Greetings:

A while ago I ran into a problem where ossec wasn't throwing alerts on MS 
Security Essentials (MSE) detection of the EICAR test file. After some 
digging, I found a thread by Edward Welch 
(https://groups.google.com/forum/#!topic/ossec-list/q8eLKPL1qKc), which put 
me on the right track. Somewhere along the line the event IDs changed 
in MSE, but ossec as of 2.8 doesn't reflect that, so ossec never 'sees' 
the event.

I've modified and expanded the MSE rules and I thought I should share what 
I've been using in case anyone else wants or needs them. Admittedly, 
they're probably overkill, but they work for my purposes.

dr. cryogen

----------------------------------

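<!-- Microsoft Security Essentials (MSE) rules.
     Event IDs are those logged under the "Microsoft Antimalware" event source;
     see https://technet.microsoft.com/en-us/library/hh144989.aspx
     OSSEC evaluates sibling rules under one parent from highest level to
     lowest and stops at the first match, so the <id> patterns below are kept
     disjoint: each event ID is claimed by exactly one rule and the result does
     not depend on evaluation order. -->
<group name="windows,mse,">
  <!-- Parent rule: selects MSE events out of the generic Windows eventlog
       rules (18101-18103) by event source. Level 0 = never alerts on its own. -->
  <rule id="720001" level="0">
    <category>windows</category>
    <if_sid>18101,18102,18103</if_sid>
    <extra_data>^Microsoft Antimalware</extra_data>
    <description>Grouping of Microsoft Security Essentials rules.</description>
  </rule>

  <!-- Virus/malware behavior -->
  <!-- 1118/1119: remediation failed; highest level in this group -->
  <rule id="720010" level="12">
    <if_sid>720001</if_sid>
    <id>^1118$|^1119$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Virus detected, but unable to remove.</description>
  </rule>
  <!-- 1117: threat detected and action completed -->
  <rule id="720011" level="7">
    <if_sid>720001</if_sid>
    <id>^1117$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Virus detected and properly removed.</description>
  </rule>
  <!-- 1116: threat detected, action pending. 1117-1119 are handled by
       720010/720011 and are deliberately not repeated here. -->
  <rule id="720012" level="7">
    <if_sid>720001</if_sid>
    <id>^1116$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Virus detected.</description>
  </rule>
  <!-- 1015: suspicious behavior detected -->
  <rule id="720013" level="7">
    <if_sid>720001</if_sid>
    <id>^1015$</id>
    <group>virus,</group>
    <description>Microsoft Security Essentials - Suspicious activity detected.</description>
  </rule>

  <!-- Service conditions and errors -->
  <rule id="720020" level="3">
    <if_sid>720001</if_sid>
    <id>^5007$</id>
    <group>policy_changed,</group>
    <description>Microsoft Security Essentials - Configuration changed.</description>
  </rule>
  <rule id="720021" level="9">
    <if_sid>720001</if_sid>
    <id>^5008$</id>
    <description>Microsoft Security Essentials - Service failed.</description>
  </rule>
  <rule id="720022" level="9">
    <if_sid>720001</if_sid>
    <id>^3002$</id>
    <description>Microsoft Security Essentials - Real time protection failed.</description>
  </rule>
  <rule id="720023" level="8">
    <if_sid>720001</if_sid>
    <id>^2012$</id>
    <description>Microsoft Security Essentials - Cannot use Dynamic Signature Service.</description>
  </rule>
  <rule id="720024" level="8">
    <if_sid>720001</if_sid>
    <id>^2004$</id>
    <description>Microsoft Security Essentials - Loading definitions failed. Using last good set.</description>
  </rule>
  <rule id="720025" level="8">
    <if_sid>720001</if_sid>
    <id>^2003$</id>
    <description>Microsoft Security Essentials - Engine update failed.</description>
  </rule>
  <rule id="720026" level="8">
    <if_sid>720001</if_sid>
    <id>^2001$</id>
    <description>Microsoft Security Essentials - Definitions update failed.</description>
  </rule>
  <rule id="720027" level="7">
    <if_sid>720001</if_sid>
    <id>^1005$</id>
    <description>Microsoft Security Essentials - Scan error. Scan has stopped.</description>
  </rule>
  <rule id="720028" level="5">
    <if_sid>720001</if_sid>
    <id>^1002$</id>
    <description>Microsoft Security Essentials - Scan stopped before completion.</description>
  </rule>
  <!-- Protection being switched off (as opposed to failing, 3002 above) is the
       state an attacker wants, so it is alerted at the same level as the
       update failures. Confirm these IDs against the event reference for the
       MSE build in use, since IDs have moved between releases. -->
  <rule id="720029" level="8">
    <if_sid>720001</if_sid>
    <id>^5001$</id>
    <group>policy_changed,</group>
    <description>Microsoft Security Essentials - Real time protection disabled.</description>
  </rule>
  <rule id="720030" level="8">
    <if_sid>720001</if_sid>
    <id>^5010$|^5012$</id>
    <group>policy_changed,</group>
    <description>Microsoft Security Essentials - Malware or virus scanning disabled.</description>
  </rule>

  <!-- EICAR test file special case -->
  <!-- www.eicar.org/86-0-Intended-use.html
       These children rate the event lower than their parent because EICAR is a
       harmless test signature; alert_by_email presumably keeps the alert
       visible so the AV-to-OSSEC pipeline can be verified end to end. -->
  <rule id="720041" level="5">
    <if_sid>720012</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <options>alert_by_email</options>
    <description>Microsoft Security Essentials - EICAR test file detected.</description>
  </rule>
  <rule id="720042" level="3">
    <if_sid>720011</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <options>alert_by_email</options>
    <description>Microsoft Security Essentials - EICAR test file removed.</description>
  </rule>
  <rule id="720043" level="8">
    <if_sid>720010</if_sid>
    <match>Virus:DOS/EICAR_Test_File</match>
    <options>alert_by_email</options>
    <description>Microsoft Security Essentials - EICAR test file detected, but removal failed.</description>
  </rule>

  <!-- Status messages -->
  <rule id="720050" level="3">
    <if_sid>720001</if_sid>
    <id>^2000$</id>
    <description>Microsoft Security Essentials - Signature database updated.</description>
  </rule>
  <rule id="720051" level="3">
    <if_sid>720001</if_sid>
    <id>^2002$</id>
    <description>Microsoft Security Essentials - Scan engine updated.</description>
  </rule>
  <rule id="720053" level="3">
    <if_sid>720001</if_sid>
    <id>^1000$|^1001$</id>
    <description>Microsoft Security Essentials - Scan started or stopped.</description>
  </rule>
  <!-- Clearing the detection history hides prior findings; level 4 keeps it
       above the routine status events. -->
  <rule id="720054" level="4">
    <if_sid>720001</if_sid>
    <id>^1013$</id>
    <description>Microsoft Security Essentials - History cleared.</description>
  </rule>

  <!-- Time based alerts: repeated matches (frequency) of a detection rule
       inside the 240-second window. Descriptions differ so the two
       correlations can be told apart in alerts. -->
  <rule id="720070" level="10" frequency="4" timeframe="240">
    <if_matched_sid>720011</if_matched_sid>
    <description>Multiple Microsoft Security Essentials AV removals detected.</description>
  </rule>
  <rule id="720071" level="10" frequency="4" timeframe="240">
    <if_matched_sid>720012</if_matched_sid>
    <description>Multiple Microsoft Security Essentials AV detections.</description>
  </rule>
</group> <!-- mse -->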
