1) Confirm that you have the list referenced in ossec.conf, i.e. <list>lists/psexec</list>
2) Create the cdb file with no extension, i.e. vi /var/ossec/lists/psexec
3) Run /var/ossec/bin/ossec-makelists; it should create a file named psexec.cdb in the lists folder

When doing my first CDB list a couple of months back I ran into some weird issues with ossec-makelists & file extensions... The above are my raw notes that eventually worked....

-Josh

On Tuesday, March 31, 2015 at 4:52:51 PM UTC-4, Brent Morris wrote:
> *Raw Log...*
>
> 2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: SYSTEM-NAME: SYSTEM-NAME: Process Create: UtcTime: 3/31/2015 06:37:27.465 PM ProcessGuid: {7531FA7E-E967-551A-0000-0010D2A58706} ProcessId: 5868 Image: C:\Folder\Folder\file.exe CommandLine: C:\Folder\Folder\file.exe User: DOMAIN\Username LogonGuid: {7531FA7E-E963-551A-0000-0020EB238706} LogonId: 0x68723eb TerminalSessionId: 1 IntegrityLevel: no level HashType: SHA1 Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38 ParentProcessGuid: {7531FA7E-E965-551A-0000-0010038F8706} ParentProcessId: 476 ParentImage: C:\Folder\Folder\Parent.exe ParentCommandLine: "C:\Folder\Folder\Parent.exe"
>
> *Decoded...*
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'C:\Folder\Folder\file.exe'
>        dstuser: 'DOMAIN\Username'
>        url: '19AF48C6B036E722D74FA00C4E852774236D2F38'
>        extra_data: 'C:\Folder\Folder\Parent.exe'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100242'
>        Level: '12'
>        Description: 'Unauthorized Process Detected'
> **Alert to be generated.
>
> *Rules...*
>
> <rule id="100241" level="0">
>   <if_sid>18100</if_sid>
>   <list field="url">rules/lists/filelist</list>
>   <description>Authorized Process</description>
> </rule>
>
> <rule id="100242" level="12">
>   <if_sid>18100</if_sid>
>   <list field="url" lookup="not_match_key">rules/lists/filelist</list>
>   <description>Unauthorized Process</description>
> </rule>
>
> *CDB file contents...*
>
> 19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe
>
> *Goal:*
>
> I would like to monitor a system for expected behavior and receive alerts when unexpected behavior occurs. I have a list of SHA1 hashes of the executables as in the CDB file contents above. I simply want an alert when there are processes executed from this system outside of its baseline.
>
> *Issue:*
>
> I cannot get a MATCH to work in the CDB. Maybe it's something simple and I've just been looking at this too long. I've commented out the 100242 rule and I cannot get 100241 to work.
>
> Much of the documentation supports no file extensions on the cdb lists in the ossec.conf and in the rules.xml - although I can find examples where people have included extensions...
>
> Maybe something silly I've overlooked? Please... someone slap some sense into me!!!
>
> Thank you!
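As an added example (not code from this thread or from OSSEC itself): a small Python script that renders a baseline of SHA1 hashes into the key:value text that ossec-makelists compiles into a .cdb, and emulates the lookup="match_key" / lookup="not_match_key" check as a plain dictionary lookup over Sysmon "Process Create" lines in the format Brent posted. Apart from the hash and paths taken from the raw log above, the baseline entries, file names and sample lines are constructed. The caveat it demonstrates is that a cdb key is compared byte for byte, so the hash in the list has to be in the same case the decoder extracts (Sysmon writes uppercase hex); the emulation is an assumption about the lookup semantics, not OSSEC's own code.

```python
"""Build an OSSEC-style CDB source list of SHA1 hashes and check Sysmon lines against it.

Added example, not from the ossec-list thread. The match_key / not_match_key
functions emulate the rule-level <list field="url" lookup="..."> check as an
exact dictionary lookup, so a list can be sanity-checked before running
ossec-makelists on it.
"""
import re

# Constructed baseline (sha1 -> file name). The first entry is the hash from
# the thread's raw log; the second is deliberately lowercase to show the
# case-sensitivity problem.
BASELINE = {
    "19AF48C6B036E722D74FA00C4E852774236D2F38": "file.exe",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709": "empty.exe",  # constructed
}

ZERO_SHA1 = "0" * 40  # constructed placeholder hash for an unknown binary

# Constructed Sysmon lines in the thread's "HashType: SHA1 Hash: <hex>" format.
SAMPLE_LINES = [
    r'2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: SYSTEM-NAME: SYSTEM-NAME: Process Create: UtcTime: 3/31/2015 06:37:27.465 PM ProcessGuid: {7531FA7E-E967-551A-0000-0010D2A58706} ProcessId: 5868 Image: C:\Folder\Folder\file.exe CommandLine: C:\Folder\Folder\file.exe User: DOMAIN\Username LogonGuid: {7531FA7E-E963-551A-0000-0020EB238706} LogonId: 0x68723eb TerminalSessionId: 1 IntegrityLevel: no level HashType: SHA1 Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38 ParentProcessGuid: {7531FA7E-E965-551A-0000-0010038F8706} ParentProcessId: 476 ParentImage: C:\Folder\Folder\Parent.exe ParentCommandLine: "C:\Folder\Folder\Parent.exe"',
    r'... Process Create: ... Image: C:\Folder\Folder\empty.exe ... HashType: SHA1 Hash: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 ...',
    r'... Process Create: ... Image: C:\Users\Public\psexec.exe ... HashType: SHA1 Hash: ' + ZERO_SHA1 + ' ...',
]

# "\bHash:" does not match "HashType:", and "\bImage:" does not match
# "ParentImage:". Paths are taken as one non-space token (no spaces in them here).
HASH_RE = re.compile(r"\bHash: ([0-9A-Fa-f]{40})\b")
IMAGE_RE = re.compile(r"\bImage: (\S+)")


def decode(line):
    """Return (image, sha1) from a Process Create line, or None if either is absent.

    In the thread the OSSEC windows decoder put these into 'status' and 'url';
    here they are just returned as a pair.
    """
    h = HASH_RE.search(line)
    i = IMAGE_RE.search(line)
    if not h or not i:
        return None
    return i.group(1), h.group(1)


def build_cdb_source(baseline, normalize=True):
    """Render key:value lines, one per hash, for ossec-makelists to compile.

    cdb keys are matched byte for byte, so the key must be in exactly the case
    the decoder extracts. Sysmon emits uppercase hex, so normalize=True
    uppercases every key.
    """
    lines = []
    for sha1, name in sorted(baseline.items()):
        key = sha1.upper() if normalize else sha1
        lines.append(f"{key}:{name}")
    return "\n".join(lines) + "\n"


def load_keys(cdb_source):
    """Parse key:value text back into a dict (stands in for the compiled .cdb)."""
    keys = {}
    for raw in cdb_source.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.partition(":")
        keys[key] = value
    return keys


def match_key(keys, value):
    """Emulates lookup="match_key": the field value equals a list key."""
    return value in keys


def not_match_key(keys, value):
    """Emulates lookup="not_match_key": the field value equals no list key."""
    return not match_key(keys, value)


def unauthorized(lines, cdb_source):
    """Return (image, sha1) for every decoded line whose hash is not in the list."""
    keys = load_keys(cdb_source)
    hits = []
    for line in lines:
        decoded = decode(line)
        if decoded is None:
            continue
        image, sha1 = decoded
        if not_match_key(keys, sha1):
            hits.append((image, sha1))
    return hits


if __name__ == "__main__":
    source = build_cdb_source(BASELINE)
    print(source, end="")
    for image, sha1 in unauthorized(SAMPLE_LINES, source):
        print(f"UNAUTHORIZED {image} {sha1}")
```

With normalize=True only the psexec.exe line is flagged; with normalize=False the empty.exe line is flagged as well, because its lowercase list key never equals the uppercase hash Sysmon logged.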