On Mon, Mar 12, 2018 at 4:46 PM, Ian Brown <[email protected]> wrote: > Is it possible to crank up the verbosity of ossec-logtest so that I can see > if individual lines in a rule match? I'm stuck on something that's got me > flustered. > > I've got what I think is a simple rule, but damn if I can get it to work: > > This is the log entry: > 2018 Mar 12 13:14:22 WinEvtLog: Security: AUDIT_FAILURE(5157): > Microsoft-Windows-Security-Auditing: (no user): no domain: > computer.domain.test: The Windows Filtering Platform has blocked a > connection. Application Information: Process ID: 7812 Application Name: > \device\harddiskvolume2\program files (x86)\pfu\scansnap\driver\pfussmon.exe > Network Information: Direction: %%14593 Source Address: 192.168.23.1 Source > Port: 53885 Destination Address: 192.168.23.255 Destination Port: 52217 > Protocol: 17 Filter Information: Filter Run-Time ID: 75813 Layer Name: > %%14611 Layer Run-Time ID: 48 > > msauth_rules.xml will match this under 18105. > > I've written a rule in local_rules.xml that matches: > > <rule id="100014" level="0"> > <if_sid>18105</if_sid> > <match>pfussmon.exe</match> > <description>Harmless Network traffic</description> > </rule> > > However, I wanted to add a second match that checks the destination address > too: > <rule id="100014" level="0"> > <if_sid>18105</if_sid> > <match>pfussmon.exe</match> > <match>Destination Address: 192.168.23.255</match>
I think this combined the matches, effectively making it: <match>pfussmon.exeDestination Address: 192.168.23.255</match> You might need to make 2 rules, and have the parent of the second be the sid of the first. > <description>Harmless Network traffic</description> > </rule> > > Yet when I pipe that log entry back into logtest: > > > Trying rule: 100014 - Harmless Network traffic > Trying rule: 18106 - Windows Logon Failure. > Trying rule: 18139 - Windows DC Logon Failure. > Trying rule: 18180 - MS SQL Server Logon Failure. > Trying rule: 18108 - Failed attempt to perform a privileged operation. > > **Phase 3: Completed filtering (rules). > Rule id: '18105' > Level: '5' > Description: 'Windows audit failure event.' > **Alert to be generated. > > It's not matching. > > Running ossec 2.8 (The version that comes with Security Onion) . Was > multiple matching enabled in a later version or have I done something > foolish here? > > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
