Hi Dan!  Here's a log from my archives.log file

2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME_FQDN: A new process has been created. Subject:  Security ID:  S-1-5-21-1292428093-1078145449-842925246-500  Account Name:  Administrator  Account Domain:  DOMAIN  Logon ID:  0x6b008a65  Process Information:  New Process ID:  0xeac  New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Token Elevation Type: %%1936  Creator Process ID: 0x2068

I also get other similar powershell event logs with this type of unique 
message info:
handle to an object was closed
a process has exited
handle to an object was requested
privileges used for access check

in addition to the log above which has the message "a new process has been 
created"

On Monday, November 30, 2015 at 7:52:14 AM UTC-6, dan (ddpbsd) wrote:
>
> On Mon, Nov 30, 2015 at 6:39 AM, Phillipa Moorea <philli...@gmail.com> wrote:
> > If anybody knows what I am doing wrong, any help would be great.  Even just
> > a documentation link or something or a question of clarification?  I have
> > posted this issue in the AlienVault forums as well.  I've been keeping both
> > forums updated.
> >
>
> Can you post an entry from the archives.log after the eventchannel change? 
>
> > I think a lot of people will want to monitor any scripts from the command
> > line and from PowerShell that run on one of their servers or workstations.
> > If bad malware gets onto a device, it usually runs scripts, so this is part
> > of my detection technique to alert me if a script is run.  I'm still working
> > on the rules.
> >
> > This is my current rule setup in the local_rules.xml file: 
> > 
> > <group name="local,syslog,"> 
> >   <rule id="100210" level="6"> 
> >     <id>^400$|^403$|^500$|^501$|^600$</id> 
> >     <description>Powershell Event.</description> 
> >   </rule> 
> >   <rule id="100211" level="6"> 
> >     <match>CommandType=Cmdlet</match> 
> >     <description>Powershell Command.</description> 
> >   </rule> 
> >   <rule id="100212" level="6"> 
> >     <match>PowerShell</match> 
> >     <description>Powershell Log.</description> 
> >   </rule> 
> > </group> 
> > 
> > I'm not sure if the group name matters or needs to be something specific?
> > 
>
> The group names shouldn't affect much. 
>
> >
> > On Friday, November 27, 2015 at 9:06:21 AM UTC-6, Phillipa Moorea wrote:
> >>
> >> A little further, I changed the logformat from eventlog to eventchannel,
> >> and now the archive.log has taken out all of the multiple lines.  I still do
> >> not have a generated alert yet even though ossec-logtest says it generates
> >> an alert and it matches my custom rule.  I set the level to level 6.
> >>
> >> On Friday, November 27, 2015 at 8:41:48 AM UTC-6, Phillipa Moorea wrote:
> >>>
> >>> Well, I updated both the server and client OSSEC HIDS to 2.8.3, but still
> >>> no luck.  The PowerShell logs in archive.log are still multi-line logs, and
> >>> I am getting the same results.
> >>>
> >>> On Wednesday, November 25, 2015 at 8:45:18 AM UTC-6, Phillipa Moorea wrote:
> >>>>
> >>>> Ok, I think I know what's going on now.  I do not have the latest stable
> >>>> release of 2.8.3.  I think I might have 2.8.2 or 2.8.1 or something.
> >>>>
> >>>> I found this issue which resembled my issue because the logs have
> >>>> multiple lines in powershell.
> >>>> https://github.com/ossec/ossec-hids/issues/224
> >>>> Then I saw that a fix was implemented in 2.9 from here:
> >>>> https://github.com/ossec/ossec-hids/pull/457
> >>>> Then from this forum I now see that perhaps it is implemented in 2.8.3
> >>>> on Nov 5th which is probably the day after I had made my OSSEC updates, lol:
> >>>> https://groups.google.com/forum/#!topic/ossec-list/JA9x4uzDg1g
> >>>>
> >>>> I'll try updating to the latest version again and see if that helps.
> >>>>
> >>>> On Monday, November 9, 2015 at 9:17:28 AM UTC-6, Phillipa Moorea wrote:
> >>>>>
> >>>>> I have restarted OSSEC using the OSSEC Agent Manager on the ossec
> >>>>> client computer.  I have also restarted the OSSEC service on the OSSEC
> >>>>> server.  I'm not sure why I can't reply to your response, so I had to reply
> >>>>> to mine @dan(ddpbsd)
> >>>>>
> >>>>> Also I am using OSSEC HIDS v2.8 on the client & server.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>

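The archives.log entry above is in the single-line eventchannel layout this thread has been chasing, and the quoted local_rules.xml matches on event ids and substrings. As an added example that is not part of this thread or of OSSEC itself, the Python below parses such entries into fields and replays the three quoted rules over a handful of sample lines so the overlap between them is visible. The 4688 line is the one posted above (placeholders kept); the other sample entries and rule 100213 (flagging a 4688 whose New Process Name is powershell.exe) are constructed here, and the rule semantics approximate OSSEC's `<id>` and `<match>` behaviour rather than reproducing its engine.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Agent header, then the event as eventchannel writes it on one line:
# channel: LEVEL(event id): provider: user: domain: host: message
HEADER_RE = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d \([^)]*\) \S+->WinEvtLog "
    r"\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d WinEvtLog: (?P<channel>[^:]+): "
    r"[A-Z_]+\((?P<event_id>\d+)\): (?:[^:]+: ){4}(?P<message>.*)$"
)


@dataclass
class WinEvent:
    event_id: int
    channel: str
    message: str
    raw: str

    def field(self, name: str) -> Optional[str]:
        """Value of a 'Name:  Value' field in the message body, or None.

        eventchannel joins the event's lines with two spaces, so a value runs
        until the next double space (or end of line); paths containing single
        spaces therefore survive intact.
        """
        m = re.search(re.escape(name) + r":\s+(.*?)(?=\s{2}|$)", self.message)
        return m.group(1) if m else None


def parse_line(line: str) -> Optional[WinEvent]:
    """Parse one archive line; None for anything that is not a WinEvtLog entry."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return WinEvent(int(m["event_id"]), m["channel"], m["message"], line.strip())


# Python rendering of the quoted local_rules.xml: <id> compares the decoded
# event id, <match> is a plain substring test. Rule 100213 is an assumption
# added here, not something the thread contains.
RULES: List[Tuple[str, int, str, Callable[[WinEvent], bool]]] = [
    ("100210", 6, "Powershell Event.",
     lambda e: e.event_id in {400, 403, 500, 501, 600}),
    ("100211", 6, "Powershell Command.",
     lambda e: "CommandType=Cmdlet" in e.raw),
    ("100212", 6, "Powershell Log.",
     lambda e: "PowerShell" in e.raw),
    ("100213", 6, "powershell.exe started (Security 4688).",
     lambda e: e.event_id == 4688
     and (e.field("New Process Name") or "").lower().endswith("powershell.exe")),
]


def matching_rules(event: WinEvent) -> List[str]:
    """Ids of every rule whose condition holds. OSSEC settles on a single rule
    per event; listing all matches exposes overlap while rules are being tuned."""
    return [rid for rid, _level, _desc, pred in RULES if pred(event)]


def scan(lines) -> List[Tuple[int, str, List[str]]]:
    """(event id, channel, fired rule ids) for every line that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        fired = matching_rules(ev) if ev else []
        if fired:
            hits.append((ev.event_id, ev.channel, fired))
    return hits


# Constructed sample archive. Entry 0 is the 4688 line posted in the thread,
# joined onto one line with its placeholders kept; the rest are made up here.
SAMPLE_ARCHIVE = [
    "2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 "
    "WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: HOSTNAME_FQDN: A new process has been created. Subject:  "
    "Security ID:  S-1-5-21-1292428093-1078145449-842925246-500  Account Name:  "
    "Administrator  Account Domain:  DOMAIN  Logon ID:  0x6b008a65  "
    "Process Information:  New Process ID:  0xeac  New Process Name: "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe  "
    "Token Elevation Type: %%1936  Creator Process ID: 0x2068",
    "2015 Nov 30 10:07:58 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:55 "
    "WinEvtLog: Windows PowerShell: INFORMATION(400): PowerShell: (no user): "
    "no domain: HOSTNAME_FQDN: Engine state is changed from None to Available.  "
    "Details:  NewEngineState=Available  PreviousEngineState=None",
    "2015 Nov 30 10:07:59 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:56 "
    "WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): "
    "no domain: HOSTNAME_FQDN: Command \"Get-Process\" is Started.  Details:  "
    "CommandInvocation(Get-Process): \"Get-Process\"  CommandType=Cmdlet",
    "2015 Nov 30 10:08:00 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:57 "
    "WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: HOSTNAME_FQDN: An account was logged off. Subject:  "
    "Account Name:  Administrator  Account Domain:  DOMAIN  Logon Type:  3",
]

if __name__ == "__main__":
    for event_id, channel, fired in scan(SAMPLE_ARCHIVE):
        print(f"{channel} {event_id}: rules {', '.join(fired)}")
```

Run it directly to see which rules each sample trips; a real archives.log can be fed in by passing the open file to scan(). Because 100212 matches the bare substring PowerShell, it also fires on the Security 4688 entry through the WindowsPowerShell path, which is why that entry shows up even though its event id is outside the 400 to 600 set the first rule lists.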