Hi Ian,

try this rule:
<group name="test,">

  <!--
  2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The 
Windows Filtering Platform blocked a packet. Application Information: 
Process ID: 0 Application Name: - Network Information: Direction: %%14592 
Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 
192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: 
Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
  -->

  <rule id="100001" level="0">
    <if_sid>18105</if_sid>
    <match>192.168.1.120</match>
    <description>ignore 192.168.1.120.</description>
  </rule>

</group>

ossec-logtest:
2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-
Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows 
Filtering Platform blocked a packet. Application Information: Process ID: 0 
Application Name: - Network Information: Direction: %%14592 Source Address: 
192.168.1.120 Source Port: 39740 Destination Address: 192.168.1.255 
Destination Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 
93069 Layer Name: %%14597 Layer Run-Time ID: 13




**Phase 1: Completed pre-decoding.
       full event: '2017 Jul 02 22:38:47 WinEvtLog: Security: 
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no 
domain: leaf-1: The Windows Filtering Platform blocked a packet. 
Application Information: Process ID: 0 Application Name: - Network 
Information: Direction: %%14592 Source Address: 192.168.1.120 Source Port: 
39740 Destination Address: 192.168.1.255 Destination Port: 32414 Protocol: 
17 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer 
Run-Time ID: 13'
       hostname: 'ip-10-0-0-10'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The 
Windows Filtering Platform blocked a packet. Application Information: 
Process ID: 0 Application Name: - Network Information: Direction: %%14592 
Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 
192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: 
Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'


**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'leaf-1'


**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '0'
       Description: 'ignore 192.168.1.120.'


I hope it helps.


On Monday, July 3, 2017 at 5:28:04 PM UTC+2, Ian Brown wrote:
>
> I believe I've figured it out -- I think the decoder isn't matching the 
> full log string and is thus stripping the ip address information.  Also 
> after looking at the regex in the decoder, I've discovered that it doesn't 
> even match against the first three example strings provided:
>
> Here's an example from the comments (After prematch):
> Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The 
> logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from 
> workstation: la failed. The error code was: 3221225572
>
> yet, the regex is:
> ^\.+: (\w+)\((\d+)\): (\.+): 
>
> The second (\d+) will only match against numbers, so (0x000002A9) will 
> never match.  It should be ([0-9A-Fx]+)
>
> Also, why is it escaping the period at the beginning and at the end? 
> Shouldn't the regex be:
> ^.+: (\w+)\((\d+)\): (.+):
>
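
Added example (not from the thread and not OSSEC's own code): a small Python emulation of the two OSSEC matching primitives, `<match>` (sregex, plain substring search) and `<regex>` (OS_Regex, where `\.` means any character and `\d` only digits), applied to the 5152 event above and to the hex-id sample quoted in Ian's message. It assumes OS_Regex closures behave lazily, which is what the Phase 2 output above shows (each `(\.+)` stops at the first `: `), and constructs a neighbouring address 192.168.1.1200 to show why a bare `<match>192.168.1.120</match>` also fires for it.

```python
import re

# Added example, not code from the thread or from OSSEC: emulates the two OSSEC
# matching primitives so rule behaviour can be checked offline. Assumed OS_Regex
# semantics: "\." any char, "\w" [A-Za-z0-9@_-], "\d" digits, "\s"/"\S" space/
# non-space, bare "." literal, no bracket classes; closures emulated as lazy.
_CLASSES = {".": ".", "w": "[A-Za-z0-9@_\\-]", "d": "[0-9]", "s": " ", "S": "[^ ]"}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate the OS_Regex subset used in this thread into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # class, or escaped literal like \(
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 1
        elif ch in "+*":                           # closure, emulated lazily
            out.append(ch + "?")
        elif ch in "()^$|":                        # same meaning in both engines
            out.append(ch)
        else:                                      # anything else, "." included, is literal
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def ossec_regex(pattern: str, text: str):
    """<regex> in a decoder or rule: captured groups (() if none) or None on no match."""
    m = re.search(ossec_regex_to_python(pattern), text)
    return m.groups() if m else None


def ossec_match(pattern: str, text: str) -> bool:
    """<match> (sregex): plain substring search; only ^ and $ are special."""
    head, tail = pattern.startswith("^"), pattern.endswith("$")
    core = pattern[int(head):len(pattern) - int(tail)]
    rx = ("^" if head else "") + re.escape(core) + ("$" if tail else "")
    return re.search(rx, text) is not None


# Log part of the 5152 event from the thread (after pre-decoding), shortened.
EVENT_5152 = ("Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
              "(no user): no domain: leaf-1: The Windows Filtering Platform blocked a "
              "packet. Direction: %%14592 Source Address: 192.168.1.120 Source Port: 39740")
# Hex-id sample quoted from the decoder comments in Ian's message.
EVENT_HEX = ("Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The "
             "logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from "
             "workstation: la failed. The error code was: 3221225572")
EVENT_NEIGHBOUR = EVENT_5152.replace("192.168.1.120", "192.168.1.1200")  # constructed
DECODER_REGEX = r"^\.+: (\w+)\((\d+)\): (\.+): "      # the regex quoted in Ian's message
```

Run against the samples, `ossec_regex(DECODER_REGEX, EVENT_HEX)` returns None because `\d+` cannot consume `0x000002A9`, while swapping that group for `(\w+)` matches it; OS_Regex has no bracket classes, so `([0-9A-Fx]+)` would not be a usable fix. Anchoring the ignore on `Source Address: 192.168.1.120 Source Port` via `<regex>` instead of `<match>` stops the rule from also silencing 192.168.1.1200.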
