Hi Nguyen,
Thanks for the digit meanings. In my experience, for the latest Windows or
Windows desktop versions the digits have been replaced by the terms, but I
am not sure which Windows versions have digits or terms.
You could do the correlation at the C level on OSSEC, maybe using a CDB list
(matching the digits and triggering a rule with a specific
description). I was also thinking about doing it with Logstash (if you use
Logstash); using the "gsub" filter you can replace the text like this:
filter {
  mutate {
    gsub => ["rule.description", "%%1539", "ReadControl"]
  }
}
Not tested by myself.
Best regards,
Pedro.
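As an added illustration (not code from either poster), the same substitution done in Python over the table Nguyen listed: the accesses field is rewritten code by code, unknown codes are kept verbatim so nothing is silently dropped, and the table can be emitted as "key:value" lines in the format OSSEC CDB lists use.

```python
import re

# Access-right codes for Windows Event 4656, copied from the table in this thread.
ACCESS_NAMES = {
    "%%1537": "Delete",
    "%%1538": "ReadControl",
    "%%1539": "ReadControl",
    "%%1540": "ReadControl",
    "%%1541": "Synchronize",
    "%%1542": "Synchronize",
    "%%4416": "ReadData",
    "%%4417": "WriteData",
    "%%4418": "AppendData",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4423": "ReadAttrib",
    "%%4424": "WriteAttrib",
    "%%1801": "Granted",
    "%%1805": "NotGranted",
}

# One code: two percent signs followed by four digits.
CODE_RE = re.compile(r"%%\d{4}")


def translate_accesses(field: str) -> str:
    """Replace every %%NNNN code in an accesses field with its readable name.

    Codes missing from the table are left untouched, so a new or unexpected
    access right still shows up in the alert instead of disappearing.
    """
    return CODE_RE.sub(lambda m: ACCESS_NAMES.get(m.group(0), m.group(0)), field)


def cdb_list_lines(table=ACCESS_NAMES):
    """Render the table as OSSEC CDB list lines ("key:value"), one code per line."""
    return [f"{code}:{name}" for code, name in sorted(table.items())]


if __name__ == "__main__":
    # Constructed sample taken from the accesses value quoted in the thread.
    print(translate_accesses("%%1541 %%4416 %%4423"))
    print("\n".join(cdb_list_lines()))
```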
On Thu, Feb 16, 2017 at 4:07 AM, Nguyễn Đức Thịnh <[email protected]>
wrote:
> Hi all,
>
> I wrote a rule to parse Windows Event 4656; the result is pretty good,
> except that Accesses: is not human-readable.
>
> accesses
> %%1541 %%4416 %%4423
>
> As you can see, the accesses field shows 4-digit codes. For anyone who wants to
> understand these digits, they mean:
> '%%1537', "Delete",
> '%%1538', "ReadControl",
> '%%1539', "ReadControl",
> '%%1540', "ReadControl",
> '%%1541', "Synchronize",
> '%%1542', "Synchronize",
> '%%4416', "ReadData",
> '%%4417', "WriteData",
> '%%4418', "AppendData",
> '%%4419', "ReadEA",
> '%%4420', "WriteEA",
> '%%4423', "ReadAttrib",
> '%%4424', "WriteAttrib",
> '%%1801', "Granted",
> '%%1805', "NotGranted"
>
> Can anyone here suggest a way to replace these digits with
> keywords?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>