Is it possible to crank up the verbosity of ossec-logtest so that I can see 
if individual lines in a rule match?  I'm stuck on something that's got me 
flustered.

I've got what I think is a simple rule, but damn if I can get it to work:

This is the log entry:
2018 Mar 12 13:14:22 WinEvtLog: Security: AUDIT_FAILURE(5157): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
computer.domain.test: The Windows Filtering Platform has blocked a 
connection. Application Information: Process ID: 7812 Application Name: 
\device\harddiskvolume2\program files 
(x86)\pfu\scansnap\driver\pfussmon.exe Network Information: Direction: 
%%14593 Source Address: 192.168.23.1 Source Port: 53885 Destination 
Address: 192.168.23.255 Destination Port: 52217 Protocol: 17 Filter 
Information: Filter Run-Time ID: 75813 Layer Name: %%14611 Layer Run-Time 
ID: 48

msauth_rules.xml will match this under 18105.

I've written a rule in local_rules.xml that matches:

  <rule id="100014" level="0">
    <if_sid>18105</if_sid>
    <match>pfussmon.exe</match>
    <description>Harmless Network traffic</description>
  </rule>

However, I wanted to add a second match that checks the destination address 
too:

  <rule id="100014" level="0">
    <if_sid>18105</if_sid>
    <match>pfussmon.exe</match>
    <match>Destination Address: 192.168.23.255</match>
    <description>Harmless Network traffic</description>
  </rule>

Yet when I pipe that log entry back into logtest:

    Trying rule: 100014 - Harmless Network traffic
    Trying rule: 18106 - Windows Logon Failure.
    Trying rule: 18139 - Windows DC Logon Failure.
    Trying rule: 18180 - MS SQL Server Logon Failure.
    Trying rule: 18108 - Failed attempt to perform a privileged operation.

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '5'
       Description: 'Windows audit failure event.'
**Alert to be generated.

It's not matching.

Running OSSEC 2.8 (the version that comes with Security Onion). Was 
multiple matching enabled in a later version, or have I done something 
foolish here?
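As an added example (not from the original post, and not an answer about logtest verbosity): the same two conditions written as a pair of chained rules in local_rules.xml, each carrying a single <match> and linked through <if_sid>, which is how OSSEC rules are normally combined. Rule id 100014 is the poster's; 100015 is assumed to be unused.

```xml
<group name="local,windows,wfp,">
  <!-- Parent rule: a WFP "blocked a connection" event (18105) whose
       Application Name contains pfussmon.exe. Level 0 = no alert. -->
  <rule id="100014" level="0">
    <if_sid>18105</if_sid>
    <match>pfussmon.exe</match>
    <description>WFP block from pfussmon.exe (grouping rule, no alert)</description>
  </rule>

  <!-- Child rule: evaluated only when 100014 already matched, so both
       substrings must be present. <match> is a literal substring test,
       so the dots in the address need no escaping here. Level 0 keeps
       this traffic out of the alert stream; raise the level instead if
       you would rather record it. -->
  <rule id="100015" level="0">
    <if_sid>100014</if_sid>
    <match>Destination Address: 192.168.23.255</match>
    <description>Harmless network traffic: pfussmon.exe broadcast to 192.168.23.255</description>
  </rule>
</group>
```

Feeding the same event through ossec-logtest should then list "Trying rule: 100014" followed by "Trying rule: 100015", and Phase 3 should report rule 100015 instead of 18105.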
