Awesome work! Can you submit a pull request at https://github.com/ossec/ossec-hids?
On Wed, Jul 16, 2014 at 6:01 PM, Scott Mace <sm...@xogrp.com> wrote:
> I've hashed together a new decoder and rules file for the "new" Trend Micro
> OfficeScan logging to Windows Event Logs. I don't quite have all the
> result codes in there, but it's a start. Appreciate any comments,
> suggestions. I'm using OSSEC in AlienVault, so I'll be doing some
> correlation as well.
>
> Decoder:
>
> <!--
> 2014 Jul 15 14:15:54 (trendav01) 10.10.1.32->WinEvtLog WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: TRENDAV01.MyDomain.com: Virus/Malware: Eicar_test_file Computer: TEST-VM Domain: DomainName\ File: C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{746896D4-2FBE-4D97-972E-AA3ED8F46290}-eicarcom2.zip (eicar.com) Date/Time: 7/15/2014 14:15:36 Result: Virus successfully detected, cannot perform the Clean action (Quarantine)
>
> - We are only extracting the scan result right now.
> -->
> <decoder name="trend-osce">
>   <prematch>^\.+Trend Micro OfficeScan Server:|^\.+Trend Micro Security</prematch>
>   <regex offset="after_prematch">Result:(\.+)</regex>
>   <order>status</order>
> </decoder>
>
> Ruleset:
>
> <group name="trend_micro,osce">
>   <rule id="7600" level="0">
>     <decoded_as>trend-osce</decoded_as>
>     <description>Grouping of Trend OSCE rules.</description>
>   </rule>
>
>   <rule id="7610" level="5">
>     <if_sid>7600</if_sid>
>     <status>Cleaned|Quarantine</status>
>     <group>virus</group>
>     <description>Virus detected and cleaned/quarantined/removed</description>
>   </rule>
>
>   <rule id="7611" level="9">
>     <if_sid>7600</if_sid>
>     <status>Virus successfully detected, cannot perform the Clean action (Quarantine)</status>
>     <group>virus</group>
>     <description>Virus detected and unable to clean up.</description>
>   </rule>
>
>   <rule id="7612" level="5">
>     <if_sid>7600</if_sid>
>     <status>Encrypted</status>
>     <description>Virus scan completed but the file is encrypted</description>
>   </rule>
>
>   <!-- One of the old rules
>   <rule id="7613" level="5">
>     <if_sid>7600</if_sid>
>     <id>^25$</id>
>     <description>Virus scan passed but found potential security risk.</description>
>   </rule>
>   -->
> </group>
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
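Added illustration, not code from the quoted message or from OSSEC itself: a small Python model of the trend-osce decoder and its child rules, run over the sample event above plus a few constructed Result variants. It assumes three OSSEC behaviours (`\.` in OSSEC regex means any character, `<status>` is an unanchored substring match with `|` separating alternatives, and sibling rules are tried from the highest level down) and models this decoder in isolation; whether a real WinEvtLog line reaches it before the stock `windows` decoder depends on decoder order in decoder.xml and local_decoder.xml, so confirm the behaviour with `ossec-logtest` on the deployed server.

```python
import re

# OSSEC writes "any character" as "\." in its regex dialect. The quoted decoder
# uses no other OSSEC-specific escape, so this one substitution yields an
# equivalent Python regex (assumption stated in the lead-in).
def ossec_to_python(pattern: str) -> str:
    return pattern.replace(r"\.", ".")


PREMATCH = ossec_to_python(r"^\.+Trend Micro OfficeScan Server:|^\.+Trend Micro Security")
AFTER_PREMATCH = ossec_to_python(r"Result:(\.+)")

# Children of grouping rule 7600: (rule id, level, <status> pattern, description).
RULES = [
    ("7610", 5, "Cleaned|Quarantine", "Virus detected and cleaned/quarantined/removed"),
    ("7611", 9, "Virus successfully detected, cannot perform the Clean action (Quarantine)",
     "Virus detected and unable to clean up."),
    ("7612", 5, "Encrypted", "Virus scan completed but the file is encrypted"),
]

# Constructed test events. The first is the log line quoted in the message, as the
# agent forwards it (the "2014 Jul 15 ... ->WinEvtLog" archive prefix removed); the
# others only vary the Result text and are made up for this illustration.
TREND_PREFIX = ("WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: "
                "NT AUTHORITY: TRENDAV01.MyDomain.com: Virus/Malware: Eicar_test_file "
                "Computer: TEST-VM Domain: DomainName\\ File: C:\\ProgramData\\Microsoft\\"
                "Windows Defender\\LocalCopy\\{746896D4-2FBE-4D97-972E-AA3ED8F46290}-eicarcom2.zip "
                "(eicar.com) Date/Time: 7/15/2014 14:15:36 Result: ")
EVENTS = {
    "unclean": TREND_PREFIX
               + "Virus successfully detected, cannot perform the Clean action (Quarantine)",
    "quarantined": TREND_PREFIX + "Quarantine",
    "encrypted": TREND_PREFIX + "Encrypted",
    "passed": TREND_PREFIX + "Passed",
    "unrelated": ("WinEvtLog: System: INFORMATION(7036): Service Control Manager: SYSTEM: "
                  "NT AUTHORITY: HOST1: The Windows Update service entered the running state."),
}


def decode(event: str):
    """Return the decoded 'status' field, or None when the decoder does not apply."""
    pm = re.match(PREMATCH, event)          # <prematch> is anchored with ^
    if pm is None:
        return None
    # offset="after_prematch": <regex> only sees the text after the prematch hit,
    # which keeps it from latching onto an unrelated "Result:" earlier in the line.
    m = re.search(AFTER_PREMATCH, event[pm.end():])
    return m.group(1).strip() if m else None


def status_matches(pattern: str, status: str) -> bool:
    """<status> uses OSSEC's simple match: unanchored substring, '|' separates alternatives."""
    return any(alt in status for alt in pattern.split("|"))


def classify(event: str):
    """Return (rule id, level, description) of the rule that fires, or None if undecoded."""
    status = decode(event)
    if status is None:
        return None
    # Assumed OSSEC ordering: sibling rules are tried from the highest level down.
    # That is what lets 7611 (level 9) claim the "cannot perform the Clean action
    # (Quarantine)" event even though 7610's "Quarantine" alternative is also a
    # substring of it.
    for rule_id, level, pattern, desc in sorted(RULES, key=lambda r: -r[1]):
        if status_matches(pattern, status):
            return rule_id, level, desc
    # Decoded, but no child matched: only the level-0 grouping rule fires (no alert).
    return "7600", 0, "Grouping of Trend OSCE rules."


if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:12} -> {classify(event)}")
```

The "passed" case is the one to watch in production: any Result text not covered by 7610, 7611 or 7612 lands silently on the level-0 grouping rule, which is the gap the message's "I don't quite have all the result codes" refers to.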