It continues to work with a fresh install of MASTER
**Phase 1: Completed pre-decoding.
       full event: 'Mar  2 17:36:50 ossec-test2 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: WK034.dom.com: The Windows Filtering Platform blocked a
packet. Application Information: Process ID: 0 Application Name: -
Network Information: Direction: %%14592 Source Address: 10.20.10.55
Source Port: 55666 Destination Address: 255.255.255.255 Destination
Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713
Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'ossec-test2'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
WK034.dom.com: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 10.20.10.55 Source
Port: 55666 Destination Address: 255.255.255.255 Destination Port:
1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer
Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'WK034.dom.com'
       srcip: '10.20.10.55'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.

On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) <[email protected]> wrote:
> On Thu, Mar 2, 2017 at 6:41 AM, Casimiro <[email protected]> wrote:
>> Thanks.
>> But it doesn't work. It only decodes the srcip field. Attached is the output:
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
>> Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com:
>> The Windows Filtering Platform blocked a packet. Application Information:
>> Process ID: 0 Application Name: - Network Information: Direction: %%14592
>> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
>> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
>> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>>        hostname: 'USMCyberRange'
>>        program_name: '(null)'
>>        log: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
>> Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: The
>> Windows Filtering Platform blocked a packet. Application Information:
>> Process ID: 0 Application Name: - Network Information: Direction: %%14592
>> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
>> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
>> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        srcip: '10.20.10.55'
>>
>> **Rule debugging:
>>     Trying rule: 6 - Generic template for all windows rules.
>>        *Rule 6 matched.
>>        *Trying child rules.
>>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>>     Trying rule: 18100 - Group of windows rules.
>>        *Rule 18100 matched.
>>        *Trying child rules.
>>     Trying rule: 18101 - Windows informational event.
>>     Trying rule: 18102 - Windows warning event.
>>     Trying rule: 18104 - Windows audit success event.
>>     Trying rule: 18103 - Windows error event.
>>     Trying rule: 18105 - Windows audit failure event.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18100'
>>        Level: '0'
>>        Description: 'Group of windows rules.'
>>
>> So the original fields of the decoder have been erased (status, id, extra_data,
>> srcuser, system_name, name, location, user, system_name). The consequence is
>> that the original rules don't match.
>>
>
> That's strange, it works for me (I had to add the timestamp info):
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar  2 11:17:01 ossec-test WinEvtLog: Security:
> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
> no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked
> a packet. Application Information: Process ID: 0 Application Name: -
> Network Information: Direction: %%14592 Source Address: 10.20.10.55
> Source Port: 55666 Destination Address: 255.255.255.255 Destination
> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713
> Layer Name: %%14597 Layer Run-Time ID: 13'
>        hostname: 'ossec-test'
>        program_name: 'WinEvtLog'
>        log: 'Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet.
> Application Information: Process ID: 0 Application Name: - Network
> Information: Direction: %%14592 Source Address: 10.20.10.55 Source
> Port: 55666 Destination Address: 255.255.255.255 Destination Port:
> 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer
> Name: %%14597 Layer Run-Time ID: 13'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_FAILURE'
>        id: '5152'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: '(no user)'
>        system_name: 'WKSUSR034.mccd.def'
>        srcip: '10.20.10.55'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18105'
>        Level: '4'
>        Description: 'Windows audit failure event.'
> **Alert to be generated.
>
> Are you sure you have the latest Windows decoders? I'll try firing up
> another image and try again.
>
>
>> On Friday, 17 February 2017 at 14:01:15 (UTC+1), Casimiro wrote:
>>>
>>> I'm trying to override the windows decoder to extract more fields (in
>>> local_decoder.xml), like source IP, destination IP and source port.
>>>
>>> This is my local decoder for windows
>>>
>>> <decoder name="windows-audit">
>>>    <parent>windows</parent>
>>>    <!-- OS_Regex treats ( and ) as grouping, so the literal parentheses
>>>         around the event id are escaped -->
>>>    <prematch>AUDIT_FAILURE\(5152\)</prematch>
>>>    <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
>>>    <order>srcip</order>
>>> </decoder>
>>>
>>> When I put the new decoder in local_decoder.xml, the Windows log doesn't match
>>> the windows parent decoder. If I take out the local decoder, the log matches
>>> the windows parent decoder.
>>>
>>> I want to get all fields: parent fields + child fields (in this case
>>> status, id, extra_data, srcuser, system_name and srcip)
>>>
>>> Thanks in advance
>>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
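As an added illustration (not code from this thread or from OSSEC), the following Python stand-in parses the event 5152 text from the logtest output above into the parent fields the stock windows decoder reported plus the network fields the original post asked for, and merges them the way a working parent/child decoder pair should: parent fields kept, child fields added. The regular expressions are Python's, not OSSEC OS_Regex syntax, and the sample log line is constructed from the thread.

```python
import re

# Constructed sample: the thread's event text as the 'windows' decoder sees it
# once the syslog header (timestamp, host, 'WinEvtLog') has been pre-decoded.
SAMPLE_LOG = (
    "Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: WK034.dom.com: The Windows Filtering Platform "
    "blocked a packet. Application Information: Process ID: 0 Application "
    "Name: - Network Information: Direction: %%14592 Source Address: "
    "10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 "
    "Destination Port: 1234 Protocol: 17 Filter Information: Filter "
    "Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13"
)

# Fields the stock 'windows' decoder produced in the logtest output above.
PARENT_RE = re.compile(
    r"^(?P<channel>\w+): (?P<status>\w+)\((?P<id>\d+)\): (?P<extra_data>[^:]+): "
    r"(?P<dstuser>[^:]+): (?P<domain>[^:]+): (?P<system_name>[^:]+): "
)

# Network fields of event 5152 (Windows Filtering Platform blocked a packet).
CHILD_RE = re.compile(
    r"Source Address: (?P<srcip>\S+) Source Port: (?P<srcport>\d+) "
    r"Destination Address: (?P<dstip>\S+) Destination Port: (?P<dstport>\d+) "
    r"Protocol: (?P<protocol>\d+)"
)

def decode_parent(log):
    """Stand-in for the parent decoder: returns the fields shown in Phase 2."""
    m = PARENT_RE.match(log)
    if not m:
        return {}
    d = m.groupdict()
    return {k: d[k] for k in ("status", "id", "extra_data", "dstuser", "system_name")}

def decode_child(log, parent_fields):
    """Stand-in for the child decoder; the status/id check plays the prematch."""
    if parent_fields.get("status") != "AUDIT_FAILURE" or parent_fields.get("id") != "5152":
        return {}
    m = CHILD_RE.search(log)
    return m.groupdict() if m else {}

def decode(log):
    """Parent fields plus child fields: the combined set the poster wanted."""
    parent = decode_parent(log)
    merged = dict(parent)
    merged.update(decode_child(log, parent))  # child never erases parent fields
    return merged
```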
