On Fri, Sep 20, 2013 at 8:05 AM, Vasya Gorbachev <buc...@gmail.com> wrote:
> Now I did it another way.
>
> Wrote the decoder:
>
> <decoder name="kaspersky">
>   <prematch>^\d\d\d\d \w+ \d\d \d\d:\d\d:\d\d \(\w+\) 0\.0\.0\.0->WinEvtLog WinEvtLog: Kaspersky Event Log: </prematch>
> </decoder>
>
Logs in archives.log get a header prepended to them. The log message you actually need to plan for is:

WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no domain: adminpk: File C:\Users\Admin\Desktop\crack.exe is virus

This is how it is handled by ossec-logtest:

# cat /tmp/xxx
WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no domain: adminpk: File C:\Users\Admin\Desktop\crack.exe is virus
# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
2013/09/23 08:42:42 ossec-testrule: INFO: Reading local decoder file.
2013/09/23 08:42:43 ossec-testrule: INFO: Started (pid: 29343).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no domain: adminpk: File C:\Users\Admin\Desktop\crack.exe is virus'
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no domain: adminpk: File C:\Users\Admin\Desktop\crack.exe is virus'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'WARNING'
       id: '4660'
       extra_data: 'avp'
       dstuser: '(no user)'
       system_name: 'adminpk'

**Phase 3: Completed filtering (rules).
       Rule id: '18102'
       Level: '0'
       Description: 'Windows warning event.'

As you can see by phase 2, a bit of information is already picked out.

> Write the rule:
>
> <group name="kasper">
>   <rule id="100100" level="8">
>     <decoded_as>kaspersky</decoded_as>
>     <description>Any Kasper Activity</description>
>   </rule>
> </group>
>
> See logs in archive.log, see alert when test log in ossec-logtest:
>
> root@domU-12-31-39-16-2A-48:/var/ossec/bin# ./ossec-logtest -a
> 2013/09/20 11:31:33 ossec-testrule: INFO: Reading local decoder file.
> 2013/09/20 11:31:33 ossec-testrule: INFO: Started (pid: 28710).
> 2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no domain: adminpk: ▒▒▒▒ C:\Users\Admin\Desktop\crack.exe, ▒▒▒▒▒▒▒▒▒▒: ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ 'Trojan.Win32.Genome.zztw'. ▒▒▒▒▒▒▒▒▒▒▒▒: adminpk\Admin, ▒▒▒▒▒▒▒▒▒:localhost
>
> ** Alert 1379676696.1: mail - kasper
> 2013 Sep 20 11:31:36 domU-12-31-39-16-2A-48->stdin
> Rule: 100100 (level 8) -> 'Any Kasper Activity'
> 2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no domain: adminpk: ▒▒▒▒ C:\Users\Admin\Desktop\crack.exe, ▒▒▒▒▒▒▒▒▒▒: ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ 'Trojan.Win32.Genome.zztw'. ▒▒▒▒▒▒▒▒▒▒▒▒: adminpk\Admin, ▒▒▒▒▒▒▒▒▒:localhost
>
> But I don't see the alert from ossec.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
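To make the reply's point concrete, here is an added example (not from the thread and not OSSEC's own code). The quoted <prematch> is anchored on the "2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog " header, which the manager prepends only when it writes archives.log; the decoder itself sees the bare "WinEvtLog: Kaspersky Event Log: ..." body, so that prematch never fires on live events (it only fires when the archived line is fed back in with ossec-logtest -a). The script uses the two log forms from the thread and Python translations of the two candidate prematch patterns; OSSEC's decoder regex dialect is not PCRE, so these are approximations of the matching behaviour rather than exact local_decoder.xml syntax. The field extractor is a hypothetical stand-in for what a body-anchored decoder would capture, mirroring the fields the stock windows decoder showed in Phase 2 above.

```python
from __future__ import annotations

import re
from typing import Optional

# Sample lines taken from the thread: the raw message the agent delivers to the
# manager, and the same event as it appears in archives.log, where the manager
# has prepended "<timestamp> (<agent>) <ip>->WinEvtLog ".
RAW_EVENT = ("WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): "
             "no domain: adminpk: File C:\\Users\\Admin\\Desktop\\crack.exe is virus")
ARCHIVED_EVENT = "2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog " + RAW_EVENT

# Python translations of the two candidate <prematch> patterns (approximations:
# OSSEC's own regex dialect is not PCRE).  The first is the pattern posted in
# the thread, anchored on the archives.log header; the second is anchored on
# the message body the decoder actually receives.
PREMATCH_WITH_HEADER = re.compile(
    r"^\d\d\d\d \w+ \d\d \d\d:\d\d:\d\d \(\w+\) 0\.0\.0\.0->WinEvtLog "
    r"WinEvtLog: Kaspersky Event Log: ")
PREMATCH_BODY_ONLY = re.compile(r"^WinEvtLog: Kaspersky Event Log: ")

# Hypothetical field extractor (not an OSSEC decoder) pulling out the same
# fields the stock "windows" decoder reported in the logtest run, plus the
# free-text message that follows the system name.
FIELDS = re.compile(
    r"^WinEvtLog: Kaspersky Event Log: "
    r"(?P<status>\w+)\((?P<id>\d+)\): (?P<extra_data>[^:]+): "
    r"(?P<dstuser>[^:]+): (?P<domain>[^:]+): (?P<system_name>[^:]+): "
    r"(?P<message>.*)$")


def prematches(pattern: re.Pattern, line: str) -> bool:
    """True if a decoder with this prematch would be considered for the line."""
    return pattern.search(line) is not None


def decode_kaspersky(line: str) -> Optional[dict]:
    """Return the decoded fields for a raw Kaspersky WinEvtLog line, else None."""
    m = FIELDS.match(line)
    return m.groupdict() if m else None


def evaluate(patterns: dict) -> dict:
    """For each named prematch, report whether it fires on the raw and archived forms."""
    return {
        name: {"raw": prematches(p, RAW_EVENT),
               "archived": prematches(p, ARCHIVED_EVENT)}
        for name, p in patterns.items()
    }


if __name__ == "__main__":
    results = evaluate({"with_header": PREMATCH_WITH_HEADER,
                        "body_only": PREMATCH_BODY_ONLY})
    for name, hits in results.items():
        print(f"{name:12s} raw={hits['raw']!s:5s} archived={hits['archived']}")
    print(decode_kaspersky(RAW_EVENT))
```

Running it shows the header-anchored pattern firing only on the archived form and the body-anchored pattern firing only on the raw form, which is exactly why the quoted decoder worked in ossec-logtest -a on an archives.log excerpt but produced no alert on the live agent feed. The rule in the thread keys on decoded_as, so it can only ever fire once a body-anchored prematch lets the kaspersky decoder claim the event.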