Hi Ian, try this rule:

<group name="test,">
  <!-- 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13 -->
  <rule id="100001" level="0">
    <if_sid>18105</if_sid>
    <match>192.168.1.120</match>
    <description>ignore 192.168.1.120.</description>
  </rule>
</group>

ossec-logtest:

2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13

**Phase 1: Completed pre-decoding.
       full event: '2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'ip-10-0-0-10'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'leaf-1'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '0'
       Description: 'ignore 192.168.1.120.'

I hope it helps.

On Monday, July 3, 2017 at 5:28:04 PM UTC+2, Ian Brown wrote:
>
> I believe I've figured it out -- I think the decoder isn't matching the
> full log string and is thus stripping the IP address information. Also,
> after looking at the regex in the decoder, I've discovered that it doesn't
> even match against the first three example strings provided:
>
> Here's an example from the comments (after prematch):
> Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The
> logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from
> workstation: la failed. The error code was: 3221225572
>
> Yet the regex is:
> ^\.+: (\w+)\((\d+)\): (\.+):
>
> The second (\d+) will only match against numbers, so (0x000002A9) will
> never match. It should be ([0-9A-Fx]+)
>
> Also, why is it escaping the period at the beginning and at the end?
> Shouldn't the regex be:
> ^.+: (\w+)\((\d+)\): (.+):
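Added example for the two questions in this thread; it is not code from the thread or from the OSSEC project. OSSEC has its own regex dialect: `\.` means any character and a bare `.` is a literal dot (the reverse of PCRE, which is why the decoder escapes the periods), `\w` covers letters, digits, `@`, `_` and `-`, and there are no `[...]` character classes. The script below translates that subset into Python `re` syntax, runs the quoted windows decoder regex over the 5152 event from the logtest output and over the hex-ID event Ian quotes, and applies the rule's `<match>` the way OSSEC does, as an unanchored search, so a bare IP also hits a longer address that contains it. Two things are the example's own assumptions: OSSEC's `+` is modelled as a lazy repeat because that reproduces the field split logtest shows (extra_data ends at the next `: `), and the `(\w+)` variant for hexadecimal event IDs is a suggestion, not part of the shipped decoder.

```python
import re

# Added example, not OSSEC's own code.  It models the small subset of the
# OSSEC regex dialect used by the windows decoder quoted in the thread:
#   \.  any character (a bare '.' is a literal dot, the reverse of PCRE)
#   \w  alphanumeric plus '@', '_' and '-' (wider than PCRE's \w)
#   \d  digit, \s whitespace, \S non-space, \t tab
#   +   repeat, modelled as a lazy +? because OSSEC stops a repeated element
#       as soon as the rest of the pattern matches (assumption; it reproduces
#       the field split that ossec-logtest shows in the thread)
# Escapes not listed are passed through as literal characters.
OSSEC_ESCAPES = {
    ".": ".",
    "w": "[A-Za-z0-9@_-]",
    "W": "[^A-Za-z0-9@_-]",
    "d": r"\d",
    "D": r"\D",
    "s": r"\s",
    "S": r"\S",
    "t": r"\t",
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-dialect pattern into Python `re` syntax."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
        elif c == ".":
            out.append(r"\.")      # bare dot is literal in OSSEC
            i += 1
        elif c in "+*":
            out.append(c + "?")    # minimal repeat, see note above
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


# Decoder regex quoted in the thread; it runs on the text after the
# 'WinEvtLog: ' prematch.  Capture order: status, id, extra_data.
DECODER_REGEX = r"^\.+: (\w+)\((\d+)\): (\.+): "
# Hypothetical variant for hexadecimal IDs such as (0x000002A9): the dialect
# has no [...] classes, so \w (letters and digits) is used for the id.
DECODER_REGEX_HEX = r"^\.+: (\w+)\((\w+)\): (\.+): "
FIELDS = ("status", "id", "extra_data")


def decode_windows(log: str, regex: str = DECODER_REGEX):
    """Return the decoded fields, or None when the decoder regex fails
    (Ian's case: nothing is extracted for a rule to match on)."""
    m = re.match(ossec_to_python(regex), log)
    return dict(zip(FIELDS, m.groups())) if m else None


def rule_match(event: str, pattern: str) -> bool:
    """<match> is an unanchored search in the same dialect, i.e. a substring
    test unless the pattern supplies anchors or surrounding text."""
    return re.search(ossec_to_python(pattern), event) is not None


# Constructed sample events: the thread's 5152 event with the 'WinEvtLog: '
# prefix removed, the hex-ID example Ian quotes, and a neighbouring address
# that a bare-IP <match> also hits.
EVENT_5152 = (
    "Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: leaf-1: The Windows Filtering Platform blocked a "
    "packet. Application Information: Process ID: 0 Application Name: - "
    "Network Information: Direction: %%14592 Source Address: 192.168.1.120 "
    "Source Port: 39740 Destination Address: 192.168.1.255 Destination Port: "
    "32414 Protocol: 17 Filter Information: Filter Run-Time ID: 93069 "
    "Layer Name: %%14597 Layer Run-Time ID: 13"
)
EVENT_HEX = (
    "Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The "
    "logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from "
    "workstation: la failed. The error code was: 3221225572"
)
EVENT_NEIGHBOUR = EVENT_5152.replace(
    "Source Address: 192.168.1.120 ", "Source Address: 192.168.1.1200 "
)

if __name__ == "__main__":
    print("translated:", ossec_to_python(DECODER_REGEX))
    for name, ev in (("5152", EVENT_5152), ("hex", EVENT_HEX)):
        print(name, "default decoder:", decode_windows(ev))
        print(name, "hex-tolerant   :", decode_windows(ev, DECODER_REGEX_HEX))
    for ev in (EVENT_5152, EVENT_NEIGHBOUR):
        print(rule_match(ev, "192.168.1.120"),
              rule_match(ev, "Source Address: 192.168.1.120 "))
```

Running it shows the default decoder extracting status, id and extra_data from the 5152 event exactly as the logtest output above does, returning None for the hex-ID event, and the bare `<match>192.168.1.120</match>` also matching a host at 192.168.1.1200; including the surrounding text, for example `Source Address: 192.168.1.120 ` (with the trailing space), keeps the ignore rule pinned to the one host.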