On Wed, Feb 15, 2017 at 3:20 AM, InfoSec <gjahc...@compucenter.org> wrote:
> The events are sanitized.
>
> XML in Windows Event Viewer:
> - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> - <System>
>   <Provider Name="Microsoft-Windows-Security-Auditing"
> Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
>   <EventID>5140</EventID>
>   <Version>1</Version>
>   <Level>0</Level>
>   <Task>12808</Task>
>   <Opcode>0</Opcode>
>   <Keywords>0x8020000000000000</Keywords>
>   <TimeCreated SystemTime="2017-02-15T07:43:12.062985000Z" />
>   <EventRecordID>2076547748</EventRecordID>
>   <Correlation />
>   <Execution ProcessID="4" ThreadID="13920" />
>   <Channel>Security</Channel>
>   <Computer>Desktop</Computer>
>   <Security />
>   </System>
> - <EventData>
>   <Data
> Name="SubjectUserSid">S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</Data>
>   <Data Name="SubjectUserName">UserName</Data>
>   <Data Name="SubjectDomainName">DOMAIN</Data>
>   <Data Name="SubjectLogonId">0xXXXXXX</Data>
>   <Data Name="ObjectType">File</Data>
>   <Data Name="IpAddress">::1</Data>
>   <Data Name="IpPort">9723</Data>
>   <Data Name="ShareName">\\*\IPC$</Data>
>   <Data Name="ShareLocalPath" />
>   <Data Name="AccessMask">0x1</Data>
>   <Data Name="AccessList">%%4416</Data>
>   </EventData>
>   </Event>
>
> Event in Text Format (from Windows Event Viewer):
> Log Name:      Security
> Source:        Microsoft-Windows-Security-Auditing
> Date:          2017-02-15 09:43:12
> Event ID:      5140
> Task Category: File Share
> Level:         Information
> Keywords:      Audit Success
> User:          N/A
> Computer:      Desktop
> Description:
> A network share object was accessed.
> Subject:
> Security ID: DOMAIN\UseName
> Account Name: UserName
> Account Domain: DOMAIN
> Logon ID: 0xXXXXXX
>
> Network Information:
> Object Type: File
> Source Address: ::1
> Source Port: 9723
> Share Information:
> Share Name: \\*\IPC$
> Share Path:
>
> Access Request Information:
> Access Mask: 0x1
> Accesses: ReadData (or ListDirectory)
>
> OSSEC Log Event (in json format):
> {"rule":{"level":1,"comment":"Windows - A network share object was
> accessed.","sidid":182047,"firedtimes":3,"groups":["win_audit"],"PCI_DSS":["10.6.1"]},"dstuser":"(no
> user)","full_log":"2017 Feb 15 09:43:12 WinEvtLog: Security:
> AUDIT_SUCCESS(5140): Microsoft-Windows-Security-Auditing: (no user): no
> domain: Desktop: A network share object was accessed.  Subject:  Security
> ID:  S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX  Account Name:  GJahchan
> Account Domain:  DESKTOP  Logon ID:  0xXXXXXX  Network Information:   Source
> Address:  File  Source Port:  ::1   Share Name:
> 9723","id":"5140","status":"AUDIT_SUCCESS","data":"Microsoft-Windows-Security-Auditing","systemname":"Desktop","decoder":{"name":"windows"},"hostname":"Win10EntDsktp","agentip":"XXX.XXX.XX.X","timestamp":"2017
> Feb 15 07:43:12","location":"WinEvtLog"}
>
> OSSEC Log Event (in multi-line log format):
> 2017 Feb 15 09:43:12 WinEvtLog: Security: AUDIT_SUCCESS(5140):
> Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: A
> network share object was accessed.  Subject:  Security ID:
> S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX  Account Name:  UserName
> Account Domain:  DOMAIN  Logon ID:  0xXXXXXX  Network Information:   Source
> Address:  File  Source Port:  ::1   Share Name:   9723
>
> Corresponding Custom Rule:
>   <rule id="182047" level="1">
>     <if_sid>18104</if_sid>
>     <id>^5140$</id>
>     <description>Windows - A network share object was
> accessed.</description>
>     <group>pci_dss_10.6.1,</group>
>   </rule>
>
> Issues:
> The Source Address field is skipped, the Source Port is filled with the
> Source Address, the Share Name is filled with the Source Port.
> Share Name, Access Mask and Accesses fields are missing.
>

Can you turn on the logall option and pull a log sample from the archives.log?
The full_log entry in the json should be what OSSEC is seeing, and the
source port is listed as ::1

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.


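One way to check exactly what the post reports, added here as an example and not OSSEC's or the poster's code: it parses the sanitized EventData and the flattened full_log (both constructed from the values quoted above) and lists the labels whose values disagree. Splitting the message on runs of two or more spaces is an assumption about how the agent flattens the description; on this input it shows the shift beginning where the Object Type label is absent.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, reduced from the sanitized event and full_log quoted in the post.
EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID><Version>1</Version></System>
  <EventData>
    <Data Name="ObjectType">File</Data><Data Name="IpAddress">::1</Data>
    <Data Name="IpPort">9723</Data><Data Name="ShareName">\\*\IPC$</Data>
    <Data Name="AccessMask">0x1</Data>
  </EventData>
</Event>"""
FULL_LOG = ("2017 Feb 15 09:43:12 WinEvtLog: Security: AUDIT_SUCCESS(5140): "
            "Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: "
            "A network share object was accessed.  Subject:  Security ID:  "
            "S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX  Account Name:  UserName  "
            "Account Domain:  DOMAIN  Logon ID:  0xXXXXXX  Network Information:   "
            "Source Address:  File  Source Port:  ::1   Share Name:   9723")
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event Viewer label -> EventData name for the fields the post reports as wrong or missing.
LABEL_TO_DATA = {"Object Type": "ObjectType", "Source Address": "IpAddress",
                 "Source Port": "IpPort", "Share Name": "ShareName", "Access Mask": "AccessMask"}

def eventdata_fields(xml_text):
    """Return {Name: value} for every <Data> element under EventData."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall(".//e:EventData/e:Data", NS)}

def fulllog_fields(full_log):
    """Split the flattened OSSEC message into {label: value}. Assumption: the agent
    joins the description's lines with runs of spaces, so tokens are separated by
    2+ spaces, a token ending in ':' is a label and the next non-label token is its value."""
    fields, label = {}, None
    for tok in re.split(r"\s{2,}", full_log.strip()):
        if tok.endswith(":"):
            label = tok[:-1]
            fields[label] = ""
        elif label is not None:
            fields[label] = tok
            label = None
    return fields

def mismatches(xml_text, full_log):
    """Labels whose full_log value differs from EventData -> (expected, got);
    got is None when the label is absent from full_log altogether."""
    expected, got = eventdata_fields(xml_text), fulllog_fields(full_log)
    return {label: (expected.get(name), got.get(label))
            for label, name in LABEL_TO_DATA.items() if got.get(label) != expected.get(name)}
```

Running `mismatches(EVENT_XML, FULL_LOG)` on these inputs reports Source Address holding "File", Source Port holding "::1", Share Name holding "9723", and Object Type and Access Mask absent, which is the shift the post describes.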