Hello
Maybe someone can help a newbie write a first OSSEC rule. I tried to
read chapter 4 of the OSSEC book, "Working with rules", but it didn't help. So I
have Windows event logs and want to write a rule with a regex to drop
events with a specific pattern. I attached an example log below:
2017 Mar 08 14:36:56 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: H-N571-1: A new process has been created. Subject: Security ID: S-1-5-xx Account Name: Administrator Account Domain: H-N571-1 Logon ID: 0x2ed5d Process Information: New Process ID: 0x7fc New Process Name: C:\Windows\System32\calc.exe Token Elevation Type: %%1936 Creator Process ID: 0xaf0 [END]";
For example, I want to drop events with "Administrator" AND
("C:\Windows\System32\calc.exe" OR "C:\Windows\System32\mspaint.exe"),
i.e. (Administrator AND (xxx/calc.exe OR xxx/mspaint.exe OR xxx/xxx.exe)). Could
someone help with this?
I tried this rule, but it ended with a server error:
<rule id="111003" level="0">
  <if_sid>18104</if_sid>
  <regex>\.*Account\s+Name:\s+Administrator\.*(C:\\Windows\\System32\\mspaint.exe|C:\\Windows\\System32\\calc.exe)</regex>
  <description>new process Drop</description>
</rule>
I tried this, but it is not working at all:
<rule id="111003" level="0">
  <if_sid>18104</if_sid>
  <regex>\.*Account\s+Name:\s+Administrator\.*\(C:\\Windows\\System32\\mspaint.exe|C:\\Windows\\System32\\calc.exe\)</regex>
  <description>new process Drop</description>
</rule>
I think I can achieve my goal by writing two rules: the first to match
"Administrator" and the second to match the other patterns, but maybe it is
possible to write only one rule for this job?
Thanks for the help.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
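One way to express "Administrator AND (calc.exe OR mspaint.exe)" in a single rule is to give the rule two matching options, because every option inside one OSSEC rule has to match for the rule to fire: a literal <match> for the account name and a <regex> whose `|` alternation lists the process names. In OSSEC's own regex syntax `|` is a top-level OR between whole patterns, not a PCRE-style group, which is why the parenthesised alternation in the first attempt above does not behave as intended and the escaped parentheses in the second attempt are matched as literal characters. Two more details of that syntax matter here: `\.` means "any character" while a plain `.` is a literal dot, so `calc.exe` needs no escaping, and a pattern is unanchored unless it starts with `^`, so the leading `\.*` in the attempts is unnecessary. The following is an added example rule, not part of the original post or of the OSSEC rule set; rule id 111003 and parent rule 18104 are taken from the post, event id 4688 from the sample log, and the `local,syslog,` group name is the default group in local_rules.xml (an assumption about the deployment).

```xml
<group name="local,syslog,">
  <!-- Added example, not from the original post. Drops (level 0) 4688
       "new process" events where the subject is Administrator AND the new
       process is calc.exe or mspaint.exe. All options of a rule are ANDed;
       '|' inside <regex> is OSSEC's OR between whole alternatives. -->
  <rule id="111003" level="0">
    <if_sid>18104</if_sid>
    <!-- Event id extracted by the Windows eventlog decoder; anchored so
         that only 4688 matches, not e.g. 46880. -->
    <id>^4688$</id>
    <!-- Literal substring match (no regex syntax in <match>). -->
    <match>Account Name: Administrator</match>
    <!-- Backslashes in the path are written as \\ in OSSEC regex; the
         literal dot in calc.exe needs no escape. -->
    <regex>New Process Name: C:\\Windows\\System32\\calc.exe|New Process Name: C:\\Windows\\System32\\mspaint.exe</regex>
    <description>Process creation by Administrator (calc.exe or mspaint.exe) - dropped.</description>
  </rule>
</group>
```

Paste the sample 4688 line into /var/ossec/bin/ossec-logtest to confirm that it now terminates at rule 111003 instead of 18104; a second test with a different process name (or a different account) should still end at 18104, which shows that both conditions are required. Because level 0 silently suppresses the event, check the list of dropped process names against what the SOC actually relies on 4688 for before widening the alternation; every name added there disappears from alerts.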