1) Confirm that you have the list referenced in ossec.conf ie
<list>lists/psexec</list>
2) Create the cdb file with no extension ie vi /var/ossec/lists/psexec
3) Run: /var/ossec/bin/ossec-makelists, it should create a file named
psexec.cdb in the lists folder
MaWhen doing my first CDB list a couple months back I ran into some weird
issues with the ossec-makelists & file extensions... The above are my raw
notes that eventually worked....
-Josh
On Tuesday, March 31, 2015 at 4:52:51 PM UTC-4, Brent Morris wrote:
>
> *Raw Log...*
>
> 2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username:
> SYSTEM-NAME: SYSTEM-NAME: Process Create: UtcTime: 3/31/2015
> 06:37:27.465 PM ProcessGuid: {7531FA7E-E967-551A-0000-0010D2A58706}
> ProcessId: 5868 Image: C:\Folder\Folder\file.exe CommandLine:
> C:\Folder\Folder\file.exe User: DOMAIN\Username LogonGuid:
> {7531FA7E-E963-551A-0000-0020EB238706} LogonId: 0x68723eb
> TerminalSessionId: 1 IntegrityLevel: no level HashType: SHA1
> Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38 ParentProcessGuid:
> {7531FA7E-E965-551A-0000-0010038F8706} ParentProcessId: 476
> ParentImage: C:\Folder\Folder\Parent.exe ParentCommandLine:
> "C:\Folder\Folder\Parent.exe"
>
> *Decoded...*
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'C:\Folder\Folder\file.exe'
> dstuser: 'DOMAIN\Username'
> url: '19AF48C6B036E722D74FA00C4E852774236D2F38'
> extra_data: 'C:\Folder\Folder\Parent.exe'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100242'
> Level: '12'
> Description: 'Unauthorized Process Detected'
> **Alert to be generated.
>
>
> *Rules...*
>
> <rule id="100241" level="0">
> <if_sid>18100</if_sid>
> <list field="url">rules/lists/filelist</list>
> <description>Authorized Process</description>
> </rule>
>
> <rule id="100242" level="12">
> <if_sid>18100</if_sid>
> <list field="url" lookup="not_match_key">rules/lists/filelist</list>
> <description>Unauthorized Process</description>
> </rule>
>
> *CDB file contents...*
>
> 19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe
>
> *Goal:*
>
> I would like to monitor a system for expected behavior and receive alerts
> when unexpected behavior occurs. I have a list of SHA1 hashes of the
> executables as in the CDB file contents above. I simply want an alert when
> there are processes executed from this system outside of its baseline.
>
> *Issue:*
>
> I cannot get a MATCH to work in the CDB. Maybe its something simple and
> I've just been looking at this too long. I've commented out the 100242
> rule and I cannot get 100241 to work.
>
> Much of the documentation supports no file extensions on the cdb lists in
> the ossec.conf and in the rules.xml - although I can find examples where
> people have included extensions...
>
> Maybe something silly I've overlooked? Please... someone slap some sense
> into me!!!
>
> Thank you!
>
>
>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
