Is it possible to crank up the verbosity of ossec-logtest so that I can see if individual lines in a rule match? I'm stuck on something that's got me flustered.
I've got what I think is a simple rule, but damn if I can get it to work: This is the log entry: 2018 Mar 12 13:14:22 WinEvtLog: Security: AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: computer.domain.test: The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 7812 Application Name: \device\harddiskvolume2\program files (x86)\pfu\scansnap\driver\pfussmon.exe Network Information: Direction: %%14593 Source Address: 192.168.23.1 Source Port: 53885 Destination Address: 192.168.23.255 Destination Port: 52217 Protocol: 17 Filter Information: Filter Run-Time ID: 75813 Layer Name: %%14611 Layer Run-Time ID: 48 msauth_rules.xml will match this under 18105. I've written a rule in local_rules.xml that matches: <rule id="100014" level="0"> <if_sid>18105</if_sid> <match>pfussmon.exe</match> <description>Harmless Network traffic</description> </rule> However, I wanted to add a second match that checks the destination address too: <rule id="100014" level="0"> <if_sid>18105</if_sid> <match>pfussmon.exe</match> <match>Destination Address: 192.168.23.255</match> <description>Harmless Network traffic</description> </rule> Yet when I pipe that log entry back into logtest: Trying rule: 100014 - Harmless Network traffic Trying rule: 18106 - Windows Logon Failure. Trying rule: 18139 - Windows DC Logon Failure. Trying rule: 18180 - MS SQL Server Logon Failure. Trying rule: 18108 - Failed attempt to perform a privileged operation. **Phase 3: Completed filtering (rules). Rule id: '18105' Level: '5' Description: 'Windows audit failure event.' **Alert to be generated. It's not matching. Running ossec 2.8 (The version that comes with Security Onion) . Was multiple matching enabled in a later version or have I done something foolish here? -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.