On Thu, Jun 2, 2016 at 10:42 PM, Kevin Branch <[email protected]> wrote: > I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3 > agent. > > The rule simply alerts on Chrome Remote Desktop events. > > It uses this custom decoder: > > <decoder name="chromoting"> > <prematch>: chromoting: \.*chromoting</prematch>
I don't think regex is allowed in the prematch, the docs only mention sregex: https://ossec.github.io/docs/syntax/head_decoders.html?highlight=prematch#element-decoder.prematch > </decoder> > > The rule is: > > <rule id="100040" level="3"> > <decoded_as>chromoting</decoded_as> > <description>Chrome Remote Desktop event - generic</description> > </rule> > > My test event is: > > 2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 > 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no > domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67. > > When I feed this to ossec-logtest, the rule fires: > > **Phase 3: Completed filtering (rules). > Rule id: '100040' > Level: '3' > Description: 'Chrome Remote Desktop event - generic' > **Alert to be generated. > > ..but when I trigger the actual event on my OSSEC agent computer, the event > only shows up on the OSSEC server in archives.log, never in alerts.log. > > I have restarted OSSEC server many times and varied lots of things but I > can't get it to fire on the real log event, only in ossec-logtest. > > Please advise. I don't have any idea what kinds of rule writing errors can > be glossed over by ossec-logtest while causing rule failures in production. > Using the decoder and rule above, I get the following output from ossec-logtest: **Phase 1: Completed pre-decoding. full event: '2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.' hostname: 'ipyr' program_name: 'WinEvtLog' log: 'Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.' **Phase 2: Completed decoding. No decoder matched. Changing the decoder to this: <decoder name="chromoting"> <prematch>: chromoting: </prematch> <program_name>^WinEvtLog</program_name> </decoder> it all starts to work. I run this to get the log into syslog (I don't have a way to test it any other way that I can think of), so it may not be exactly correct: # echo 'Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67.' | logger -t WinEvtLog Here's the entry from alerts.log: ** Alert 1464961149.36091: - local,syslog, 2016 Jun 03 09:39:09 ipyr->/var/log/messages Rule: 100040 (level 3) -> 'Chrome Remote Desktop event - generic' Jun 3 09:39:07 ipyr WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: [email protected]/chromoting754CDB67. I believe this is with a fairly stock 2.8.3, but I'm not positive. > Kevin > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
