Awesome work! Can you submit a pull request at
https://github.com/ossec/ossec-hids?

On Wed, Jul 16, 2014 at 6:01 PM, Scott Mace <sm...@xogrp.com> wrote:
> I've hashed together a new decoder and rules file for the "new" Trend Micro
> OfficeScan logging to Windows Event Logs.  I don't quite have all the
> result codes in there, but it's a start.  Appreciate any comments,
> suggestions.  I'm using OSSEC in AlienVault, so I'll be doing some
> correlation as well.
>
> Decoder:
>
> <!--
> 2014 Jul 15 14:15:54 (trendav01) 10.10.1.32->WinEvtLog WinEvtLog:
> Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT
> AUTHORITY: TRENDAV01.MyDomain.com: Virus/Malware: Eicar_test_file  Computer:
> TEST-VM  Domain: DomainName\  File: C:\ProgramData\Microsoft\Windows
> Defender\LocalCopy\{746896D4-2FBE-4D97-972E-AA3ED8F46290}-eicarcom2.zip
> (eicar.com)  Date/Time: 7/15/2014 14:15:36  Result: Virus successfully
> detected, cannot perform the Clean action (Quarantine)
>
> - We are only extracting the scan result right now.
> -->
>
> <decoder name="trend-osce">
>   <prematch>^\.+Trend Micro OfficeScan Server:|^\.+Trend Micro Security</prematch>
>   <!-- offset="after_prematch": the regex is applied to the text that follows
>        the prematch hit. In OSSEC's regex dialect \. means "any character";
>        a bare . is a literal. -->
>   <regex offset="after_prematch">Result:(\.+)</regex>
>   <order>status</order>
> </decoder>
>
> Ruleset:
>
> <group name="trend_micro,osce">
>   <rule id="7600" level="0">
>     <decoded_as>trend-osce</decoded_as>
>     <description>Grouping of Trend OSCE rules.</description>
>   </rule>
>
>   <!-- OSSEC tries the children of 7600 from the highest level down, so 7611
>        (level 9) is checked before this rule; a result that ends in
>        "(Quarantine)" therefore does not land here by accident. -->
>   <rule id="7610" level="5">
>     <if_sid>7600</if_sid>
>     <status>Cleaned|Quarantine</status>
>     <group>virus</group>
>     <description>Virus detected and cleaned/quarantined/removed</description>
>   </rule>
>
>   <!-- Parentheses are grouping characters in OSSEC regexes, so the literal
>        text "(Quarantine)" cannot be matched by writing it as-is; match on
>        the distinctive part of the result string instead. -->
>   <rule id="7611" level="9">
>     <if_sid>7600</if_sid>
>     <status>cannot perform the Clean action</status>
>     <group>virus</group>
>     <description>Virus detected and unable to clean up.</description>
>   </rule>
>
>   <rule id="7612" level="5">
>     <if_sid>7600</if_sid>
>     <status>Encrypted</status>
>     <description>Virus scan completed but the file is encrypted</description>
>   </rule>
>
> <!-- One of the old rules
>
>   <rule id="7613" level="5">
>     <if_sid>7600</if_sid>
>     <id>^25$</id>
>     <description>Virus scan passed but found potential security risk.</description>
>   </rule>
>
> -->
>
> </group>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

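A quick way to check the decoder and rules before opening that pull request. The Python below is an added example, not code from the post or from OSSEC: it emulates the subset of OSSEC's regex dialect that the decoder and rules use (`\.` for any character, a bare `.` as a literal, parentheses as groups, plus `|`, `^`, `$`, `+`, `*`), runs the decoder and rules 7610 to 7612 over the Eicar event from the post, and also feeds it the 7611 `<status>` pattern exactly as posted, whose parentheses around Quarantine are read as a group rather than text, so the event falls through to 7610 and is reported at level 5 instead of 9. The sibling-rule ordering (highest level first) reproduces how OSSEC's rule loader sorts the children of a parent rule. The three non-Eicar result strings are constructed for the test and are not real OfficeScan output.

```python
import re

# Translate the subset of OSSEC's os_regex dialect used by the decoder and
# rules above into a Python regex. \. means "any character", a bare "." is a
# literal, and ( ) | ^ $ + * keep their meaning. Treating any other
# backslash escape as a literal character is a simplification (assumption).
def ossec_to_python(pattern):
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            n = pattern[i + 1]
            i += 2
            out.append({
                ".": ".",                      # \. = any character
                "s": " ",                      # \s = a space
                "t": r"\t",                    # \t = a tab
                "d": "[0-9]",                  # \d = a digit
                "w": r"[A-Za-z0-9_@\-]",       # \w = word characters
                "p": r"[()*+,\-.:;<=>?\[\]]",  # \p = punctuation
            }.get(n, re.escape(n)))
            continue
        out.append(c if c in "()|^$+*" else re.escape(c))
        i += 1
    return "".join(out)


# The decoder from the post, as data.
DECODER = {
    "prematch": r"^\.+Trend Micro OfficeScan Server:|^\.+Trend Micro Security",
    "regex": r"Result:(\.+)",   # offset="after_prematch", <order>status</order>
}


def decode(log):
    """Return the decoded status field, or None when the decoder does not match."""
    pre = re.search(ossec_to_python(DECODER["prematch"]), log)
    if pre is None:
        return None
    # offset="after_prematch": the regex runs against what follows the prematch hit.
    m = re.search(ossec_to_python(DECODER["regex"]), log[pre.end():])
    return m.group(1) if m else None


# (rule id, level, <status> pattern) for the children of rule 7600. 7611 is
# written without the parentheses; POSTED_7611 below keeps them for comparison.
RULES = [
    (7610, 5, "Cleaned|Quarantine"),
    (7611, 9, "cannot perform the Clean action"),
    (7612, 5, "Encrypted"),
]

# The <status> pattern for 7611 exactly as posted. In os_regex the parentheses
# form a group, so this pattern requires the text "action Quarantine" and never
# matches the literal "(Quarantine)" in the event.
POSTED_7611 = "Virus successfully detected, cannot perform the Clean action (Quarantine)"


def classify(status, rules=RULES):
    """Return (rule id, level) of the first matching rule, or None.

    OSSEC's rule loader keeps the children of a parent sorted by level,
    highest first, so the level 9 rule is tried before the level 5 ones.
    """
    for rule_id, level, pattern in sorted(rules, key=lambda r: -r[1]):
        if re.search(ossec_to_python(pattern), status):
            return rule_id, level
    return None


def run(logs, rules=RULES):
    """Decode and classify each log; None means no decoder or rule matched."""
    results = []
    for log in logs:
        status = decode(log)
        results.append(None if status is None else classify(status, rules))
    return results


# The first entry is the event from the post, trimmed to the part OSSEC hands
# to decoders. The other three are constructed for this example and are not
# real OfficeScan output.
TREND_PREFIX = ("WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: "
                "SYSTEM: NT AUTHORITY: TRENDAV01.MyDomain.com: Virus/Malware: Eicar_test_file  "
                "Computer: TEST-VM  ")
SAMPLE_LOGS = [
    TREND_PREFIX + "Domain: DomainName\\  File: C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\"
    "{746896D4-2FBE-4D97-972E-AA3ED8F46290}-eicarcom2.zip (eicar.com)  Date/Time: 7/15/2014 14:15:36  "
    "Result: Virus successfully detected, cannot perform the Clean action (Quarantine)",
    TREND_PREFIX + "Result: Quarantined successfully",
    TREND_PREFIX + "Result: File is Encrypted, scan skipped",
    "WinEvtLog: Application: INFORMATION(7036): Service Control Manager: SYSTEM: NT AUTHORITY: "
    "TRENDAV01.MyDomain.com: The Print Spooler service entered the running state.",
]


def posted_rules():
    """The ruleset with 7611's <status> exactly as posted, for comparison."""
    return [(7610, 5, "Cleaned|Quarantine"), (7611, 9, POSTED_7611), (7612, 5, "Encrypted")]


if __name__ == "__main__":
    for log, hit in zip(SAMPLE_LOGS, run(SAMPLE_LOGS)):
        print(hit, "<-", log[:60])
    print("with the posted 7611 pattern:", run(SAMPLE_LOGS[:1], posted_rules()))
```

Running it prints the (rule, level) pair per event, with the Service Control Manager line decoding to nothing, and the last line shows the posted 7611 pattern demoting the Eicar event to 7610. The emulator is only as faithful as the subset it translates; the authoritative check is still ossec-logtest against the real decoder and rules files.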
