Re: [ossec-list] Re: Windows override Audit Events. Decoder
On Mar 6, 2017 9:51 AM, "Eduardo Reichert Figueiredo" <eduardo.reich...@hotmail.com> wrote:
> Hi all, is there a possibility of writing the source IP address in integrity check events? So that the alert displays the real IP?

There is no IP information in the syscheck log messages, so there is nothing to print.

> On Friday, March 3, 2017 15:55:14 UTC-3, dan (ddpbsd) wrote:
> > [...]
Re: [ossec-list] Re: Windows override Audit Events. Decoder
Hi all, is there a possibility of writing the source IP address in integrity check events? So that the alert displays the real IP?

On Friday, March 3, 2017 15:55:14 UTC-3, dan (ddpbsd) wrote:
> On Fri, Mar 3, 2017 at 3:04 AM, Casimiro wrote:
> > I solved my problem with this solution
> >
> > https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification
> >
> > [...]
>
> This looks similar to what's in MASTER.
>
> [...]
Re: [ossec-list] Re: Windows override Audit Events. Decoder
On Fri, Mar 3, 2017 at 3:04 AM, Casimiro wrote:
> I solved my problem with this solution
>
> https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification
>
> [...]

This looks similar to what's in MASTER.

> I'm trying another solution, but this one doesn't parse well
>
> [...]
Re: [ossec-list] Re: Windows override Audit Events. Decoder
I solved my problem with this solution

https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification

    <!-- Reconstructed from the list archive, which stripped the XML tags.
         The name attributes did not survive; "windows" is implied by the
         children's <parent>, the other names are placeholders. -->
    <decoder name="windows">
      <type>windows</type>
      <prematch>^WinEvtLog: </prematch>
    </decoder>

    <decoder name="windows1">
      <type>windows</type>
      <parent>windows</parent>
      <regex>^\.+: (\w+)\((\d+)\): (\.+): </regex>
      <regex>(\.+): \.+: (\S+): </regex>
      <order>status, id, extra_data, srcuser, system_name</order>
      <fts>name, location, user, system_name</fts>
    </decoder>

    <decoder name="windows-client-address">
      <type>windows</type>
      <parent>windows</parent>
      <regex>Client Address:\s*\t*(\d+.\d+.\d+.\d+)</regex>
      <order>srcip</order>
    </decoder>

I'm trying another solution, but this one doesn't parse well

    <!-- Reconstructed as above; the split between <prematch> and <regex>
         follows the line breaks in the quoted copies of this message. -->
    <decoder name="windows-675">
      <type>windows</type>
      <parent>windows</parent>
      <prematch>^\.+: (\w+)\((675)\): </prematch>
      <regex>^\.+: (\w+)\((675)\): \.+: \.+: \.+: (\S+): \.+: \.+: (\S+)</regex>
      <order>status, id, system_name, srcuser</order>
    </decoder>

    <decoder name="windows-675-client-address">
      <type>windows</type>
      <parent>windows</parent>
      <prematch>Client Address: </prematch>
      <regex>(\d+.\d+.\d+.\d+)</regex>
      <order>srcip</order>
    </decoder>

On Thursday, March 2, 2017, 19:58:30 (UTC+1), dan (ddpbsd) wrote:
> It continues to work with a fresh install of MASTER
>
> [...]
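An added example, written for this page and not code from the thread or from OSSEC: a small Python emulation of how the parent windows decoder and the regex-only child decoders quoted above pull fields out of the WinEvtLog event from the thread, and why a decoder that yields only srcip stops at rule 18100. It assumes OSSEC's documented regex dialect (\. any character, \w alphanumeric plus _ @ -, \s a space, \S a non-space, a bare . a literal dot), that child regexes run on the text after the parent's prematch, and that every regex-only child whose regex matches adds its fields, which is what dan's MASTER output shows; the decoder names, the rule 18105 condition and the sample event are constructed assumptions.

```python
import re

# Constructed copy of the WinEvtLog event quoted in the thread (agent format,
# no syslog header), embedded so the example runs offline.
SAMPLE_EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WK034.dom.com: The Windows Filtering Platform blocked a packet. "
    "Application Information: Process ID: 0 Application Name: - "
    "Network Information: Direction: %%14592 Source Address: 10.20.10.55 "
    "Source Port: 55666 Destination Address: 255.255.255.255 "
    "Destination Port: 1234 Protocol: 17 Filter Information: "
    "Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13"
)

# OSSEC regex escapes used by the decoders on this page, mapped to Python re.
_ESCAPES = {
    ".": ".",                 # OSSEC \. matches any character
    "w": r"[A-Za-z0-9_@\-]",  # OSSEC \w
    "d": "[0-9]",
    "s": " ",                 # OSSEC \s is a single space
    "S": "[^ ]",
    "t": r"\t",
    "(": r"\(",
    ")": r"\)",
}

def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC regex subset used on this page to Python re syntax."""
    # Repetitions become non-greedy so '\.+: ' stops at the first ': ', as OSSEC's
    # engine does on the windows decoder; the pattern's last repetition is left
    # greedy so a trailing '(\S+)' still captures the whole token.
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        if ch == ".":
            out.append(r"\.")      # a bare dot is a literal dot in OSSEC
        elif ch in "+*":
            out.append(ch + "?")
        else:
            out.append(ch)         # groups, anchors and plain literals
        i += 1
    return re.sub(r"([+*])\?(\)?)$", r"\1\2", "".join(out))

# Reconstruction of the decoders posted in the thread; the archive stripped the
# XML, so the decoder names are assumed.  The children carry no prematch, so
# every child whose regex matches contributes its fields.
WINDOWS_DECODER = {
    "name": "windows",
    "prematch": r"^WinEvtLog: ",
    "children": [
        {   # the stock field regex, moved into a child as on MASTER
            "name": "windows1",
            "regex": r"^\.+: (\w+)\((\d+)\): (\.+): " r"(\.+): \.+: (\S+): ",
            "order": ["status", "id", "extra_data", "srcuser", "system_name"],
        },
        {   # Casimiro's srcip child: the 5152 event has no "Client Address"
            "name": "windows-client-address",
            "regex": r"Client Address:\s*\t*(\d+.\d+.\d+.\d+)",
            "order": ["srcip"],
        },
        {   # dan's srcip child: matches the 5152 event's "Source Address"
            "name": "windows-source-address",
            "regex": r"Source Address: (\S+)",
            "order": ["srcip"],
        },
    ],
}

def decode(event: str, decoder: dict = WINDOWS_DECODER) -> dict:
    """Apply the parent prematch, then every child regex, accumulating fields."""
    head = re.search(ossec_to_python(decoder["prematch"]), event)
    if head is None:
        return {}                # not a windows event at all
    rest = event[head.end():]    # children see the text after the prematch
    fields = {"decoder": decoder["name"]}
    for child in decoder["children"]:
        match = re.search(ossec_to_python(child["regex"]), rest)
        if match is not None:    # a non-matching child simply adds nothing
            fields.update(zip(child["order"], match.groups()))
    return fields

def matched_rule(fields: dict) -> tuple:
    """Assumed stand-in for the rule step in the thread's logtest output."""
    # Rule 18105 (level 4) is reached only when the status field was decoded.
    if fields.get("status") == "AUDIT_FAILURE":
        return (18105, 4, "Windows audit failure event.")
    return (18100, 0, "Group of windows rules.")

if __name__ == "__main__":
    print(decode(SAMPLE_EVENT), matched_rule(decode(SAMPLE_EVENT)))
    # Casimiro's symptom: a decoder that yields only srcip never reaches 18105.
    srcip_only = dict(WINDOWS_DECODER, children=WINDOWS_DECODER["children"][2:])
    print(decode(SAMPLE_EVENT, srcip_only), matched_rule(decode(SAMPLE_EVENT, srcip_only)))
```

The field the posted decoder calls srcuser is printed as dstuser by the MASTER logtest output quoted in the thread; the emulation keeps the posted order.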
Re: [ossec-list] Re: Windows override Audit Events. Decoder
It continues to work with a fresh install of MASTER

**Phase 1: Completed pre-decoding.
       full event: 'Mar 2 17:36:50 ossec-test2 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'ossec-test2'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'WK034.dom.com'
       srcip: '10.20.10.55'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.

On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) wrote:
> On Thu, Mar 2, 2017 at 6:41 AM, Casimiro wrote:
> > Thanks.
> > But it doesn't work. It only decodes the srcip field. I attach the output:
> >
> > [...]
>
> That's strange, it works for me (I had to add the timestamp info):
>
> [...]
Re: [ossec-list] Re: Windows override Audit Events. Decoder
On Thu, Mar 2, 2017 at 6:41 AM, Casimiro wrote:
> Thanks.
> But it doesn't work. It only decodes the srcip field. I attach the output:
>
> [...]
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        srcip: '10.20.10.55'
>
> [...]
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18100'
>        Level: '0'
>        Description: 'Group of windows rules.'
>
> So, the original fields of the decoder have been erased (status, id, extra_data, srcuser, system_name, name, location, user, system_name). The consequence is that the original rules don't match.
>

That's strange, it works for me (I had to add the timestamp info):

**Phase 1: Completed pre-decoding.
       full event: 'Mar 2 11:17:01 ossec-test WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'ossec-test'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '5152'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'WKSUSR034.mccd.def'
       srcip: '10.20.10.55'

**Phase 3: Completed filtering (rules).
       Rule id: '18105'
       Level: '4'
       Description: 'Windows audit failure event.'
**Alert to be generated.

Are you sure you have the latest Windows decoders? I'll try firing up another image and try again.
> On Friday, February 17, 2017, 14:01:15 (UTC+1), Casimiro wrote:
> > I'm trying to override the windows decoder to extract more fields (in local_decoder.xml), like source ip, destination ip, source port,
> >
> > This is my local decoder for windows
> >
> >     <!-- reconstructed from the list archive, which stripped the XML tags;
> >          the decoder name did not survive and is a placeholder -->
> >     <decoder name="windows-srcip">
> >       <parent>windows</parent>
> >       <prematch>AUDIT_FAILURE(51512)</prematch>
> >       <regex>Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
> >       <order>srcip</order>
> >     </decoder>
> >
> > When I put the new decoder in local_decoder.xml, the Windows log doesn't match the windows parent decoder. If I take off the local decoder, then the log matches the windows parent decoder.
> >
> > I want to get all fields: parent fields + child fields (in this case status, id, extra_data, srcuser, system_name and srcip)
> >
> > Thanks in advance
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: Windows override Audit Events. Decoder
Thanks.
But it doesn't work. It only decodes the srcip field. I attach the output:

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'USMCyberRange'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       srcip: '10.20.10.55'

**Rule debugging:
       Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
       Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
       Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
       Trying rule: 18101 - Windows informational event.
       Trying rule: 18102 - Windows warning event.
       Trying rule: 18104 - Windows audit success event.
       Trying rule: 18103 - Windows error event.
       Trying rule: 18105 - Windows audit failure event.

**Phase 3: Completed filtering (rules).
       Rule id: '18100'
       Level: '0'
       Description: 'Group of windows rules.'

So, the original fields of the decoder have been erased (status, id, extra_data, srcuser, system_name, name, location, user, system_name). The consequence is that the original rules don't match.
Re: [ossec-list] Re: Windows override Audit Events. Decoder
Thanks.
But it doesn't work. It only decodes the srcip field. I attach the output:

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'USMCyberRange'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       srcip: '10.20.10.55'

**Rule debugging:
       Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
       Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
       Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
       Trying rule: 18101 - Windows informational event.
       Trying rule: 18102 - Windows warning event.
       Trying rule: 18104 - Windows audit success event.
       Trying rule: 18103 - Windows error event.
       Trying rule: 18105 - Windows audit failure event.

**Phase 3: Completed filtering (rules).
       Rule id: '18100'
       Level: '0'
       Description: 'Group of windows rules.'

So, the original fields of the decoder have been erased (status, id, extra_data, srcuser, system_name, name, location, user, system_name). The consequence is that the original rules don't match.
On Tuesday, February 21, 2017, 15:30:39 (UTC+1), dan (ddpbsd) wrote:
> On Mon, Feb 20, 2017 at 6:08 AM, Casimiro wrote:
> > Version 2.8
> >
> > Events:
> >
> > WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14952 Source Address: 10.10.10.58 Source Port: 55663 Destination Address: 255.255.255.255 Destination Port: 1211 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID:13
> >
> > I want to extract the source IP in addition to the status, id, extra_data, srcuser, system_name original fields extracted from the original Windows decoder.
> >
> This works with the latest master:
>
>   windows
>   Source Address: (\S+)
>   srcip
>
> > Thanks
> >
> > On Friday, February 17, 2017, 14:01:15 (UTC+1), Casimiro wrote:
> >> I'm trying to override the windows decoder to extract more fields (in local_decoder.xml), like source ip, destination ip, source port.
> >>
> >> This is my local decoder for windows:
> >>
> >>   windows
> >>   AUDIT_FAILURE(51512)
> >>   Source Address:\s+(\d+.\d+.\d+.\d+)
> >>   srcip
> >>
> >> When I put the new decoder in local_decoder.xml, the windows log doesn't match the windows parent decoder. If I take off the local decoder, then the log matches the windows parent decoder.
> >>
> >> I want to get all fields: parent fields + child fields (in this case status, id, extra_data, srcuser, system_name and srcip)
> >>
> >> Thanks in advance
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
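To make the decoder-chaining behaviour discussed in this thread concrete, here is an added example, written for this page and not taken from the thread or from OSSEC's source. It models in Python how a child decoder declared with a parent adds srcip on top of the stock windows decoder's fields, and reproduces the symptom above where only srcip survives when the local definition is not evaluated as a child of the stock decoder. The decoder name windows-srcip, the simplified matching semantics, and the sample event are assumptions or constructions; OSSEC's own regex dialect (its \.+ form) is rendered as Python re patterns, and a real local_decoder.xml is still checked with ossec-logtest, not with this script.

```python
import re

# Constructed sample, modelled on the WinEvtLog line for Security event 5152
# quoted in the thread (hostname and addresses as they appear there).
SAMPLE_EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. "
    "Application Information: Process ID: 0 Application Name: - "
    "Network Information: Direction: %%14592 Source Address: 10.20.10.55 "
    "Source Port: 55666 Destination Address: 255.255.255.255 "
    "Destination Port: 1234 Protocol: 17"
)


def make_decoder(name, regex, order, prematch=None, parent=None,
                 after_parent=False):
    """Build a decoder record. This is a simplified stand-in for an OSSEC
    <decoder> block (assumption: not OSSEC's real loader): prematch gates
    the decoder, regex captures fields in the given order, parent makes it
    a child of another decoder, and after_parent mirrors offset="after_parent"
    (search only the text that follows the parent's match)."""
    return {
        "name": name,
        "parent": parent,
        "prematch": re.compile(prematch) if prematch else None,
        "regex": re.compile(regex),
        "order": list(order),
        "after_parent": after_parent,
    }


# Python rendering of the stock "windows" decoder's field regex. OSSEC writes
# ".+" as "\.+"; non-greedy groups keep the same field split here.
STOCK_WINDOWS = make_decoder(
    name="windows",
    prematch=r"^WinEvtLog: ",
    regex=r"^WinEvtLog: .+?: (\w+)\((\d+)\): (.+?): (.+?): .+?: (\S+): ",
    order=["status", "id", "extra_data", "srcuser", "system_name"],
)

# Hypothetical child decoder (name assumed): extends the stock decoder with
# the "Source Address: (\S+)" regex that dan reports works on master.
SRCIP_CHILD = make_decoder(
    name="windows-srcip",
    parent="windows",
    prematch=r"AUDIT_FAILURE\(5152\)",
    regex=r"Source Address: (\S+)",
    order=["srcip"],
    after_parent=True,
)

# The mistaken form: no parent, so it runs as a top-level decoder and yields
# only what its own regex captures (the symptom in the thread).
SRCIP_STANDALONE = make_decoder(
    name="windows",
    prematch=r"^WinEvtLog: ",
    regex=r"Source Address: (\S+)",
    order=["srcip"],
)


def decode(log, decoders):
    """Return (decoder_name, fields). The first top-level decoder whose
    prematch and regex hit wins; then the first matching child of that
    decoder adds its captures to the parent's fields. Unmatched: (None, {})."""
    for d in decoders:
        if d["parent"] is not None:
            continue
        if d["prematch"] and not d["prematch"].search(log):
            continue
        m = d["regex"].search(log)
        if not m:
            continue
        fields = dict(zip(d["order"], m.groups()))
        tail = log[m.end():]           # text after the parent's match
        for child in decoders:
            if child["parent"] != d["name"]:
                continue
            if child["prematch"] and not child["prematch"].search(log):
                continue
            cm = child["regex"].search(tail if child["after_parent"] else log)
            if cm:
                fields.update(zip(child["order"], cm.groups()))
                break                  # only one child decoder applies
        return d["name"], fields
    return None, {}


if __name__ == "__main__":
    print("chained:   ", decode(SAMPLE_EVENT, [STOCK_WINDOWS, SRCIP_CHILD]))
    print("standalone:", decode(SAMPLE_EVENT, [SRCIP_STANDALONE]))
```

Run as-is, the chained case returns all five stock fields plus srcip, while the standalone case returns a decoder named "windows" with srcip alone, which is the shape of the Phase 2 output above. The model also shows a quieter failure: a child whose prematch never occurs in the event (for example an event id of 51512 tested against a 5152 event) leaves the parent's fields intact but adds no srcip, so the stock rules still fire and the missing field is easy to overlook.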
Re: [ossec-list] Re: Windows override Audit Events. Decoder
On Mon, Feb 20, 2017 at 6:08 AM, Casimiro wrote:
> Version 2.8
>
> Events:
>
> WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14952 Source Address: 10.10.10.58 Source Port: 55663 Destination Address: 255.255.255.255 Destination Port: 1211 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID:13
>
> I want to extract the source IP in addition to the status, id, extra_data, srcuser, system_name original fields extracted from the original Windows decoder.
>
This works with the latest master:

  windows
  Source Address: (\S+)
  srcip

> Thanks
>
> On Friday, February 17, 2017, 14:01:15 (UTC+1), Casimiro wrote:
>> I'm trying to override the windows decoder to extract more fields (in local_decoder.xml), like source ip, destination ip, source port.
>>
>> This is my local decoder for windows:
>>
>>   windows
>>   AUDIT_FAILURE(51512)
>>   Source Address:\s+(\d+.\d+.\d+.\d+)
>>   srcip
>>
>> When I put the new decoder in local_decoder.xml, the windows log doesn't match the windows parent decoder. If I take off the local decoder, then the log matches the windows parent decoder.
>>
>> I want to get all fields: parent fields + child fields (in this case status, id, extra_data, srcuser, system_name and srcip)
>>
>> Thanks in advance
[ossec-list] Re: Windows override Audit Events. Decoder
Version 2.8

Events:

WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14952 Source Address: 10.10.10.58 Source Port: 55663 Destination Address: 255.255.255.255 Destination Port: 1211 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID:13

I want to extract the source IP in addition to the status, id, extra_data, srcuser, system_name original fields extracted from the original Windows decoder.

Thanks

On Friday, February 17, 2017, 14:01:15 (UTC+1), Casimiro wrote:
> I'm trying to override the windows decoder to extract more fields (in local_decoder.xml), like source ip, destination ip, source port.
>
> This is my local decoder for windows:
>
>   windows
>   AUDIT_FAILURE(51512)
>   Source Address:\s+(\d+.\d+.\d+.\d+)
>   srcip
>
> When I put the new decoder in local_decoder.xml, the windows log doesn't match the windows parent decoder. If I take off the local decoder, then the log matches the windows parent decoder.
>
> I want to get all fields: parent fields + child fields (in this case status, id, extra_data, srcuser, system_name and srcip)
>
> Thanks in advance