Dan,

Apparently it isn't compatible:

../bin/ossec-logtest -v
2017/07/07 01:50:33 ossec-analysisd: Invalid element 'accumulate' for decoder 'decoder'
2017/07/07 01:50:33 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.


On 7/6/2017 6:48 PM, dan (ddp) wrote:
On Thu, Jul 6, 2017 at 9:08 PM, Ian Brown <[email protected]> wrote:
Dan,

It's what comes in SecurityOnion's latest iso (securityonion-14.04.5.2.iso).

./ossec-logtest -V

OSSEC HIDS v2.8 - Trend Micro Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
http://www.ossec.net/main/license/

I tried "apt-file search /var/ossec/bin/ossec-logtest" to see if a package
owns it, but that program returned no results, so I'm going to assume it has
been compiled from source.

2.8 is good enough info. I don't have anything that old to test unfortunately.
You could backup your decoder.xml and local_decoder.xml files and
download the latest decoders.
I think they should be compatible, and you can test them quickly with
ossec-logtest without restarting OSSEC.


On 7/6/2017 5:47 PM, dan (ddp) wrote:
On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown <[email protected]> wrote:
Dan, that matches for the source and destination IP addresses, but if I
understand logtest's "Phase 2" output correctly, using those additional
decoders drops all the other things that the original windows decoder
found:

---------------------------

# ./ossec-logtest -v
2017/07/06 02:19:12 ossec-testrule: INFO: Reading local decoder file.
2017/07/06 02:19:12 ossec-testrule: INFO: Started (pid: 4227).
ossec-testrule: Type one log per line.

2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13


**Phase 1: Completed pre-decoding.
         full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no
domain: workstation: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143
Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter
Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time
ID: 13'
         hostname: 'securityonion'
         program_name: '(null)'
         log: '2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
         decoder: 'windows'
         srcip: '1.2.3.4'
         dstip: '5.6.7.8'

**Rule debugging:
      Trying rule: 6 - Generic template for all windows rules.
         *Rule 6 matched.
         *Trying child rules.
      Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
      Trying rule: 18100 - Group of windows rules.
         *Rule 18100 matched.
         *Trying child rules.
      Trying rule: 18101 - Windows informational event.
      Trying rule: 18102 - Windows warning event.
      Trying rule: 18104 - Windows audit success event.
      Trying rule: 18103 - Windows error event.
      Trying rule: 18105 - Windows audit failure event.

**Phase 3: Completed filtering (rules).
         Rule id: '18100'
         Level: '0'
         Description: 'Group of windows rules.'
-------------

This is Phase 2 without those additional decoders:

**Phase 2: Completed decoding.
         decoder: 'windows'
         status: 'AUDIT_FAILURE'
         id: '5152'
         extra_data: 'Microsoft-Windows-Security-Auditing'
         dstuser: '(no user)'
         system_name: 'workstation'

Do your decoders still inherit the matching of those fields and logtest just doesn't show this?

It works on mine:
**Phase 1: Completed pre-decoding.
         full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: workstation: The Windows Filtering Platform blocked a
packet. Application Information: Process ID: 0 Application Name: -
Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
%%14597 Layer Run-Time ID: 13'
         hostname: 'ix'
         program_name: 'WinEvtLog'
         log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
workstation: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
         decoder: 'windows'
         status: 'AUDIT_FAILURE'
         id: '5152'
         extra_data: 'Microsoft-Windows-Security-Auditing'
         dstuser: '(no user)'
         system_name: 'workstation'
         srcip: '1.2.3.4'
         dstip: '5.6.7.8'

**Phase 3: Completed filtering (rules).
         Rule id: '18105'
         Level: '4'
         Description: 'Windows audit failure event.'
**Alert to be generated.

Which version are you using?

Here's a clean room test, before the additions:
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
         full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: workstation: The Windows Filtering Platform blocked a
packet. Application Information: Process ID: 0 Application Name: -
Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
%%14597 Layer Run-Time ID: 13'
         hostname: 'ossec-test'
         program_name: 'WinEvtLog'
         log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
workstation: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
         decoder: 'windows'
         status: 'AUDIT_FAILURE'
         id: '5152'
         extra_data: 'Microsoft-Windows-Security-Auditing'
         dstuser: '(no user)'
         system_name: 'workstation'

**Phase 3: Completed filtering (rules).
         Rule id: '18105'
         Level: '4'
         Description: 'Windows audit failure event.'
**Alert to be generated.


After the additions:
**Phase 1: Completed pre-decoding.
         full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: workstation: The Windows Filtering Platform blocked a
packet. Application Information: Process ID: 0 Application Name: -
Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
%%14597 Layer Run-Time ID: 13'
         hostname: 'ossec-test'
         program_name: 'WinEvtLog'
         log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
workstation: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
         decoder: 'windows'
         status: 'AUDIT_FAILURE'
         id: '5152'
         extra_data: 'Microsoft-Windows-Security-Auditing'
         dstuser: '(no user)'
         system_name: 'workstation'
         srcip: '1.2.3.4'
         dstip: '5.6.7.8'

**Phase 3: Completed filtering (rules).
         Rule id: '18105'
         Level: '4'
         Description: 'Windows audit failure event.'
**Alert to be generated.


This was using the latest code in github.


On 7/5/2017 6:51 PM, dan (ddp) wrote:
On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown <[email protected]> wrote:
There is a decoder that isn't quite handling some log entries the way I need.  I want to augment an existing decoder, but apparently I'm not doing this correctly.
Here's an example log entry:
2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13

Using this as a guide:


http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html

I've created a new decoder that inherits from this existing one:

<decoder name="windows">
     <type>windows</type>
     <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
     <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
     <regex>(\.+): \.+: (\S+): </regex>
     <order>status, id, extra_data, user, system_name</order>
     <fts>name, location, user, system_name</fts>
</decoder>

I've tried a number of different versions of this -- below was my last attempt:

<decoder name="windows-filtering-platform">
     <parent>windows</parent>
     <prematch offset="after_parent">The Windows Filtering Platform</prematch>
     <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
     <regex>(\.+): \.+: (\S+): Thee Windows Filtering Platform</regex>
     <regex>Source Address: (\S+) Source Port: (\d+) Destination Address: (\S+) Destination Port: (\d+)</regex>
     <order>status, id, extra_data, user, system_name, srcip, srcport, dstip, dstport</order>
</decoder>

All I'm trying to do is match for the source and destination information that's in these particular log entries.  However, when I added my decoder, it "took over" for all the windows decoder matches instead of just for the log entries I was hoping to match against -- any log entry that contained "The Windows Filtering Platform."

On top of that, my decoder's regex doesn't seem to be matching any of the fields -- phase 2 just states:

**Phase 2: Completed decoding.
          decoder: 'windows'

instead of at least:
**Phase 2: Completed decoding.
          decoder: 'windows'
          status: 'AUDIT_FAILURE'
          id: '5152'
          extra_data: 'Microsoft-Windows-Security-Auditing'
          dstuser: '(no user)'
          system_name: 'workstation'

How far off the rails am I in achieving the solution I'm looking for?

Adding these 2 decoders gives me the source and destination IP addresses:
<decoder name="windows1">
     <parent>windows</parent>
     <regex>Source Address: (\S+)</regex>
     <order>srcip</order>
</decoder>

<decoder name="windows1">
     <parent>windows</parent>
     <regex>Destination Address: (\S+) </regex>
     <order>dstip</order>
</decoder>


--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.







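A small offline harness for the decoder question in this thread, added here as an example; it is not code from the thread or from the OSSEC project. It translates OS_Regex syntax into Python re and runs the stock windows decoder quoted above plus dan's two child decoders over the posted WinEvtLog event, so you can see what each regex captures before editing decoder.xml or running ossec-logtest. The names Decoder, ossec_to_python, apply_decoder and decode are mine. Two points are assumptions the thread does not confirm: OS_Regex quantifiers are modelled as stopping at the first point where the rest of the pattern matches (and running to the end of their class when nothing follows them), and every child decoder whose regex matches adds its fields. Several <regex> lines in one decoder are joined into one pattern, which is how OSSEC reads them; program_name matching, <fts> and <type> are ignored.

```python
"""Offline check of OSSEC decoder regexes.  Added example, not OSSEC code:
it translates OS_Regex syntax into Python re and runs the stock 'windows'
decoder plus the two child decoders from the thread over the posted event."""
import re
from dataclasses import dataclass

# OS_Regex escape sequences -> Python re (OSSEC regex syntax reference)
_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",    # letters, digits, '-', '@', '_'
    "d": r"[0-9]",
    "s": r" ",                  # \s is a single space in OS_Regex
    "S": r"[^ ]",
    ".": r".",                  # \. is "any character"; a bare '.' is literal
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&@^_`{|}~]",
}

def ossec_to_python(pattern):
    """Translate one OS_Regex pattern into a Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1
            nxt = pattern[i]                  # \( \) \| \$ \\ stay literal
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
        elif ch in "+*":
            # Assumption (not confirmed by the thread): an OS_Regex quantifier stops
            # at the first point where the rest of the pattern matches, and runs to
            # the end of its class only when nothing follows it.
            lazy = re.fullmatch(r"[)$]*(\|.*)?", pattern[i + 1:]) is None
            out.append(ch + ("?" if lazy else ""))
        elif ch in "^$|()":
            out.append(ch)
        else:
            out.append(re.escape(ch))         # '.', '?', '[' ... are literal
        i += 1
    return "".join(out)

@dataclass
class Decoder:
    name: str
    regex: str                  # several <regex> lines joined, as OSSEC joins them
    order: tuple                # field names from <order>
    prematch: str = ""
    prematch_offset: str = ""   # "" or "after_parent"
    regex_offset: str = ""      # "", "after_prematch" or "after_parent"
    parent: str = ""

WINDOWS = Decoder(             # the stock 2.8 windows decoder quoted in the thread
    name="windows",
    prematch=r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ",
    regex=r"^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): ",
    order=("status", "id", "extra_data", "user", "system_name"),  # logtest shows user as dstuser
    regex_offset="after_prematch",
)
CHILDREN = [                   # dan's two child decoders
    Decoder("windows1", r"Source Address: (\S+)", ("srcip",), parent="windows"),
    Decoder("windows1", r"Destination Address: (\S+) ", ("dstip",), parent="windows"),
]

# The event from the thread; the addresses in it are the poster's placeholders.
EVENT = (
    "2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: "
    "The Windows Filtering Platform blocked a packet. Application Information: "
    "Process ID: 0 Application Name: - Network Information: Direction: %%14592 "
    "Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 "
    "Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: "
    "93069 Layer Name: %%14597 Layer Run-Time ID: 13"
)

def apply_decoder(dec, log, parent_end=0):
    """(fields, prematch_end), or None if the prematch fails; fields is {} when
    only the regex fails (the "decoder: 'windows'" and nothing else case above)."""
    prematch_end = parent_end
    if dec.prematch:
        base = parent_end if dec.prematch_offset == "after_parent" else 0
        m = re.search(ossec_to_python(dec.prematch), log[base:])
        if m is None:
            return None
        prematch_end = base + m.end()
    base = {"after_prematch": prematch_end, "after_parent": parent_end}.get(dec.regex_offset, 0)
    m = re.search(ossec_to_python(dec.regex), log[base:])
    return (dict(zip(dec.order, m.groups())) if m else {}), prematch_end

def decode(parent, children, log):
    """Simulated Phase 2.  Assumption: every child whose regex matches adds its
    fields (logtest above shows srcip and dstip coming from two separate children)."""
    hit = apply_decoder(parent, log)
    if hit is None:
        return None
    fields, parent_end = hit
    out = {"decoder": parent.name, **fields}
    for child in children:
        if child.parent == parent.name:
            hit = apply_decoder(child, log, parent_end)
            if hit:
                out.update(hit[0])
    return out

if __name__ == "__main__":
    for key, value in decode(WINDOWS, CHILDREN, EVENT).items():
        print(f"         {key}: '{value}'")
```

Run it with python3 and compare the printed fields with the Phase 2 block from ossec-logtest; if a regex you are drafting captures the wrong span here, it will almost certainly do so in OSSEC too, while a match here is still worth confirming with ossec-logtest, since this harness does not model analysisd's full dispatch (program_name, get_next, child ordering).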