Hi dan (ddpbsd), thanks for noticing it. I added the decoder in local_decoder to avoid damaging the default decoder. This is my custom decoder right now:

<decoder name="Sysmon-EventID1_X">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>INFORMATION\(1\)</prematch>
  <regex offset="after_prematch">Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory: \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)</regex>
  <order>status,user,url,extra_data</order>
</decoder>

What I want to get is:
1. Image = status
2. User = user
3. SHA256 = url
4. ParentImage = extra_data

I'm kind of new and got that regex with trial and error at regex101.com. Is it the correct one to try the regex? I don't really understand how to make it match with this decoder. Is it because of the <prematch>? Or could the decoder be executed after windows decodes it?

On Thursday, September 28, 2017 at 7:42:40 PM UTC+7, dan (ddpbsd) wrote:
>
> I'm not happy with this one:
> <decoder name="sysmon2">
>   <parent>windows</parent>
>   <type>windows</type>
>   <prematch>INFORMATION\(1\): </prematch>
>   <regex offset="after_prematch">^Microsoft-Windows-Sysmon:\.*
> Image: (\.*)\s*CommandLine: "\.+"\.+User:
> (\S+)\s+LogonGuid:\.*LogonId:\.*TerminalSessionId
> :\.*IntegrityLevel:\s*\S+\s*Hashes:
> MD5=(\S+),SHA\d+=(\S+)\.*ParentProcessGuid: \S+\s+ParentProcessId:
> \d+\s+ParentImage: (\.*)\s+ParentCommand</regex>
>   <order>status, user, url, url, data</order>
> </decoder>
>
> I had to add it after the windows decoder, and before windows1. So I'm
> not sure how much damage it would do to other windows decoders/rules.
>
>
> On Thu, Sep 28, 2017 at 8:02 AM, dan (ddp) <[email protected]> wrote:
> > On Thu, Sep 28, 2017 at 12:35 AM, amar haq <[email protected]> wrote:
> >> Hi, I have ossec manager 2.9.2 on ubuntu and ossec agent on windows v2.9.0.
> >> Sysmon installed and has been configured, and for example I tried to access
> >> PowerShell, agent's log.
> >> So I tried to use ossec-logtest and have this result:
> >>
> >> **Phase 1: Completed pre-decoding.
> >> full event: '2017 Sep 28 11:15:28 WinEvtLog:
> >> Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
> >> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
> >> {6B166207-7760-59CC-0000-0010F1E00800} ProcessId: 732 Image:
> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
> >> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser LogonGuid:
> >> {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId:
> >> 1 IntegrityLevel: High Hashes:
> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> >> ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId:
> >> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
> >> C:\Windows\Explorer.EXE'
> >> hostname: 'ubuntu'
> >> program_name: 'WinEvtLog'
> >> log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create:
> >> UtcTime: 2017-09-28 04:15:28.884 ProcessGuid:
> >> {6B166207-7760-59CC-0000-0010F1E00800} ProcessId: 732 Image:
> >> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine:
> >> "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
> >> CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser LogonGuid:
> >> {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId:
> >> 1 IntegrityLevel: High Hashes:
> >> MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
> >> ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId:
> >> 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine:
> >> C:\Windows\Explorer.EXE'
> >>
> >> **Phase 2: Completed decoding.
> >> decoder: 'windows'
> >> status: 'INFORMATION'
> >> id: '1'
> >> extra_data: 'Microsoft-Windows-Sysmon'
> >> dstuser: 'SYSTEM'
> >> system_name: 'IE11Win7'
> >>
> >> **Phase 3: Completed filtering (rules).
> >> Rule id: '99999'
> >> Level: '3'
> >> Description: 'Windows Rule Triggered'
> >> **Alert to be generated.
> >>
> >>
> >> Here is the sysmon decoder by default:
> >>
> >> <decoder name="Sysmon-EventID#1">
> >>   <type>windows</type>
> >>   <prematch>INFORMATION\(1\)</prematch>
> >>   <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User:
> >> (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S*
> >> \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S*
> >> \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
> >>   <order>status,user,url,data</order>
> >> </decoder>
> >>
> >
> > There's a few things in the decoder that don't match the sysmon
> > message you posted. You don't have "HashType," "Hash:" is "Hashes:"
> > for you, etc. I'll play around with it.
> >
> >>
> >>
> >> As I know, there is a Sysmon decoder and sysmon rules on Ossec 2.9.2.
> >> Could anyone help me how to fix it so the sysmon decoder and sysmon rules
> >> are triggered?
> >>
> >> --

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
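An added example, not code from the thread or from OSSEC itself: a small Python harness that approximates OSSEC's os_regex dialect so a candidate decoder's <prematch>, <regex offset="after_prematch"> and <order> can be dry-run against the 'log:' line that ossec-logtest printed above, before it goes into local_decoder.xml. The decoder regex inside it is a constructed one written for this illustration, not either decoder posted in the thread, and the dialect translation is an approximation, so ossec-logtest stays the final check.

```python
import re
# OSSEC's os_regex dialect -> Python re (approximation: os_regex is a much
# simpler engine than re, so confirm the final decoder with ossec-logtest).
_OSSEC = {"w": "[A-Za-z0-9_]", "d": "[0-9]", "s": "[ \t]", "S": "[^ \t]",
          "W": "[^A-Za-z0-9_]", "D": "[^0-9]", "t": "\t",
          "p": r"[()*+,\-.:;<=>?\[\]]", ".": "."}  # OSSEC '\.' = any char

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):   # \( \) etc. become literals
            out.append(_OSSEC.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:                                     # bare '.' is a literal dot
            out.append(c if c in "()*+^$|" else re.escape(c))
            i += 1
    return "".join(out)

def run_decoder(decoder, log):
    """Emulate <prematch>, <regex offset="after_prematch"> and <order>."""
    pre = re.search(ossec_to_python(decoder["prematch"]), log)
    if not pre:
        return None                               # prematch failed: skipped
    m = re.search(ossec_to_python(decoder["regex"]), log[pre.end():])
    if not m:
        return None                               # regex failed: no fields
    names = [n.strip() for n in decoder["order"].split(",")]
    return dict(zip(names, m.groups()))

# Constructed decoder for this demo, not the one posted in the thread.
DECODER = {
    "prematch": r"INFORMATION\(1\)",
    "regex": r"Image: (\S+) CommandLine: \.+ User: (\S+) \.+,SHA256=(\w+) "
             r"\.+ ParentImage: (\S+) ParentCommandLine:",
    "order": "status,user,url,extra_data",
}

# The 'log:' value printed by ossec-logtest in the thread, as one line.
LOG = (r"Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: "
       r"IE11Win7: Process Create: UtcTime: 2017-09-28 04:15:28.884 ProcessGuid: {6B166207-7760-59CC-0000-0010F1E00800} "
       r"ProcessId: 732 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
       r'CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" CurrentDirectory: C:\Windows\system32\ '
       r"User: IE11WIN7\IEUser LogonGuid: {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId: 1 "
       r"IntegrityLevel: High Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,"
       r"SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7 ParentProcessGuid: "
       r"{6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId: 2920 ParentImage: C:\Windows\explorer.exe "
       r"ParentCommandLine: C:\Windows\Explorer.EXE")
print(run_decoder(DECODER, LOG))
```

Changing the prematch to an event ID that is not in the log makes run_decoder return None, which is the same outcome as ossec-logtest reporting only the parent 'windows' decoder.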
