I'm not happy with this one:
<decoder name="sysmon2">
<parent>windows</parent>
<type>windows</type>
<prematch>INFORMATION\(1\): </prematch>
<regex offset="after_prematch">^Microsoft-Windows-Sysmon:\.*Image: (\.*)\s*CommandLine: "\.+"\.+User: (\S+)\s+LogonGuid:\.*LogonId:\.*TerminalSessionId:\.*IntegrityLevel:\s*\S+\s*Hashes: MD5=(\S+),SHA\d+=(\S+)\.*ParentProcessGuid: \S+\s+ParentProcessId: \d+\s+ParentImage: (\.*)\s+ParentCommand</regex>
<order>status, user, url, url, data</order>
</decoder>
I had to add it after the windows decoder, and before windows1. So I'm
not sure how much damage it would do to other windows decoders/rules.
On Thu, Sep 28, 2017 at 8:02 AM, dan (ddp) <[email protected]> wrote:
> On Thu, Sep 28, 2017 at 12:35 AM, amar haq <[email protected]> wrote:
>> Hi, I have OSSEC manager 2.9.2 on Ubuntu and the OSSEC agent on Windows v2.9.0.
>> Sysmon is installed and has been configured, and for example I tried to access
>> PowerShell; this is the agent's log.
>> So I tried to use ossec-logtest and got this result:
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '2017 Sep 28 11:15:28 WinEvtLog:
>> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
>> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
>> {6B166207-7760-59CC-0000-0010F1E00800} ProcessId: 732 Image:
>> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
>> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
>> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser LogonGuid:
>> {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId:
>> 1 IntegrityLevel: High Hashes:
>> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
>> ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId:
>> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
>> C:\Windows\Explorer.EXE'
>> hostname: 'ubuntu'
>> program_name: 'WinEvtLog'
>> log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
>> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
>> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
>> {6B166207-7760-59CC-0000-0010F1E00800} ProcessId: 732 Image:
>> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
>> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
>> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser LogonGuid:
>> {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId:
>> 1 IntegrityLevel: High Hashes:
>> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
>> ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId:
>> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
>> C:\Windows\Explorer.EXE'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'windows'
>> status: 'INFORMATION'
>> id: '1'
>> extra_data: 'Microsoft-Windows-Sysmon'
>> dstuser: 'SYSTEM'
>> system_name: 'IE11Win7'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '99999'
>> Level: '3'
>> Description: 'Windows Rule Triggered'
>> **Alert to be generated.
>>
>>
>> Here is the Sysmon decoder by default:
>>
>> <decoder name="Sysmon-EventID#1">
>> <type>windows</type>
>> <prematch>INFORMATION\(1\)</prematch>
>> <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
>> <order>status,user,url,data</order>
>> </decoder>
>>
>
> There are a few things in the decoder that don't match the sysmon
> message you posted. You don't have "HashType," "Hash:" is "Hashes:"
> for you, etc. I'll play around with it.
>
>>
>>
>> As far as I know, there are a Sysmon decoder and Sysmon rules in OSSEC 2.9.2.
>> Could anyone help me fix it so that the Sysmon decoder and Sysmon rules are
>> triggered?
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
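To see why the stock Sysmon-EventID#1 decoder never fires on this event while the sysmon2 decoder above does, here is a small emulator of OSSEC's decoder matching. This is an added example, not code from the thread or from OSSEC itself: `ossec_to_python`, `apply_decoder`, `decode_sysmon_event`, `SYSMON2`, `SYSMON_DEFAULT` and `SAMPLE_LOG` are names chosen here, the sample log is reconstructed from the `log:` field in the ossec-logtest output (joined onto one line, as logtest shows it), the parent "windows" decoder's pre-decoding is skipped, and the translation of OSSEC's regex dialect into Python `re` is an approximation (in particular treating `\.*` and `\.+` as shortest-match, which is an assumption about OSSEC's own matcher). The spaces at the points where the mailing list wrapped the sysmon2 regex are reinserted as the log line requires them.

```python
import re

# OSSEC's decoder regex dialect is not PCRE. Table taken from the OSSEC
# "Regex Syntax" documentation (approximation: OSSEC uses its own matcher):
#   \.  any character    \s  space    \S  non-space    \d  digit
#   \w  [A-Za-z0-9@_-]   \p  punctuation   \t  tab;  a bare '.' is a literal dot
_CLASSES = {
    ".": ".", "s": "[ ]", "S": "[^ ]", "d": "[0-9]", "D": "[^0-9]",
    "w": "[A-Za-z0-9@_-]", "W": "[^A-Za-z0-9@_-]",
    "p": r"[()*+,\-.:;<=>?\[\]]", "t": "\t",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <regex>/<prematch> pattern into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            i += 2
            if nxt in _CLASSES:
                piece = _CLASSES[nxt]
                # Assumption: OSSEC's \.* and \.+ stop as soon as the rest of
                # the pattern matches, so they become lazy quantifiers here.
                if nxt == "." and i < len(pattern) and pattern[i] in "*+":
                    piece += pattern[i] + "?"
                    i += 1
                out.append(piece)
            else:
                out.append("\\" + nxt)  # \( \) and friends stay escaped
            continue
        # ( ) * + ^ $ | mean the same in both dialects; everything else,
        # including '.', '"' and space, is a literal in OSSEC.
        out.append(ch if ch in "()*+^$|" else re.escape(ch))
        i += 1
    return "".join(out)


def apply_decoder(decoder, log):
    """Emulate a child decoder with <prematch> and <regex offset="after_prematch">.

    Returns {field: value} according to <order>, or None if it does not decode.
    """
    pre = re.search(ossec_to_python(decoder["prematch"]), log)
    if pre is None:
        return None
    rest = log[pre.end():]  # offset="after_prematch": the regex starts here
    m = re.search(ossec_to_python(decoder["regex"]), rest)
    if m is None:
        return None
    names = [n.strip() for n in decoder["order"].split(",")]
    fields = {}
    for name, value in zip(names, m.groups()):
        fields[name] = value  # a repeated field name keeps the last capture
    return fields


# The decoder posted at the top of this thread, regex joined onto one line.
SYSMON2 = {
    "prematch": r"INFORMATION\(1\): ",
    "regex": r'^Microsoft-Windows-Sysmon:\.*Image: (\.*)\s*CommandLine: "\.+"\.+User: (\S+)\s+LogonGuid:\.*LogonId:\.*TerminalSessionId:\.*IntegrityLevel:\s*\S+\s*Hashes: MD5=(\S+),SHA\d+=(\S+)\.*ParentProcessGuid: \S+\s+ParentProcessId: \d+\s+ParentImage: (\.*)\s+ParentCommand',
    "order": "status, user, url, url, data",
}

# The stock Sysmon-EventID#1 decoder quoted in the thread, regex on one line.
SYSMON_DEFAULT = {
    "prematch": r"INFORMATION\(1\)",
    "regex": r"Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:",
    "order": "status,user,url,data",
}

# Constructed from the 'log:' field in the ossec-logtest output above.
SAMPLE_LOG = (
    r"Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    r"Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create: "
    r"UtcTime: 2017-09-28 04:15:28.884 ProcessGuid: {6B166207-7760-59CC-0000-0010F1E00800} "
    r"ProcessId: 732 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" '
    r"CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser "
    r"LogonGuid: {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId: 1 "
    r"IntegrityLevel: High Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,"
    r"SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7 "
    r"ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId: 2920 "
    r"ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE"
)


def decode_sysmon_event(log):
    """Run both decoders over one event; None means the decoder did not match."""
    return {"sysmon2": apply_decoder(SYSMON2, log),
            "Sysmon-EventID#1": apply_decoder(SYSMON_DEFAULT, log)}


if __name__ == "__main__":
    for name, fields in decode_sysmon_event(SAMPLE_LOG).items():
        print(name, "->", fields)
```

Running it shows the stock decoder returning `None`, because its regex insists on `HashType:` and `Hash:` while this Sysmon build emits `Hashes: MD5=...,SHA256=...`, which is exactly the mismatch noted in the reply. The sysmon2 decoder decodes the event, but its `<order>` lists `url` twice, so the MD5 capture is overwritten by the SHA256 one; if both hashes are wanted, they need distinct field names.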