On Fri, Oct 4, 2013 at 11:08 AM, Eric <eric.luel...@gmail.com> wrote:
> Michael,
>
> Can you please link me to the decoder you are using? I took the blog post
> that Nathaniel recommended (thank you very much) and spun my own version of
> it since I'm using Snare logs and it didn't match up.
>
> https://groups.google.com/forum/#!topic/ossec-list/1F_2Axytgzg
>
> <decoder name="windows-snare">
>   <type>windows</type>
>   <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
> </decoder>
>
> <decoder name="windows-sub1">
>   <type>windows</type>
>   <parent>windows-snare</parent>
>   <regex offset="after_parent">:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+</regex>
>   <regex>\t(\.+)\\(\S+)\t\.+</regex>
>   <order>id, extra_data, user, system_name</order>
>   <fts>name, location, user, system_name</fts>
> </decoder>
>
> <decoder name="windows-sub1">
>   <type>windows</type>
>   <parent>windows-snare</parent>
>   <regex offset="after_regex">Source Network Address: (\S+)</regex>
>   <order>srcip</order>
> </decoder>
>
> <decoder name="windows-sub1">
>   <type>windows</type>
>   <parent>windows-snare</parent>
>   <regex offset="after_regex">Source IP Address: (\S+)</regex>
>   <order>srcip</order>
> </decoder>
>
> When I run my Windows events through it, I get the following results using
> logtest.
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-snare'
>        id: '4624'
>        extra_data: 'WIN-SERVER1'
>        dstuser: 'Administrator'
>        srcip: '10.1.1.1'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18100'
>        Level: '0'
>        Description: 'Group of windows rules.'
>
> So it appears my parsing is working correctly now. I'm just confused why it
> only tripped rule 18100 and not rule 18107 as well since it should trip off
> of the ID.
>
>
> On Thursday, October 3, 2013 9:12:27 PM UTC-4, Michael Starks wrote:
>>
>> On 10/03/2013 04:10 PM, Nathaniel Bentzinger wrote:
>> > Sorry I meant to include my full decoder file too:
>>
>> Have you seen the decoder I have been using in the other thread? I'm not
>> sure how this one compares, so it might be useful to see where we have
>> similarities and differences.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
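To sanity-check decoder patterns like the ones quoted above before a round trip through ossec-logtest, here is an added Python example (not from the thread and not OSSEC's code) that translates a subset of the OSSEC regex dialect into Python's re and runs the quoted prematch, windows-sub1 and srcip patterns over a constructed Snare line. It assumes OSSEC's definition of \w and that consecutive <regex> lines are joined into one pattern; Python's backtracking engine is not OSSEC's, so logtest stays the authority on what the real decoder extracts.

```python
import re

# Constructed Snare-style line (tab separated); not taken from the thread.
SNARE_LINE = (
    "WIN-SERVER1\tMSWinEventLog\t1\tSecurity\t4123\tFri Oct 04 11:08:00 2013"
    "\t4624\tMicrosoft-Windows-Security-Auditing\tWIN-SERVER1\\Administrator"
    "\tN/A\tSuccess Audit\tWIN-SERVER1\tLogon\t\tAn account was successfully "
    "logged on.    Source Network Address: 10.1.1.1    Source Port: 49152\t12"
)

# Subset of OSSEC's regex escapes with their Python re equivalents.
OSSEC_ESCAPES = {
    ".": ".",                  # OSSEC \. means any character
    "w": r"[A-Za-z0-9@_\-]",   # OSSEC \w also covers '-', '@' and '_'
    "d": r"\d", "S": r"\S", "t": r"\t", "\\": r"\\",
}

def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into a Python re pattern."""
    def repl(m):
        if m.group(1) is None:
            return r"\."       # a bare '.' is a literal dot in OSSEC
        if m.group(1) not in OSSEC_ESCAPES:
            raise ValueError("unsupported OSSEC escape: \\" + m.group(1))
        return OSSEC_ESCAPES[m.group(1)]
    return re.sub(r"\\(.)|\.", repl, pattern)

def decode_snare(line):
    """Run the thread's prematch, windows-sub1 and srcip patterns over one line."""
    parent = re.search(ossec_to_python(
        r"MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d"), line)
    if not parent:
        return None            # prematch failed, so the decoder does not apply
    rest = line[parent.end():]  # offset="after_parent"
    # The two <regex> lines of windows-sub1, joined into one pattern (assumption).
    m = re.search(ossec_to_python(
        r":\d\d:\d\d \d\d\d\d\t(\d+)\t\.+\t(\.+)\\(\S+)\t\.+"), rest)
    if not m:
        return None
    # <order>id, extra_data, user</order>; logtest reports user as dstuser.
    fields = dict(zip(("id", "extra_data", "dstuser"), m.groups()))
    # The srcip siblings are tried in order and the first match wins. Searching
    # the text after the parent match stands in for offset="after_regex".
    for pat in (r"Source Network Address: (\S+)", r"Source IP Address: (\S+)"):
        ip = re.search(ossec_to_python(pat), rest)
        if ip:
            fields["srcip"] = ip.group(1)
            break
    return fields
```

Feed it a line that logtest decodes differently from what this script predicts and the divergence points at the engine quirk, not at the pattern.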