On Mon, Mar 12, 2018 at 4:46 PM, Ian Brown <zestys...@gmail.com> wrote:
> Is it possible to crank up the verbosity of ossec-logtest so that I can see
> if individual lines in a rule match?  I'm stuck on something that's got me
> flustered.
>
> I've got what I think is a simple rule, but damn if I can get it to work:
>
> This is the log entry:
> 2018 Mar 12 13:14:22 WinEvtLog: Security: AUDIT_FAILURE(5157):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> computer.domain.test: The Windows Filtering Platform has blocked a
> connection. Application Information: Process ID: 7812 Application Name:
> \device\harddiskvolume2\program files (x86)\pfu\scansnap\driver\pfussmon.exe
> Network Information: Direction: %%14593 Source Address: 192.168.23.1 Source
> Port: 53885 Destination Address: 192.168.23.255 Destination Port: 52217
> Protocol: 17 Filter Information: Filter Run-Time ID: 75813 Layer Name:
> %%14611 Layer Run-Time ID: 48
>
> msauth_rules.xml will match this under 18105.
>
> I've written a rule in local_rules.xml that matches:
>
>   <rule id="100014" level="0">
>     <if_sid>18105</if_sid>
>     <match>pfussmon.exe</match>
>     <description>Harmless Network traffic</description>
>   </rule>
>
> However, I wanted to add a second match that checks the destination address
> too:
>   <rule id="100014" level="0">
>     <if_sid>18105</if_sid>
>     <match>pfussmon.exe</match>
>     <match>Destination Address: 192.168.23.255</match>

I think this combined the matches, effectively making it:
<match>pfussmon.exeDestination Address: 192.168.23.255</match>

You might need to make 2 rules, and have the parent of the second be
the sid of the first.

>     <description>Harmless Network traffic</description>
>   </rule>
>
> Yet when I pipe that log entry back into logtest:
>
>
>     Trying rule: 100014 - Harmless Network traffic
>     Trying rule: 18106 - Windows Logon Failure.
>     Trying rule: 18139 - Windows DC Logon Failure.
>     Trying rule: 18180 - MS SQL Server Logon Failure.
>     Trying rule: 18108 - Failed attempt to perform a privileged operation.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18105'
>        Level: '5'
>        Description: 'Windows audit failure event.'
> **Alert to be generated.
>
> It's not matching.
>
> Running ossec 2.8 (The version that comes with Security Onion) . Was
> multiple matching enabled in a later version or have I done something
> foolish here?
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to