Not exactly sure how to do that, not a dev guy. I'm actually not 100% sure this works. Using the logtest utility, it does indicate the log sample will trigger an alert, but in testing with eicar and generating the event in OfficeScan, an ossec alert does not get generated. I got the log sample from turning on logall in ossec.conf, so I know the agent is grabbing it from the event log Application section.
On Thursday, July 17, 2014 8:25:51 AM UTC-5, dan (ddpbsd) wrote:
> Awesome work! Can you submit a pull request at https://github.com/ossec/ossec-hids?
>
> On Wed, Jul 16, 2014 at 6:01 PM, Scott Mace <sm...@xogrp.com> wrote:
> > I've hashed together a new decoder and rules file for the "new" Trend Micro Office Scan logging to Windows Event Logs. I don't quite have all the result codes in there, but it's a start. Appreciate any comments, suggestions. I'm using Ossec in AlienVault, so I'll be doing some correlation as well.
> >
> > Decoder:
> >
> > <!--
> > 2014 Jul 15 14:15:54 (trendav01) 10.10.1.32->WinEvtLog WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: TRENDAV01.MyDomain.com: Virus/Malware: Eicar_test_file Computer: TEST-VM Domain: DomainName\ File: C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{746896D4-2FBE-4D97-972E-AA3ED8F46290}-eicarcom2.zip (eicar.com) Date/Time: 7/15/2014 14:15:36 Result: Virus successfully detected, cannot perform the Clean action (Quarantine)
> >
> > - We are only extracting the scan result right now.
> > -->
> > <decoder name="trend-osce">
> >   <prematch>^\.+Trend Micro OfficeScan Server:|^\.+Trend Micro Security</prematch>
> >   <regex offset="after_prematch">Result:(\.+)</regex>
> >   <order>status</order>
> > </decoder>
> >
> > Ruleset:
> >
> > <group name="trend_micro,osce">
> >   <rule id="7600" level="0">
> >     <decoded_as>trend-osce</decoded_as>
> >     <description>Grouping of Trend OSCE rules.</description>
> >   </rule>
> >
> >   <rule id="7610" level="5">
> >     <if_sid>7600</if_sid>
> >     <status>Cleaned|Quarantine</status>
> >     <group>virus</group>
> >     <description>Virus detected and cleaned/quarantined/removed</description>
> >   </rule>
> >
> >   <rule id="7611" level="9">
> >     <if_sid>7600</if_sid>
> >     <status>Virus successfully detected, cannot perform the Clean action (Quarantine)</status>
> >     <group>virus</group>
> >     <description>Virus detected and unable to clean up.</description>
> >   </rule>
> >
> >   <rule id="7612" level="5">
> >     <if_sid>7600</if_sid>
> >     <status>Encrypted</status>
> >     <description>Virus scan completed but the file is encrypted</description>
> >   </rule>
> >
> >   <!-- One of the old rules
> >   <rule id="7613" level="5">
> >     <if_sid>7600</if_sid>
> >     <id>^25$</id>
> >     <description>Virus scan passed but found potential security risk.</description>
> >   </rule>
> >   -->
> > </group>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
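As an added example (not code from the thread or from OSSEC itself), the following Python script emulates what the quoted trend-osce decoder and rules 7600-7612 do to an OfficeScan event line, so you can check which rule would fire for a given Result text without a running OSSEC. It assumes OSSEC's `<status>` is a plain substring match with `|` separating alternatives and that higher-level rules in a group are tried first; the sample event is constructed from the one in the thread, minus the archive-line prefix that logall prepends.

```python
import re

# Constructed sample (adapted from the event text in this thread): the
# OfficeScan event as the OSSEC Windows agent forwards it, without the
# "2014 Jul 15 ... ->WinEvtLog" archive prefix that logall prepends.
SAMPLE = (
    r"WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: "
    r"SYSTEM: NT AUTHORITY: TRENDAV01.MyDomain.com: Virus/Malware: Eicar_test_file "
    r"Computer: TEST-VM Domain: DomainName\ File: C:\ProgramData\Microsoft\Windows "
    r"Defender\LocalCopy\{746896D4-2FBE-4D97-972E-AA3ED8F46290}-eicarcom2.zip (eicar.com) "
    r"Date/Time: 7/15/2014 14:15:36 Result: Virus successfully detected, "
    r"cannot perform the Clean action (Quarantine)"
)

# Decoder trend-osce translated to Python: OSSEC's "\.+" means "any characters".
PREMATCH = re.compile(r"Trend Micro OfficeScan Server:|Trend Micro Security")
RESULT = re.compile(r"Result:(.+)")

# Rules 7610-7612 from the thread as (id, level, status alternatives).
# <status> is assumed to be a substring match with '|' alternatives; the
# grouping rule 7600 (level 0) matches whenever the decoder fired.
RULES = [
    (7610, 5, ["Cleaned", "Quarantine"]),
    (7611, 9, ["Virus successfully detected, cannot perform the Clean action (Quarantine)"]),
    (7612, 5, ["Encrypted"]),
]


def decode(line):
    """Return {'status': ...} if trend-osce would decode the line, else None."""
    pre = PREMATCH.search(line)
    if pre is None:
        return None                       # prematch failed: decoder not applied
    hit = RESULT.search(line, pre.end())  # regex runs only after the prematch
    return {"status": hit.group(1).strip() if hit else None}


def match_rule(decoded):
    """Pick the rule that would alert: highest level first (assumed OSSEC order)."""
    if decoded is None:
        return None                       # nothing decoded, no rule in this group
    status = decoded["status"] or ""
    for rid, level, alts in sorted(RULES, key=lambda r: r[1], reverse=True):
        if any(alt in status for alt in alts):
            return rid, level
    return 7600, 0                        # only the silent grouping rule matched


if __name__ == "__main__":
    print(decode(SAMPLE), match_rule(decode(SAMPLE)))
```

Because 7611 (level 9) is tried before 7610 (level 5), the sample's "(Quarantine)" result lands on 7611 rather than the generic Cleaned|Quarantine rule.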