*Raw Log...*

2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: 
SYSTEM-NAME: SYSTEM-NAME: Process Create:      UtcTime: 3/31/2015 
06:37:27.465 PM      ProcessGuid: {7531FA7E-E967-551A-0000-0010D2A58706}   
   ProcessId: 5868      Image: C:\Folder\Folder\file.exe      CommandLine: 
C:\Folder\Folder\file.exe       User: DOMAIN\Username      LogonGuid: 
{7531FA7E-E963-551A-0000-0020EB238706}      LogonId: 0x68723eb     
 TerminalSessionId: 1      IntegrityLevel: no level      HashType: SHA1     
 Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38      ParentProcessGuid: 
{7531FA7E-E965-551A-0000-0010038F8706}      ParentProcessId: 476     
 ParentImage: C:\Folder\Folder\Parent.exe      ParentCommandLine: 
"C:\Folder\Folder\Parent.exe"

*Decoded...*

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'C:\Folder\Folder\file.exe'
       dstuser: 'DOMAIN\Username'
       url: '19AF48C6B036E722D74FA00C4E852774236D2F38'
       extra_data: 'C:\Folder\Folder\Parent.exe'

**Phase 3: Completed filtering (rules).
       Rule id: '100242'
       Level: '12'
       Description: 'Unauthorized Process Detected'
**Alert to be generated.


*Rules...*

<rule id="100241" level="0">
  <if_sid>18100</if_sid>
  <list field="url">rules/lists/filelist</list>
  <description>Authorized Process</description>
</rule>

<rule id="100242" level="12">
  <if_sid>18100</if_sid>
  <list field="url" lookup="not_match_key">rules/lists/filelist</list>
  <description>Unauthorized Process</description>
</rule>

*CDB file contents...*

19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe

*Goal:*

I would like to monitor a system for expected behavior and receive alerts 
when unexpected behavior occurs.  I have a list of SHA1 hashes of the 
executables as in the CDB file contents above.  I simply want an alert when 
there are processes executed from this system outside of its baseline.

*Issue:*

I cannot get a MATCH to work in the CDB.  Maybe it's something simple and 
I've just been looking at this too long.  I've commented out the 100242 
rule and I cannot get 100241 to work.

Much of the documentation supports no file extensions on the cdb lists in 
the ossec.conf and in the rules.xml - although I can find examples where 
people have included extensions...

Maybe something silly I've overlooked?  Please... someone slap some sense 
into me!!! 

Thank you!

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
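An added example, not code from the post or from OSSEC itself, that models what the two rules above ask the engine to do: the SHA1 that the windows decoder places in the `url` field is looked up as a key in the CDB list, rule 100241 (`match_key`, the default) should fire when the key is present and rule 100242 (`not_match_key`) when it is absent. It assumes the lookup is a byte-exact key comparison (so letter case matters), which the third constructed log line shows; the helper names and the third log line are my own.

```python
import re

# Constructed CDB source text (the key:value file fed to ossec-makelists), from the post.
CDB_SOURCE = "19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe\n"

# Constructed Sysmon Process Create fragments: the post's hash, an unlisted
# placeholder hash, and a lowercase copy of the listed hash.
LOG_LISTED = ("Image: C:\\Folder\\Folder\\file.exe      HashType: SHA1      "
              "Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38      ParentProcessId: 476")
LOG_UNLISTED = ("Image: C:\\Folder\\Folder\\other.exe      HashType: SHA1      "
                "Hash: 0000000000000000000000000000000000000000      ParentProcessId: 476")
LOG_LOWERCASE = LOG_LISTED.replace("19AF48C6B036E722D74FA00C4E852774236D2F38",
                                   "19af48c6b036e722d74fa00c4e852774236d2f38")


def parse_cdb_source(text):
    """Parse 'key:value' lines into a dict, the way the list is keyed after makelists."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key] = value
    return entries


def extract_hash(raw_log):
    """Pull the value of the 'Hash:' field (what the decoder exposes as 'url').
    The word boundary keeps 'HashType:' from matching."""
    match = re.search(r"\bHash:\s*([0-9A-Fa-f]+)", raw_log)
    return match.group(1) if match else None


def cdb_lookup(entries, field_value, lookup="match_key"):
    """Model the <list> condition: assumed byte-exact key lookup, no case folding."""
    present = field_value in entries
    if lookup == "match_key":
        return present
    if lookup == "not_match_key":
        return not present
    raise ValueError("unsupported lookup: %s" % lookup)


def matching_rule(raw_log, entries):
    """Return the id of the rule from the post that the line would satisfy."""
    hash_value = extract_hash(raw_log)
    if hash_value is None:
        return None                      # no Hash field, neither rule applies
    if cdb_lookup(entries, hash_value, "match_key"):
        return "100241"                  # Authorized Process, level 0
    return "100242"                      # Unauthorized Process, level 12
```

The lowercase line lands on 100242 even though the same binary is listed, so a list built from lowercase hashes would alert on every Sysmon event under this model.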