Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-06 Thread dan (ddp)
On Mar 6, 2017 9:51 AM, "Eduardo Reichert Figueiredo" <
eduardo.reich...@hotmail.com> wrote:

Hi all,
Is there a possibility of writing the source IP address in the integrity check events?
So that the alert displays the real IP?


There is no IP information in the syscheck log messages, so there is
nothing to print.



On Friday, March 3, 2017 at 15:55:14 UTC-3, dan (ddpbsd) wrote:

> On Fri, Mar 3, 2017 at 3:04 AM, Casimiro  wrote:
> > I solve my problem with this solution
> >
> > https://www.alienvault.com/forums/discussion/5962/ossec-plug
> in-modification
> >
> >
> > 
> > windows
> > ^WinEvtLog: 
> > 
> >
> > 
> > windows
> > windows
> > ^\.+: (\w+)\((\d+)\): (\.+):
> 
> > (\.+): \.+: (\S+): 
> > status, id, extra_data, srcuser, system_name
> > name, location, user, system_name
> > 
> > 
> > 
> > windows
> > windows
> > Client
> > Address:\s*\t*(\d+.\d+.\d+.\d+)
> > srcip
> > 
> >
>
> This looks similar to what's in MASTER.
>
> >
> > I'm trying another solution, but this one doesn't parse well
> >
> > 
> > windows
> > windows
> > ^\.+: (\w+)\((675)\):
> > ^\.+: (\w+)\((675)\): \.+: \.+:
> \.+:
> > (\S+): \.+: \.+: (\S+)
> > status, id, system_name, srcuser
> > 
> > 
> > windows
> > windows
> > Client Address:
> > (\d+.\d+.\d+.\d+)
> > srcip
> > 
> >
> >
> > On Thursday, March 2, 2017, 19:58:30 (UTC+1), dan (ddpbsd) wrote:
> >>
> >> It continues to work with a fresh install of MASTER
> >> **Phase 1: Completed pre-decoding.
> >>full event: 'Mar  2 17:36:50 ossec-test2 WinEvtLog: Security:
> >> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
> >> no domain: WK034.dom.com: The Windows Filtering Platform blocked a
> >> packet. Application Information: Process ID: 0 Application Name: -
> >> Network Information: Direction: %%14592 Source Address: 10.20.10.55
> >> Source Port: 55666 Destination Address: 255.255.255.255 Destination
> >> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713
> >> Layer Name: %%14597 Layer Run-Time ID: 13'
> >>hostname: 'ossec-test2'
> >>program_name: 'WinEvtLog'
> >>log: 'Security: AUDIT_FAILURE(5152):
> >> Microsoft-Windows-Security-Auditing: (no user): no domain:
> >> WK034.dom.com: The Windows Filtering Platform blocked a packet.
> >> Application Information: Process ID: 0 Application Name: - Network
> >> Information: Direction: %%14592 Source Address: 10.20.10.55 Source
> >> Port: 55666 Destination Address: 255.255.255.255 Destination Port:
> >> 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer
> >> Name: %%14597 Layer Run-Time ID: 13'
> >>
> >> **Phase 2: Completed decoding.
> >>decoder: 'windows'
> >>status: 'AUDIT_FAILURE'
> >>id: '5152'
> >>extra_data: 'Microsoft-Windows-Security-Auditing'
> >>dstuser: '(no user)'
> >>system_name: 'WK034.dom.com'
> >>srcip: '10.20.10.55'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>Rule id: '18105'
> >>Level: '4'
> >>Description: 'Windows audit failure event.'
> >> **Alert to be generated.
> >>
> >> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp)  wrote:
> >> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro  wrote:
> >> >> Thanks.
> >> >> But it doesn't work. It only decodes the srcip field. I attach the output:
> >> >>
> >> >> **Phase 1: Completed pre-decoding.
> >> >>full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
> >> >> Microsoft-Windows-Security-Auditing: (no user): no domain:
> >> >> WK034.dom.com:
> >> >> The Windows Filtering Platform blocked a packet. Application
> >> >> Information:
> >> >> Process ID: 0 Application Name: - Network Information: Direction:
> >> >> %%14592
> >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
> >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter
> Information:
> >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
> >> >>hostname: 'USMCyberRange'
> >> >>program_name: '(null)'
> >> >>log: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
> >> >> Microsoft-Windows-Security-Auditing: (no user): no domain:
> >> >> WK34.dom.com: The
> >> >> Windows Filtering Platform blocked a packet. Application
> Information:
> >> >> Process ID: 0 Application Name: - Network Information: Direction:
> >> >> %%14592
> >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
> >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter
> Information:
> >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
> >> >>
> >> >> **Phase 2: Completed decoding.
> >> >>decoder: 'windows'
> >> >>srcip: '10.20.10.55'
> >> >>
> >> >> **Rule debugging:
> >> >> Trying rule: 6 - Generic template for all windows rules.
> >> >>   

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-06 Thread Eduardo Reichert Figueiredo
Hi all,
Is there a possibility of writing the source IP address in the integrity check events?
So that the alert displays the real IP?

On Friday, March 3, 2017 at 15:55:14 UTC-3, dan (ddpbsd) wrote:
>
> On Fri, Mar 3, 2017 at 3:04 AM, Casimiro wrote:
> > I solve my problem with this solution 
> > 
> > 
> https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification 
> > 
> > 
> >  
> > windows 
> > ^WinEvtLog:  
> >  
> > 
> >  
> > windows 
> > windows 
> > ^\.+: (\w+)\((\d+)\): (\.+): 
>  
> > (\.+): \.+: (\S+):  
> > status, id, extra_data, srcuser, system_name 
> > name, location, user, system_name 
> >  
> >  
> >  
> > windows 
> > windows 
> > Client 
> > Address:\s*\t*(\d+.\d+.\d+.\d+) 
> > srcip 
> >  
> > 
>
> This looks similar to what's in MASTER. 
>
> > 
> > I'm trying another solution, but this one doesn't parse well
> > 
> >  
> > windows 
> > windows 
> > ^\.+: (\w+)\((675)\): 
> > ^\.+: (\w+)\((675)\): \.+: \.+: 
> \.+: 
> > (\S+): \.+: \.+: (\S+) 
> > status, id, system_name, srcuser 
> >  
> >  
> > windows 
> > windows 
> > Client Address: 
> > (\d+.\d+.\d+.\d+) 
> > srcip 
> >  
> > 
> > 
> > On Thursday, March 2, 2017, 19:58:30 (UTC+1), dan (ddpbsd) wrote:
> >> 
> >> It continues to work with a fresh install of MASTER 
> >> **Phase 1: Completed pre-decoding. 
> >>full event: 'Mar  2 17:36:50 ossec-test2 WinEvtLog: Security: 
> >> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): 
> >> no domain: WK034.dom.com: The Windows Filtering Platform blocked a 
> >> packet. Application Information: Process ID: 0 Application Name: - 
> >> Network Information: Direction: %%14592 Source Address: 10.20.10.55 
> >> Source Port: 55666 Destination Address: 255.255.255.255 Destination 
> >> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 
> >> Layer Name: %%14597 Layer Run-Time ID: 13' 
> >>hostname: 'ossec-test2' 
> >>program_name: 'WinEvtLog' 
> >>log: 'Security: AUDIT_FAILURE(5152): 
> >> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> WK034.dom.com: The Windows Filtering Platform blocked a packet. 
> >> Application Information: Process ID: 0 Application Name: - Network 
> >> Information: Direction: %%14592 Source Address: 10.20.10.55 Source 
> >> Port: 55666 Destination Address: 255.255.255.255 Destination Port: 
> >> 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer 
> >> Name: %%14597 Layer Run-Time ID: 13' 
> >> 
> >> **Phase 2: Completed decoding. 
> >>decoder: 'windows' 
> >>status: 'AUDIT_FAILURE' 
> >>id: '5152' 
> >>extra_data: 'Microsoft-Windows-Security-Auditing' 
> >>dstuser: '(no user)' 
> >>system_name: 'WK034.dom.com' 
> >>srcip: '10.20.10.55' 
> >> 
> >> **Phase 3: Completed filtering (rules). 
> >>Rule id: '18105' 
> >>Level: '4' 
> >>Description: 'Windows audit failure event.' 
> >> **Alert to be generated. 
> >> 
> >> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp)  wrote: 
> >> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro  wrote: 
> >> >> Thanks. 
> >> >> But it doesn't work. It only decodes the srcip field. I attach the output:
> >> >> 
> >> >> **Phase 1: Completed pre-decoding. 
> >> >>full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
> >> >> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> WK034.dom.com: 
> >> >> The Windows Filtering Platform blocked a packet. Application 
> >> >> Information: 
> >> >> Process ID: 0 Application Name: - Network Information: Direction: 
> >> >> %%14592 
> >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
> >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter 
> Information: 
> >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' 
> >> >>hostname: 'USMCyberRange' 
> >> >>program_name: '(null)' 
> >> >>log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
> >> >> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> WK34.dom.com: The 
> >> >> Windows Filtering Platform blocked a packet. Application 
> Information: 
> >> >> Process ID: 0 Application Name: - Network Information: Direction: 
> >> >> %%14592 
> >> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
> >> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter 
> Information: 
> >> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' 
> >> >> 
> >> >> **Phase 2: Completed decoding. 
> >> >>decoder: 'windows' 
> >> >>srcip: '10.20.10.55' 
> >> >> 
> >> >> **Rule debugging: 
> >> >> Trying rule: 6 - Generic template for all windows rules. 
> >> >>*Rule 6 matched. 
> >> >>*Trying child 

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-03 Thread dan (ddp)
On Fri, Mar 3, 2017 at 3:04 AM, Casimiro  wrote:
> I solve my problem with this solution
>
> https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification
>
>
> 
> windows
> ^WinEvtLog: 
> 
>
> 
> windows
> windows
> ^\.+: (\w+)\((\d+)\): (\.+): 
> (\.+): \.+: (\S+): 
> status, id, extra_data, srcuser, system_name
> name, location, user, system_name
> 
> 
> 
> windows
> windows
> Client
> Address:\s*\t*(\d+.\d+.\d+.\d+)
> srcip
> 
>

This looks similar to what's in MASTER.

>
> I'm trying another solution, but this one doesn't parse well
>
> 
> windows
> windows
> ^\.+: (\w+)\((675)\):
> ^\.+: (\w+)\((675)\): \.+: \.+: \.+:
> (\S+): \.+: \.+: (\S+)
> status, id, system_name, srcuser
> 
> 
> windows
> windows
> Client Address:
> (\d+.\d+.\d+.\d+)
> srcip
> 
>
>
> On Thursday, March 2, 2017, 19:58:30 (UTC+1), dan (ddpbsd) wrote:
>>
>> It continues to work with a fresh install of MASTER
>> **Phase 1: Completed pre-decoding.
>>full event: 'Mar  2 17:36:50 ossec-test2 WinEvtLog: Security:
>> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
>> no domain: WK034.dom.com: The Windows Filtering Platform blocked a
>> packet. Application Information: Process ID: 0 Application Name: -
>> Network Information: Direction: %%14592 Source Address: 10.20.10.55
>> Source Port: 55666 Destination Address: 255.255.255.255 Destination
>> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713
>> Layer Name: %%14597 Layer Run-Time ID: 13'
>>hostname: 'ossec-test2'
>>program_name: 'WinEvtLog'
>>log: 'Security: AUDIT_FAILURE(5152):
>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>> WK034.dom.com: The Windows Filtering Platform blocked a packet.
>> Application Information: Process ID: 0 Application Name: - Network
>> Information: Direction: %%14592 Source Address: 10.20.10.55 Source
>> Port: 55666 Destination Address: 255.255.255.255 Destination Port:
>> 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer
>> Name: %%14597 Layer Run-Time ID: 13'
>>
>> **Phase 2: Completed decoding.
>>decoder: 'windows'
>>status: 'AUDIT_FAILURE'
>>id: '5152'
>>extra_data: 'Microsoft-Windows-Security-Auditing'
>>dstuser: '(no user)'
>>system_name: 'WK034.dom.com'
>>srcip: '10.20.10.55'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '18105'
>>Level: '4'
>>Description: 'Windows audit failure event.'
>> **Alert to be generated.
>>
>> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp)  wrote:
>> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro  wrote:
>> >> Thanks.
>> >> But it doesn't work. It only decodes the srcip field. I attach the output:
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
>> >> Microsoft-Windows-Security-Auditing: (no user): no domain:
>> >> WK034.dom.com:
>> >> The Windows Filtering Platform blocked a packet. Application
>> >> Information:
>> >> Process ID: 0 Application Name: - Network Information: Direction:
>> >> %%14592
>> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
>> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
>> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>> >>hostname: 'USMCyberRange'
>> >>program_name: '(null)'
>> >>log: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
>> >> Microsoft-Windows-Security-Auditing: (no user): no domain:
>> >> WK34.dom.com: The
>> >> Windows Filtering Platform blocked a packet. Application Information:
>> >> Process ID: 0 Application Name: - Network Information: Direction:
>> >> %%14592
>> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
>> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
>> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>> >>
>> >> **Phase 2: Completed decoding.
>> >>decoder: 'windows'
>> >>srcip: '10.20.10.55'
>> >>
>> >> **Rule debugging:
>> >> Trying rule: 6 - Generic template for all windows rules.
>> >>*Rule 6 matched.
>> >>*Trying child rules.
>> >> Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>> >> Trying rule: 18100 - Group of windows rules.
>> >>*Rule 18100 matched.
>> >>*Trying child rules.
>> >> Trying rule: 18101 - Windows informational event.
>> >> Trying rule: 18102 - Windows warning event.
>> >> Trying rule: 18104 - Windows audit success event.
>> >> Trying rule: 18103 - Windows error event.
>> >> Trying rule: 18105 - Windows audit failure event.
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >>Rule id: '18100'
>> >>  

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-03 Thread Casimiro
I solve my problem with this solution

https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification



windows
^WinEvtLog: 



windows
windows
^\.+: (\w+)\((\d+)\): (\.+): 
(\.+): \.+: (\S+): 
status, id, extra_data, srcuser, system_name
name, location, user, system_name



windows
windows
Client 
Address:\s*\t*(\d+.\d+.\d+.\d+)
srcip



I'm trying another solution, but this one doesn't parse well


windows
windows
^\.+: (\w+)\((675)\):
^\.+: (\w+)\((675)\): \.+: \.+: \.+: 
(\S+): \.+: \.+: (\S+)
status, id, system_name, srcuser


windows
windows
Client Address: 
(\d+.\d+.\d+.\d+)
srcip


On Thursday, March 2, 2017, 19:58:30 (UTC+1), dan (ddpbsd) wrote:
>
> It continues to work with a fresh install of MASTER 
> **Phase 1: Completed pre-decoding. 
>full event: 'Mar  2 17:36:50 ossec-test2 WinEvtLog: Security: 
> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): 
> no domain: WK034.dom.com: The Windows Filtering Platform blocked a 
> packet. Application Information: Process ID: 0 Application Name: - 
> Network Information: Direction: %%14592 Source Address: 10.20.10.55 
> Source Port: 55666 Destination Address: 255.255.255.255 Destination 
> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 
> Layer Name: %%14597 Layer Run-Time ID: 13' 
>hostname: 'ossec-test2' 
>program_name: 'WinEvtLog' 
>log: 'Security: AUDIT_FAILURE(5152): 
> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> WK034.dom.com: The Windows Filtering Platform blocked a packet. 
> Application Information: Process ID: 0 Application Name: - Network 
> Information: Direction: %%14592 Source Address: 10.20.10.55 Source 
> Port: 55666 Destination Address: 255.255.255.255 Destination Port: 
> 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer 
> Name: %%14597 Layer Run-Time ID: 13' 
>
> **Phase 2: Completed decoding. 
>decoder: 'windows' 
>status: 'AUDIT_FAILURE' 
>id: '5152' 
>extra_data: 'Microsoft-Windows-Security-Auditing' 
>dstuser: '(no user)' 
>system_name: 'WK034.dom.com' 
>srcip: '10.20.10.55' 
>
> **Phase 3: Completed filtering (rules). 
>Rule id: '18105' 
>Level: '4' 
>Description: 'Windows audit failure event.' 
> **Alert to be generated. 
>
> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) wrote:
> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro wrote:
> >> Thanks. 
> >> But it doesn't work. It only decodes the srcip field. I attach the output:
> >> 
> >> **Phase 1: Completed pre-decoding. 
> >>full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
> >> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> WK034.dom.com: 
> >> The Windows Filtering Platform blocked a packet. Application 
> Information: 
> >> Process ID: 0 Application Name: - Network Information: Direction: 
> %%14592 
> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: 
> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' 
> >>hostname: 'USMCyberRange' 
> >>program_name: '(null)' 
> >>log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
> >> Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: 
> The 
> >> Windows Filtering Platform blocked a packet. Application Information: 
> >> Process ID: 0 Application Name: - Network Information: Direction: 
> %%14592 
> >> Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
> >> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: 
> >> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13' 
> >> 
> >> **Phase 2: Completed decoding. 
> >>decoder: 'windows' 
> >>srcip: '10.20.10.55' 
> >> 
> >> **Rule debugging: 
> >> Trying rule: 6 - Generic template for all windows rules. 
> >>*Rule 6 matched. 
> >>*Trying child rules. 
> >> Trying rule: 7301 - Grouping of Symantec AV rules from eventlog. 
> >> Trying rule: 18100 - Group of windows rules. 
> >>*Rule 18100 matched. 
> >>*Trying child rules. 
> >> Trying rule: 18101 - Windows informational event. 
> >> Trying rule: 18102 - Windows warning event. 
> >> Trying rule: 18104 - Windows audit success event. 
> >> Trying rule: 18103 - Windows error event. 
> >> Trying rule: 18105 - Windows audit failure event. 
> >> 
> >> **Phase 3: Completed filtering (rules). 
> >>Rule id: '18100' 
> >>Level: '0' 
> >>Description: 'Group of windows rules.' 
> >> 
> >> So the original fields of the decoder have been erased (status, id, extra_data,
> >> srcuser, system_name, name, location, user,

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-02 Thread dan (ddp)
It continues to work with a fresh install of MASTER
**Phase 1: Completed pre-decoding.
   full event: 'Mar  2 17:36:50 ossec-test2 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: WK034.dom.com: The Windows Filtering Platform blocked a
packet. Application Information: Process ID: 0 Application Name: -
Network Information: Direction: %%14592 Source Address: 10.20.10.55
Source Port: 55666 Destination Address: 255.255.255.255 Destination
Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713
Layer Name: %%14597 Layer Run-Time ID: 13'
   hostname: 'ossec-test2'
   program_name: 'WinEvtLog'
   log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
WK034.dom.com: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 10.20.10.55 Source
Port: 55666 Destination Address: 255.255.255.255 Destination Port:
1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer
Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'AUDIT_FAILURE'
   id: '5152'
   extra_data: 'Microsoft-Windows-Security-Auditing'
   dstuser: '(no user)'
   system_name: 'WK034.dom.com'
   srcip: '10.20.10.55'

**Phase 3: Completed filtering (rules).
   Rule id: '18105'
   Level: '4'
   Description: 'Windows audit failure event.'
**Alert to be generated.

On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp)  wrote:
> On Thu, Mar 2, 2017 at 6:41 AM, Casimiro  wrote:
>> Thanks.
>> But it doesn't work. It only decodes the srcip field. I attach the output:
>>
>> **Phase 1: Completed pre-decoding.
>>full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
>> Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com:
>> The Windows Filtering Platform blocked a packet. Application Information:
>> Process ID: 0 Application Name: - Network Information: Direction: %%14592
>> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
>> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
>> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>>hostname: 'USMCyberRange'
>>program_name: '(null)'
>>log: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
>> Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: The
>> Windows Filtering Platform blocked a packet. Application Information:
>> Process ID: 0 Application Name: - Network Information: Direction: %%14592
>> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
>> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
>> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>>
>> **Phase 2: Completed decoding.
>>decoder: 'windows'
>>srcip: '10.20.10.55'
>>
>> **Rule debugging:
>> Trying rule: 6 - Generic template for all windows rules.
>>*Rule 6 matched.
>>*Trying child rules.
>> Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>> Trying rule: 18100 - Group of windows rules.
>>*Rule 18100 matched.
>>*Trying child rules.
>> Trying rule: 18101 - Windows informational event.
>> Trying rule: 18102 - Windows warning event.
>> Trying rule: 18104 - Windows audit success event.
>> Trying rule: 18103 - Windows error event.
>> Trying rule: 18105 - Windows audit failure event.
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '18100'
>>Level: '0'
>>Description: 'Group of windows rules.'
>>
>> So the original fields of the decoder have been erased (status, id, extra_data,
>> srcuser, system_name, name, location, user, system_name). The consequence is
>> that the original rules don't match.
>>
>
> That's strange, it works for me (I had to add the timestamp info):
> **Phase 1: Completed pre-decoding.
>full event: 'Mar  2 11:17:01 ossec-test WinEvtLog: Security:
> AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
> no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked
> a packet. Application Information: Process ID: 0 Application Name: -
> Network Information: Direction: %%14592 Source Address: 10.20.10.55
> Source Port: 55666 Destination Address: 255.255.255.255 Destination
> Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713
> Layer Name: %%14597 Layer Run-Time ID: 13'
>hostname: 'ossec-test'
>program_name: 'WinEvtLog'
>log: 'Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet.
> Application Information: Process ID: 0 Application Name: - Network
> Information: Direction: %%14592 Source Address: 10.20.10.55 Source
> Port: 55666 

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-02 Thread dan (ddp)
On Thu, Mar 2, 2017 at 6:41 AM, Casimiro  wrote:
> Thanks.
> But it doesn't work. It only decodes the srcip field. I attach the output:
>
> **Phase 1: Completed pre-decoding.
>full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com:
> The Windows Filtering Platform blocked a packet. Application Information:
> Process ID: 0 Application Name: - Network Information: Direction: %%14592
> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>hostname: 'USMCyberRange'
>program_name: '(null)'
>log: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: The
> Windows Filtering Platform blocked a packet. Application Information:
> Process ID: 0 Application Name: - Network Information: Direction: %%14592
> Source Address: 10.20.10.55 Source Port: 55666 Destination Address:
> 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information:
> Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>
> **Phase 2: Completed decoding.
>decoder: 'windows'
>srcip: '10.20.10.55'
>
> **Rule debugging:
> Trying rule: 6 - Generic template for all windows rules.
>*Rule 6 matched.
>*Trying child rules.
> Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
> Trying rule: 18100 - Group of windows rules.
>*Rule 18100 matched.
>*Trying child rules.
> Trying rule: 18101 - Windows informational event.
> Trying rule: 18102 - Windows warning event.
> Trying rule: 18104 - Windows audit success event.
> Trying rule: 18103 - Windows error event.
> Trying rule: 18105 - Windows audit failure event.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '18100'
>Level: '0'
>Description: 'Group of windows rules.'
>
> So the original fields of the decoder have been erased (status, id, extra_data,
> srcuser, system_name, name, location, user, system_name). The consequence is
> that the original rules don't match.
>

That's strange, it works for me (I had to add the timestamp info):
**Phase 1: Completed pre-decoding.
   full event: 'Mar  2 11:17:01 ossec-test WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked
a packet. Application Information: Process ID: 0 Application Name: -
Network Information: Direction: %%14592 Source Address: 10.20.10.55
Source Port: 55666 Destination Address: 255.255.255.255 Destination
Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713
Layer Name: %%14597 Layer Run-Time ID: 13'
   hostname: 'ossec-test'
   program_name: 'WinEvtLog'
   log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 10.20.10.55 Source
Port: 55666 Destination Address: 255.255.255.255 Destination Port:
1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer
Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'AUDIT_FAILURE'
   id: '5152'
   extra_data: 'Microsoft-Windows-Security-Auditing'
   dstuser: '(no user)'
   system_name: 'WKSUSR034.mccd.def'
   srcip: '10.20.10.55'

**Phase 3: Completed filtering (rules).
   Rule id: '18105'
   Level: '4'
   Description: 'Windows audit failure event.'
**Alert to be generated.

Are you sure you have the latest Windows decoders? I'll try firing up
another image and try again.


> On Friday, February 17, 2017, 14:01:15 (UTC+1), Casimiro wrote:
>>
>> I'm trying to override the windows decoder to extract more fields (in
>> local_decoder.xml), like source ip, destination ip, source port,
>>
>> This is my local decoder for windows
>>
>> 
>>windows
>>AUDIT_FAILURE(51512)
>>Source
>> Address:\s+(\d+.\d+.\d+.\d+)
>>srcip
>> 
>>
>> When I put the new decoder in local_decoder.xml, the Windows log doesn't match
>> the windows parent decoder. If I take off the local decoder, then the log matches
>> the windows parent decoder.
>>
>> I want to get all fields: parent fields + child fields (in this case
>> status, id, extra_data, srcuser, system_name and srcip)
>>
>> Thanks in advance
>>
>>
>>
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 
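
The decoder chaining this thread is about, as an added example that is not code from the thread or from OSSEC: a small Python model that parses a constructed local_decoder.xml modelled on the decoder lines quoted above, translates OSSEC regex syntax to Python, and applies the parent's children to the WFP event from the logtest output, once merging the fields as the MASTER output shows and once replacing them as Casimiro saw. The decoder names, the program_name selection of the parent, the cumulative child model and the rule 18105 condition are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the "log" part of the event quoted in the thread's logtest
# output (syslog header and program name already stripped by pre-decoding).
SAMPLE_LOG = (
    "Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): "
    "no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. "
    "Application Information: Process ID: 0 Application Name: - Network Information: "
    "Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 "
    "Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 "
    "Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13"
)

# Constructed decoder file modelled on the decoder lines quoted in the thread.
# Decoder names and the <program_name> that selects the parent are assumptions.
LOCAL_DECODER_XML = r"""
<decoders>
  <decoder name="windows">
    <program_name>^WinEvtLog</program_name>
  </decoder>
  <decoder name="windows-fields">
    <parent>windows</parent>
    <regex>^\.+: (\w+)\((\d+)\): (\.+): </regex>
    <regex>(\.+): \.+: (\S+): </regex>
    <order>status, id, extra_data, srcuser, system_name</order>
  </decoder>
  <decoder name="windows-srcip">
    <parent>windows</parent>
    <regex>Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
    <order>srcip</order>
  </decoder>
</decoders>
"""

# OSSEC decoder regex classes (per the OSSEC regex syntax) in Python form.
_CLASSES = {"w": r"[A-Za-z0-9@_\-]", "d": r"[0-9]", "s": " ", "S": r"[^ ]",
            "t": r"\t", ".": "."}


def ossec_to_python(pattern):
    """Translate OSSEC regex syntax into a Python regex. In OSSEC a bare '.'
    is a literal dot and '\\.' is any character (the opposite of PCRE), so the
    thread's \\d+.\\d+.\\d+.\\d+ is correct for an IPv4 address; a quantified
    '\\.' becomes non-greedy so ': ' separators split fields as OSSEC does."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        if ch in "+*" and out and out[-1] == ".":
            out.append(ch + "?")       # "\.+" -> ".+?"
        elif ch in "+*()^$":
            out.append(ch)             # same meaning in both syntaxes
        else:
            out.append(re.escape(ch))  # everything else is literal in OSSEC
        i += 1
    return "".join(out)


def load_decoders(xml_text):
    """Parse the decoder file; consecutive <regex> lines are concatenated."""
    decoders = []
    for el in ET.fromstring(xml_text).iter("decoder"):
        regex = "".join(r.text for r in el.findall("regex"))
        order = el.findtext("order", default="")
        decoders.append({
            "name": el.get("name"),
            "parent": el.findtext("parent"),
            "program_name": el.findtext("program_name"),
            "regex": re.compile(ossec_to_python(regex)) if regex else None,
            "order": [f.strip() for f in order.split(",") if f.strip()],
        })
    return decoders


def decode(program_name, log, decoders, merge_parent_fields=True):
    """Select the parent by program name, then apply every child that names it
    (simplified model: children contribute fields cumulatively). With
    merge_parent_fields=False only the last child's fields survive, which is
    the symptom reported in the thread: srcip decoded, everything else gone."""
    parent = next((d for d in decoders if d["program_name"] and re.search(
        ossec_to_python(d["program_name"]), program_name or "")), None)
    if parent is None:
        return None, {}
    fields = {}
    for child in decoders:
        if child["parent"] == parent["name"] and child["regex"] is not None:
            m = child["regex"].search(log)
            if m:
                captured = dict(zip(child["order"], m.groups()))
                fields = {**fields, **captured} if merge_parent_fields else captured
    return parent["name"], fields


def rule_18105_matches(fields):
    """Rule 18105 ("Windows audit failure event") keys on the decoded status;
    the exact condition is an assumption about the shipped rule."""
    return fields.get("status") == "AUDIT_FAILURE"
```

With the fields merged, the status field is present and the audit-failure rule can fire; with only srcip left, the generic group rule 18100 is all that can match, which is exactly the Phase 3 difference between the two logtest outputs above.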

[ossec-list] Re: Windows override Audit Events. Decoder

2017-03-02 Thread Casimiro
Thanks.
But it doesn't work. It only decodes the srcip field. I attach the output:

**Phase 1: Completed pre-decoding.
   full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: 
The Windows Filtering Platform blocked a packet. Application Information: 
Process ID: 0 Application Name: - Network Information: Direction: %%14592 
Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: 
Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
   hostname: 'USMCyberRange'
   program_name: '(null)'
   log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: 
The Windows Filtering Platform blocked a packet. Application Information: 
Process ID: 0 Application Name: - Network Information: Direction: %%14592 
Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 
255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: 
Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
   decoder: 'windows'
   srcip: '10.20.10.55'

**Rule debugging:
Trying rule: 6 - Generic template for all windows rules.
   *Rule 6 matched.
   *Trying child rules.
Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
Trying rule: 18100 - Group of windows rules.
   *Rule 18100 matched.
   *Trying child rules.
Trying rule: 18101 - Windows informational event.
Trying rule: 18102 - Windows warning event.
Trying rule: 18104 - Windows audit success event.
Trying rule: 18103 - Windows error event.
Trying rule: 18105 - Windows audit failure event.

**Phase 3: Completed filtering (rules).
   Rule id: '18100'
   Level: '0'
   Description: 'Group of windows rules.'

So the original fields of the decoder have been erased (status, id, extra_data,
srcuser, system_name, name, location, user, system_name). The consequence
is that the original rules don't match.

On Friday, February 17, 2017, 14:01:15 (UTC+1), Casimiro wrote:
>
> I'm trying to override the windows decoder to extract more fields (in 
> local_decoder.xml), like source ip, destination ip, source port,
>
> This is my local decoder for windows
>
> 
>windows
>AUDIT_FAILURE(51512)
>Source Address:\s+(\d+.\d+.\d+.\d+)
>srcip
> 
>
> When I put the new decoder in local_decoder.xml, the Windows log doesn't match
> the windows parent decoder. If I take off the local decoder, then the log matches
> the windows parent decoder.
>
> I want to get all fields: parent fields + child fields (in this case
> status, id, extra_data, srcuser, system_name and srcip)
>
> Thanks in advance
>
>
>
>
>



Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-02 Thread Casimiro
Thanks.
But it doesn't work. It only decodes the srcip field. I attach the output:

**Phase 1: Completed pre-decoding.
   full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. 
Application Information: Process ID: 0 Application Name: - Network 
Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 
55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 
17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer 
Run-Time ID: 13'
   hostname: 'USMCyberRange'
   program_name: '(null)'
   log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. 
Application Information: Process ID: 0 Application Name: - Network 
Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 
55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 
17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer 
Run-Time ID: 13'

**Phase 2: Completed decoding.
   decoder: 'windows'
   srcip: '10.20.10.55'

**Rule debugging:
Trying rule: 6 - Generic template for all windows rules.
   *Rule 6 matched.
   *Trying child rules.
Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
Trying rule: 18100 - Group of windows rules.
   *Rule 18100 matched.
   *Trying child rules.
Trying rule: 18101 - Windows informational event.
Trying rule: 18102 - Windows warning event.
Trying rule: 18104 - Windows audit success event.
Trying rule: 18103 - Windows error event.
Trying rule: 18105 - Windows audit failure event.

**Phase 3: Completed filtering (rules).
   Rule id: '18100'
   Level: '0'
   Description: 'Group of windows rules.'

So, the original fields of the decoder have been erased (status, id, extra_data, 
srcuser, system_name, name, location, user, system_name). The consequence 
is that the original rules don't match.




On Tuesday, 21 February 2017 at 15:30:39 (UTC+1), dan (ddpbsd) wrote:
>
> On Mon, Feb 20, 2017 at 6:08 AM, Casimiro wrote:
> > Version 2.8
> >
> > Events:
> >
> > WinEvtLog: Security: AUDIT_FAILURE(5152):
> > Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows
> > Filtering Platform blocked a packet. Application Information: Process ID: 0
> > Application Name: - Network Information: Direction: %%14952 Source Address:
> > 10.10.10.58 Source Port: 55663 Destination Address: 255.255.255.255
> > Destination Port: 1211 Protocol: 17 Filter Information: Filter Run-Time ID:
> > 70713 Layer Name: %%14597 Layer Run-Time ID:13
> >
> > I want to extract the source IP in addition to the status, id, extra_data,
> > srcuser, system_name fields that the original Windows decoder already extracts.
> >
>
> This works with the latest master:
> <decoder name="YOUR-DECODER-NAME">
>   <parent>windows</parent>
>   <regex>Source Address: (\S+)</regex>
>   <order>srcip</order>
> </decoder>
>
>
>
> > Thanks 
> > 
> > 
> > On Friday, 17 February 2017 at 14:01:15 (UTC+1), Casimiro wrote:
> >>
> >> I'm trying to override the windows decoder to extract more fields (in
> >> local_decoder.xml), like source IP, destination IP, source port.
> >>
> >> This is my local decoder for windows:
> >>
> >> <decoder name="YOUR-DECODER-NAME">
> >>   <parent>windows</parent>
> >>   <prematch>AUDIT_FAILURE(51512)</prematch>
> >>   <regex>Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
> >>   <order>srcip</order>
> >> </decoder>
> >>
> >> When I put the new decoder in local_decoder.xml, the windows log doesn't
> >> match the windows parent decoder. If I take off the local decoder, the log
> >> matches the windows parent decoder.
> >>
> >> I want to get all fields: parent fields + child fields (in this case
> >> status, id, extra_data, srcuser, system_name and srcip).
> >>
> >> Thanks in advance
> >> 
> >> 
> >> 
> >> 

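As an added illustration (my own code, not from the thread or from OSSEC), here is a small Python model of what the logtest output above shows: the OSSEC regex dialect translated to Python's `re`, a child-only decode that yields just srcip, and the merged decode the poster is after. The parent regex and field order are my approximation of the stock windows decoder, and the sample event is constructed from the one posted.

```python
import re
# Constructed sample event, shaped like the WinEvtLog line posted above.
EVENT = ("WinEvtLog: Security: AUDIT_FAILURE(5152): "
         "Microsoft-Windows-Security-Auditing: (no user): no domain: "
         "WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. "
         "Application Information: Process ID: 0 Application Name: - "
         "Network Information: Direction: %%14592 Source Address: 10.20.10.55 "
         "Source Port: 55666 Destination Address: 255.255.255.255 "
         "Destination Port: 1234 Protocol: 17")

# os_regex is not PCRE: '\.' is "any char", a bare '.' a literal dot, '\s' one space.
_TOKENS = {r"\.": ".", r"\w": r"[\w@\-]", r"\d": r"\d", r"\s": " ", r"\S": r"\S"}

def ossec_regex_to_python(pattern: str) -> str:
    """Approximate the OSSEC regex subset used by these decoders in re syntax."""
    out, i = [], 0
    while i < len(pattern):
        ch, rest = pattern[i], pattern[i + 1:]
        if ch == "\\" and rest:                         # escape sequence
            out.append(_TOKENS.get(pattern[i:i + 2], re.escape(rest[0])))
            i += 1
        elif ch == ".":                                 # literal dot in OSSEC
            out.append(r"\.")
        elif ch in "+*" and rest.strip(")"):            # shortest match unless last
            out.append(ch + "?")
        else:                                           # ()^$*+?| keep their meaning
            out.append(ch if ch in "()^$*+?|" else re.escape(ch))
        i += 1
    return "".join(out)

def run_decoder(regex: str, order: str, event: str) -> dict:
    """Emulate one <regex>/<order> pair: capture groups become named fields."""
    m = re.search(ossec_regex_to_python(regex), event)
    return dict(zip([f.strip() for f in order.split(",")], m.groups())) if m else {}

# My approximation of the stock 'windows' decoder's regex/order (not OSSEC's file).
PARENT = (r"^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): ",
          "status, id, extra_data, srcuser, system_name")
CHILD = (r"Source Address: (\S+)", "srcip")            # child decoder from dan's reply

def decode_child_only(event: str) -> dict:
    """What the 2.8 logtest output above shows: only the child's field survives."""
    return run_decoder(*CHILD, event)

def decode_merged(event: str) -> dict:
    """What the poster wants (and dan reports for master): parent + child fields."""
    fields = run_decoder(*PARENT, event)
    fields.update(run_decoder(*CHILD, event))
    return fields
```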


Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-02-21 Thread dan (ddp)
On Mon, Feb 20, 2017 at 6:08 AM, Casimiro  wrote:
> Version 2.8
>
> Events:
>
> WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows
> Filtering Platform blocked a packet. Application Information: Process ID: 0
> Application Name: - Network Information: Direction: %%14952 Source Address:
> 10.10.10.58 Source Port: 55663 Destination Address: 255.255.255.255
> Destination Port: 1211 Protocol: 17 Filter Information: Filter Run-Time ID:
> 70713 Layer Name: %%14597 Layer Run-Time ID:13
>
> I want to extract the source IP in addition to the status, id, extra_data, srcuser,
> system_name fields that the original Windows decoder already extracts.
>

This works with the latest master:
<decoder name="YOUR-DECODER-NAME">
  <parent>windows</parent>
  <regex>Source Address: (\S+)</regex>
  <order>srcip</order>
</decoder>



> Thanks
>
>
> On Friday, 17 February 2017 at 14:01:15 (UTC+1), Casimiro wrote:
>>
>> I'm trying to override the windows decoder to extract more fields (in
>> local_decoder.xml), like source IP, destination IP, source port.
>>
>> This is my local decoder for windows:
>>
>> <decoder name="YOUR-DECODER-NAME">
>>   <parent>windows</parent>
>>   <prematch>AUDIT_FAILURE(51512)</prematch>
>>   <regex>Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
>>   <order>srcip</order>
>> </decoder>
>>
>> When I put the new decoder in local_decoder.xml, the windows log doesn't match
>> the windows parent decoder. If I take off the local decoder, the log matches
>> the windows parent decoder.
>>
>> I want to get all fields: parent fields + child fields (in this case
>> status, id, extra_data, srcuser, system_name and srcip).
>>
>> Thanks in advance
>>
>>
>>
>>



[ossec-list] Re: Windows override Audit Events. Decoder

2017-02-20 Thread Casimiro
Version 2.8

Events:

WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows 
Filtering Platform blocked a packet. Application Information: Process ID: 0 
Application Name: - Network Information: Direction: %%14952 Source Address: 
10.10.10.58 Source Port: 55663 Destination Address: 255.255.255.255 
Destination Port: 1211 Protocol: 17 Filter Information: Filter Run-Time ID: 
70713 Layer Name: %%14597 Layer Run-Time ID:13

I want to extract the source IP in addition to the status, id, extra_data, 
srcuser, system_name fields that the original Windows decoder already 
extracts.

Thanks

On Friday, 17 February 2017 at 14:01:15 (UTC+1), Casimiro wrote:
>
> I'm trying to override the windows decoder to extract more fields (in 
> local_decoder.xml), like source IP, destination IP, source port.
>
> This is my local decoder for windows:
>
> <decoder name="YOUR-DECODER-NAME">
>   <parent>windows</parent>
>   <prematch>AUDIT_FAILURE(51512)</prematch>
>   <regex>Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
>   <order>srcip</order>
> </decoder>
>
> When I put the new decoder in local_decoder.xml, the windows log doesn't match 
> the windows parent decoder. If I take off the local decoder, the log matches 
> the windows parent decoder.
>
> I want to get all fields: parent fields + child fields (in this case 
> status, id, extra_data, srcuser, system_name and srcip).
>
> Thanks in advance
>
>
>
>
>
