Hello,

Thanks, it works. But I need to modify directly the decoder.xml file.

Cordialement / Regards

Sylvain Crouet
Security Officer - Security is everybody's responsibility
Mobile +33 (0) 7 75 24 10 28

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Sunday 3 December 2017 22:34
To: [email protected]
Subject: Re: [ossec-list] Adding decoders to windows decoders

On Mon, Nov 27, 2017 at 10:37 AM, Sylvain Crouet <[email protected]> wrote:
> Hello.
>
> I would like to add decoders to the default Windows ones.
> Considering the following security event:
>
> 2017 Nov 27 14:14:13 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: my_server: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 192.168.1.11 Source Port: 500 Destination Address: 192.168.1.23 Destination Port: 500 Protocol: 17 Filter Information: Filter Run-Time ID: 96718 Layer Name: %%14601 Layer Run-Time ID: 28
>
> The default decoder output is (with ossec-logtest):
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_FAILURE'
>        id: '5152'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: '(no user)'
>        system_name: 'my_server'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18105'
>        Level: '4'
>        Description: 'Windows audit failure event.'
>
> I want to get the source and destination IPs and ports.
> I tried to add the following lines to local_decoder.xml, but it does not work (I get exactly the same output as above):
>
> <decoder name="WinEvtLog-Security-Filtering">
>   <type>windows</type>
>   <parent>windows</parent>
>   <prematch>Windows Filtering Platform</prematch>
>   <regex offset="after_prematch">Source Address:\s+(\S+)\s+Source Port:\s+(\d+)\s+Destination Address:\s+(\S+)\s+Destination Port:\s+(\S+)\s+Protocol:\s+(\S+)</regex>
>   <order>srcip, srcport, dstip, dstport, protocol</order>
> </decoder>
>

This works with what I have:

<decoder name="windows1">
  <type>windows</type>
  <parent>windows</parent>
  <regex>Source Address:\s+(\S+)\s+Source Port:\s+(\d+)\s+Destination Address:\s+(\S+)\s+Destination Port:\s+(\S+)\s+Protocol:\s+(\S+)</regex>
  <order>srcip, srcport, dstip, dstport, protocol</order>
</decoder>

I'm on some MASTER mess though, so not entirely sure it'd work with a release. If it does, I'd be happy to add it into the tree.

> Cordialement / Kind regards
>
> Sylvain Crouet
> Security Officer - Security is everybody's responsibility
> Mobile +33 (0) 7 75 24 10 28
>
> Neocase™ Software is a leading provider of integrated HR and Finance service delivery solutions.
> www.neocasesoftware.com
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
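Added example (not code from the thread or from OSSEC): the same field extraction the working decoder performs, replayed in Python over the event 5152 line quoted above, so the expected srcip/srcport/dstip/dstport/protocol values can be checked before editing decoder.xml. The sample lines, the second non-WFP line and the protocol-name mapping are constructed for this example.

```python
import re
from typing import Optional

# Constructed samples: the event 5152 line quoted in the thread, as one line the
# way ossec-logtest receives it, plus an unrelated event to exercise the prematch.
WFP_EVENT = (
    "2017 Nov 27 14:14:13 WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: my_server: "
    "The Windows Filtering Platform blocked a packet. Application Information: "
    "Process ID: 0 Application Name: - Network Information: Direction: %%14592 "
    "Source Address: 192.168.1.11 Source Port: 500 Destination Address: "
    "192.168.1.23 Destination Port: 500 Protocol: 17 Filter Information: "
    "Filter Run-Time ID: 96718 Layer Name: %%14601 Layer Run-Time ID: 28"
)
OTHER_EVENT = (
    "2017 Nov 27 14:15:00 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: my_server: "
    "An account was successfully logged on."
)

# Same pattern as the <regex> in the working decoder. This is Python's re, not
# OSSEC's own regex engine, but on this single-line event the two agree.
PREMATCH = "Windows Filtering Platform"
FIELD_RE = re.compile(
    r"Source Address:\s+(\S+)\s+Source Port:\s+(\d+)\s+"
    r"Destination Address:\s+(\S+)\s+Destination Port:\s+(\S+)\s+Protocol:\s+(\S+)"
)
ORDER = ("srcip", "srcport", "dstip", "dstport", "protocol")

# IANA protocol numbers for the values this event carries (17 = UDP); assumed
# enrichment that the decoder itself does not perform.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def decode_wfp(line: str) -> Optional[dict]:
    """Mimic the child decoder: prematch first, then extract the five fields.

    Returns None when the line is not a WFP event or lacks the fields, which
    is the case the thread shows: only the parent 'windows' fields survive.
    """
    if PREMATCH not in line:
        return None
    m = FIELD_RE.search(line)
    if not m:
        return None
    fields = dict(zip(ORDER, m.groups()))
    fields["protocol_name"] = PROTO_NAMES.get(fields["protocol"], "other")
    return fields


if __name__ == "__main__":
    for sample in (WFP_EVENT, OTHER_EVENT):
        print(decode_wfp(sample))
```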
