Hi all,
Is there any possibility of writing the source IP address into integrity check events,
so that the alert displays the real IP?

On Friday, March 3, 2017 at 15:55:14 UTC-3, dan (ddpbsd) wrote:
>
> On Fri, Mar 3, 2017 at 3:04 AM, Casimiro <hfba...@gmail.com> 
> wrote: 
> > I solved my problem with this solution 
> > 
> > 
> https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification 
> > 
> > 
> > <decoder name="windows"> 
> >         <type>windows</type> 
> >         <prematch>^WinEvtLog: </prematch> 
> > </decoder> 
> > 
> > <decoder name="windows-default"> 
> >         <parent>windows</parent> 
> >         <type>windows</type> 
> >         <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex> 
> >         <regex>(\.+): \.+: (\S+): </regex> 
> >         <order>status, id, extra_data, srcuser, system_name</order> 
> >         <fts>name, location, user, system_name</fts> 
> > </decoder> 
> > <!-- 
> >         And adding some IP/name extractions 
> > --> 
> > <decoder name="windows-default"> 
> >         <parent>windows</parent> 
> >         <type>windows</type> 
> >         <regex offset="after_parent">Client Address:\s*\t*(\d+.\d+.\d+.\d+)</regex> 
> >         <order>srcip</order> 
> > </decoder> 
> > 
>
> This looks similar to what's in MASTER. 
>
> > 
> > I'm trying another solution, but this one doesn't parse well 
> > 
> > <decoder name="windows-675"> 
> >         <type>windows</type> 
> >         <parent>windows</parent> 
> >         <prematch offset="after_parent">^\.+: (\w+)\((675)\):</prematch> 
> >         <regex offset="after_parent">^\.+: (\w+)\((675)\): \.+: \.+: \.+: (\S+): \.+: \.+: (\S+)</regex> 
> >         <order>status, id, system_name, srcuser</order> 
> > </decoder> 
> > <decoder name="windows-675"> 
> >         <type>windows</type> 
> >         <parent>windows</parent> 
> >         <regex offset="after_parent">Client Address: (\d+.\d+.\d+.\d+)</regex> 
> >         <order>srcip</order> 
> > </decoder> 
> > 
> > 
> > On Thursday, March 2, 2017, 19:58:30 (UTC+1), dan (ddpbsd) wrote: 
> >> 
> >> It continues to work with a fresh install of MASTER 
> >> **Phase 1: Completed pre-decoding. 
> >>        full event: 'Mar  2 17:36:50 ossec-test2 WinEvtLog: Security: 
> >> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): 
> >> no domain: WK034.dom.com: The Windows Filtering Platform blocked a 
> >> packet. Application Information: Process ID: 0 Application Name: - 
> >> Network Information: Direction: %%14592 Source Address: 10.20.10.55 
> >> Source Port: 55666 Destination Address: 255.255.255.255 Destination 
> >> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 
> >> Layer Name: %%14597 Layer Run-Time ID: 13' 
> >>        hostname: 'ossec-test2' 
> >>        program_name: 'WinEvtLog' 
> >>        log: 'Security: AUDIT_FAILURE(5152): 
> >> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> WK034.dom.com: The Windows Filtering Platform blocked a packet. 
> >> Application Information: Process ID: 0 Application Name: - Network 
> >> Information: Direction: %%14592 Source Address: 10.20.10.55 Source 
> >> Port: 55666 Destination Address: 255.255.255.255 Destination Port: 
> >> 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer 
> >> Name: %%14597 Layer Run-Time ID: 13' 
> >> 
> >> **Phase 2: Completed decoding. 
> >>        decoder: 'windows' 
> >>        status: 'AUDIT_FAILURE' 
> >>        id: '5152' 
> >>        extra_data: 'Microsoft-Windows-Security-Auditing' 
> >>        dstuser: '(no user)' 
> >>        system_name: 'WK034.dom.com' 
> >>        srcip: '10.20.10.55' 
> >> 
> >> **Phase 3: Completed filtering (rules). 
> >>        Rule id: '18105' 
> >>        Level: '4' 
> >>        Description: 'Windows audit failure event.' 
> >> **Alert to be generated. 
> >> 
> >> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) <ddp...@gmail.com> wrote: 
> >> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro <hfba...@gmail.com> wrote: 
> >> >> Thanks. 
> >> >> But it doesn't work. It only decodes the srcip field. I attach the output: 
> >> >> 
> >> >> **Phase 1: Completed pre-decoding. 
> >> >>        full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
> >> >> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> WK034.dom.com: 
> >> >> The Windows Filtering Platform blocked a packet. Application 
> >> >> Information: 
> >> >> Process ID: 0 Application Name: - Network Information: Direction: 
> >> >> %%14592 
> >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
> >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter 
> Information: 
> >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' 
> >> >>        hostname: 'USMCyberRange' 
> >> >>        program_name: '(null)' 
> >> >>        log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
> >> >> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> WK34.dom.com: The 
> >> >> Windows Filtering Platform blocked a packet. Application 
> Information: 
> >> >> Process ID: 0 Application Name: - Network Information: Direction: 
> >> >> %%14592 
> >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
> >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter 
> Information: 
> >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' 
> >> >> 
> >> >> **Phase 2: Completed decoding. 
> >> >>        decoder: 'windows' 
> >> >>        srcip: '10.20.10.55' 
> >> >> 
> >> >> **Rule debugging: 
> >> >>     Trying rule: 6 - Generic template for all windows rules. 
> >> >>        *Rule 6 matched. 
> >> >>        *Trying child rules. 
> >> >>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog. 
> >> >>     Trying rule: 18100 - Group of windows rules. 
> >> >>        *Rule 18100 matched. 
> >> >>        *Trying child rules. 
> >> >>     Trying rule: 18101 - Windows informational event. 
> >> >>     Trying rule: 18102 - Windows warning event. 
> >> >>     Trying rule: 18104 - Windows audit success event. 
> >> >>     Trying rule: 18103 - Windows error event. 
> >> >>     Trying rule: 18105 - Windows audit failure event. 
> >> >> 
> >> >> **Phase 3: Completed filtering (rules). 
> >> >>        Rule id: '18100' 
> >> >>        Level: '0' 
> >> >>        Description: 'Group of windows rules.' 
> >> >> 
> >> >> So the original decoder fields have been erased (status, id, extra_data, 
> >> >> srcuser, system_name, name, location, user, system_name). The 
> >> >> consequence is that the original rules don't match. 
> >> >> 
> >> > 
> >> > That's strange, it works for me (I had to add the timestamp info): 
> >> > **Phase 1: Completed pre-decoding. 
> >> >        full event: 'Mar  2 11:17:01 ossec-test WinEvtLog: Security: 
> >> > AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): 
> >> > no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked 
> >> > a packet. Application Information: Process ID: 0 Application Name: - 
> >> > Network Information: Direction: %%14592 Source Address: 10.20.10.55 
> >> > Source Port: 55666 Destination Address: 255.255.255.255 Destination 
> >> > Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 
> >> > Layer Name: %%14597 Layer Run-Time ID: 13' 
> >> >        hostname: 'ossec-test' 
> >> >        program_name: 'WinEvtLog' 
> >> >        log: 'Security: AUDIT_FAILURE(5152): 
> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> > WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. 
> >> > Application Information: Process ID: 0 Application Name: - Network 
> >> > Information: Direction: %%14592 Source Address: 10.20.10.55 Source 
> >> > Port: 55666 Destination Address: 255.255.255.255 Destination Port: 
> >> > 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer 
> >> > Name: %%14597 Layer Run-Time ID: 13' 
> >> > 
> >> > **Phase 2: Completed decoding. 
> >> >        decoder: 'windows' 
> >> >        status: 'AUDIT_FAILURE' 
> >> >        id: '5152' 
> >> >        extra_data: 'Microsoft-Windows-Security-Auditing' 
> >> >        dstuser: '(no user)' 
> >> >        system_name: 'WKSUSR034.mccd.def' 
> >> >        srcip: '10.20.10.55' 
> >> > 
> >> > **Phase 3: Completed filtering (rules). 
> >> >        Rule id: '18105' 
> >> >        Level: '4' 
> >> >        Description: 'Windows audit failure event.' 
> >> > **Alert to be generated. 
> >> > 
> >> > Are you sure you have the latest Windows decoders? I'll try firing up 
> >> > another image and try again. 
> >> > 
> >> > 
> >> >> On Friday, February 17, 2017, 14:01:15 (UTC+1), Casimiro wrote: 
> >> >>> 
> >> >>> I'm trying to override the windows decoder to extract more fields 
> >> >>> (in local_decoder.xml), like source IP, destination IP, source port, ... 
> >> >>> 
> >> >>> This is my local decoder for windows 
> >> >>> 
> >> >>> <decoder name="windows-audit"> 
> >> >>>    <parent>windows</parent> 
> >> >>>    <!-- event ID is 5152; parentheses are grouping in OSSEC regex, so escape them --> 
> >> >>>    <prematch>AUDIT_FAILURE\(5152\)</prematch> 
> >> >>>    <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex> 
> >> >>>    <order>srcip</order> 
> >> >>> </decoder> 
> >> >>> 
> >> >>> When I put the new decoder in local_decoder.xml, the Windows log doesn't 
> >> >>> match the windows parent decoder. If I take off the local decoder, then 
> >> >>> the log matches the windows parent decoder. 
> >> >>> 
> >> >>> I want to get all fields: parent fields + child fields (in this case 
> >> >>> status, id, extra_data, srcuser, system_name and srcip) 
> >> >>> 
> >> >>> Thanks in advance 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
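The decoder chaining discussed in the thread above (parent `windows`, `windows-default` with `offset="after_parent"`, and a child that pulls `srcip`), as an added example that is not code from the thread, from the AlienVault forum post, or from OSSEC itself: a small Python harness that translates the posted OSSEC patterns into Python regexes and applies them to the 5152 line from the thread, so the merged parent + child fields can be checked before the decoders go into local_decoder.xml. The dialect translation, the `Decoder`/`decode` names and the "every matching child adds its fields" rule are my assumptions modelled on the logtest output quoted above, not taken from OSSEC's source; the sample lines are constructed.

```python
"""Stand-in for ossec-logtest Phase 2 (decoding). Added illustration, not OSSEC code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# OSSEC regex dialect -> Python re. Assumed approximation, not OSSEC's engine:
# "\." is "any character", a plain "." is a literal dot, "\w" also covers - @ _,
# "\s" is a space. OSSEC stops a repetition as soon as the following element
# matches (so "\.+: " takes only up to the first ": "), which non-greedy
# quantifiers reproduce; a repetition with nothing after it stays greedy so a
# trailing "(\d+)" still captures "55" rather than "5".
_CLASSES = {
    "w": r"[A-Za-z0-9_@\-]", "W": r"[^A-Za-z0-9_@\-]",
    "d": r"\d", "D": r"\D", "s": r" ", "S": r"\S", "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]", ".": r".",
}


def ossec_to_python(pattern: str) -> "re.Pattern[str]":
    tokens: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):      # \w \d \. and escaped literals like \( \)
            tokens.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif ch in "()^$|+*":                         # same meaning in both dialects
            tokens.append(ch)
            i += 1
        else:                                         # everything else is a literal
            tokens.append(re.escape(ch))
            i += 1
    out: List[str] = []
    for k, tok in enumerate(tokens):
        if tok in ("+", "*") and any(t != ")" for t in tokens[k + 1:]):
            tok += "?"                                # something follows: stop at first fit
        out.append(tok)
    return re.compile("".join(out))


@dataclass
class Decoder:
    name: str
    prematch: Optional[str] = None
    parent: Optional[str] = None
    regex: Tuple[str, ...] = ()        # several <regex> elements are concatenated
    order: Tuple[str, ...] = ()
    offset: Optional[str] = None       # "after_parent": match from the end of the parent's prematch

    def __post_init__(self) -> None:
        self._pre = ossec_to_python(self.prematch) if self.prematch else None
        self._re = ossec_to_python("".join(self.regex)) if self.regex else None


# The decoders as posted in the thread, plus the two srcip children:
# "Source Address" from the first post, "Client Address" from the forum fix.
DECODERS: List[Decoder] = [
    Decoder("windows", prematch=r"^WinEvtLog: "),
    Decoder("windows-default", parent="windows", offset="after_parent",
            regex=(r"^\.+: (\w+)\((\d+)\): (\.+): ", r"(\.+): \.+: (\S+): "),
            order=("status", "id", "extra_data", "srcuser", "system_name")),
    Decoder("windows-srcip", parent="windows", offset="after_parent",
            regex=(r"Source Address:\s+(\d+.\d+.\d+.\d+)",), order=("srcip",)),
    Decoder("windows-srcip", parent="windows", offset="after_parent",
            regex=(r"Client Address:\s*\t*(\d+.\d+.\d+.\d+)",), order=("srcip",)),
]


def decode(log: str, decoders: Optional[List[Decoder]] = None) -> Optional[Dict[str, str]]:
    """First parent whose prematch hits owns the event; every child of it whose
    prematch (if any) and regex match adds its fields. Assumed merge rule."""
    decoders = DECODERS if decoders is None else decoders
    for parent in (d for d in decoders if d.parent is None):
        m = parent._pre.search(log) if parent._pre else None
        if not m:
            continue
        fields: Dict[str, str] = {"decoder": parent.name}
        for child in (d for d in decoders if d.parent == parent.name):
            text = log[m.end():] if child.offset == "after_parent" else log
            if child._pre and not child._pre.search(text):
                continue
            cm = child._re.search(text) if child._re else None
            if cm:
                fields.update(zip(child.order, cm.groups()))
        return fields
    return None


# Constructed samples: the 5152 line from the thread as the agent ships it
# (no syslog header), and an unrelated sshd line that no decoder here owns.
SAMPLE_5152 = ("WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
               "(no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. "
               "Application Information: Process ID: 0 Application Name: - Network Information: "
               "Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 "
               "Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 "
               "Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13")
NOT_WINDOWS = "Mar  3 10:00:00 host sshd[1]: Failed password for invalid user test from 10.0.0.9 port 4242 ssh2"

if __name__ == "__main__":
    for key, value in (decode(SAMPLE_5152) or {}).items():
        print(f"{key:>12}: '{value}'")
```

Run it as `python3 winevt_decode.py` (file name assumed) and compare the printed fields with the Phase 2 block of ossec-logtest; the two srcip children share a name because only one of them can fire on a given event. One check worth doing with real Windows logon/Kerberos events: the address patterns require a dotted IPv4 right after the label, so a value such as `::ffff:10.20.10.55` produces no `srcip` at all, and ossec-logtest will show the same gap.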
