Well, I think there is only one thing I can do: I just add this decoder after the
windows decoder and before windows1, and it works.

<decoder name="Sysmon-EventID1_X">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>*Microsoft-Windows-Sysmon*</prematch>
  <regex offset="after_prematch">^Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory: \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)</regex>
  <order>status,user,url,extra_data</order>
</decoder>


Thanks for the idea.

On Friday, September 29, 2017 at 11:32:56 AM UTC+7, amar haq wrote:
>
> Hi dan (ddpbsd),
>
> Thanks for noticing it. I add the decoder at local_decoder to avoid
> damaging the default decoder. This is my custom decoder right now:
>
>
> <decoder name="Sysmon-EventID1_X">
> <parent>windows</parent>
> <type>windows</type>
> <prematch>INFORMATION\(1\)</prematch>
> <regex offset="after_prematch">Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory: \S+\s*User:\s*(\S+)\s*LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)</regex>
> <order>status,user,url,extra_data</order>
> </decoder>
>
>
> What I want to get is:
> 1. Image = status
> 2. User = user
> 3. SHA256 = url
> 4. ParentImage = extra_data
>
> I'm kind of new and got that regex with trial and error at regex101.com.
> Is it the correct one to try regex?
>
> I don't really understand how to make it match with this decoder. Is it
> because of the <prematch>? Or could the decoder be executed after windows
> decodes it?
>
>
> On Thursday, September 28, 2017 at 7:42:40 PM UTC+7, dan (ddpbsd) wrote:
>>
>> I'm not happy with this one: 
>> <decoder name="sysmon2"> 
>>   <parent>windows</parent> 
>>   <type>windows</type> 
>>   <prematch>INFORMATION\(1\): </prematch> 
>>   <regex offset="after_prematch">^Microsoft-Windows-Sysmon:\.* Image: (\.*)\s*CommandLine: "\.+"\.+User: (\S+)\s+LogonGuid:\.*LogonId:\.*TerminalSessionId:\.*IntegrityLevel:\s*\S+\s*Hashes: MD5=(\S+),SHA\d+=(\S+)\.*ParentProcessGuid: \S+\s+ParentProcessId: \d+\s+ParentImage: (\.*)\s+ParentCommand</regex>
>>   <order>status, user, url, url, data</order> 
>> </decoder> 
>>
>> I had to add it after the windows decoder, and before windows1. So I'm 
>> not sure how much damage it would do to other windows decoders/rules. 
>>
>>
>> On Thu, Sep 28, 2017 at 8:02 AM, dan (ddp) <[email protected]> wrote: 
>> > On Thu, Sep 28, 2017 at 12:35 AM, amar haq <[email protected]> wrote: 
>> >> Hi, I have OSSEC manager 2.9.2 on Ubuntu and OSSEC agent on Windows v2.9.0.
>> >> Sysmon is installed and has been configured, and for example I tried to access
>> >> powershell, agent's log.
>> >> So I tried to use ossec-logtest and have this result:
>> >> 
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: '2017 Sep 28 11:15:28 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create: UtcTime: 2017-09-28 04:15:28.884  ProcessGuid: {6B166207-7760-59CC-0000-0010F1E00800}  ProcessId: 732  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"  CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  LogonGuid: {6B166207-76B9-59CC-0000-0020FDE40100}  LogonId: 0x1e4fd  TerminalSessionId: 1  IntegrityLevel: High  Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7  ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600}  ParentProcessId: 2920  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
>> >>        hostname: 'ubuntu'
>> >>        program_name: 'WinEvtLog'
>> >>        log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create: UtcTime: 2017-09-28 04:15:28.884  ProcessGuid: {6B166207-7760-59CC-0000-0010F1E00800}  ProcessId: 732  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"  CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  LogonGuid: {6B166207-76B9-59CC-0000-0020FDE40100}  LogonId: 0x1e4fd  TerminalSessionId: 1  IntegrityLevel: High  Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7  ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600}  ParentProcessId: 2920  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'windows'
>> >>        status: 'INFORMATION'
>> >>        id: '1'
>> >>        extra_data: 'Microsoft-Windows-Sysmon'
>> >>        dstuser: 'SYSTEM'
>> >>        system_name: 'IE11Win7'
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >>        Rule id: '99999'
>> >>        Level: '3'
>> >>        Description: 'Windows Rule Triggered'
>> >> **Alert to be generated.
>> >> 
>> >> Here is the Sysmon decoder by default:
>> >>
>> >> <decoder name="Sysmon-EventID#1">
>> >> <type>windows</type>
>> >> <prematch>INFORMATION\(1\)</prematch>
>> >> <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
>> >> <order>status,user,url,data</order>
>> >> </decoder>
>> >> 
>> > 
>> > There's a few things in the decoder that don't match the sysmon 
>> > message you posted. You don't have "HashType," "Hash:" is "Hashes:" 
>> > for you, etc. I'll play around with it. 
>> > 
>> >> 
>> >> 
>> >> As I know, there is a Sysmon decoder and Sysmon rules on OSSEC 2.9.2.
>> >> Could anyone help me how to fix it so the Sysmon decoder and Sysmon rules
>> >> are triggered?
>> >> 
>> >> -- 
>> >> 
>> >> --- 
>> >> You received this message because you are subscribed to the Google 
>> Groups 
>> >> "ossec-list" group. 
>> >> To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> >> email to [email protected]. 
>> >> For more options, visit https://groups.google.com/d/optout. 
>>
>

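A way to test a decoder like the ones in this thread offline, instead of at regex101.com, whose PCRE dialect differs from OSSEC's (in OSSEC `\.` means any character, `\s` is a single space, `\w` also covers `@`, `_` and `-`). This is an added Python example, not code from the thread or from OSSEC: it translates the OSSEC dialect to Python's `re` (an approximation of OSSEC's simpler matcher), runs amar's second decoder (prematch `INFORMATION\(1\)`, regex without `^`) over the event from the ossec-logtest output, and maps the captures onto the `<order>` fields. The sample event is constructed from that output with the e-mail wrapping removed; the double spaces between Sysmon fields are taken from it.

```python
import re
# OSSEC regex escapes -> Python re (an approximation of OSSEC's simpler matcher, for offline checks).
OSSEC_ESCAPES = {
    "w": "[A-Za-z0-9@_-]", "W": "[^A-Za-z0-9@_-]", "d": "[0-9]", "D": "[^0-9]",
    "s": " ", "S": "[^ ]", "t": "\t", ".": ".",  # OSSEC '\.' means any character
    "p": "[" + "".join(re.escape(c) for c in "()*+,-.:;<=>?[]!\"'#$%&|{}") + "]",
}

def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into Python re syntax (a bare '.' stays a literal dot)."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(ch if ch in "^$|()*+" else re.escape(ch))
            i += 1
    return "".join(out)

def decode(log, decoder):
    # Apply <prematch>, then <regex offset="after_prematch">, then map captures onto <order>.
    pm = re.search(ossec_to_python(decoder["prematch"]), log)
    if pm is None:
        return None
    m = re.search(ossec_to_python(decoder["regex"]), log[pm.end():])
    if m is None:
        return None
    order = [f.strip() for f in decoder["order"].split(",")]
    if len(order) != len(m.groups()):  # capture/field count mismatch is a common decoder bug
        raise ValueError("%d captures but %d fields in <order>" % (len(m.groups()), len(order)))
    return dict(zip(order, m.groups()))

# amar's second decoder from the thread: prematch INFORMATION\(1\), regex without a leading '^'.
SYSMON_DECODER = {
    "prematch": r"INFORMATION\(1\)",
    "regex": r"Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory: \S+\s*User:\s*(\S+)\s*"
             r"LogonGuid:\s\S*\s*LogonId:\s\S+\s*TerminalSessionId:\s*\S*\s*IntegrityLevel:\s*\S+\s*"
             r"Hashes:\s*MD5=\w*,SHA256=(\S+)\s*\w*:\s*\S*\s*\w*:\s*\w*\s*ParentImage:\s*(\S+)",
    "order": "status,user,url,extra_data",
}

# Constructed from the 'log:' value of the ossec-logtest output (wrapping removed; fields are two spaces apart).
SAMPLE_LOG = (
    r"Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: "
    r"Process Create: UtcTime: 2017-09-28 04:15:28.884  ProcessGuid: {6B166207-7760-59CC-0000-0010F1E00800}  ProcessId: 732  "
    r'Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"  '
    r"CurrentDirectory: C:\Windows\system32\  User: IE11WIN7\IEUser  LogonGuid: {6B166207-76B9-59CC-0000-0020FDE40100}  "
    r"LogonId: 0x1e4fd  TerminalSessionId: 1  IntegrityLevel: High  "
    r"Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7  "
    r"ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600}  ParentProcessId: 2920  ParentImage: C:\Windows\explorer.exe  "
    r"ParentCommandLine: C:\Windows\Explorer.EXE"
)
```

`decode(SAMPLE_LOG, SYSMON_DECODER)` returns the four fields (status = powershell.exe path, user = IE11WIN7\IEUser, url = the SHA256, extra_data = explorer.exe path); it says nothing about decoder ordering, which is what made the decoder fire in the thread.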