So, interesting. I guess that is my question. In my testing (using 2.9RC2),
the decoder below won't recognize the log entry unless I keep the header
from archives.log (you can see the output in my post above). If I remove
the header, the decoder doesn't work. What version were you running with
your testing of my log entry?
<decoder name="Sysmon-EventID#1">
  <type>windows</type>
  <prematch>INFORMATION\(1\)</prematch>
  <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
  <order>status,user,url,data</order>
</decoder>
On Monday, August 1, 2016 at 2:50:22 AM UTC-5, Jesus Linares wrote:
>
> It seems the output of ossec-logtest is cut in the previous post. I paste
> it here again:
>
>
> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-
> PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846
> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988
> Image: C:\Users\administrator\Desktop\svchost.exe CommandLine:
> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\
> administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4-
> 1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1
> IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId
> : 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\
> Windows\Explorer.EXE
>
> **Phase 1: Completed pre-decoding.
> full event: '2016 Jul 29 22:32:24 WinEvtLog:
> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
> Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid:
> {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image:
> C:\Users\administrator\Desktop\svchost.exe CommandLine:
> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory:
> C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid:
> {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
> TerminalSessionId: 1 IntegrityLevel: High Hashes:
> MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid:
> {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage:
> C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'
> hostname: 'ip-10-0-0-10'
> program_name: '(null)'
> log: '2016 Jul 29 22:32:24 WinEvtLog:
> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
> Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid:
> {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image:
> C:\Users\administrator\Desktop\svchost.exe CommandLine:
> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory:
> C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid:
> {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
> TerminalSessionId: 1 IntegrityLevel: High Hashes:
> MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid:
> {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage:
> C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'
>
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'C:\Users\administrator\Desktop\svchost.exe'
> dstuser: 'HACKME\Administrator'
> url: 'C019D10F80409FC4C7D45EBFA48B0076'
> extra_data: 'C:\Windows\explorer.exe'
>
>
> **Phase 3: Completed filtering (rules).
> Rule id: '184666'
> Level: '12'
> Description: 'Sysmon - Suspicious Process - svchost.exe'
>
> You can find decoders for all sysmon events here:
> <https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L197>
>
> Regards.
>
> On Monday, August 1, 2016 at 9:46:31 AM UTC+2, Jesus Linares wrote:
>>
>> Hi Craig,
>>
>> the raw event is:
>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-
>> PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846
>> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988
>> Image: C:\Users\administrator\Desktop\svchost.exe CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users
>> \administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4
>> -1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1
>> IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}
>> ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe
>> ParentCommandLine: C:\Windows\Explorer.EXE
>>
>> but, OSSEC adds a header in archives.log:
>>
>> *2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog *2016 Jul 29
>> 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local
>> : Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {
>> 67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\
>> administrator\Desktop\svchost.exe CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users
>> \administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4
>> -1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1
>> IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}
>> ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe
>> ParentCommandLine: C:\Windows\Explorer.EXE
>>
>>
>> So, you must always use *ossec-logtest* without headers:
>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-
>> PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846
>> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988
>> Image: C:\Users\administrator\Desktop\svchost.exe CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users
>> \administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4
>> -1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1
>> IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}
>> ParentProcessId: 3056
>>
>
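As an added example (not code from either poster, and not OSSEC or Wazuh code), the Python below walks through the two things the exchange turns on: splitting off the header that OSSEC prepends in archives.log so the raw event can be fed to ossec-logtest, and pulling out of the Sysmon "Process Create" text the fields that the Phase 2 output above reports (status, dstuser, url, extra_data). The sample line is constructed from the event quoted in the thread; the header pattern, the field list and the field-to-name mapping are my reading of that output, not OSSEC's decoder internals, and the parser goes slightly beyond the decoder by returning every Sysmon field rather than four positional captures.

```python
"""Added example: strip the OSSEC archives.log header and extract the fields of a
Sysmon event 1 (Process Create) as logged through WinEvtLog.  Not OSSEC code."""
import re

# Constructed from the thread: OSSEC header "<timestamp> (<agent>) <ip>-><location> "
# followed by the raw event exactly as Jesus posted it.
ARCHIVE_LINE = (
    r"2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog "
    r"2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: "
    r"INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: "
    r"Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 "
    r"ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 "
    r"Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "
    r'"C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: '
    r"C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: "
    r"{67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 "
    r"IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 "
    r"ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 "
    r"ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE"
)

# archives.log header as seen in the thread: "YYYY Mon DD HH:MM:SS (agent) ip->location ".
# The raw WinEvtLog event that follows also starts with a timestamp, so the
# "(agent)" group is what distinguishes a header from the event itself.
ARCHIVE_HEADER = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]*)\) (?P<ip>\S+)->(?P<location>\S+) (?P<event>.*)$"
)


def strip_archive_header(line):
    """Split an archives.log line into (header fields, raw event).

    A line that carries no header comes back unchanged with an empty dict; that
    raw form is what ossec-logtest expects on stdin."""
    m = ARCHIVE_HEADER.match(line)
    if not m:
        return {}, line
    header = m.groupdict()
    event = header.pop("event")
    return header, event


# Sysmon event 1 field names in the order Sysmon emits them (assumed from the
# event text in the thread).  Values may contain spaces and colons (paths,
# quoted command lines), so a value ends only where the next known key starts.
SYSMON_EVENT1_FIELDS = [
    "UtcTime", "ProcessGuid", "ProcessId", "Image", "CommandLine",
    "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
    "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
    "ParentImage", "ParentCommandLine",
]
_KEYS = "|".join(SYSMON_EVENT1_FIELDS)
FIELD_RE = re.compile(
    r"(?P<key>" + _KEYS + r"): (?P<value>.*?)(?= (?:" + _KEYS + r"): |$)"
)


def parse_sysmon_event1(event):
    """Return {field: value} for the 'Process Create:' part of a raw event.

    Raises ValueError when the line is not a Sysmon INFORMATION(1) event.  A
    command line that itself contains a literal 'Key: ' token would split early;
    the positional OSSEC regex has the same limitation."""
    if "INFORMATION(1)" not in event or "Process Create: " not in event:
        raise ValueError("not a Sysmon Process Create event")
    body = event.split("Process Create: ", 1)[1]
    return {m.group("key"): m.group("value") for m in FIELD_RE.finditer(body)}


def decode_like_logtest(line):
    """Reproduce the Phase 2 fields printed by ossec-logtest in the thread:
    status <- Image, dstuser <- User, url <- hash digest, extra_data <- ParentImage.
    Accepts either a raw event or a full archives.log line."""
    _, event = strip_archive_header(line)
    fields = parse_sysmon_event1(event)
    # "Hashes: MD5=<digest>"; Sysmon can list several algorithms separated by
    # commas, so keep the digest of the first one only.
    first_hash = fields.get("Hashes", "").split(",")[0]
    digest = first_hash.split("=", 1)[-1]
    return {
        "status": fields["Image"],
        "dstuser": fields["User"],
        "url": digest,
        "extra_data": fields["ParentImage"],
    }


if __name__ == "__main__":
    header, raw = strip_archive_header(ARCHIVE_LINE)
    print("agent:", header["agent"], "location:", header["location"])
    print("raw event for ossec-logtest:", raw)
    for name, value in decode_like_logtest(ARCHIVE_LINE).items():
        print(f"{name}: {value!r}")
```

Running it prints the agent name and location from the header, the raw event on its own (the form to paste into ossec-logtest), and then the four decoded fields, which should agree with the Phase 2 block quoted above.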
You received this message because you are subscribed to the Google Groups
"ossec-list" group.