I have been following this thread with interest and I have a question. First, there is no reason, on the surface, this should not have worked using rule id = 19000; I tested in my lab on 2.7.1 and it worked. (I know I need to move up and I will this year.)

In my setup I tend to start with 70000 for new rules and it just works, so I altered existing working rules to use 19000 with no errors. However, when using rule 18104, isn't he essentially overwriting a current rule with a different match? Further, since the override syntax is not used, is there not a conflict in the subsystem? Thanks in advance for the information.

On Tuesday, October 28, 2014 10:45:15 AM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Oct 28, 2014 at 10:39 AM, Brian <ke...@myschatz.net> wrote:
> > I think I got it working; it may not be the correct way..
> > I removed Rule ID 19000
> > Added <id>^5142$|^5143$|^5144$|^5145$</id>
> > to Rule 18104
> > and gave Rule 18104 Level 2
> > and it seems to work now.. If it continues to work correctly, I thank you
> > for your help..
> >
> > Old Rules:
> > <rule id="19000" level="2">
>
> Be careful using these ID ranges. New rules could always be added
> using those IDs, and that would cause issues.
>
> > <if_sid>18100</if_sid>
> > <id>^5142$|^5143$|^5144$|^5145$</id>
> > <status>^AUDIT_SUCCESS|^success</status>
> > <description>Windows audit success event.</description>
> > </rule>
> >
> > <rule id="18104" level="0">
> > <if_sid>18100</if_sid>
> > <status>^AUDIT_SUCCESS|^success</status>
> > <description>Windows audit success event.</description>
> > </rule>
> >
> > New Rule:
> >
> > <rule id="18104" level="2">
> > <if_sid>18100</if_sid>
> > <id>^5142$|^5143$|^5144$|^5145$</id>
> > <status>^AUDIT_SUCCESS|^success</status>
> > <description>Windows audit success event.</description>
> > </rule>
> >
> > On Tuesday, October 28, 2014 9:34:59 AM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Mon, Oct 27, 2014 at 8:34 PM, Brian <ke...@myschatz.net> wrote:
> >> > From what I can tell, I am doing this correctly. Here is the log for
> >> > event ID 5145.
> >> > I did run ./ossec-logtest, I placed "WinEvtLog: Security: AUDIT_SUCCESS(5145)"
> >> > and it took me to Rule 18100 and not 19000.
> >> > Below I have my log, rules and logtest.
> >> >
> >> > Log:
> >> >
> >> > 2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538
> >> > %%1541
> >> > %%4416
> >> > %%4417
> >> > %%4418
> >> > %%4419
> >> > %%4420
> >> > %%4423
> >> > %%4424
> >> >
> >>
> >> I don't know enough about the Windows stuff to know why all of these
> >> are being presented on their own lines and whatnot.
> >> Running everything up until the first newline through ossec-logtest
> >> gives me the following output (Removing everything between the
> >> beginning of the line and 2014 because that should be an OSSEC header
> >> added to the archives.log entries):
> >>
> >> [root@localhost ddp]# cat /tmp/xxx
> >> 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538
> >> [root@localhost ddp]# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
> >> 2014/10/28 09:30:41 ossec-testrule: INFO: Reading local decoder file.
> >> 2014/10/28 09:30:41 ossec-testrule: INFO: Started (pid: 6981).
> >> ossec-testrule: Type one log per line.
> >>
> >> **Phase 1: Completed pre-decoding.
> >> full event: '2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538'
> >> hostname: 'localhost'
> >> program_name: '(null)'
> >> log: '2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538'
> >>
> >> **Phase 2: Completed decoding.
> >> decoder: 'windows'
> >> status: 'AUDIT_SUCCESS'
> >> id: '5145'
> >> extra_data: 'Microsoft-Windows-Security-Auditing'
> >> dstuser: '(no user)'
> >> system_name: 'WinClient.Domain.Local'
> >>
> >> **Phase 3: Completed filtering (rules).
> >> Rule id: '18104'
> >> Level: '0'
> >> Description: 'Windows audit success event.'
> >>
> >> So the id is decoded. And this rule successfully captures that log
> >> message:
> >> <rule id="300001" level="6">
> >> <if_sid>18104</if_sid>
> >> <id>^5142$|^5143$|^5144$|^5145$</id>
> >> <status>^AUDIT_SUCCESS|^success</status>
> >> <description>Windows audit success event.</description>
> >> </rule>
> >>
> >> > 2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\Objects \??\C:\import\DFSRoot\Objects \ 0x100081 %%1541
> >> > %%4416
> >> > %%4423
> >> > %%1541: %%1801 D:(A;;0x1200a9;;;WD)
> >> > %%4416: %%1801 D:(A;;0x1200a9;;;WD)
> >> > %%4423: %%1801 D:(A;;0x1200a9;;;WD)
> >> >
> >> > Rules:
> >> >
> >> > <group name="windows,">
> >> >
> >> > <rule id="18100" level="0">
> >> > <category>windows</category>
> >> > <description>Group of windows rules.</description>
> >> > </rule>
> >> >
> >> > <rule id="18101" level="0">
> >> > <if_sid>18100</if_sid>
> >> > <status>^INFORMATION</status>
> >> > <description>Windows informational event.</description>
> >> > </rule>
> >> >
> >> > <rule id="18102" level="0">
> >> > <if_sid>18100</if_sid>
> >> > <status>^WARNING</status>
> >> > <description>Windows warning event.</description>
> >> > </rule>
> >> >
> >> > <rule id="18103" level="5">
> >> > <if_sid>18100</if_sid>
> >> > <status>^ERROR</status>
> >> > <description>Windows error event.</description>
> >> > <group>system_error,</group>
> >> > </rule>
> >> >
> >> > <rule id="19000" level="6">
> >> > <if_sid>18100</if_sid>
> >> > <id>^5142$|^5143$|^5144$|^5145$</id>
> >> > <status>^AUDIT_SUCCESS|^success</status>
> >> > <description>Windows audit success event.</description>
> >> > </rule>
> >> >
> >> > <rule id="18104" level="0">
> >> > <if_sid>18100</if_sid>
> >> > <status>^AUDIT_SUCCESS|^success</status>
> >> > <description>Windows audit success event.</description>
> >> > </rule>
> >> >
> >> > Logtest:
> >> >
> >> > ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
> >> > 2014/10/27 19:15:53 ossec-testrule: INFO: Reading local decoder file.
> >> > 2014/10/27 19:15:53 ossec-testrule: INFO: Started (pid: 16744).
> >> > ossec-testrule: Type one log per line.
> >> >
> >> > WinEvtLog: Security: AUDIT_SUCCESS(5145)
> >> >
> >> > **Phase 1: Completed pre-decoding.
> >> > full event: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
> >> > hostname: 'OSSECServer'
> >> > program_name: '(null)'
> >> > log: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
> >> >
> >> > **Phase 2: Completed decoding.
> >> > decoder: 'windows'
> >> >
> >> > **Phase 3: Completed filtering (rules).
> >> > Rule id: '18100'
> >> > Level: '0'
> >> > Description: 'Group of windows rules.'
> >> >
> >> > On Monday, October 27, 2014 3:09:44 PM UTC-4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Oct 27, 2014 at 3:03 PM, Brian <ke...@myschatz.net> wrote:
> >> >> > I'm not sure if I am running it correctly..
> >> >> > I get the following, it doesn't show anything... In the ossec.conf
> >> >> > file, I placed <logall>yes</logall> in the global section and restarted.
> >> >> > I got no errors when restarting.
> >> >> >
> >> >> > ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest /var/ossec/logs/archives/archives.log
> >> >> > 2014/10/27 13:59:38 ossec-testrule: INFO: Reading local decoder file.
> >> >> > 2014/10/27 13:59:38 ossec-testrule: INFO: Started (pid: 15224).
> >> >> > ossec-testrule: Type one log per line.
> >> >> >
> >> >>
> >> >> The archives.log file is just a text log file. You'll need to find the
> >> >> entries you are interested in, copy them out of the file, and paste
> >> >> them into the ossec-logtest program.
> >> >>
> >> >> Windows is odd (why does it put so many spaces in odd places?), so
> >> >> copying archives.log to another location, then deleting all of the
> >> >> lines you are not interested in might be the best solution.
> >> >>
> >> >> As a shortcut while testing, I frequently save the log message to a
> >> >> file, then run:
> >> >>
> >> >> cat LOGMESSAGEFILE | /var/ossec/bin/ossec-logtest
> >> >>
> >> >> > On Monday, October 27, 2014 2:05:27 PM UTC-4, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Mon, Oct 27, 2014 at 2:01 PM, Brian <ke...@myschatz.net> wrote:
> >> >> >> > Thank you for your reply: Looks like the & was a typo. I fixed that and
> >> >> >> > now it looks like: <id>^5142$|^5143$|^5144$|^5145$</id>
> >> >> >> > So, I turned on debugging on the client side, and I get the following
> >> >> >> > shown below.. When I run: tail -f /var/ossec/logs/alerts/alerts.log
> >> >> >> > on the server side, I don't see anything coming in. The Windows client
> >> >> >> > is a Windows 2012 server.
> >> >> >> >
> >> >> >> > Debug:
> >> >> >> >
> >> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
> >> >> >> >
> >> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ \ 0x100080 %%1541
> >> >> >> >
> >> >> >> > %%4423
> >> >> >> >
> >> >> >> > - '
> >> >> >> >
> >> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
> >> >> >> >
> >> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ Program Files (x86)\ossec-agent 0x100081 %%1541
> >> >> >> >
> >> >> >> > %%4416
> >> >> >> >
> >> >> >> > %%4423
> >> >> >> >
> >> >> >>
> >> >> >> Did you turn on the log all option on the manager? If you run the log
> >> >> >> messages from the archives.log through ossec-logtest, what happens?
> >> >> >>
> >> >> >> > On Monday, October 27, 2014 11:42:37 AM UTC-4, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Mon, Oct 27, 2014 at 11:36 AM, Ivars Grīnbergs <i.gri...@gmail.com> wrote:
> >> >> >> >> > Is the ampersand correctly used at the end of 5142? For the other IDs
> >> >> >> >> > a $ sign is used.
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> Nope, I'm not sure what they were attempting with that.
> >> >> >> >>
> >> >> >> >> > Ivars
> >> >> >> >> >
> >> >> >> >> > On Mon, Oct 27, 2014 at 1:51 PM, Brian <ke...@myschatz.net> wrote:
> >> >> >> >> >>
> >> >> >> >> >> Hello, I am hoping someone may be able to help..
> >> >> >> >> >> I want to capture Windows Event IDs 5142 5143 5144 5145. I found this
> >> >> >> >> >> discussion on how to add it to your ossec.conf file.
> >> >> >> >> >>
> >> >> >> >> >> https://www.alienvault.com/forums/discussion/550/how-to-capture-windows-event-ids-not-captured-by-default-using-snare-or-ossec
> >> >> >> >> >>
> >> >> >> >> >> However, the events aren't showing up in ossec. Would this be the correct
> >> >> >> >> >> way of configuring OSSEC to capture specific Windows Event IDs?
> >> >> >> >> >>
> >> >> >> >> >> I added the following to my ossec.conf file, above 18104 as the above
> >> >> >> >> >> article suggested, and then restarted ossec..
> >> >> >> >> >>
> >> >> >> >> >> <rule id="19000" level="6">
> >> >> >> >> >> <if_sid>18100</if_sid>
> >> >> >> >> >> <id>^5142&|^5143$|^5144$|^5145$</id>
> >> >> >> >> >> <status>^AUDIT_SUCCESS|^success</status>
> >> >> >> >> >> <description>Windows audit success event.</description>
> >> >> >> >> >> </rule>
> >> >> >> >> >>
> >> >> >> >> >> Thank you for your help.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
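As an added example (not from this thread or from the OSSEC project), a small Python lint for a local rules file that catches the three things the thread trips over: the `&` typo in the `<id>` pattern (OSSEC patterns anchor with `^` and `$`), a local rule re-declaring a shipped rule such as 18104 without the `overwrite="yes"` attribute OSSEC provides for that, and custom rule IDs placed outside the range OSSEC documents for user-defined rules (100000-119999), which is what dan's warning about ID ranges is about. The built-in ID set and the local rules file are constructed from the rules quoted above.

```python
import re

# OSSEC reserves 100000-119999 for user-defined rules; lower IDs belong to the
# shipped rule set and may be taken by a future release (dan's warning above).
USER_RULE_RANGE = range(100000, 120000)

# Lenient regex scan, not an XML parser: the typo'd pattern has a raw '&'.
RULE_RE = re.compile(r"<rule\s+([^>]*)>(.*?)</rule>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
ID_RE = re.compile(r"<id>(.*?)</id>", re.S)

def lint_local_rules(local_xml, builtin_ids):
    """Return a sorted list of problems a local rules file would cause."""
    problems = []
    for attr_text, body in RULE_RE.findall(local_xml):
        attrs = dict(ATTR_RE.findall(attr_text))
        rid = int(attrs.get("id", "0"))
        overwrite = attrs.get("overwrite") == "yes"  # the documented way to replace a rule
        if rid in builtin_ids and not overwrite:
            problems.append(f'rule {rid}: re-declares a built-in rule without overwrite="yes"')
        if rid not in USER_RULE_RANGE and not overwrite:
            problems.append(f"rule {rid}: id outside the user-defined range 100000-119999")
        m = ID_RE.search(body)
        if m:  # every alternative must be anchored, e.g. ^5142$ (not ^5142&)
            for alt in m.group(1).split("|"):
                if not (alt.startswith("^") and alt.endswith("$")):
                    problems.append(f"rule {rid}: <id> alternative '{alt}' is not anchored ^...$")
    return sorted(problems)

# Constructed inputs: shipped Windows rule IDs from the thread, plus a local file
# with the typo'd rule, the 18104 re-declaration, and one rule chained off 18104.
BUILTIN_IDS = {18100, 18101, 18102, 18103, 18104}
LOCAL_RULES = """<group name="local,windows,">
  <rule id="19000" level="6">
    <if_sid>18100</if_sid>
    <id>^5142&|^5143$|^5144$|^5145$</id>
    <description>Windows audit success event.</description>
  </rule>
  <rule id="18104" level="2">
    <if_sid>18100</if_sid>
    <id>^5142$|^5143$|^5144$|^5145$</id>
    <description>Windows audit success event.</description>
  </rule>
  <rule id="100100" level="6">
    <if_sid>18104</if_sid>
    <id>^5142$|^5143$|^5144$|^5145$</id>
    <description>Windows share object access (event IDs 5142-5145).</description>
  </rule>
</group>"""
```

Running `lint_local_rules(LOCAL_RULES, BUILTIN_IDS)` reports four problems for rules 19000 and 18104 and none for 100100, which chains off the shipped 18104 the way dan's 300001 example does while staying in the user-defined ID range.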