*Raw Log...*

2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: SYSTEM-NAME: SYSTEM-NAME: Process Create: UtcTime: 3/31/2015 06:37:27.465 PM ProcessGuid: {7531FA7E-E967-551A-0000-0010D2A58706} ProcessId: 5868 Image: C:\Folder\Folder\file.exe CommandLine: C:\Folder\Folder\file.exe User: DOMAIN\Username LogonGuid: {7531FA7E-E963-551A-0000-0020EB238706} LogonId: 0x68723eb TerminalSessionId: 1 IntegrityLevel: no level HashType: SHA1 Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38 ParentProcessGuid: {7531FA7E-E965-551A-0000-0010038F8706} ParentProcessId: 476 ParentImage: C:\Folder\Folder\Parent.exe ParentCommandLine: "C:\Folder\Folder\Parent.exe"

*Decoded...*

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'C:\Folder\Folder\file.exe'
       dstuser: 'DOMAIN\Username'
       url: '19AF48C6B036E722D74FA00C4E852774236D2F38'
       extra_data: 'C:\Folder\Folder\Parent.exe'

**Phase 3: Completed filtering (rules).
       Rule id: '100242'
       Level: '12'
       Description: 'Unauthorized Process Detected'
**Alert to be generated.

*Rules...*

<rule id="100241" level="0">
  <if_sid>18100</if_sid>
  <list field="url">rules/lists/filelist</list>
  <description>Authorized Process</description>
</rule>

<rule id="100242" level="12">
  <if_sid>18100</if_sid>
  <list field="url" lookup="not_match_key">rules/lists/filelist</list>
  <description>Unauthorized Process</description>
</rule>

*CDB file contents...*

19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe

*Goal:* I would like to monitor a system for expected behavior and receive alerts when unexpected behavior occurs. I have a list of SHA1 hashes of the executables, as in the CDB file contents above. I simply want an alert when there are processes executed from this system outside of its baseline.

*Issue:* I cannot get a MATCH to work in the CDB. Maybe it's something simple and I've just been looking at this too long. I've commented out the 100242 rule and I cannot get 100241 to work. Much of the documentation supports no file extensions on the cdb lists in the ossec.conf and in the rules.xml - although I can find examples where people have included extensions... Maybe something silly I've overlooked? Please... someone slap some sense into me!!!

Thank you!
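As an added example (not from the post, and not OSSEC's own engine), the Python below re-implements the allow-list check the two rules above express: it pulls the Image and SHA1 Hash out of a Sysmon Process Create line, loads a baseline in the key:value layout of the CDB source file, and applies the match_key / not_match_key lookups in rule order. The sample log line and baseline are constructed in the post's layout, the field regexes are assumptions about the Sysmon text format, and the key comparison is assumed to be exact and case-sensitive as a cdb lookup is.

```python
import re
# Constructed inputs in the layout of the post's raw log and CDB source file.
BASELINE_TEXT = "19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe\n"
SAMPLE_LINE = ("2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Process Create: "
               "ProcessId: 5868 Image: C:\\Folder\\Folder\\file.exe CommandLine: C:\\Folder\\Folder\\file.exe "
               "User: DOMAIN\\Username HashType: SHA1 Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38 "
               "ParentImage: C:\\Folder\\Folder\\Parent.exe ParentCommandLine: \"C:\\Folder\\Folder\\Parent.exe\"")

# Sysmon fields the 'windows' decoder mapped to status and url in the logtest output (assumed regexes).
FIELD_PATTERNS = {"image": r"\bImage: (.+?) CommandLine:", "hash": r"\bHash: ([0-9A-Fa-f]{40})"}

# Same order as the post's rules: the first rule whose lookup succeeds decides.
RULES = [{"id": "100241", "level": 0, "lookup": "match_key"},
         {"id": "100242", "level": 12, "lookup": "not_match_key"}]

def load_baseline(text):
    """Parse key:value lines; the key is everything before the first ':'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            table[key.strip()] = value.strip()
    return table

def parse_process_create(line):
    """Return the fields, or None if one is missing (not a Process Create event)."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, line)
        if match is None:
            return None
        fields[name] = match.group(1)
    return fields

def list_lookup(table, key, lookup):
    """match_key fires when the key exists, not_match_key when it does not (exact, case-sensitive)."""
    present = key in table
    return present if lookup == "match_key" else not present

def evaluate(line, table):
    """Apply the rules to one log line; a level above 0 means an alert would be generated."""
    fields = parse_process_create(line)
    if fields is None:
        return None
    for rule in RULES:
        if list_lookup(table, fields["hash"], rule["lookup"]):
            return {"rule": rule["id"], "level": rule["level"], "image": fields["image"]}
    return None
```

Calling evaluate(SAMPLE_LINE, load_baseline(BASELINE_TEXT)) returns rule 100241 at level 0; with a hash that is not in the baseline, rule 100242 fires at level 12.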