Hi all, exist possiblity of write source ip address in eventos of integrity check? For the alert display real IP?
Em sexta-feira, 3 de março de 2017 15:55:14 UTC-3, dan (ddpbsd) escreveu: > > On Fri, Mar 3, 2017 at 3:04 AM, Casimiro <hfba...@gmail.com <javascript:>> > wrote: > > I solve my problem with this solution > > > > > https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification > > > > > > <decoder name="windows"> > > <type>windows</type> > > <prematch>^WinEvtLog: </prematch> > > </decoder> > > > > <decoder name="windows-default"> > > <parent>windows</parent> > > <type>windows</type> > > <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): > </regex> > > <regex>(\.+): \.+: (\S+): </regex> > > <order>status, id, extra_data, srcuser, system_name</order> > > <fts>name, location, user, system_name</fts> > > </decoder> > > <!-- > > And adding some IP/name extractions > > --> > > <decoder name="windows-default"> > > <parent>windows</parent> > > <type>windows</type> > > <regex offset="after_parent">Client > > Address:\s*\t*(\d+.\d+.\d+.\d+)</regex> > > <order>srcip</order> > > </decoder> > > > > This looks similar to what's in MASTER. > > > > > I'm trying other solution, but this don't parse well > > > > <decoder name="windows-675"> > > <type>windows</type> > > <parent>windows</parent> > > <prematch offset="after_parent">^\.+: (\w+)\((675)\):</prematch> > > <regex offset="after_parent">^\.+: (\w+)\((675)\): \.+: \.+: > \.+: > > (\S+): \.+: \.+: (\S+)</regex> > > <order>status, id, system_name, srcuser</order> > > </decoder> > > <decoder name="windows-675"> > > <type>windows</type> > > <parent>windows</parent> > > <regex offset="after_parent">Client Address: > > (\d+.\d+.\d+.\d+)</regex> > > <order>srcip</order> > > </decoder> > > > > > > El jueves, 2 de marzo de 2017, 19:58:30 (UTC+1), dan (ddpbsd) escribió: > >> > >> It continues to work with a fresh install of MASTER > >> **Phase 1: Completed pre-decoding. > >> full event: 'Mar 2 17:36:50 ossec-test2 WinEvtLog: Security: > >> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): > >> no domain: WK034.dom.com: The Windows Filtering Platform blocked a > >> packet. Application Information: Process ID: 0 Application Name: - > >> Network Information: Direction: %%14592 Source Address: 10.20.10.55 > >> Source Port: 55666 Destination Address: 255.255.255.255 Destination > >> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 > >> Layer Name: %%14597 Layer Run-Time ID: 13' > >> hostname: 'ossec-test2' > >> program_name: 'WinEvtLog' > >> log: 'Security: AUDIT_FAILURE(5152): > >> Microsoft-Windows-Security-Auditing: (no user): no domain: > >> WK034.dom.com: The Windows Filtering Platform blocked a packet. > >> Application Information: Process ID: 0 Application Name: - Network > >> Information: Direction: %%14592 Source Address: 10.20.10.55 Source > >> Port: 55666 Destination Address: 255.255.255.255 Destination Port: > >> 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer > >> Name: %%14597 Layer Run-Time ID: 13' > >> > >> **Phase 2: Completed decoding. > >> decoder: 'windows' > >> status: 'AUDIT_FAILURE' > >> id: '5152' > >> extra_data: 'Microsoft-Windows-Security-Auditing' > >> dstuser: '(no user)' > >> system_name: 'WK034.dom.com' > >> srcip: '10.20.10.55' > >> > >> **Phase 3: Completed filtering (rules). > >> Rule id: '18105' > >> Level: '4' > >> Description: 'Windows audit failure event.' > >> **Alert to be generated. > >> > >> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) <ddp...@gmail.com> wrote: > >> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro <hfba...@gmail.com> wrote: > >> >> Thanks. > >> >> But don't work. It only decode srcip field. Attach the output: > >> >> > >> >> **Phase 1: Completed pre-decoding. > >> >> full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): > >> >> Microsoft-Windows-Security-Auditing: (no user): no domain: > >> >> WK034.dom.com: > >> >> The Windows Filtering Platform blocked a packet. Application > >> >> Information: > >> >> Process ID: 0 Application Name: - Network Information: Direction: > >> >> %%14592 > >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: > >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter > Information: > >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' > >> >> hostname: 'USMCyberRange' > >> >> program_name: '(null)' > >> >> log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): > >> >> Microsoft-Windows-Security-Auditing: (no user): no domain: > >> >> WK34.dom.com: The > >> >> Windows Filtering Platform blocked a packet. Application > Information: > >> >> Process ID: 0 Application Name: - Network Information: Direction: > >> >> %%14592 > >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: > >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter > Information: > >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' > >> >> > >> >> **Phase 2: Completed decoding. > >> >> decoder: 'windows' > >> >> srcip: '10.20.10.55' > >> >> > >> >> **Rule debugging: > >> >> Trying rule: 6 - Generic template for all windows rules. > >> >> *Rule 6 matched. > >> >> *Trying child rules. > >> >> Trying rule: 7301 - Grouping of Symantec AV rules from eventlog. > >> >> Trying rule: 18100 - Group of windows rules. > >> >> *Rule 18100 matched. > >> >> *Trying child rules. > >> >> Trying rule: 18101 - Windows informational event. > >> >> Trying rule: 18102 - Windows warning event. > >> >> Trying rule: 18104 - Windows audit success event. > >> >> Trying rule: 18103 - Windows error event. > >> >> Trying rule: 18105 - Windows audit failure event. > >> >> > >> >> **Phase 3: Completed filtering (rules). > >> >> Rule id: '18100' > >> >> Level: '0' > >> >> Description: 'Group of windows rules.' > >> >> > >> >> So, the original fields of decoder has been erased (status, id, > >> >> extra_data, > >> >> srcuser, system_name, name, location, user, system_name). The > >> >> consecuence is > >> >> that orginal rules don't match. > >> >> > >> > > >> > That's strange, it works for me (I had to add the timestamp info): > >> > **Phase 1: Completed pre-decoding. > >> > full event: 'Mar 2 11:17:01 ossec-test WinEvtLog: Security: > >> > AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): > >> > no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked > >> > a packet. Application Information: Process ID: 0 Application Name: - > >> > Network Information: Direction: %%14592 Source Address: 10.20.10.55 > >> > Source Port: 55666 Destination Address: 255.255.255.255 Destination > >> > Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 > >> > Layer Name: %%14597 Layer Run-Time ID: 13' > >> > hostname: 'ossec-test' > >> > program_name: 'WinEvtLog' > >> > log: 'Security: AUDIT_FAILURE(5152): > >> > Microsoft-Windows-Security-Auditing: (no user): no domain: > >> > WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. > >> > Application Information: Process ID: 0 Application Name: - Network > >> > Information: Direction: %%14592 Source Address: 10.20.10.55 Source > >> > Port: 55666 Destination Address: 255.255.255.255 Destination Port: > >> > 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer > >> > Name: %%14597 Layer Run-Time ID: 13' > >> > > >> > **Phase 2: Completed decoding. > >> > decoder: 'windows' > >> > status: 'AUDIT_FAILURE' > >> > id: '5152' > >> > extra_data: 'Microsoft-Windows-Security-Auditing' > >> > dstuser: '(no user)' > >> > system_name: 'WKSUSR034.mccd.def' > >> > srcip: '10.20.10.55' > >> > > >> > **Phase 3: Completed filtering (rules). > >> > Rule id: '18105' > >> > Level: '4' > >> > Description: 'Windows audit failure event.' > >> > **Alert to be generated. > >> > > >> > Are you sure you have the latest Windows decoders? I'll try firing up > >> > another image and try again. > >> > > >> > > >> >> El viernes, 17 de febrero de 2017, 14:01:15 (UTC+1), Casimiro > escribió: > >> >>> > >> >>> I'm trying to override the windows decoder to extract more fields > (in > >> >>> local_decoder.xml), like source ip, destination ip, source port, > >> >>> > >> >>> This is my local decoder for windows > >> >>> > >> >>> <decoder name="windows-audit"> > >> >>> <parent>windows</parent> > >> >>> <prematch>AUDIT_FAILURE(51512)</prematch> > >> >>> <regex offset="after_parent">Source > >> >>> Address:\s+(\d+.\d+.\d+.\d+)</regex> > >> >>> <order>srcip</order> > >> >>> </decoder> > >> >>> > >> >>> When I put new decoder en local_decoder.xml. The windows log don't > >> >>> match > >> >>> with windows parent decoder. If I take off the local decoder then > log > >> >>> match > >> >>> with windows parent decoder. > >> >>> > >> >>> I want to get all fields: parent fields + soon fields (in this case > >> >>> status, id, extra_data, srcuser, system_name and srcip) > >> >>> > >> >>> Thanks in advanced > >> >>> > >> >>> > >> >>> > >> >>> > >> >> -- > >> >> > >> >> --- > >> >> You received this message because you are subscribed to the Google > >> >> Groups > >> >> "ossec-list" group. > >> >> To unsubscribe from this group and stop receiving emails from it, > send > >> >> an > >> >> email to ossec-list+...@googlegroups.com. > >> >> For more options, visit https://groups.google.com/d/optout. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
