Thanks.
But it doesn't work. It only decodes the srcip field. Attached is the output:

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. 
Application Information: Process ID: 0 Application Name: - Network 
Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 
55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 
17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer 
Run-Time ID: 13'
       hostname: 'USMCyberRange'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. 
Application Information: Process ID: 0 Application Name: - Network 
Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 
55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 
17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer 
Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       srcip: '10.20.10.55'

**Rule debugging:
    Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
    Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
    Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
    Trying rule: 18101 - Windows informational event.
    Trying rule: 18102 - Windows warning event.
    Trying rule: 18104 - Windows audit success event.
    Trying rule: 18103 - Windows error event.
    Trying rule: 18105 - Windows audit failure event.

**Phase 3: Completed filtering (rules).
       Rule id: '18100'
       Level: '0'
       Description: 'Group of windows rules.'

So, the original fields of the decoder have been erased (status, id, extra_data, 
srcuser, system_name, name, location, user, system_name). The consequence 
is that the original rules don't match.




On Tuesday, February 21, 2017 at 15:30:39 (UTC+1), dan (ddpbsd) wrote:
>
> On Mon, Feb 20, 2017 at 6:08 AM, Casimiro <hfba...@gmail.com> 
> wrote: 
> > Version 2.8 
> > 
> > Events: 
> > 
> > WinEvtLog: Security: AUDIT_FAILURE(5152): 
> > Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows 
> > Filtering Platform blocked a packet. Application Information: Process ID: 0 
> > Application Name: - Network Information: Direction: %%14952 Source Address: 
> > 10.10.10.58 Source Port: 55663 Destination Address: 255.255.255.255 
> > Destination Port: 1211 Protocol: 17 Filter Information: Filter Run-Time ID: 
> > 70713 Layer Name: %%14597 Layer Run-Time ID:13 
> > 
> > I want to extract the source IP in addition to the status, id, extra_data, 
> > srcuser, system_name original fields extracted from the original Windows decoder. 
> > 
>
> This works with the latest master: 
> <decoder name="windows1"> 
>   <parent>windows</parent> 
>   <regex>Source Address: (\S+)</regex> 
>   <order>srcip</order> 
> </decoder> 
>
>
>
> > Thanks 
> > 
> > 
> > On Friday, February 17, 2017 at 14:01:15 (UTC+1), Casimiro wrote: 
> >> 
> >> I'm trying to override the windows decoder to extract more fields (in 
> >> local_decoder.xml), like source ip, destination ip, source port, 
> >> 
> >> This is my local decoder for windows 
> >> 
> >> <decoder name="windows-audit"> 
> >>    <parent>windows</parent> 
> >>    <prematch>AUDIT_FAILURE(51512)</prematch> 
> >>    <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex> 
> >>    <order>srcip</order> 
> >> </decoder> 
> >> 
> >> When I put the new decoder in local_decoder.xml, the Windows log doesn't 
> >> match the windows parent decoder. If I take off the local decoder, then the 
> >> log matches the windows parent decoder. 
> >> 
> >> I want to get all fields: parent fields + child fields (in this case 
> >> status, id, extra_data, srcuser, system_name and srcip) 
> >> 
> >> Thanks in advance 
> >> 
> >> 
> >> 
> >> 

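As an added example (not from this thread and not OSSEC's own code), a Python check of the layered decoding the thread is after: the parent's header fields plus the child's WFP network fields, run over the event 5152 quoted above. The regexes are assumed approximations written for Python's `re`, not OSSEC's regex dialect, and the field mapping for the parent decoder is an assumption; the point is to validate the patterns on captured events before putting the equivalent multi-field decoder into local_decoder.xml.

```python
import re
from typing import Optional

# Constructed sample: the WFP event 5152 quoted in the thread, joined onto one line.
SAMPLE_EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. "
    "Application Information: Process ID: 0 Application Name: - Network "
    "Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: "
    "55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: "
    "17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer "
    "Run-Time ID: 13"
)

# Assumed approximation of the header fields the thread says the parent
# "windows" decoder extracts (status, id, extra_data, srcuser, user, system_name).
PARENT_RE = re.compile(
    r"^WinEvtLog: (?P<name>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<srcuser>[^:]+): (?P<user>[^:]+): "
    r"(?P<system_name>\S+): "
)

# Child pattern: the multi-field version of the "Source Address: (\S+)" decoder.
# Assumed local_decoder.xml equivalent (OSSEC syntax, fields comma-separated):
#   <decoder name="windows-wfp"><parent>windows</parent>
#     <regex offset="after_parent">Source Address: (\S+) Source Port: (\d+) ...</regex>
#     <order>srcip, srcport, dstip, dstport, protocol</order></decoder>
CHILD_RE = re.compile(
    r"Source Address: (?P<srcip>\S+) Source Port: (?P<srcport>\d+) "
    r"Destination Address: (?P<dstip>\S+) Destination Port: (?P<dstport>\d+) "
    r"Protocol: (?P<protocol>\d+)"
)


def decode(event: str) -> Optional[dict]:
    """Run parent then child; the child's fields are merged into the parent's,
    so rules keyed on status/id/system_name keep matching."""
    parent = PARENT_RE.match(event)
    if parent is None:
        return None                        # not a Windows event at all
    fields = parent.groupdict()
    # Like offset="after_parent": the child only sees the remainder of the line.
    child = CHILD_RE.search(event, parent.end())
    if child is not None:
        fields.update(child.groupdict())   # add network fields, erase nothing
    return fields


if __name__ == "__main__":
    for key, value in decode(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```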