Re: [ossec-list] ossec-logtest verbosity levels...
On Wed, Mar 14, 2018 at 12:53 PM, Ian Brown wrote:
> Dan,
>
> Okay, so say I make two rules. 100014 that uses the first match, and 100015
> that uses the second. Is there a way to revert back to 18105 if 100014
> matches but 100015 doesn't?

Unfortunately, no. You could do a regex:
pfussmon.exe\.*Destination Address: blah blah

> On Tuesday, March 13, 2018 at 3:31:15 AM UTC-7, dan (ddpbsd) wrote:
>>
>> I think this combined the matches, effectively making it:
>> pfussmon.exeDestination Address: 192.168.23.255
>>
>> You might need to make 2 rules, and have the parent of the second be
>> the sid of the first.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
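An added toy model (not from the thread and not OSSEC's own code) of the three approaches discussed above: two `<match>` elements collapsing into one concatenated pattern, a single `<regex>` using `\.*`, and two rules chained with `if_sid`. It assumes `<match>` is a plain substring test, translates only OSSEC's `\.` (any character) to Python `re`, and uses a shortened, constructed copy of Ian's log line; `evaluate`, `demo` and the rule dictionaries are names invented for the example.

```python
import re

# Constructed log line: the relevant fields of the WinEvtLog entry from the thread.
LOG = ("The Windows Filtering Platform has blocked a connection. Application Name: "
       r"\device\harddiskvolume2\program files (x86)\pfu\scansnap\driver\pfussmon.exe "
       "Network Information: Source Address: 192.168.23.1 Destination Address: 192.168.23.255")

def ossec_regex_to_python(pattern):
    # OSSEC <regex> subset: "\." is any character, so "\.*" is "anything in between";
    # everything else is taken literally (simplification of OSSEC's full syntax).
    out = []
    for tok in re.split(r"(\\\.\*?)", pattern):
        out.append({r"\.*": ".*", r"\.": "."}.get(tok) or re.escape(tok))
    return "".join(out)

def evaluate(rules, log, base_sid=18105):
    # Toy model of OSSEC's if_sid tree: starting from the parent that already matched
    # (18105), try children of the current winner; the deepest matching child wins.
    # <match> is modelled as a plain substring test (real OSSEC uses its own syntax).
    current, progressed = base_sid, True
    while progressed:
        progressed = False
        for r in rules:
            if r["if_sid"] != current:
                continue
            if "match" in r and r["match"] not in log:
                continue
            if "regex" in r and not re.search(ossec_regex_to_python(r["regex"]), log):
                continue
            current, progressed = r["id"], True
            break
    return current

# Rule 100014 with two <match> elements, which behave as one concatenated pattern.
COMBINED = [{"id": 100014, "if_sid": 18105, "match": "pfussmon.exeDestination Address: 192.168.23.255"}]
# Rule 100014 with the single <regex> Dan suggested.
REGEX = [{"id": 100014, "if_sid": 18105, "regex": r"pfussmon.exe\.*Destination Address: 192.168.23.255"}]
# Rules 100014 and 100015, the second chained to the first via if_sid.
CHAINED = [{"id": 100014, "if_sid": 18105, "match": "pfussmon.exe"},
           {"id": 100015, "if_sid": 100014, "match": "Destination Address: 192.168.23.255"}]

def demo():
    other = LOG.replace("192.168.23.255", "10.0.0.9")  # constructed: same process, other destination
    return {"combined": evaluate(COMBINED, LOG),            # 18105: concatenated pattern never matches
            "regex": evaluate(REGEX, LOG),                  # 100014
            "chained": evaluate(CHAINED, LOG),              # 100015
            "chained_other_dst": evaluate(CHAINED, other),  # 100014: no way back to 18105
            "regex_other_dst": evaluate(REGEX, other)}      # 18105: whole rule falls through
```

The last two results are the trade-off in Dan's answer: the chained form leaves a non-matching destination at 100014, while the single regex falls all the way through to 18105.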
Re: [ossec-list] ossec-logtest verbosity levels...
Dan,

Okay, so say I make two rules. 100014 that uses the first match, and 100015 that uses the second. Is there a way to revert back to 18105 if 100014 matches but 100015 doesn't?

On Tuesday, March 13, 2018 at 3:31:15 AM UTC-7, dan (ddpbsd) wrote:
>
> I think this combined the matches, effectively making it:
> pfussmon.exeDestination Address: 192.168.23.255
>
> You might need to make 2 rules, and have the parent of the second be
> the sid of the first.
Re: [ossec-list] ossec-logtest verbosity levels...
On Mon, Mar 12, 2018 at 4:46 PM, Ian Brown wrote:
> Is it possible to crank up the verbosity of ossec-logtest so that I can see
> if individual lines in a rule match? I'm stuck on something that's got me
> flustered.
>
> I've got what I think is a simple rule, but damn if I can get it to work:
>
> This is the log entry:
> 2018 Mar 12 13:14:22 WinEvtLog: Security: AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: computer.domain.test: The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 7812 Application Name: \device\harddiskvolume2\program files (x86)\pfu\scansnap\driver\pfussmon.exe Network Information: Direction: %%14593 Source Address: 192.168.23.1 Source Port: 53885 Destination Address: 192.168.23.255 Destination Port: 52217 Protocol: 17 Filter Information: Filter Run-Time ID: 75813 Layer Name: %%14611 Layer Run-Time ID: 48
>
> msauth_rules.xml will match this under 18105.
>
> I've written a rule in local_rules.xml that matches:
>
> 18105
> pfussmon.exe
> Harmless Network traffic
>
> However, I wanted to add a second match that checks the destination address
> too:
>
> 18105
> pfussmon.exe
> Destination Address: 192.168.23.255

I think this combined the matches, effectively making it:
pfussmon.exeDestination Address: 192.168.23.255

You might need to make 2 rules, and have the parent of the second be the sid of the first.

> Harmless Network traffic
>
> Yet when I pipe that log entry back into logtest:
>
> Trying rule: 100014 - Harmless Network traffic
> Trying rule: 18106 - Windows Logon Failure.
> Trying rule: 18139 - Windows DC Logon Failure.
> Trying rule: 18180 - MS SQL Server Logon Failure.
> Trying rule: 18108 - Failed attempt to perform a privileged operation.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18105'
> Level: '5'
> Description: 'Windows audit failure event.'
> **Alert to be generated.
>
> It's not matching.
>
> Running ossec 2.8 (The version that comes with Security Onion). Was
> multiple matching enabled in a later version or have I done something
> foolish here?
[ossec-list] ossec-logtest verbosity levels...
Is it possible to crank up the verbosity of ossec-logtest so that I can see if individual lines in a rule match? I'm stuck on something that's got me flustered.

I've got what I think is a simple rule, but damn if I can get it to work:

This is the log entry:
2018 Mar 12 13:14:22 WinEvtLog: Security: AUDIT_FAILURE(5157): Microsoft-Windows-Security-Auditing: (no user): no domain: computer.domain.test: The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 7812 Application Name: \device\harddiskvolume2\program files (x86)\pfu\scansnap\driver\pfussmon.exe Network Information: Direction: %%14593 Source Address: 192.168.23.1 Source Port: 53885 Destination Address: 192.168.23.255 Destination Port: 52217 Protocol: 17 Filter Information: Filter Run-Time ID: 75813 Layer Name: %%14611 Layer Run-Time ID: 48

msauth_rules.xml will match this under 18105.

I've written a rule in local_rules.xml that matches:

18105
pfussmon.exe
Harmless Network traffic

However, I wanted to add a second match that checks the destination address too:

18105
pfussmon.exe
Destination Address: 192.168.23.255
Harmless Network traffic

Yet when I pipe that log entry back into logtest:

Trying rule: 100014 - Harmless Network traffic
Trying rule: 18106 - Windows Logon Failure.
Trying rule: 18139 - Windows DC Logon Failure.
Trying rule: 18180 - MS SQL Server Logon Failure.
Trying rule: 18108 - Failed attempt to perform a privileged operation.

**Phase 3: Completed filtering (rules).
Rule id: '18105'
Level: '5'
Description: 'Windows audit failure event.'
**Alert to be generated.

It's not matching.

Running ossec 2.8 (The version that comes with Security Onion). Was multiple matching enabled in a later version or have I done something foolish here?