a level "5" coming in
> >> >> > from sid 18103; the error event contains all the information I am looking
> >> >> > for.
> >> >> > But my rule 100046 above does nothing.
> >> >> >
> >> >> > As additional info, I also have the following rule:
> >> >> >
> >> >> > <rule id="100045" level="12">
> >> >> >   <if_sid>18100</if_sid>
> >> >> >   <status>^8003$|^8004$</status>
> >> >> >   <description>Applocker - blocked program.</description>
> >> >> > </rule>
> >> >> >
> >> >> > (Could this possibly cause a conflict?)
> >> >> >
> >> >> >
> >> >> > Question: Overall, could someone shed some light here as to why rule
> >> >> > 100046 does not fire?
> >> >> >
> >> >> > Thanks!!!
> >> >> >
> >> >> > Rob

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
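Editor's note, added after the thread and not written by anyone on it: the exchange above turns on two OSSEC matching behaviours, the decoder's <prematch>/<regex offset="after_prematch">/<order> field extraction, and the "simple regex" used by <status>, <id> and <match>, where only ^, $ and | are special and everything else (spaces, quotes, dots) is literal. The Python below is my own emulation of those semantics, not OSSEC code, and is intended only to show why Rob's first rule (<status>^8004$</status>) cannot fire once the decoder puts "ERROR" in status and "8004" in id, and how a <match> with a space and a double quote behaves. The sample log line is copied from the thread; the translation table for OSSEC's \d, \w, \s, \t, \p and \. classes and the case-insensitive matching are my understanding of OSSEC's os_regex, stated as assumptions. (On the XML side, a literal " inside element text needs no escaping; only < and & do.)

```python
import re

# Constructed copy of the AppLocker event from the thread, as one line
# (backslashes doubled for the Python literal).
SAMPLE_LOG = (
    "2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
    "ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: "
    "\\\\10.0.1.10\\SHARE\\MALWARE_FOR_DEMO\\PSCP.EXE was prevented from running."
)

# Dan's windows-applocker decoder, expressed as plain data instead of XML.
APPLOCKER_DECODER = {
    "prematch": "WinEvtLog: Microsoft-Windows-AppLocker",
    "regex": r": (ERROR)\p(\d+)",      # applied with offset="after_prematch"
    "order": ["status", "id"],
}

# OSSEC regex classes -> Python re (assumption: my reading of os_regex;
# \p is OSSEC's punctuation class, \. means "any character").
OSSEC_CLASSES = {
    "d": r"[0-9]",
    "w": r"[A-Za-z0-9_\-]",
    "s": r" ",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    ".": r".",
}


def ossec_regex_to_python(pattern):
    """Translate the OSSEC <regex>/<prematch> subset used here into Python re.
    In OSSEC only ^ $ | ( ) * + and backslash escapes are special; any other
    character, including '.', space and '"', is a literal."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(c if c in "^$|()*+" else re.escape(c))
        i += 1
    return "".join(out)


def decode(log, decoder):
    """Emulate a decoder: <prematch> must hit, <regex> runs on the text after
    it, and each capture group is named by <order>. Returns None when the
    decoder does not apply, {} when it applies but extracts nothing."""
    pre = re.search(ossec_regex_to_python(decoder["prematch"]), log, re.IGNORECASE)
    if not pre:
        return None
    m = re.search(ossec_regex_to_python(decoder["regex"]), log[pre.end():], re.IGNORECASE)
    if not m:
        return {}
    return dict(zip(decoder["order"], m.groups()))


def sregex_match(pattern, value):
    """OSSEC simple regex as used by <match>, <status>, <id>: ^ anchors the
    start, $ the end, | separates alternatives; whitespace and quotes are
    matched literally (case-insensitively, per my reading of os_regex)."""
    v = value.lower()
    for alt in pattern.lower().split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1 if start else 0:len(alt) - 1 if end else len(alt)]
        if start and end:
            hit = v == lit
        elif start:
            hit = v.startswith(lit)
        elif end:
            hit = v.endswith(lit)
        else:
            hit = lit in v
        if hit:
            return True
    return False


def rule_fires(rule, fields, full_log):
    """Every field constraint must match its decoded field; <match> is tested
    against the whole log line instead of a decoded field."""
    for field, pattern in rule.items():
        target = full_log if field == "match" else fields.get(field)
        if target is None or not sregex_match(pattern, target):
            return False
    return True


ROB_RULE_100046 = {"status": "^8004$"}                 # Rob's first rule
DAN_RULE_100046 = {"status": "ERROR", "id": "^8004$"}  # Dan's corrected rule
ROUTE_MATCH = '^route-null.cmd" delete'                # Rob's follow-up <match>


def evaluate(log=SAMPLE_LOG):
    fields = decode(log, APPLOCKER_DECODER) or {}
    return {
        "fields": fields,
        "rob_rule_fires": rule_fires(ROB_RULE_100046, fields, log),
        "dan_rule_fires": rule_fires(DAN_RULE_100046, fields, log),
    }


if __name__ == "__main__":
    print(evaluate())
    # Constructed line for the <match> question: the space and the quote are
    # just characters, so this is an anchored substring test.
    print(sregex_match(ROUTE_MATCH, 'route-null.cmd" delete 10.0.0.0'))
```

The point the emulation makes visible: once the decoder fills status="ERROR" and id="8004", a rule that tests <status> for 8004 compares the wrong field, which is exactly the silence Rob observed, while ossec-logtest shows the decoded fields in Phase 2 so the mismatch can be spotted before a rule is deployed.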
