Re: [ossec-list] ossec-logtest verbosity levels...

2018-03-14 Thread dan (ddp)
On Wed, Mar 14, 2018 at 12:53 PM, Ian Brown  wrote:
> Dan,
>
> Okay, so say I make two rules.  100014 that uses the first match, and 100015
> that uses the second.  Is there a way to revert back to 18105 if 100014
> matches but 100015 doesn't?
>

Unfortunately, no.
You could do a regex:
pfussmon.exe\.*Destination Address: blah blah

> On Tuesday, March 13, 2018 at 3:31:15 AM UTC-7, dan (ddpbsd) wrote:
>>
>>
>> I think this combined the matches, effectively making it:
>> pfussmon.exeDestination Address: 192.168.23.255
>>
>> You might need to make 2 rules, and have the parent of the second be
>> the sid of the first.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

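As an added example, not code from the thread or from the OSSEC project, here is how the two approaches Dan describes would be written in local_rules.xml. The rule ids 100014 and 100015, the parent 18105, the match strings and the regex are taken from the thread; the group name, the level attributes (5 for the broad rule, matching what logtest shows for 18105, and 0 to suppress the alert on the narrowed rule) and the description on 100014 are my assumptions about the intended outcome.

```xml
<!-- Added example, not from the thread: two ways to express
     "pfussmon.exe traffic to 192.168.23.255 is harmless" in local_rules.xml.
     Rule ids 100014/100015, parent 18105 and the regex come from the thread;
     the group name, level attributes and the description on 100014 are assumptions. -->
<group name="local,windows,">

  <!-- Option A: two chained rules, as Dan suggests.
       100014 fires on any pfussmon.exe event that 18105 already matched.
       Once it matches there is no way back to 18105, so its level (assumed 5,
       the level logtest shows for 18105) is what applies to pfussmon.exe
       traffic whose destination fails the check in 100015. -->
  <rule id="100014" level="5">
    <if_sid>18105</if_sid>
    <match>pfussmon.exe</match>
    <description>pfussmon.exe blocked by Windows Filtering Platform</description>
  </rule>

  <!-- 100015 narrows 100014 to the broadcast destination and silences it
       (level 0 means no alert; assumed to be what "Harmless" should mean). -->
  <rule id="100015" level="0">
    <if_sid>100014</if_sid>
    <match>Destination Address: 192.168.23.255</match>
    <description>Harmless Network traffic</description>
  </rule>

  <!-- Option B, to use instead of Option A: one rule with a regex.
       In OSSEC regex syntax "\." matches any single character, so "\.*"
       spans the text between the two fragments, while a plain "." is a
       literal dot, so the address needs no escaping. -->
  <!--
  <rule id="100014" level="0">
    <if_sid>18105</if_sid>
    <regex>pfussmon.exe\.*Destination Address: 192.168.23.255</regex>
    <description>Harmless Network traffic</description>
  </rule>
  -->

</group>
```

With Option A in place, piping the sample log line back through ossec-logtest should show "Trying rule: 100014" followed by "Trying rule: 100015", and the final Phase 3 block should report rule 100015 at level 0 for the broadcast destination; for the same process talking to any other address the event stops at 100014, so choose that rule's level deliberately rather than setting it to 0, or the destination check never has any effect.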


Re: [ossec-list] ossec-logtest verbosity levels...

2018-03-14 Thread Ian Brown
Dan,

Okay, so say I make two rules.  100014 that uses the first match, and 
100015 that uses the second.  Is there a way to revert back to 18105 if 
100014 matches but 100015 doesn't?

On Tuesday, March 13, 2018 at 3:31:15 AM UTC-7, dan (ddpbsd) wrote:
>
>
> I think this combined the matches, effectively making it: 
> pfussmon.exeDestination Address: 192.168.23.255 
>
> You might need to make 2 rules, and have the parent of the second be 
> the sid of the first. 
>
>



Re: [ossec-list] ossec-logtest verbosity levels...

2018-03-13 Thread dan (ddp)
On Mon, Mar 12, 2018 at 4:46 PM, Ian Brown  wrote:
> Is it possible to crank up the verbosity of ossec-logtest so that I can see
> if individual lines in a rule match?  I'm stuck on something that's got me
> flustered.
>
> I've got what I think is a simple rule, but damn if I can get it to work:
>
> This is the log entry:
> 2018 Mar 12 13:14:22 WinEvtLog: Security: AUDIT_FAILURE(5157):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> computer.domain.test: The Windows Filtering Platform has blocked a
> connection. Application Information: Process ID: 7812 Application Name:
> \device\harddiskvolume2\program files (x86)\pfu\scansnap\driver\pfussmon.exe
> Network Information: Direction: %%14593 Source Address: 192.168.23.1 Source
> Port: 53885 Destination Address: 192.168.23.255 Destination Port: 52217
> Protocol: 17 Filter Information: Filter Run-Time ID: 75813 Layer Name:
> %%14611 Layer Run-Time ID: 48
>
> msauth_rules.xml will match this under 18105.
>
> I've written a rule in local_rules.xml that matches:
>
>   
> 18105
> pfussmon.exe
> Harmless Network traffic
>   
>
> However, I wanted to add a second match that checks the destination address
> too:
>   
> 18105
> pfussmon.exe
> Destination Address: 192.168.23.255

I think this combined the matches, effectively making it:
pfussmon.exeDestination Address: 192.168.23.255

You might need to make 2 rules, and have the parent of the second be
the sid of the first.

> Harmless Network traffic
>   
>
> Yet when I pipe that log entry back into logtest:
>
>
> Trying rule: 100014 - Harmless Network traffic
> Trying rule: 18106 - Windows Logon Failure.
> Trying rule: 18139 - Windows DC Logon Failure.
> Trying rule: 18180 - MS SQL Server Logon Failure.
> Trying rule: 18108 - Failed attempt to perform a privileged operation.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '18105'
>Level: '5'
>Description: 'Windows audit failure event.'
> **Alert to be generated.
>
> It's not matching.
>
> Running ossec 2.8 (the version that comes with Security Onion). Was
> multiple matching enabled in a later version or have I done something
> foolish here?
>
>
>



[ossec-list] ossec-logtest verbosity levels...

2018-03-12 Thread Ian Brown
Is it possible to crank up the verbosity of ossec-logtest so that I can see 
if individual lines in a rule match?  I'm stuck on something that's got me 
flustered.

I've got what I think is a simple rule, but damn if I can get it to work:

This is the log entry:
2018 Mar 12 13:14:22 WinEvtLog: Security: AUDIT_FAILURE(5157): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
computer.domain.test: The Windows Filtering Platform has blocked a 
connection. Application Information: Process ID: 7812 Application Name: 
\device\harddiskvolume2\program files 
(x86)\pfu\scansnap\driver\pfussmon.exe Network Information: Direction: 
%%14593 Source Address: 192.168.23.1 Source Port: 53885 Destination 
Address: 192.168.23.255 Destination Port: 52217 Protocol: 17 Filter 
Information: Filter Run-Time ID: 75813 Layer Name: %%14611 Layer Run-Time 
ID: 48

msauth_rules.xml will match this under 18105.

I've written a rule in local_rules.xml that matches:

  
18105
pfussmon.exe
Harmless Network traffic
  

However, I wanted to add a second match that checks the destination address 
too:
  
18105
pfussmon.exe
Destination Address: 192.168.23.255
Harmless Network traffic
  

Yet when I pipe that log entry back into logtest:


Trying rule: 100014 - Harmless Network traffic
Trying rule: 18106 - Windows Logon Failure.
Trying rule: 18139 - Windows DC Logon Failure.
Trying rule: 18180 - MS SQL Server Logon Failure.
Trying rule: 18108 - Failed attempt to perform a privileged operation.

**Phase 3: Completed filtering (rules).
   Rule id: '18105'
   Level: '5'
   Description: 'Windows audit failure event.'
**Alert to be generated.

It's not matching.

Running ossec 2.8 (the version that comes with Security Onion). Was 
multiple matching enabled in a later version or have I done something 
foolish here?


