On Fri, Sep 20, 2013 at 8:05 AM, Vasya Gorbachev <buc...@gmail.com> wrote:
> now I did it another way
>
> wrote the decoder
> <decoder name="kaspersky">
>   <prematch>^\d\d\d\d \w+ \d\d \d\d:\d\d:\d\d \(\w+\) 0\.0\.0\.0->WinEvtLog
> WinEvtLog: Kaspersky Event Log: </prematch>
> </decoder>
>

Logs in archives.log get a header prepended to them. The log message
you actually need to plan for is:
WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no
domain: adminpk: File C:\Users\Admin\Desktop\crack.exe is virus

This is how it is handled by ossec-logtest:

# cat /tmp/xxx
WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no
domain: adminpk: File C:\Users\Admin\Desktop\crack.exe is virus
# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
2013/09/23 08:42:42 ossec-testrule: INFO: Reading local decoder file.
2013/09/23 08:42:43 ossec-testrule: INFO: Started (pid: 29343).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Kaspersky Event Log: WARNING(4660):
avp: (no user): no domain: adminpk: File
C:\Users\Admin\Desktop\crack.exe is virus'
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no
user): no domain: adminpk: File C:\Users\Admin\Desktop\crack.exe is
virus'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'WARNING'
       id: '4660'
       extra_data: 'avp'
       dstuser: '(no user)'
       system_name: 'adminpk'

**Phase 3: Completed filtering (rules).
       Rule id: '18102'
       Level: '0'
       Description: 'Windows warning event.'



As you can see by phase 2, a bit of information is already picked out.

> write the rule
> <group name="kasper">
>   <rule id="100100" level="8">
>    <decoded_as>kaspersky</decoded_as>
>    <description>Any Kasper Activity</description>
>   </rule>
> </group>
>
> see logs in archive.log, see alert when test log in ossec-logtest
> root@domU-12-31-39-16-2A-48:/var/ossec/bin# ./ossec-logtest -a
> 2013/09/20 11:31:33 ossec-testrule: INFO: Reading local decoder file.
> 2013/09/20 11:31:33 ossec-testrule: INFO: Started (pid: 28710).
> 2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Kaspersky Event
> Log: WARNING(4660): avp: (no user): no domain: adminpk: ▒▒▒▒
> C:\Users\Admin\Desktop\crack.exe, ▒▒▒▒▒▒▒▒▒▒: ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒
> 'Trojan.Win32.Genome.zztw'. ▒▒▒▒▒▒▒▒▒▒▒▒: adminpk\Admin, ▒▒▒▒▒▒▒▒▒:localhost
> ** Alert 1379676696.1: mail  - kasper
> 2013 Sep 20 11:31:36 domU-12-31-39-16-2A-48->stdin
> Rule: 100100 (level 8) -> 'Any Kasper Activity'
> 2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Kaspersky Event
> Log: WARNING(4660): avp: (no user): no domain: adminpk: ▒▒▒▒
> C:\Users\Admin\Desktop\crack.exe, ▒▒▒▒▒▒▒▒▒▒: ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒
> 'Trojan.Win32.Genome.zztw'. ▒▒▒▒▒▒▒▒▒▒▒▒: adminpk\Admin, ▒▒▒▒▒▒▒▒▒:localhost
>
> but don't see alert from ossec
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
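
A small Python model of the two ossec-logtest phases shown above (an added example, not OSSEC's own code): it strips the archives.log header the way Phase 1 does, then shows that a prematch written against the archive line never sees that header, while the fields the stock windows decoder extracts in Phase 2 are already there to build a rule on. The regexes are Python translations of the OSSEC patterns, not OSSEC's regex engine, and the sample line is constructed from the ones quoted in this thread.

```python
import re

# archives.log line: OSSEC's own header ("YYYY Mon DD HH:MM:SS (hostname)
# ip->location ") prepended to the event. Constructed from this thread.
ARCHIVE_LINE = (
    "2013 Sep 20 11:31:11 (W7Dell) 0.0.0.0->WinEvtLog "
    "WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): "
    "no domain: adminpk: File C:\\Users\\Admin\\Desktop\\crack.exe is virus"
)

# Header that Phase 1 (pre-decoding) removes before any <prematch> runs.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<hostname>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+) (?P<log>.*)$"
)

# The prematch from the thread (written against the archive form) and the
# form that matches what analysisd actually hands to decoders.
PREMATCH_ARCHIVE = re.compile(
    r"^\d\d\d\d \w+ \d\d \d\d:\d\d:\d\d \(\w+\) 0\.0\.0\.0->WinEvtLog "
    r"WinEvtLog: Kaspersky Event Log: "
)
PREMATCH_LOG = re.compile(r"^WinEvtLog: Kaspersky Event Log: ")

# Field layout the stock 'windows' decoder produced in Phase 2.
WINDOWS_RE = re.compile(
    r"^WinEvtLog: (?P<source>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)


def predecode(line: str) -> dict:
    """Phase 1 model: split the archives.log header off the event."""
    m = HEADER_RE.match(line)
    if not m:
        # A bare event (e.g. typed straight into ossec-logtest) passes through.
        return {"hostname": None, "location": None, "log": line}
    return m.groupdict()


def decode_windows(log: str) -> dict:
    """Phase 2 model: the fields the windows decoder picks out of this event."""
    m = WINDOWS_RE.match(log)
    return m.groupdict() if m else {}


def prematch_hits(line: str) -> dict:
    """Which prematch fires on the pre-decoded log versus the raw archive line."""
    log = predecode(line)["log"]
    return {
        "archive_pattern_on_log": bool(PREMATCH_ARCHIVE.match(log)),
        "log_pattern_on_log": bool(PREMATCH_LOG.match(log)),
        "archive_pattern_on_raw_line": bool(PREMATCH_ARCHIVE.match(line)),
    }
```

Pasting the archive line into ossec-logtest makes the header-anchored prematch fire, which is why the test alerted while the live agent stream, where the header is never part of the log, did not.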
