On Thu, Jul 6, 2017 at 9:08 PM, Ian Brown <zestys...@gmail.com> wrote:
> Dan,
>
> It's what comes in SecurityOnion's latest iso (securityonion-14.04.5.2.iso).
>
> ./ossec-logtest -V
>
> OSSEC HIDS v2.8 - Trend Micro Inc.
>
> This program is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License (version 2) as
> published by the Free Software Foundation. For more details, go to
> http://www.ossec.net/main/license/
>
> I tried "apt-file search /var/ossec/bin/ossec-logtest" to see if a package
> owns it, but that program returned no results, so I'm going to assume it has
> been compiled from source.
>

2.8 is good enough info. I don't have anything that old to test unfortunately.
You could backup your decoder.xml and local_decoder.xml files and
download the latest decoders.
I think they should be compatible, and you can test them quickly with
ossec-logtest without restarting OSSEC.

>
>
> On 7/6/2017 5:47 PM, dan (ddp) wrote:
>>
>> On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown <zestys...@gmail.com> wrote:
>>>
>>> Dan, that matches for the source and destination IP addresses, but if I
>>> understand logtest's "Phase 2" output correctly, using those additional
>>> decoders drops all the other things that the original windows decoder
>>> found:
>>>
>>> ---------------------------
>>>
>>> # ./ossec-logtest -v
>>> 2017/07/06 02:19:12 ossec-testrule: INFO: Reading local decoder file.
>>> 2017/07/06 02:19:12 ossec-testrule: INFO: Started (pid: 4227).
>>> ossec-testrule: Type one log per line.
>>>
>>> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152):
>>> Microsoft-Windows-Security-Auditing: (no user): no domain: workstation:
>>> The
>>> Windows Filtering Platform blocked a packet. Application Information:
>>> Process ID: 0 Application Name: - Network Information: Direction: %%14592
>>> Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8
>>> Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time
>>> ID:
>>> 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>         full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>>> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no
>>> domain: workstation: The Windows Filtering Platform blocked a packet.
>>> Application Information: Process ID: 0 Application Name: - Network
>>> Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port: 143
>>> Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6 Filter
>>> Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time
>>> ID: 13'
>>>         hostname: 'securityonion'
>>>         program_name: '(null)'
>>>         log: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>>> AUDIT_FAILURE(5152):
>>> Microsoft-Windows-Security-Auditing: (no user): no domain: workstation:
>>> The
>>> Windows Filtering Platform blocked a packet. Application Information:
>>> Process ID: 0 Application Name: - Network Information: Direction: %%14592
>>> Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8
>>> Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time
>>> ID:
>>> 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
>>>
>>> **Phase 2: Completed decoding.
>>>         decoder: 'windows'
>>>         srcip: '1.2.3.4'
>>>         dstip: '5.6.7.8'
>>>
>>> **Rule debugging:
>>>      Trying rule: 6 - Generic template for all windows rules.
>>>         *Rule 6 matched.
>>>         *Trying child rules.
>>>      Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>>>      Trying rule: 18100 - Group of windows rules.
>>>         *Rule 18100 matched.
>>>         *Trying child rules.
>>>      Trying rule: 18101 - Windows informational event.
>>>      Trying rule: 18102 - Windows warning event.
>>>      Trying rule: 18104 - Windows audit success event.
>>>      Trying rule: 18103 - Windows error event.
>>>      Trying rule: 18105 - Windows audit failure event.
>>>
>>> **Phase 3: Completed filtering (rules).
>>>         Rule id: '18100'
>>>         Level: '0'
>>>         Description: 'Group of windows rules.'
>>> -------------
>>>
>>> This is Phase 2 without those additional decoders:
>>>
>>> **Phase 2: Completed decoding.
>>>         decoder: 'windows'
>>>         status: 'AUDIT_FAILURE'
>>>         id: '5152'
>>>         extra_data: 'Microsoft-Windows-Security-Auditing'
>>>         dstuser: '(no user)'
>>>         system_name: 'workstation'
>>>
>>> Do your decoders still inherit the matching of those fields and logtest
>>> just
>>> doesn't show this?
>>>
>> It works on mine:
>> **Phase 1: Completed pre-decoding.
>>         full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
>> no domain: workstation: The Windows Filtering Platform blocked a
>> packet. Application Information: Process ID: 0 Application Name: -
>> Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
>> Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
>> Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
>> %%14597 Layer Run-Time ID: 13'
>>         hostname: 'ix'
>>         program_name: 'WinEvtLog'
>>         log: 'Security: AUDIT_FAILURE(5152):
>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>> workstation: The Windows Filtering Platform blocked a packet.
>> Application Information: Process ID: 0 Application Name: - Network
>> Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
>> 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
>> Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
>> Layer Run-Time ID: 13'
>>
>> **Phase 2: Completed decoding.
>>         decoder: 'windows'
>>         status: 'AUDIT_FAILURE'
>>         id: '5152'
>>         extra_data: 'Microsoft-Windows-Security-Auditing'
>>         dstuser: '(no user)'
>>         system_name: 'workstation'
>>         srcip: '1.2.3.4'
>>         dstip: '5.6.7.8'
>>
>> **Phase 3: Completed filtering (rules).
>>         Rule id: '18105'
>>         Level: '4'
>>         Description: 'Windows audit failure event.'
>> **Alert to be generated.
>>
>> Which version are you using?
>>
>> Here's a clean room test, before the additions:
>> ossec-testrule: Type one log per line.
>>
>> **Phase 1: Completed pre-decoding.
>>         full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
>> no domain: workstation: The Windows Filtering Platform blocked a
>> packet. Application Information: Process ID: 0 Application Name: -
>> Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
>> Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
>> Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
>> %%14597 Layer Run-Time ID: 13'
>>         hostname: 'ossec-test'
>>         program_name: 'WinEvtLog'
>>         log: 'Security: AUDIT_FAILURE(5152):
>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>> workstation: The Windows Filtering Platform blocked a packet.
>> Application Information: Process ID: 0 Application Name: - Network
>> Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
>> 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
>> Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
>> Layer Run-Time ID: 13'
>>
>> **Phase 2: Completed decoding.
>>         decoder: 'windows'
>>         status: 'AUDIT_FAILURE'
>>         id: '5152'
>>         extra_data: 'Microsoft-Windows-Security-Auditing'
>>         dstuser: '(no user)'
>>         system_name: 'workstation'
>>
>> **Phase 3: Completed filtering (rules).
>>         Rule id: '18105'
>>         Level: '4'
>>         Description: 'Windows audit failure event.'
>> **Alert to be generated.
>>
>>
>> After the additions:
>> **Phase 1: Completed pre-decoding.
>>         full event: '2017 Jul 03 11:17:37 WinEvtLog: Security:
>> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
>> no domain: workstation: The Windows Filtering Platform blocked a
>> packet. Application Information: Process ID: 0 Application Name: -
>> Network Information: Direction: %%14592 Source Address: 1.2.3.4 Source
>> Port: 143 Destination Address: 5.6.7.8 Destination Port: 2619
>> Protocol: 6 Filter Information: Filter Run-Time ID: 93069 Layer Name:
>> %%14597 Layer Run-Time ID: 13'
>>         hostname: 'ossec-test'
>>         program_name: 'WinEvtLog'
>>         log: 'Security: AUDIT_FAILURE(5152):
>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>> workstation: The Windows Filtering Platform blocked a packet.
>> Application Information: Process ID: 0 Application Name: - Network
>> Information: Direction: %%14592 Source Address: 1.2.3.4 Source Port:
>> 143 Destination Address: 5.6.7.8 Destination Port: 2619 Protocol: 6
>> Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597
>> Layer Run-Time ID: 13'
>>
>> **Phase 2: Completed decoding.
>>         decoder: 'windows'
>>         status: 'AUDIT_FAILURE'
>>         id: '5152'
>>         extra_data: 'Microsoft-Windows-Security-Auditing'
>>         dstuser: '(no user)'
>>         system_name: 'workstation'
>>         srcip: '1.2.3.4'
>>         dstip: '5.6.7.8'
>>
>> **Phase 3: Completed filtering (rules).
>>         Rule id: '18105'
>>         Level: '4'
>>         Description: 'Windows audit failure event.'
>> **Alert to be generated.
>>
>>
>> This was using the latest code in github.
>>
>>
>>>
>>> On 7/5/2017 6:51 PM, dan (ddp) wrote:
>>>>
>>>> On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown <zestys...@gmail.com> wrote:
>>>>>
>>>>> There is a decoder that isn't quite handling some log entries the way I
>>>>> need.  I want to augment an existing decoder, but apparently I'm not
>>>>> doing this correctly.
>>>>> Here's an example log entry:
>>>>> 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152):
>>>>> Microsoft-Windows-Security-Auditing: (no user): no domain: workstation:
>>>>> The
>>>>> Windows Filtering Platform blocked a packet. Application Information:
>>>>> Process ID: 0 Application Name: - Network Information: Direction:
>>>>> %%14592
>>>>> Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8
>>>>> Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time
>>>>> ID:
>>>>> 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>>>>>
>>>>> Using this as a guide:
>>>>>
>>>>>
>>>>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html
>>>>>
>>>>> I've created a new decoder that inherits from this existing one:
>>>>>
>>>>> <decoder name="windows">
>>>>>     <type>windows</type>
>>>>>     <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog:
>>>>> |^WinEvtLog:
>>>>> </prematch>
>>>>>     <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+):
>>>>> </regex>
>>>>>     <regex>(\.+): \.+: (\S+): </regex>
>>>>>     <order>status, id, extra_data, user, system_name</order>
>>>>>     <fts>name, location, user, system_name</fts>
>>>>> </decoder>
>>>>>
>>>>> I've tried a number of different versions of this -- below was my last
>>>>> attempt:
>>>>>
>>>>> <decoder name="windows-filtering-platform">
>>>>>     <parent>windows</parent>
>>>>>     <prematch offset="after_parent">The Windows Filtering
>>>>> Platform</prematch>
>>>>>     <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>>>>>     <regex>(\.+): \.+: (\S+): Thee Windows Filtering Platform</regex>
>>>>>     <regex>Source Address: (\S+) Source Port: (\d+) Destination
>>>>> Address:
>>>>> (\S+)
>>>>> Destination Port: (\d+)</regex>
>>>>>     <order>status, id, extra_data, user, system_name, srcip, srcport,
>>>>> dstip,
>>>>> dstport</order>
>>>>> </decoder>
>>>>>
>>>>> All I'm trying to do is match for the source and destination
>>>>> information
>>>>> that's in these particular log entries.  However, when I added my
>>>>> decoder,
>>>>> it "took over" for all the windows decoder matches instead of just for
>>>>> the
>>>>> log entries I was hoping to match against -- any log entry that
>>>>> contained
>>>>> "The Windows Filtering Platform."
>>>>>
>>>>> On top of that, my decoder's regex doesn't seem to be matching any of
>>>>> the
>>>>> fields -- phase 2 just states:
>>>>>
>>>>> **Phase 2: Completed decoding.
>>>>>          decoder: 'windows'
>>>>>
>>>>> instead of at least:
>>>>> **Phase 2: Completed decoding.
>>>>>          decoder: 'windows'
>>>>>          status: 'AUDIT_FAILURE'
>>>>>          id: '5152'
>>>>>          extra_data: 'Microsoft-Windows-Security-Auditing'
>>>>>          dstuser: '(no user)'
>>>>>          system_name: 'workstation'
>>>>>
>>>>> How far off the rails am I in achieving the solution I'm looking for?
>>>>>
>>>> Adding these 2 decoders gives me the source and destination IP
>>>> addresses:
>>>> <decoder name="windows1">
>>>>     <parent>windows</parent>
>>>>     <regex>Source Address: (\S+)</regex>
>>>>     <order>srcip</order>
>>>> </decoder>
>>>>
>>>> <decoder name="windows1">
>>>>     <parent>windows</parent>
>>>>     <regex>Destination Address: (\S+) </regex>
>>>>     <order>dstip</order>
>>>> </decoder>
>>>>
>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups
>>>>> "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an
>>>>> email to ossec-list+unsubscr...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
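Added example, not from the thread and not OSSEC's own code: a small Python model of what ossec-logtest's Phase 2 does with the decoders posted above, so the parent/child behaviour Dan describes can be checked without an OSSEC install. It translates OSSEC's regex dialect into Python's only approximately (lazy quantifiers stand in for OSSEC's stop-at-the-next-pattern matching; `\.` is any character, a bare `.` a literal dot), applies the `windows` decoder Ian quoted as the parent and Dan's two child decoders, and merges the children's captures into the parent's fields. `Decoder`, `ossec_to_python` and `decode` are this example's own names. The WFP log line is the one quoted in the thread; the 4624 line is constructed here. The model works on the full line, as Ian's 2.8 output shows (no pre-decoding step), and does not reproduce analysisd's child-selection order or how it treats two decoders that share a name.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# OSSEC's regex dialect is not PCRE: "\." is any character, a bare "." a literal
# dot, "\(" "\)" literal parentheses, "\w" also covers '-' and '@', and a quantified
# class stops as soon as the rest of the pattern matches (a trailing one takes the
# whole token).  This mapping is the example's own approximation, not OSSEC code.
_ESCAPES = {".": ".", "d": r"\d", "s": r"\s", "S": r"\S", "\\": r"\\",
            "w": r"[A-Za-z0-9_@-]", "(": r"\(", ")": r"\)", "|": r"\|"}

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        if c in "+*":   # lazy, unless only ")" follows: "(\S+)" at the end takes the whole token
            out.append(c if pattern[i + 1:].strip(")") == "" else c + "?")
        elif c in "()|^$":
            out.append(c)              # groups, alternation, anchors
        else:
            out.append(re.escape(c))   # everything else, "." included, is literal
        i += 1
    return "".join(out)

@dataclass
class Decoder:
    """The subset of an OSSEC <decoder> element this model understands.
    prematch_offset is None or "after_parent"; regex_offset is None,
    "after_prematch" or "after_parent"."""
    name: str
    order: List[str] = field(default_factory=list)
    parent: Optional[str] = None
    prematch: Optional[str] = None
    prematch_offset: Optional[str] = None
    regex: Optional[str] = None
    regex_offset: Optional[str] = None

def _apply(dec: Decoder, log: str, parent_end: int) -> Optional[Tuple[Dict[str, str], int]]:
    """Run one decoder; return (captured fields, end of its match) or None."""
    pre_end = parent_end
    if dec.prematch:
        start = parent_end if dec.prematch_offset == "after_parent" else 0
        m = re.search(ossec_to_python(dec.prematch), log[start:])
        if not m:
            return None
        pre_end = start + m.end()
    fields, end = {}, pre_end
    if dec.regex:
        start = {"after_prematch": pre_end, "after_parent": parent_end}.get(dec.regex_offset, 0)
        m = re.search(ossec_to_python(dec.regex), log[start:])
        if not m:
            return None
        fields, end = dict(zip(dec.order, m.groups())), start + m.end()
    return fields, end

def decode(log: str, decoders: List[Decoder]) -> Dict[str, str]:
    """Phase 2 in miniature: the first matching parent, then every matching child.
    Child captures are merged into the parent's fields, not substituted for them."""
    for root in (d for d in decoders if d.parent is None):
        hit = _apply(root, log, 0)
        if hit is None:
            continue
        fields, parent_end = hit
        result = {"decoder": root.name, **fields}
        for child in (d for d in decoders if d.parent == root.name):
            child_hit = _apply(child, log, parent_end)
            if child_hit is not None:
                result.update(child_hit[0])
        return result
    return {}

# Parent: the windows decoder Ian quoted (its two <regex> elements concatenated, as
# OSSEC does).  Children: the two decoders Dan posted.  "user" is the <order> name;
# ossec-logtest prints it as dstuser.
DECODERS = [
    Decoder("windows",
            prematch=r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ",
            regex=r"^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): ",
            regex_offset="after_prematch",
            order=["status", "id", "extra_data", "user", "system_name"]),
    Decoder("windows1", parent="windows", regex=r"Source Address: (\S+)", order=["srcip"]),
    Decoder("windows1", parent="windows", regex=r"Destination Address: (\S+) ", order=["dstip"]),
]

# The event 5152 line quoted in the thread, on one line without the mail wrapping.
WFP_LOG = ("2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): "
           "Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: "
           "The Windows Filtering Platform blocked a packet. Application Information: "
           "Process ID: 0 Application Name: - Network Information: Direction: %%14592 "
           "Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 "
           "Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: "
           "93069 Layer Name: %%14597 Layer Run-Time ID: 13")

# Constructed for this example: a Security-log event that carries no WFP fields.
LOGON_LOG = ("2017 Jul 03 11:18:02 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
             "Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: "
             "An account was successfully logged on. Logon Type: 3")

if __name__ == "__main__":
    for line in (WFP_LOG, LOGON_LOG):
        print("**Phase 2: Completed decoding.")
        print("\n".join(f"        {k}: '{v}'" for k, v in decode(line, DECODERS).items()))
```

Run as-is and the 5152 line comes out with the parent's status/id/extra_data/user/system_name plus srcip and dstip from the children, while the 4624 line gets only the parent's fields because neither child regex matches it. That is the outcome to look for in ossec-logtest's Phase 2 after adding child decoders to local_decoder.xml, before restarting OSSEC.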