Hi Jesus,

Yeah, I think I submitted a pull request into OSSEC some time back on this... If memory serves, the other IDs are because I used the existing MS ID schema for OSSEC. The odd IDs are just because these live in my local_rules.xml in production. Sadly, I haven't had the time to update OSSEC or try any of the new distributions lately.
On Thursday, May 19, 2016 at 12:25:09 AM UTC-7, Jesus Linares wrote:
>
> Hi Brent,
>
> Your rules are in OSSEC by default (with other IDs, why?) but you added a few new rules.
>
> Could you send a PR to OSSEC or Wazuh <https://github.com/wazuh/ossec-rules/tree/development> with your new rules?
>
> Thanks.
>
>
> On Wednesday, May 18, 2016 at 8:38:16 PM UTC+2, Rob B wrote:
>>
>> Nice! Thanks Pedro! I've got it now..
>>
>> Cheers.
>>
>>
>> On Wednesday, May 18, 2016 at 10:09:14 AM UTC-4, Pedro S wrote:
>>>
>>> Hi Rob,
>>>
>>> *extra_data* is another allowed field used by OSSEC decoders to extract information from the event; once it is extracted you can match the field content in order to create a rule.
>>> The content of extra_data depends on the decoder which extracted it. In Windows decoders <https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L350> it could be, for example: Win source, Parent Image, Protocol, Signature, Start function...
>>>
>>> Best regards,
>>>
>>> Pedro S.
>>>
>>> On Tuesday, May 17, 2016 at 5:32:25 PM UTC+2, Rob B wrote:
>>>>
>>>> Thanks Brent! Funny enough, that day I figured it out and built a whole bunch very similar to your list. Seems to be working very nicely, as now I find myself leaning to creating some downright creative composites.... (finally)
>>>>
>>>> I've been looking for some reference material on the <extra_data> tag. How is this used properly?
>>>>
>>>> Cheers! Rob
>>>>
>>>>
>>>> On Monday, May 16, 2016 at 5:22:08 PM UTC-4, Brent Morris wrote:
>>>>>
>>>>> Rob - can you post your OSSEC version of the log? I can check my rules. These are a culmination of gleaned rules that I updated some time back with new event IDs. Yours is covered in there.... but I would like to test it against a valid OSSEC log. So if you can post it from the OSSEC logs, that'd be great.
>>>>>
>>>>> Here they are..
>>>>>
>>>>> </group>
>>>>> <!-- Microsoft Security Essentials rules -->
>>>>> <!-- see https://technet.microsoft.com/en-us/library/hh144989.aspx -->
>>>>> <group name="windows,mse,">
>>>>>   <rule id="720001" level="0">
>>>>>     <category>windows</category>
>>>>>     <if_sid>18101,18102,18103</if_sid>
>>>>>     <extra_data>^Microsoft Antimalware</extra_data>
>>>>>     <description>Grouping of Microsoft Security Essentials rules.</description>
>>>>>   </rule>
>>>>>
>>>>>   <rule id="720010" level="12">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^1118$|^1119$</id>
>>>>>     <group>virus,</group>
>>>>>     <description>Microsoft Security Essentials - Virus detected, but unable to remove.</description>
>>>>>   </rule>
>>>>>   <rule id="720011" level="7">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^1117$</id>
>>>>>     <group>virus,</group>
>>>>>     <description>Microsoft Security Essentials - Virus detected and properly removed.</description>
>>>>>   </rule>
>>>>>
>>>>>   <rule id="720012" level="7">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^1119$|^1118$|^1117$|^1116$</id>
>>>>>     <group>virus,</group>
>>>>>     <description>Microsoft Security Essentials - Virus detected.</description>
>>>>>   </rule>
>>>>>
>>>>>   <rule id="720013" level="7">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^1015$</id>
>>>>>     <group>virus,</group>
>>>>>     <description>Microsoft Security Essentials - Suspicious activity detected.</description>
>>>>>   </rule>
>>>>>
>>>>>   <!-- Service conditions and errors -->
>>>>>   <rule id="720020" level="3">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^5007$</id>
>>>>>     <description>Microsoft Security Essentials - Configuration changed.</description>
>>>>>     <group>policy_changed,</group>
>>>>>   </rule>
>>>>>   <rule id="720021" level="9">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^5008$</id>
>>>>>     <description>Microsoft Security Essentials - Service failed.</description>
>>>>>   </rule>
>>>>>   <rule id="720022" level="9">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^3002$</id>
>>>>>     <description>Microsoft Security Essentials - Real time protection failed.</description>
>>>>>   </rule>
>>>>>   <rule id="720023" level="8">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^2012$</id>
>>>>>     <description>Microsoft Security Essentials - Cannot use Dynamic Signature Service.</description>
>>>>>   </rule>
>>>>>   <rule id="720024" level="8">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^2004$</id>
>>>>>     <description>Microsoft Security Essentials - Loading definitions failed. Using last good set.</description>
>>>>>   </rule>
>>>>>   <rule id="720025" level="8">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^2003$</id>
>>>>>     <description>Microsoft Security Essentials - Engine update failed.</description>
>>>>>   </rule>
>>>>>   <rule id="720026" level="8">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^2001$</id>
>>>>>     <description>Microsoft Security Essentials - Definitions update failed.</description>
>>>>>   </rule>
>>>>>   <rule id="720027" level="7">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^1005$</id>
>>>>>     <description>Microsoft Security Essentials - Scan error. Scan has stopped.</description>
>>>>>   </rule>
>>>>>   <rule id="720028" level="5">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^1002$</id>
>>>>>     <description>Microsoft Security Essentials - Scan stopped before completion.</description>
>>>>>   </rule>
>>>>>
>>>>>   <!-- EICAR test file special case -->
>>>>>   <!-- www.eicar.org/86-0-Intended-use.html -->
>>>>>   <rule id="720041" level="5">
>>>>>     <if_sid>720012</if_sid>
>>>>>     <match>Virus:DOS/EICAR_Test_File</match>
>>>>>     <options>alert_by_email</options>
>>>>>     <description>Microsoft Security Essentials - EICAR test file detected.</description>
>>>>>   </rule>
>>>>>   <rule id="720042" level="3">
>>>>>     <if_sid>720011</if_sid>
>>>>>     <match>Virus:DOS/EICAR_Test_File</match>
>>>>>     <options>alert_by_email</options>
>>>>>     <description>Microsoft Security Essentials - EICAR test file removed.</description>
>>>>>   </rule>
>>>>>   <rule id="720043" level="8">
>>>>>     <if_sid>720010</if_sid>
>>>>>     <match>Virus:DOS/EICAR_Test_File</match>
>>>>>     <options>alert_by_email</options>
>>>>>     <description>Microsoft Security Essentials - EICAR test file detected, but removal failed.</description>
>>>>>   </rule>
>>>>>
>>>>>   <!-- Status messages -->
>>>>>   <rule id="720050" level="3">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^2000$</id>
>>>>>     <description>Microsoft Security Essentials - Signature database updated.</description>
>>>>>   </rule>
>>>>>   <rule id="720051" level="3">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^2002$</id>
>>>>>     <description>Microsoft Security Essentials - Scan engine updated.</description>
>>>>>   </rule>
>>>>>   <rule id="720053" level="3">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^1000$|^1001$</id>
>>>>>     <description>Microsoft Security Essentials - Scan started or stopped.</description>
>>>>>   </rule>
>>>>>   <rule id="720054" level="4">
>>>>>     <if_sid>720001</if_sid>
>>>>>     <id>^1013$</id>
>>>>>     <description>Microsoft Security Essentials - History cleared.</description>
>>>>>   </rule>
>>>>>
>>>>>   <!-- Time based alerts -->
>>>>>   <rule id="720070" level="10" frequency="4" timeframe="240">
>>>>>     <if_matched_sid>720011</if_matched_sid>
>>>>>     <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
>>>>>   </rule>
>>>>>   <rule id="720071" level="10" frequency="4" timeframe="240">
>>>>>     <if_matched_sid>720012</if_matched_sid>
>>>>>     <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
>>>>>   </rule>
>>>>>
>>>>> </group> <!-- mse -->
>>>>>
>>>>>
>>>>> On Friday, April 22, 2016 at 1:16:22 PM UTC-7, Rob B wrote:
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> Does anyone have a decoder for Windows Defender floating around out there??
>>>>>>
>>>>>> I'm having a heck of a time... Here is the event channel event example if anyone is curious or can help: (Win10 box)
>>>>>>
>>>>>> Log Name: Microsoft-Windows-Windows Defender/Operational
>>>>>> Source: Microsoft-Windows-Windows Defender
>>>>>> Date: 4/22/2016 4:05:17 PM
>>>>>> Event ID: 1116
>>>>>> Task Category: None
>>>>>> Level: Warning
>>>>>> Keywords:
>>>>>> User: SYSTEM
>>>>>> Computer: VICTIM0
>>>>>> Description:
>>>>>> Windows Defender has detected malware or other potentially unwanted software.
>>>>>> For more information please see the following:
>>>>>> http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0
>>>>>> Name: Trojan:Win32/Bagsu!rfn
>>>>>> ID: 2147694406
>>>>>> Severity: Severe
>>>>>> Category: Trojan
>>>>>> Path: containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe->(VFS:svchost.exe)
>>>>>> Detection Origin: Network share
>>>>>> Detection Type: Concrete
>>>>>> Detection Source: Real-Time Protection
>>>>>> User: frog
>>>>>> Process Name: C:\Windows\explorer.exe
>>>>>> Signature Version: AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0
>>>>>> Engine Version: AM: 1.1.12603.0, NIS: 2.1.11804.0
>>>>>>
>>>>>> Event Xml:
>>>>>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>>>>>   <System>
>>>>>>     <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" />
>>>>>>     <EventID>1116</EventID>
>>>>>>     <Version>0</Version>
>>>>>>     <Level>3</Level>
>>>>>>     <Task>0</Task>
>>>>>>     <Opcode>0</Opcode>
>>>>>>     <Keywords>0x8000000000000000</Keywords>
>>>>>>     <TimeCreated SystemTime="2016-04-22T20:05:17.551083000Z" />
>>>>>>     <EventRecordID>95</EventRecordID>
>>>>>>     <Correlation ActivityID="{ECC2B320-F9A6-41AD-9F17-5C9EE24D3330}" />
>>>>>>     <Execution ProcessID="2332" ThreadID="4540" />
>>>>>>     <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
>>>>>>     <Computer>VICTIM0</Computer>
>>>>>>     <Security UserID="S-1-5-77" />
>>>>>>   </System>
>>>>>>   <EventData>
>>>>>>     <Data Name="Product Name">%%827</Data>
>>>>>>     <Data Name="Product Version">4.9.10586.0</Data>
>>>>>>     <Data Name="Detection ID">{CAADD684-36C9-444B-8A6D-8CE537A93E40}</Data>
>>>>>>     <Data Name="Detection Time">2016-04-22T20:04:40.369Z</Data>
>>>>>>     <Data Name="Unused"> </Data>
>>>>>>     <Data Name="Unused2"> </Data>
>>>>>>     <Data Name="Threat ID">2147694406</Data>
>>>>>>     <Data Name="Threat Name">Trojan:Win32/Bagsu!rfn</Data>
>>>>>>     <Data Name="Severity ID">5</Data>
>>>>>>     <Data Name="Severity Name">Severe</Data>
>>>>>>     <Data Name="Category ID">8</Data>
>>>>>>     <Data Name="Category Name">Trojan</Data>
>>>>>>     <Data Name="FWLink">http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0</Data>
>>>>>>     <Data Name="Status Code">1</Data>
>>>>>>     <Data Name="Status Description"> </Data>
>>>>>>     <Data Name="State">1</Data>
>>>>>>     <Data Name="Source ID">3</Data>
>>>>>>     <Data Name="Source Name">%%818</Data>
>>>>>>     <Data Name="Process Name">C:\Windows\explorer.exe</Data>
>>>>>>     <Data Name="Detection User">frog</Data>
>>>>>>     <Data Name="Unused3"> </Data>
>>>>>>     <Data Name="Path">containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe->(VFS:svchost.exe)</Data>
>>>>>>     <Data Name="Origin ID">2</Data>
>>>>>>     <Data Name="Origin Name">%%846</Data>
>>>>>>     <Data Name="Execution ID">1</Data>
>>>>>>     <Data Name="Execution Name">%%813</Data>
>>>>>>     <Data Name="Type ID">0</Data>
>>>>>>     <Data Name="Type Name">%%822</Data>
>>>>>>     <Data Name="Pre Execution Status">0</Data>
>>>>>>     <Data Name="Action ID">9</Data>
>>>>>>     <Data Name="Action Name">%%887</Data>
>>>>>>     <Data Name="Unused4"> </Data>
>>>>>>     <Data Name="Error Code">0x00000000</Data>
>>>>>>     <Data Name="Error Description">The operation completed successfully. </Data>
>>>>>>     <Data Name="Unused5"> </Data>
>>>>>>     <Data Name="Post Clean Status">0</Data>
>>>>>>     <Data Name="Additional Actions ID">0</Data>
>>>>>>     <Data Name="Additional Actions String">No additional actions required</Data>
>>>>>>     <Data Name="Remediation User"> </Data>
>>>>>>     <Data Name="Unused6"> </Data>
>>>>>>     <Data Name="Signature Version">AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0</Data>
>>>>>>     <Data Name="Engine Version">AM: 1.1.12603.0, NIS: 2.1.11804.0</Data>
>>>>>>   </EventData>
>>>>>> </Event>
>>>>>>
>>>>>>
>>>>>> Thanks!, Rob
>>>>>>
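As an added example (not code from this thread, OSSEC or Wazuh), the rule tree Brent posted modelled in Python: a decoded event passes the 720001 gate on extra_data, descends to the deepest matching child by event ID, the EICAR rules hang below the virus rules, and the frequency/timeframe composite counts events whose final rule is its if_matched_sid. The names RULES, fits, classify and feed are mine; it assumes the Windows decoder yields id, extra_data and message fields, that OSSEC tries sibling rules highest level first, and it only approximates OSSEC's composite counting.

```python
import re
from collections import deque

# Subset of the rule tree posted above, as data: parent = <if_sid>, id = <id> regex,
# match = <match> substring, matched_sid/frequency/timeframe = the time-based composite.
RULES = {
    "720001": dict(level=0, extra_data=r"^Microsoft Antimalware"),
    "720010": dict(level=12, parent="720001", id=r"^1118$|^1119$"),
    "720011": dict(level=7, parent="720001", id=r"^1117$"),
    "720012": dict(level=7, parent="720001", id=r"^1119$|^1118$|^1117$|^1116$"),
    "720042": dict(level=3, parent="720011", match="Virus:DOS/EICAR_Test_File"),
    "720043": dict(level=8, parent="720010", match="Virus:DOS/EICAR_Test_File"),
    "720070": dict(level=10, matched_sid="720011", frequency=4, timeframe=240),
}

def fits(rule, event):
    """One rule's own conditions against a decoded event (id, extra_data, message fields)."""
    return (re.search(rule.get("extra_data", ""), event["extra_data"]) is not None
            and re.search(rule.get("id", ""), event["id"]) is not None
            and rule.get("match", "") in event["message"])

def classify(event):
    """Descend the tree as OSSEC does; the deepest matching rule wins.
    Assumption: siblings are tried highest level first, then in file order."""
    current = "720001" if fits(RULES["720001"], event) else None
    while current:
        kids = sorted((r for r in RULES if RULES[r].get("parent") == current),
                      key=lambda r: -RULES[r]["level"])
        nxt = next((r for r in kids if fits(RULES[r], event)), None)
        if nxt is None:
            break
        current = nxt
    return current

def feed(event, seen):
    """Composites (<if_matched_sid> with frequency/timeframe): `seen` maps a composite rule
    id to timestamps of events whose final rule was its matched_sid; fires once `frequency`
    fall inside `timeframe` seconds (assumption: approximates OSSEC's counting, not exact)."""
    rid = classify(event)
    fired = [rid] if rid else []
    for crid, comp in RULES.items():
        if comp.get("matched_sid") == rid:
            win = seen.setdefault(crid, deque())
            win.append(event["ts"])
            while event["ts"] - win[0] > comp["timeframe"]:
                win.popleft()
            if len(win) >= comp["frequency"]:
                fired.append(crid)
                win.clear()
    return fired
```

Feed it dicts carrying the decoder fields plus a ts in seconds; with extra_data set to the Source string of Rob's Win10 event ("Microsoft-Windows-Windows Defender") the 720001 gate does not match, since its regex only accepts the MSE string.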
