On Fri, Dec 24, 2010 at 6:55 AM, Js Opdebeeck <js.opdebe...@gmail.com> wrote:
> Hello
>
> Thanks for your reply.
>
> The events are coming from Active Directory running SNARE, then
> forward the events to Syslog-NG
> Ossec tails the syslog-ng dedicated log.
>
> Does it help?
>
> Kind regards
>

Ok, the format is funky, and the decoder isn't recognizing it.
Part of the issue may be that the IP address and hostname(?) are both
showing up in the header:
Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME

This could throw it all off. That may be something you can "fix" with
syslog-ng, but I don't know enough about syslog-ng to offer any real
solutions. I think, if it can be done, this is the best place to
start.

You could also (and I don't think this is the best solution), adjust
the "windows-snare" decoder to deal with this situation. Removing the
"^" in the <prematch> may be all it takes.

You could also (still not the best option, but possibly better than
the one just above) add the following to local_decoder.xml:
<decoder name="windows-snare2">
  <type>windows</type>
  <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
  <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
  <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
  <order>id, extra_data, user, status, system_name</order>
  <fts>name, id, location, user, system_name</fts>
</decoder>

You might have to put it in decoder.xml above the "windows-snare"
decoder, I'm not sure. A quick test with ossec-logtest (pasting
everything from "Dec 23 09:08:13" to the end) would verify whether
this is working.

> On Dec 23, 5:18 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
>> These event messages seem odd. Running the first one through logtest
>> gives me the following:
>> 2010/12/23 11:12:21 ossec-testrule: INFO: Reading local decoder file.
>> 2010/12/23 11:12:21 ossec-testrule: INFO: Started (pid: 25248).
>> ossec-testrule: Type one log per line.
>>
>> Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME     MSWinEventLog   1
>> Security        19699453        Thu: Dec 23 09:08:15 2010       680
>> Security        USERXXX User    Success Audit   DOMAINCONTROLERNAME
>> Account Logon           Logon attempt by:
>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account: USERACCOUNT
>> Source Workstation: STATIONNAMEXXX    Error Code: 0x0
>> 19695682
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME
>> MSWinEventLog   1 Security        19699453        Thu: Dec 23 09:08:15
>> 2010       680 Security        USERXXX User    Success Audit
>> DOMAINCONTROLERNAME Account Logon           Logon attempt by:
>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account: USERACCOUNT
>> Source Workstation: STATIONNAMEXXX    Error Code: 0x0
>> 19695682 '
>>        hostname: '1.1.1.1'
>>        program_name: '(null)'
>>        log: 'DOMAINCONTROLERNAME     MSWinEventLog   1 Security
>> 19699453        Thu: Dec 23 09:08:15 2010       680 Security
>> USERXXX User    Success Audit   DOMAINCONTROLERNAME Account Logon
>>      Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon
>> account: USERACCOUNT Source Workstation: STATIONNAMEXXX    Error Code:
>> 0x0          19695682 '
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '1002'
>>        Level: '2'
>>        Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>> How are these messages being passed to OSSEC?
>>
>> On Thu, Dec 23, 2010 at 3:34 AM, Js Opdebeeck <js.opdebe...@gmail.com> wrote:
>> > Hello
>>
>> > Rule: 1002 'Unknown problem somewhere in the system.' represents 45% of
>> > the Alerts and
>>
>> > Here are 2 kind of alert that should be passed to 0 or at least
>> > correctly classified.
>> > Those are 'Failures' and 'Errors', but I thought they would be handled
>> > by 'msauth_rules.xml'.
>>
>> > Did someone already re-classify this kind of rules? If not, I'll
>> > probably have to (mute them at least).
>>
>> > ** Alert 1293091695.18221016: - syslog,errors,
>> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
>> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > Src IP: (none)
>> > User: (none)
>> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME     MSWinEventLog   1
>> > Security        19699453        Thu: Dec 23 09:08:15 2010       680
>> > Security        USERXXX User    Success Audit   DOMAINCONTROLERNAME
>> > Account Logon           Logon attempt by:
>> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account: USERACCOUNT
>> > Source
>> > Workstation: STATIONNAMEXXX    Error Code: 0x0          19695682
>>
>> > ** Alert 1293091695.18219733: - syslog,errors,
>> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
>> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > Src IP: (none)
>> > User: (none)
>> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME     MSWinEventLog   1
>> > Security        19699449        Thu: Dec 23 09:08:14 2010       673
>> > Security        SYSTEM  User    Success Audit   DOMAINCONTROLERNAME
>> > Account Logon           Service Ticket Request:     User Name:
>> > stationna...@petercam.corp     User Domain: PETERCAM.CORP     Service
>> > Name:
>> > krbtgt     Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502}
>> > Ticket Options: 0x60810010     Ticket Encryption Type: 0x17     Client
>> > Address: 10.10.10.1     Failure Code: -     Logon GUID:
>> > {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72}     Transited Services: -
>> > 19695678
>>
>> > Kind regards
>>
>> > Js Op de Beeck
