Hi Craig,
I'm running ossec-wazuh <https://github.com/wazuh/ossec-wazuh>. Try to copy
sysmon decoders from
https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L197
to your decoder.xml.
Let me know if it works.
Regards.
On Monday, August 1, 2016 at 3:11:35 PM UTC+2, Craig wrote:
>
> So, interesting. I guess that is my question. In my testing (using
> 2.9RC2), the decoder below won't recognize the log entry unless I keep the
> header from archives.log (you can see the output in my post above). If I
> remove the header, the decoder doesn't work. What version were you running
> with your testing of my log entry?
> <decoder name="Sysmon-EventID#1">
> <type>windows</type>
> <prematch>INFORMATION\(1\)</prematch>
> <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User:
> (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S*
> \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid:
> \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*)
> \s*ParentCommandLine:</regex>
> <order>status,user,url,data</order>
> </decoder>
>
>
>
> On Monday, August 1, 2016 at 2:50:22 AM UTC-5, Jesus Linares wrote:
>>
>> It seems the output of ossec-logtest is cut in the previous post. I paste
>> it here again:
>>
>>
>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-
>> PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846
>> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988
>> Image: C:\Users\administrator\Desktop\svchost.exe CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users
>> \administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4
>> -1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1
>> IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076
>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}
>> ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe
>> ParentCommandLine: C:\Windows\Explorer.EXE
>>
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '2016 Jul 29 22:32:24 WinEvtLog:
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
>> Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid:
>> {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image:
>> C:\Users\administrator\Desktop\svchost.exe CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory:
>> C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid:
>> {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
>> TerminalSessionId: 1 IntegrityLevel: High Hashes:
>> MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid:
>> {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage:
>> C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'
>> hostname: 'ip-10-0-0-10'
>> program_name: '(null)'
>> log: '2016 Jul 29 22:32:24 WinEvtLog:
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
>> Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid:
>> {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image:
>> C:\Users\administrator\Desktop\svchost.exe CommandLine:
>> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory:
>> C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid:
>> {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
>> TerminalSessionId: 1 IntegrityLevel: High Hashes:
>> MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid:
>> {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage:
>> C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'
>>
>>
>> **Phase 2: Completed decoding.
>> decoder: 'windows'
>> status: 'C:\Users\administrator\Desktop\svchost.exe'
>> dstuser: 'HACKME\Administrator'
>> url: 'C019D10F80409FC4C7D45EBFA48B0076'
>> extra_data: 'C:\Windows\explorer.exe'
>>
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '184666'
>> Level: '12'
>> Description: 'Sysmon - Suspicious Process - svchost.exe'
>>
>> You can find decoders for all sysmon events here
>> <https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L197>
>> .
>>
>> Regards.
>>
>>
>>
>>
>>
>>
>> On Monday, August 1, 2016 at 9:46:31 AM UTC+2, Jesus Linares wrote:
>>>
>>> Hi Craig,
>>>
>>> the raw event is:
>>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64
>>> -PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846
>>> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988
>>> Image: C:\Users\administrator\Desktop\svchost.exe CommandLine:
>>> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\
>>> Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {
>>> 67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
>>> TerminalSessionId: 1 IntegrityLevel: High Hashes:
>>> MD5=C019D10F80409FC4C7D45EBFA48B0076
>>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}
>>> ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe
>>> ParentCommandLine: C:\Windows\Explorer.EXE
>>>
>>> but, OSSEC adds a header in archives.log:
>>>
>>> *2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog *2016 Jul
>>> 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION
>>> (1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme
>>> .local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid:
>>> {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users
>>> \administrator\Desktop\svchost.exe CommandLine:
>>> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\
>>> Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {
>>> 67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
>>> TerminalSessionId: 1 IntegrityLevel: High Hashes:
>>> MD5=C019D10F80409FC4C7D45EBFA48B0076
>>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}
>>> ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe
>>> ParentCommandLine: C:\Windows\Explorer.EXE
>>>
>>>
>>> So, you must always use *ossec-logtest* without headers:
>>> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
>>> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64
>>> -PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846
>>> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988
>>> Image: C:\Users\administrator\Desktop\svchost.exe CommandLine:
>>> "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\
>>> Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {
>>> 67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
>>> TerminalSessionId: 1 IntegrityLevel: High Hashes:
>>> MD5=C019D10F80409FC4C7D45EBFA48B0076
>>> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}
>>> ParentProcessId: 3056<sp
>>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
